Impersonation and Jet 4.0 OleDB Error

Hi

I have a ASP.Net 2.0 web site which dowloads the "#" delimited file from
FTP server and drop it onto a UNC share. This file is then loaded into a
dataset using Microsoft Jet 4.0 OleDB provider.

constr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\temp;Extended
Properties=""Text;HDR=Yes;FMT=Delimited"";"

oCon = New System.Data.OleDb.OleDbConnection(constr)

oAdp = New System.Data.OleDb.OleDbDataAdapter("Select * from test.csv",
oCon)

WeatherDs = New DataSet

oAdp.Fill(WeatherDs)

WeatherDt = WeatherDs.Tables(0)

In order to write to the UNC share I am using impersonation. The above line
of code works fine if is no impersonation, but as soon as I added the
impersonation stuff in the web.config file the code
gives me error when I try to fill the dataset (oAdp.Fill(WeatherDs)).

The OleDB Provider return "Unspecified Error"
System.Data.OleDb.OleDbException: Unspecified error
at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString
constr, OleDbConnection connection)
at
System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions
options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection
owningObject)
at
System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection
owningConnection, DbConnectionPoolGroup poolGroup)
at
System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection
owningConnection)
at
System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection
outerConnection, DbConnectionFactory connectionFactory)
at System.Data.OleDb.OleDbConnection.Open()
at System.Data.Common.DbDataAdapter.QuietOpen(IDbConnection connection,
ConnectionState& originalState)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset,
DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32
startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet)

I have given require to rights as well.... Any help appreciated...

cheers,
mayur

On Fri, 15 Sep 2006 16:42:14 +1000, "mdhaman" <1234@1234.com> wrote:

¤ Hi
¤
¤ I have a ASP.Net 2.0 web site which dowloads the "#" delimited file from
¤ FTP server and drop it onto a UNC share. This file is then loaded into a
¤ dataset using Microsoft Jet 4.0 OleDB provider.
¤
¤ constr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\temp;Extended
¤ Properties=""Text;HDR=Yes;FMT=Delimited"";"
¤
¤ oCon = New System.Data.OleDb.OleDbConnection(constr)
¤
¤ oAdp = New System.Data.OleDb.OleDbDataAdapter("Select * from test.csv",
¤ oCon)
¤
¤ WeatherDs = New DataSet
¤
¤ oAdp.Fill(WeatherDs)
¤
¤ WeatherDt = WeatherDs.Tables(0)
¤
¤ In order to write to the UNC share I am using impersonation. The above line
¤ of code works fine if is no impersonation, but as soon as I added the
¤ impersonation stuff in the web.config file the code
¤ gives me error when I try to fill the dataset (oAdp.Fill(WeatherDs)).
¤
¤ The OleDB Provider return "Unspecified Error"
¤ System.Data.OleDb.OleDbException: Unspecified error
¤ at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString
¤ constr, OleDbConnection connection)
¤ at
¤ System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions
¤ options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection
¤ owningObject)
¤ at
¤ System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection
¤ owningConnection, DbConnectionPoolGroup poolGroup)
¤ at
¤ System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection
¤ owningConnection)
¤ at
¤ System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection
¤ outerConnection, DbConnectionFactory connectionFactory)
¤ at System.Data.OleDb.OleDbConnection.Open()
¤ at System.Data.Common.DbDataAdapter.QuietOpen(IDbConnection connection,
¤ ConnectionState& originalState)
¤ at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset,
¤ DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
¤ srcTable, IDbCommand command, CommandBehavior behavior)
¤ at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32
¤ startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
¤ CommandBehavior behavior)
¤ at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet)
¤
¤ I have given require to rights as well.... Any help appreciated...

Once you enable impersonation you change the account under which the web application's worker
process executes. This, in addition to the type of authentication your web app is configured for,
will affect access to local and network resources.

I'm not exactly sure what type of authentication your application is configured for, but you need to
make certain that you've provided sufficient permissions for the proper account(s).


