security

ivang

Hello, All!

How can I check if I have access to a specific network resource?

Or, having a user's domain name and password, check whether he or she has access to a
network resource?

Thanks.
 
ivang said:
Hello, All!

How can I check if I have access to a specific network resource?

Or, having a user's domain name and password, check whether he or she has access to a
network resource?

Thanks.
Not sure what you are calling a network resource?
If it's a remote file server, try to use the resource (for instance, open a file) and
catch the "access denied" exception just like you do for a local file.

Willy.
 
Hello, Willy!

Thanks for the reply.

Yes, it's a file server. But I can't check access using file access functions;
this doesn't work when I use the impersonation feature (impersonated tokens
don't have access to network shares at all).



With best regards, ivang. E-mail: (e-mail address removed)
 
ivang said:
Hello, Willy!

Thanks for the reply.

Yes, it's a file server. But I can't check access using file access functions;
this doesn't work when I use the impersonation feature (impersonated tokens
don't have access to network shares at all).

No, they don't, but if you specify the correct logon type when calling
LogonUser (NETWORK_CLEARTEXT), you will get a direct token with network
access privileges!
If you're like me and don't like impersonation, you simply have to establish
a network logon session (use record) using the "net use" command (from the
command line or a logon script), or by calling the Win32 API NetUseAdd through
P/Invoke.

Willy.
 
Hello, Willy!
You wrote on Wed, 15 Dec 2004 14:15:38 +0100:

WDM> No they dont, but if you specify the correct logontype when calling
WDM> LogonUser (NETWORK_CLEARTEXT) you will get a direct token with network
WDM> access privileges!
Will this API work under the ASP.NET process account on Windows servers older
than 2003?

WDM> If you're like me and don't like impersonation, you simply have to
WDM> establish a network logon session (use record) using the "net use"
WDM> command (from the command line a logon script), or by calling Win32
WDM> API NetUseAdd through PInvoke.
I'm not sure this will be fast enough to map a different network share for
each function call :(


With best regards, ivang. E-mail: (e-mail address removed)
 
ivang said:
Hello, Willy!
You wrote on Wed, 15 Dec 2004 14:15:38 +0100:

WDM> No they dont, but if you specify the correct logontype when calling
WDM> LogonUser (NETWORK_CLEARTEXT) you will get a direct token with network
WDM> access privileges!
Will this API work under the ASP.NET process account on Windows servers older
than 2003?
*** No, on W2K "LogonUser" can only be called by users having the "Act as part
of the Operating System" privilege; by default only SYSTEM has this
privilege, which means ASP.NET should run as "LocalSystem".
This restriction no longer exists on XP and higher.
WDM> If you're like me and don't like impersonation, you simply have to
WDM> establish a network logon session (use record) using the "net use"
WDM> command (from the command line a logon script), or by calling Win32
WDM> API NetUseAdd through PInvoke.
I'm not sure this will be fast enough to map a different network share for
each function call :(
*** You shouldn't use this from asp.net, use impersonation instead.


See inline ***

Willy.
 
Hello, Willy!
You wrote on Wed, 15 Dec 2004 18:26:29 +0100:


WDM> *** No, on W2K "LogonUser" can only be called by users having "Act as
WDM> part of the Operating System" privilege, by default only SYSTEM has
WDM> this privilege is, that means asp.net should run as "Localsystem" .
WDM> This restriction does not exists any longer on XP and higher.
This is a real problem. We still have clients with Windows 2000 Server...

WDM>>> If you're like me and don't like impersonation, you simply have to
WDM>>> establish a network logon session (use record) using the "net use"
WDM>>> command (from the command line a logon script), or by calling Win32
WDM>>> API NetUseAdd through PInvoke.
??>> I'm not sure this will be fast enough to map different network share
??>> for each function call :(
WDM> *** You shouldn't use this from asp.net, use impersonation instead.
WDM> See inline ***
With ASP.NET impersonation, network credentials are not delegated by default
;( Of course I can enable Kerberos delegation for the application server, but we
don't always have access to the domain controller.

With best regards, ivang. E-mail: (e-mail address removed)
 
ivang said:
Hello, Willy!
You wrote on Wed, 15 Dec 2004 18:26:29 +0100:


WDM> *** No, on W2K "LogonUser" can only be called by users having "Act as
WDM> part of the Operating System" privilege, by default only SYSTEM has
WDM> this privilege is, that means asp.net should run as "Localsystem" .
WDM> This restriction does not exists any longer on XP and higher.
This is a real problem. We still have clients with Windows 2000 Server...

WDM>>> If you're like me and don't like impersonation, you simply have to
WDM>>> establish a network logon session (use record) using the "net use"
WDM>>> command (from the command line a logon script), or by calling Win32
WDM>>> API NetUseAdd through PInvoke.
??>> I'm not sure this will be fast enough to map different network share
??>> for each function call :(
WDM> *** You shouldn't use this from asp.net, use impersonation instead.
WDM> See inline ***
With ASP.NET impersonation, network credentials are not delegated by default
;( Of course I can enable Kerberos delegation for the application server, but we
don't always have access to the domain controller.

With best regards, ivang. E-mail: (e-mail address removed)
I know this is a problem on W2K, but there is no other solution than to run the
ASP.NET worker process as "LocalSystem" and impersonate using "LogonUser"
with a CLEARTEXT network logon type.
Forget about delegation; it doesn't work in an internet scenario.

Willy.
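Willy's recommendation (a LogonUser call with the NETWORK_CLEARTEXT logon type, impersonate the token, then probe the share by opening a file and catching "access denied") as a worked example; this is an added illustration, not code from anyone in the thread. The class name, the usage arguments and the UNC path are hypothetical; the constants and P/Invoke signatures are the documented Win32 ones.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper, not from the thread: NETWORK_CLEARTEXT logon + impersonation,
// then probe the share by opening a file and catching "access denied".
static class ShareAccessProbe
{
    // Logon type 8 keeps the cleartext credentials, so the token can authenticate to
    // remote servers. On Windows 2000 the caller also needs "Act as part of the OS".
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    // True if domain\user can open uncPath for reading, false on "access denied".
    // Logon failures and other I/O errors (share unreachable, file missing) throw.
    public static bool CanRead(string domain, string user, string password, string uncPath)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate();
            try
            {
                using (File.Open(uncPath, FileMode.Open, FileAccess.Read, FileShare.Read))
                    return true;
            }
            catch (UnauthorizedAccessException) { return false; }
            finally { ctx.Undo(); }          // always revert to the process identity
        }
        finally { CloseHandle(token); }      // and release the logon token
    }
    // Usage: ShareAccessProbe.exe DOMAIN user password \\server\share\file.txt
    static int Main(string[] args)
    {
        if (args.Length != 4) { Console.Error.WriteLine("usage: domain user password uncPath"); return 2; }
        bool ok = CanRead(args[0], args[1], args[2], args[3]);
        Console.WriteLine(ok ? "access granted" : "access denied");
        return ok ? 0 : 1;
    }
}
```

Only UnauthorizedAccessException is treated as "no access"; an IOException (server unreachable, path missing) is left to propagate so a connectivity problem is not misreported as a permission result.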
 
Use the WindowsIdentity class and obtain the credentials. Then check for
the role of the user and permissions through the IsInRole property of the
WindowsIdentity object. WindowsIdentity is in
System.Security.Permissions or System.Security.Principal. I do not
remember exactly.

with regards,


J.V.Ravichandran
- http://www.geocities.com/jvravichandran
- http://www.411asp.net/func/search?qry=Ravichandran+J.V.&cob=aspnetpro
- http://www.southasianoutlook.com
- http://www.MSDNAA.Net
- http://www.csharphelp.com
- http://www.poetry.com/Publications/display.asp?ID=P3966388&BN=999&PN=2
- Or, just search on "J.V.Ravichandran" at http://www.Google.com
 
Did you read the OP's question? Your answer has nothing to do with access
permissions to network resources.
Also, WindowsIdentity doesn't obtain credentials (domain name, username and
password); it only obtains the identity of a user, provided he's an
authenticated Windows user.
Willy.
 