Impersonation in ASP.NET

Guest

Hi
I would like to know how to use impersonation, in order to write to a file
on a network share.
The user will be logging on to this web app, and will then click a button
which will write to a file on the network share. Currently though, I am
getting permissions errors. I don't want to set identity impersonate = "true"
because I gather that exposes security weaknesses. Rather, I would like the
user to have to actually enter their windows password. I would then call an
impersonate method, and then try to do it. But it is not working at the
moment, I suspect due to permissions.

Here is the code used to impersonate:
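    ' Requires Imports System.Security.Principal. impersonationContext, LogonUser,
    ' DuplicateToken and the LOGON32_* constants are declared elsewhere (not shown).
    Public Function Impersonate(ByVal UserName As String, ByVal Domain As String, _
                                ByVal Password As String) As Boolean
        Dim tempWindowsIdentity As WindowsIdentity
        Dim token As IntPtr
        Dim tokenDuplicate As IntPtr

        ' Log the user on, then duplicate the token at SecurityImpersonation level (2).
        If LogonUser(UserName, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                     LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
            If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
                tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                impersonationContext = tempWindowsIdentity.Impersonate()
                Return Not (impersonationContext Is Nothing)
            End If
        End If

        ' Logon or token duplication failed.
        Return False
    End Function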

(written in VB.NET, but equally in C#)

Running the same code to write to the text file in a windows forms
application works fine.
This throws a permissions error in ASP.NET, even though the impersonation
method appears to be successful.

Any help much appreciated

Thanks
 
Raterus

Don't cross-post. aspnet.security is the only appropriate group you needed to post to.

One thing that should work is to make the page that performs this operation set up for "basic authentication". They will be authenticated on IIS first; then, if this takes place, impersonate with code using the shorter method found here: http://support.microsoft.com/default.aspx?scid=kb;en-us;306158
I don't see why it wouldn't work, and you also won't have to worry about coding a potentially buggy interface to gather their username/password.
 
Bonj

I've done the 'impersonate with code' bit, but I can't figure out the "make
the page set up for basic authentication" bit. Any ideas? I mean, what do I
actually need to configure other than the code I've already written?

The interface does collect their username and password, but it isn't buggy
because it doesn't store it in session variables, the query string or any
other form of memory other than the stack.

 
Raterus

You have to configure basic authentication in IIS: find the page you are referring to, right-click, Properties, Directory Security tab.
 
Guest

I figured it out. The problem was not permissions, but the fact that IIS
obviously doesn't understand network drives. Put the full UNC path in
(e.g. \\server\share$ rather than just L:\) and it works like a dream.
It didn't help that the error message was quite generic in all
cases - 'could not find a part of the path ... blah blah blah'. Which is the
same error message you get if you don't call Impersonate.

Thanks
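
An added example, not code from any poster in this thread: it combines the LogonUser/DuplicateToken impersonation from the question with the UNC-path fix from the last post, and scopes the impersonation to the single write so the thread reverts and the token handles are closed even if the write fails. The module name ShareWriter, the helper AppendAsUser and its parameter names are hypothetical; it assumes .NET Framework on Windows.

```vb
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Public Module ShareWriter
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, _
        ByVal provider As Integer, ByRef token As IntPtr) As Boolean
    End Function
    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Function DuplicateToken(ByVal token As IntPtr, ByVal level As Integer, _
        ByRef duplicate As IntPtr) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Hypothetical helper: append one line to a file on a share as the given user.
    Public Sub AppendAsUser(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByVal uncPath As String, ByVal line As String)
        ' Drive mappings such as L: are per logon session, so require a UNC path.
        If Not uncPath.StartsWith("\\") Then Throw New ArgumentException("Use \\server\share\..., not a drive letter.")
        Dim token As IntPtr = IntPtr.Zero
        Dim duplicate As IntPtr = IntPtr.Zero
        Dim context As WindowsImpersonationContext = Nothing
        Try
            If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                             LOGON32_PROVIDER_DEFAULT, token) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            If Not DuplicateToken(token, 2, duplicate) Then ' 2 = SecurityImpersonation
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            context = New WindowsIdentity(duplicate).Impersonate()
            File.AppendAllText(uncPath, line & Environment.NewLine)
        Finally
            ' Always revert and release handles, even when the write fails.
            If context IsNot Nothing Then context.Undo()
            If duplicate <> IntPtr.Zero Then CloseHandle(duplicate)
            If token <> IntPtr.Zero Then CloseHandle(token)
        End Try
    End Sub
End Module
```

Throwing Win32Exception on a failed logon keeps a bad password distinguishable from the generic 'could not find a part of the path' error mentioned above.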
 