Paul
~~~~
Microsoft MVP (Visual Basic)

Paul Wrote:
> Once you enable impersonation you change the account under which the web
> application's worker
> process executes. This, in addition to the type of authentication your web
> app is configured for,
> will affect access to local and network resources.
>
> I'm not exactly sure what type of authentication your application is
> configured for, but you need to
> make certain that you've provided sufficient permissions for the proper
> account(s).

Hi Paul

I have given proper permissions to the account. The application only works
if the account is made an administrator... this defeats the purpose of
impersonation.... I used CASPOL to check the permission on the
System.Data.dll and returned unrestricted access to it (see below).

C:\Program Files\Microsoft Visual Studio 8\VC>caspol -all -resolveperm
C:\WINDOW
S\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.

Resolving permissions for level = Enterprise
Resolving permissions for level = Machine
Resolving permissions for level = User

Grant =
<PermissionSet class="System.Security.PermissionSet"
version="1"
Unrestricted="true"/>

Success

Plus my security log show authentication failure as well

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 18/09/2006
Time: 12:01:40 PM
User: NT AUTHORITY\SYSTEM
Computer: DHAMANWALAM
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: weather
Domain: DHAMANWALAM
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DHAMANWALAM


Any ideas on how to resolve the security permission issues

Thanks,
Mayur


"Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
news:81flg292qkjar36eigs0cta61o047gp3f9@4ax.com...
> On Fri, 15 Sep 2006 16:42:14 +1000, "mdhaman" <1234@1234.com> wrote:
>
> ¤ Hi
> ¤
> ¤ I have a ASP.Net 2.0 web site which dowloads the "#" delimited file
> from
> ¤ FTP server and drop it onto a UNC share. This file is then loaded into a
> ¤ dataset using Microsoft Jet 4.0 OleDB provider.
> ¤
> ¤ constr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\temp;Extended
> ¤ Properties=""Text;HDR=Yes;FMT=Delimited"";"
> ¤
> ¤ oCon = New System.Data.OleDb.OleDbConnection(constr)
> ¤
> ¤ oAdp = New System.Data.OleDb.OleDbDataAdapter("Select * from test.csv",
> ¤ oCon)
> ¤
> ¤ WeatherDs = New DataSet
> ¤
> ¤ oAdp.Fill(WeatherDs)
> ¤
> ¤ WeatherDt = WeatherDs.Tables(0)
> ¤
> ¤ In order to write to the UNC share I am using impersonation. The above
> line
> ¤ of code works fine if is no impersonation, but as soon as I added the
> ¤ impersonation stuff in the web.config file the code
> ¤ gives me error when I try to fill the dataset (oAdp.Fill(WeatherDs)).
> ¤
> ¤ The OleDB Provider return "Unspecified Error"
> ¤ System.Data.OleDb.OleDbException: Unspecified error
> ¤ at
> System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString
> ¤ constr, OleDbConnection connection)
> ¤ at
> ¤
> System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions
> ¤ options, Object poolGroupProviderInfo, DbConnectionPool pool,
> DbConnection
> ¤ owningObject)
> ¤ at
> ¤
> System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection
> ¤ owningConnection, DbConnectionPoolGroup poolGroup)
> ¤ at
> ¤ System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection
> ¤ owningConnection)
> ¤ at
> ¤ System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection
> ¤ outerConnection, DbConnectionFactory connectionFactory)
> ¤ at System.Data.OleDb.OleDbConnection.Open()
> ¤ at System.Data.Common.DbDataAdapter.QuietOpen(IDbConnection
> connection,
> ¤ ConnectionState& originalState)
> ¤ at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset,
> ¤ DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
> ¤ srcTable, IDbCommand command, CommandBehavior behavior)
> ¤ at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32
> ¤ startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
> ¤ CommandBehavior behavior)
> ¤ at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet)
> ¤
> ¤ I have given require to rights as well.... Any help appreciated...
>
> Once you enable impersonation you change the account under which the web
> application's worker
> process executes. This, in addition to the type of authentication your web
> app is configured for,
> will affect access to local and network resources.
>
> I'm not exactly sure what type of authentication your application is
> configured for, but you need to
> make certain that you've provided sufficient permissions for the proper
> account(s).
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)

On Mon, 18 Sep 2006 12:33:28 +1000, "mdhaman" <1234@1234.com> wrote:

¤
¤ Paul Wrote:
¤ > Once you enable impersonation you change the account under which the web
¤ > application's worker
¤ > process executes. This, in addition to the type of authentication your web
¤ > app is configured for,
¤ > will affect access to local and network resources.
¤ >
¤ > I'm not exactly sure what type of authentication your application is
¤ > configured for, but you need to
¤ > make certain that you've provided sufficient permissions for the proper
¤ > account(s).
¤
¤ Hi Paul
¤
¤ I have given proper permissions to the account. The application only works
¤ if the account is made an administrator... this defeats the purpose of
¤ impersonation.... I used CASPOL to check the permission on the
¤ System.Data.dll and returned unrestricted access to it (see below).
¤
¤ C:\Program Files\Microsoft Visual Studio 8\VC>caspol -all -resolveperm
¤ C:\WINDOW
¤ S\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
¤ Microsoft (R) .NET Framework CasPol 2.0.50727.42
¤ Copyright (c) Microsoft Corporation. All rights reserved.
¤
¤ Resolving permissions for level = Enterprise
¤ Resolving permissions for level = Machine
¤ Resolving permissions for level = User
¤
¤ Grant =
¤ <PermissionSet class="System.Security.PermissionSet"
¤ version="1"
¤ Unrestricted="true"/>
¤
¤ Success
¤
¤ Plus my security log show authentication failure as well
¤
¤ Event Type: Failure Audit
¤ Event Source: Security
¤ Event Category: Logon/Logoff
¤ Event ID: 534
¤ Date: 18/09/2006
¤ Time: 12:01:40 PM
¤ User: NT AUTHORITY\SYSTEM
¤ Computer: DHAMANWALAM
¤ Description:
¤ Logon Failure:
¤ Reason: The user has not been granted the requested
¤ logon type at this machine
¤ User Name: weather
¤ Domain: DHAMANWALAM
¤ Logon Type: 5
¤ Logon Process: Advapi
¤ Authentication Package: Negotiate
¤ Workstation Name: DHAMANWALAM
¤
¤
¤ Any ideas on how to resolve the security permission issues


If the database is not on the same machine as the web server then you're probably experiencing a
security delegation problem. What type of authentication is your web application configured for?
Basic? Integrated NT?


Paul
~~~~
Microsoft MVP (Visual Basic)

