Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Impersonate on specific directory

Reply
Thread Tools

Impersonate on specific directory

 
 
Nick
Guest
Posts: n/a
 
      05-19-2008
Hi there,

I need to enable Impersonation in order to access a network share from
an ASP.NET application. Unfortunately when I do this it enables it for the
entire application which causes other issues, how would I do this for a
particular folder?

Thanks in advance for your time.

Nick.


 
Reply With Quote
 
 
 
 
Steven Cheng [MSFT]
Guest
Posts: n/a
 
      05-20-2008
Hi Nick,

From your description, you want to access some shared folder in the ASP.NET
application, however, due to the security protection, you need to do
impersonate, and currently encounter some problems with the impersonate,
correct?

Regarding on this issue, I'd like to confirm the following things:

** Are you in a domain environment, for both the ASP.NET server machine and
the remote share folder's machine

** How did you do the impersonate currrently. Are you impersonate the
ASP.NET client user account( through windows authentication) or use a fixed
account in web.config to do the impersonate?

Based on my experince, if the ASP.NET application need to access another
remote machine's protected resource(such as file share), impersontating
client user(who access the ASP.NET application) will not work due to double
hop limitation. You need to do impersonate with a clear text
username/password so as to establish a security token that can forward
across from ASP.NET server to remote share folder machine.

For the question that you want to only impersonate the context when
accessing a particular file share, I think you can consider do impersonate
programmatically. You can make impersonate call only in method where you
want to access remote share and undo it after finished.

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ms998351.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
http://www.velocityreviews.com/forums/(E-Mail Removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
>From: "Nick" <(E-Mail Removed)>
>Subject: Impersonate on specific directory
>Date: Mon, 19 May 2008 15:09:42 +0100


>Hi there,
>
> I need to enable Impersonation in order to access a network share from
>an ASP.NET application. Unfortunately when I do this it enables it for

the
>entire application which causes other issues, how would I do this for a
>particular folder?
>
> Thanks in advance for your time.
>
>Nick.
>
>
>


 
Reply With Quote
 
 
 
 
Steven Cheng [MSFT]
Guest
Posts: n/a
 
      05-22-2008
Hi Nick,

Does the suggestion in my last reply help you some? If you have anything
unclear or need any other help, welcome to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(E-Mail Removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------t
>From: (E-Mail Removed) (Steven Cheng [MSFT])
>Organization: Microsoft
>Date: Tue, 20 May 2008 03:59:45 GMT
>Subject: RE: Impersonate on specific directory


>
>Hi Nick,
>
>From your description, you want to access some shared folder in the

ASP.NET
>application, however, due to the security protection, you need to do
>impersonate, and currently encounter some problems with the impersonate,
>correct?
>
>Regarding on this issue, I'd like to confirm the following things:
>
>** Are you in a domain environment, for both the ASP.NET server machine

and
>the remote share folder's machine
>
>** How did you do the impersonate currrently. Are you impersonate the
>ASP.NET client user account( through windows authentication) or use a

fixed
>account in web.config to do the impersonate?
>
>Based on my experince, if the ASP.NET application need to access another
>remote machine's protected resource(such as file share), impersontating
>client user(who access the ASP.NET application) will not work due to

double
>hop limitation. You need to do impersonate with a clear text
>username/password so as to establish a security token that can forward
>across from ASP.NET server to remote share folder machine.
>
>For the question that you want to only impersonate the context when
>accessing a particular file share, I think you can consider do impersonate
>programmatically. You can make impersonate call only in method where you
>want to access remote share and undo it after finished.
>
>#How To: Use Impersonation and Delegation in ASP.NET 2.0
>http://msdn.microsoft.com/en-us/library/ms998351.aspx
>
>Sincerely,
>
>Steven Cheng
>
>Microsoft MSDN Online Support Lead
>
>
>Delighting our customers is our #1 priority. We welcome your comments and
>suggestions about how we can improve the support we provide to you. Please
>feel free to let my manager know what you think of the level of service
>provided. You can send feedback directly to my manager at:
>(E-Mail Removed).
>
>================================================= =
>Get notification to my posts through email? Please refer to
>http://msdn.microsoft.com/subscripti...ault.aspx#noti