> If the database is not on the same machine as the web server then you're
> probably experiencing a
> security delegation problem. What type of authentication is your web
> application configured for?
> Basic? Integrated NT?
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)

Hi Paul,

Sorry I could not reply to you early...

I am using Integrated NT Authentication. But in regards to the location of
the database, I tried with the database
on my machine as well as the different machine using UNC share. In both
cases it does not work.

I also created a Local Machine Account (<my machine name>\testuser) and set
appropriate permissions as follows:
- gave full control to location where the file needs to be downloaded from
the FTP server(this location is on my machine).
- gave full control to Temporary ASP.NET folder as well.

Application can download the file from the FTP server to a location on my
machine. After dowloading I load the dataset using OleDB and at this point
it fails.
Now if I make the "testuser" as administrator of my machine it works fine.

I also tried using ASP.NET Machine Account and set permissions as follows:
- gave full control to location where the file needs to be downloaded from
the FTP server(this location is on my machine).

ASP.NET machine account can download the file and also load the file into
the dataset using OleDB provide.

I can't understand why with Local Machine Account / Domain Account the
loading of a dataset using OleDB does not work.
Are they any special permissions that needs to be set apart from the
permission that are mentioned above.

Any help will be appreciated....

Thanks Mayur.


"Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
news:sk50h2deujetg7uik36stfk6kkfjlflsc1@4ax.com...
> On Mon, 18 Sep 2006 12:33:28 +1000, "mdhaman" <1234@1234.com> wrote:
>
> ¤
> ¤ Paul Wrote:
> ¤ > Once you enable impersonation you change the account under which the
> web
> ¤ > application's worker
> ¤ > process executes. This, in addition to the type of authentication your
> web
> ¤ > app is configured for,
> ¤ > will affect access to local and network resources.
> ¤ >
> ¤ > I'm not exactly sure what type of authentication your application is
> ¤ > configured for, but you need to
> ¤ > make certain that you've provided sufficient permissions for the
> proper
> ¤ > account(s).
> ¤
> ¤ Hi Paul
> ¤
> ¤ I have given proper permissions to the account. The application only
> works
> ¤ if the account is made an administrator... this defeats the purpose of
> ¤ impersonation.... I used CASPOL to check the permission on the
> ¤ System.Data.dll and returned unrestricted access to it (see below).
> ¤
> ¤ C:\Program Files\Microsoft Visual Studio 8\VC>caspol -all -resolveperm
> ¤ C:\WINDOW
> ¤ S\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
> ¤ Microsoft (R) .NET Framework CasPol 2.0.50727.42
> ¤ Copyright (c) Microsoft Corporation. All rights reserved.
> ¤
> ¤ Resolving permissions for level = Enterprise
> ¤ Resolving permissions for level = Machine
> ¤ Resolving permissions for level = User
> ¤
> ¤ Grant =
> ¤ <PermissionSet class="System.Security.PermissionSet"
> ¤ version="1"
> ¤ Unrestricted="true"/>
> ¤
> ¤ Success
> ¤
> ¤ Plus my security log show authentication failure as well
> ¤
> ¤ Event Type: Failure Audit
> ¤ Event Source: Security
> ¤ Event Category: Logon/Logoff
> ¤ Event ID: 534
> ¤ Date: 18/09/2006
> ¤ Time: 12:01:40 PM
> ¤ User: NT AUTHORITY\SYSTEM
> ¤ Computer: DHAMANWALAM
> ¤ Description:
> ¤ Logon Failure:
> ¤ Reason: The user has not been granted the requested