f
>ications.
>
>Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
>where an initial response from the community or a Microsoft Support
>Engineer within 1 business day is acceptable. Please note that each follow
>up response may take approximately 2 business days as the support
>professional working with you may need further investigation to reach the
>most efficient resolution. The offering is not appropriate for situations
>that require urgent, real-time or phone-based interactions or complex
>project analysis and dump analysis issues. Issues of this nature are best
>handled working with a dedicated Microsoft Support Engineer by contacting
>Microsoft Customer Support Services (CSS) at
>http://msdn.microsoft.com/subscripti...t/default.aspx.
>================================================= =
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>--------------------
>>From: "Nick" <(E-Mail Removed)>
>>Subject: Impersonate on specific directory
>>Date: Mon, 19 May 2008 15:09:42 +0100

>
>>Hi there,
>>
>> I need to enable Impersonation in order to access a network share

from
>>an ASP.NET application. Unfortunately when I do this it enables it for

>the
>>entire application which causes other issues, how would I do this for a
>>particular folder?
>>
>> Thanks in advance for your time.
>>
>>Nick.
>>
>>
>>

>
>


 
Reply With Quote
 
Nick
Guest
Posts: n/a
 
      05-30-2008
Hi Steven

Thankyou for your help, I fixed this by creating a class that calls the
Win32 LogonUser function on demand, this stops having to enable
impersonation for the entire application. Anyone else doing this should
consider cashing the indentity as repeat calling of the API can cause
resources to expire pretty quick in a live application.

Thanks for your time and help.

Nick.

"Steven Cheng [MSFT]" <(E-Mail Removed)> wrote in message
news:TBj7FR%(E-Mail Removed)...
> Hi Nick,
>
> Does the suggestion in my last reply help you some? If you have anything
> unclear or need any other help, welcome to post here.
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
>
> Delighting our customers is our #1 priority. We welcome your comments and
> suggestions about how we can improve the support we provide to you. Please
> feel free to let my manager know what you think of the level of service
> provided. You can send feedback directly to my manager at:
> (E-Mail Removed).
>
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscripti...ult.aspx#notif
> ications.
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> --------------------t
>>From: (E-Mail Removed) (Steven Cheng [MSFT])
>>Organization: Microsoft
>>Date: Tue, 20 May 2008 03:59:45 GMT
>>Subject: RE: Impersonate on specific directory

>
>>
>>Hi Nick,
>>
>>From your description, you want to access some shared folder in the

> ASP.NET
>>application, however, due to the security protection, you need to do
>>impersonate, and currently encounter some problems with the impersonate,
>>correct?
>>
>>Regarding on this issue, I'd like to confirm the following things:
>>
>>** Are you in a domain environment, for both the ASP.NET server machine

> and
>>the remote share folder's machine
>>
>>** How did you do the impersonate currrently. Are you impersonate the
>>ASP.NET client user account( through windows authentication) or use a

> fixed
>>account in web.config to do the impersonate?
>>
>>Based on my experince, if the ASP.NET application need to access another
>>remote machine's protected resource(such as file share), impersontating
>>client user(who access the ASP.NET application) will not work due to

> double
>>hop limitation. You need to do impersonate with a clear text
>>username/password so as to establish a security token that can forward
>>across from ASP.NET server to remote share folder machine.
>>
>>For the question that you want to only impersonate the context when
>>accessing a particular file share, I think you can consider do impersonate
>>programmatically. You can make impersonate call only in method where you
>>want to access remote share and undo it after finished.
>>
>>#How To: Use Impersonation and Delegation in ASP.NET 2.0
>>http://msdn.microsoft.com/en-us/library/ms998351.aspx
>>
>>Sincerely,
>>
>>Steven Cheng
>>
>>Microsoft MSDN Online Support Lead
>>
>>
>>Delighting our customers is our #1 priority. We welcome your comments and
>>suggestions about how we can improve the support we provide to you. Please
>>feel free to let my manager know what you think of the level of service
>>provided. You can send feedback directly to my manager at:
>>(E-Mail Removed).
>>
>>================================================ ==
>>Get notification to my posts through email? Please refer to
>>http://msdn.microsoft.com/subscripti...ault.aspx#noti

> f
>>ications.
>>
>>Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
>>where an initial response from the community or a Microsoft Support
>>Engineer within 1 business day is acceptable. Please note that each follow
>>up response may take approximately 2 business days as the support
>>professional working with you may need further investigation to reach the
>>most efficient resolution. The offering is not appropriate for situations
>>that require urgent, real-time or phone-based interactions or complex
>>project analysis and dump analysis issues. Issues of this nature are best
>>handled working with a dedicated Microsoft Support Engineer by contacting
>>Microsoft Customer Support Services (CSS) at
>>http://msdn.microsoft.com/subscripti...t/default.aspx.
>>================================================ ==
>>This posting is provided "AS IS" with no warranties, and confers no
>>rights.
>>
>>
>>
>>--------------------
>>>From: "Nick" <(E-Mail Removed)>
>>>Subject: Impersonate on specific directory
>>>Date: Mon, 19 May 2008 15:09:42 +0100

>>
>>>Hi there,
>>>
>>> I need to enable Impersonation in order to access a network share

> from
>>>an ASP.NET application. Unfortunately when I do this it enables it for

>>the
>>>entire application which causes other issues, how would I do this for a
>>>particular folder?
>>>
>>> Thanks in advance for your time.
>>>
>>>Nick.
>>>
>>>
>>>

>>
>>

>



 
Reply With Quote
 
Steven Cheng [MSFT]
Guest
Posts: n/a
 
      06-02-2008
Thanks for your reply Nick,

I'm glad that you've got it resolved.

Have a nice day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(E-Mail Removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Nick" <(E-Mail Removed)>
>References: <#RmU$(E-Mail Removed)>

<(E-Mail Removed)>
<TBj7FR#(E-Mail Removed)>
>Subject: Re: Impersonate on specific directory
>Date: Fri, 30 May 2008 12:16:06 +0100


>Hi Steven
>
> Thankyou for your help, I fixed this by creating a class that calls

the
>Win32 LogonUser function on demand, this stops having to enable
>impersonation for the entire application. Anyone else doing this should
>consider cashing the indentity as repeat calling of the API can cause
>resources to expire pretty quick in a live application.
>
> Thanks for your time and help.
>
>Nick.
>
>"Steven Cheng [MSFT]" <(E-Mail Removed)> wrote in message
>news:TBj7FR%(E-Mail Removed). ..
>> Hi Nick,
>>
>> Does the suggestion in my last reply help you some? If you have anything
>> unclear or need any other help, welcome to post here.
>>
>> Sincerely,
>>
>> Steven Cheng
>>
>> Microsoft MSDN Online Support Lead
>>
>>
>> Delighting our customers is our #1 priority. We welcome your comments and
>> suggestions about how we can improve the support we provide to you.

Please
>> feel free to let my manager know what you think of the level of service
>> provided. You can send feedback directly to my manager at:
>> (E-Mail Removed).
>>
>>>>>
>>>>Hi there,
>>>>
>>>> I need to enable Impersonation in order to access a network share

>> from
>>>>an ASP.NET application. Unfortunately when I do this it enables it for
>>>the
>>>>entire application which causes other issues, how would I do this for a
>>>>particular folder?
>>>>
>>>> Thanks in advance for your time.
>>>>
>>>>Nick.
>>>>
>>>>
>>>>
>>>
>>>

>>

>
>
>


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Impersonate specific user in code with Windows 2008 AvaDev ASP .Net 3 07-10-2008 05:12 PM
impersonate not working for directory. archana ASP .Net 3 10-29-2007 04:55 AM
To grant access to a protected directory use " impersonate" or " LogonUser"? Johannes Hammersen ASP .Net Security 1 06-12-2005 02:27 AM
Windows 2003 server web service consumer with interop cannot impersonate a specific user John Lau ASP .Net Security 0 09-13-2004 07:41 PM
DirectoryEntry Impersonate or WindowsIdentity Impersonate? Bill Belliveau ASP .Net Security 3 01-31-2004 04:19 AM



Advertisments