> ¤ logon type at this machine
> ¤ User Name: weather
> ¤ Domain: DHAMANWALAM
> ¤ Logon Type: 5
> ¤ Logon Process: Advapi
> ¤ Authentication Package: Negotiate
> ¤ Workstation Name: DHAMANWALAM
> ¤
> ¤
> ¤ Any ideas on how to resolve the security permission issues
>
>
> If the database is not on the same machine as the web server then you're
> probably experiencing a
> security delegation problem. What type of authentication is your web
> application configured for?
> Basic? Integrated NT?
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)

On Thu, 21 Sep 2006 14:03:52 +1000, "mdhaman" <1234@1234.com> wrote:

¤ > If the database is not on the same machine as the web server then you're
¤ > probably experiencing a
¤ > security delegation problem. What type of authentication is your web
¤ > application configured for?
¤ > Basic? Integrated NT?
¤ >
¤ >
¤ > Paul
¤ > ~~~~
¤ > Microsoft MVP (Visual Basic)
¤
¤ Hi Paul,
¤
¤ Sorry I could not reply to you early...
¤
¤ I am using Integrated NT Authentication. But in regards to the location of
¤ the database, I tried with the database
¤ on my machine as well as the different machine using UNC share. In both
¤ cases it does not work.
¤
¤ I also created a Local Machine Account (<my machine name>\testuser) and set
¤ appropriate permissions as follows:
¤ - gave full control to location where the file needs to be downloaded from
¤ the FTP server(this location is on my machine).
¤ - gave full control to Temporary ASP.NET folder as well.
¤
¤ Application can download the file from the FTP server to a location on my
¤ machine. After dowloading I load the dataset using OleDB and at this point
¤ it fails.
¤ Now if I make the "testuser" as administrator of my machine it works fine.
¤
¤ I also tried using ASP.NET Machine Account and set permissions as follows:
¤ - gave full control to location where the file needs to be downloaded from
¤ the FTP server(this location is on my machine).
¤
¤ ASP.NET machine account can download the file and also load the file into
¤ the dataset using OleDB provide.
¤
¤ I can't understand why with Local Machine Account / Domain Account the
¤ loading of a dataset using OleDB does not work.
¤ Are they any special permissions that needs to be set apart from the
¤ permission that are mentioned above.
¤
¤ Any help will be appreciated....
¤

Yes, it definitely sounds like a security delegation issue. See the following:

http://msdn.microsoft.com/library/d...tdelegation.asp
http://support.microsoft.com/kb/810572/


Paul
~~~~
Microsoft MVP (Visual Basic)

Paul wrote:
> Yes, it definitely sounds like a security delegation issue. See the
> following:
>
> http://msdn.microsoft.com/library/d...tdelegation.asp
> http://support.microsoft.com/kb/810572/

Hi Paul,

I tried all different things as per the document. I gave following rights to
the domain account:

1) Full control to path where the "#" delimited file is located.
2) Full control to Temporary ASP.NET Files folder
3) Changed my local policy settings and grant access:
- log on locally
- log on as service
- log on as batch
- Act as part of the operating system
- Enable Computer and user accounts to be trusted for delegation.

Even after doing this it just fails to load the file into a dataset.

Finally I have given up on this problem. As it works fine for ASP.Net
machine account I will use that by giving appropriate access.
But whats baffling me is that, it can download a "#" delimited text file
from internet and write it
to a folder but can't load it into a dataset using OleDB.

Thanks for all the help...

Cheers,
Mayur