 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / New Users / May 2005ASP.NET Impersonation Problem
Now this is a classic. The impersonation fails for CASE I but doesn't fail for CASE II or III. Case I: Client Side Code ----------------- System.Net.NetworkCredential credential = new System.Net.NetworkCredential("myUserName", "myPassword", "myDomain"); ServiceA a = new ServiceA(); a.Credentials = credential; a.SomeMethod(); Server Side Code ------------------ Web.config ----------- <authentication mode="Windows" /> <identity impersonate="true" /> ServiceA --------- [WebMethod] public void SomeMethod() { // Write to share drive code (the share drive has myUserName in ACL list, myUserName should be able to write to it) // But it fails } Case II: Everything being same if I change only the Web.config as follows, it works: <authentication mode="Windows" /> <identity impersonate="true" userName="myDomain\myUserName" password="myPassword" /> Case III: Web.config ------------ <authentication mode="Windows" /> <!-- No impersonation --> ServiceA --------- [WebMethod] public void SomeMethod() { Impersonate i = new Impersonate(); i.StartImpersonate(); // Write to share drive code (the share drive has myUserName in ACL list, myUserName should be able to write to it) // This time it works i.UndoImpersonate(); } public class Impersonate { // Usual code using the following [DllImport("advapi32.dll")] public static extern int LogonUserA(...); } I've tried the following for CASE I as suggested in http://support.microsoft.com/default.aspx?scid=KB;en-us;q306158. But nothing works. a) Changing the "userName" attribute from "machine" to "system" in "processModel" node in machine.config b) Including ASPNET user in following Group Policy: \Local Computer Policy\Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\"Act as part of the operating system" Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No service pack) Our corporate policy strongly favors doing things as in CASE I. How can I make it work? Thanks, Ram > Client Side Code > ----------------- > System.Net.NetworkCredential credential = new How can this be client-side code...? I create an instance of NetworkCredential and feed that to the WebService proxy class object. The credential do get carried to the WebService. However the token's ACL is lost somewhere in the middle. In CASE I on server side, if I do System.Security.Principal.WindowsIdentity id = System.Security.Principal.WindowsIdentity.GetCurrent(); I can see my identity. Ram > > Client Side Code > > ----------------- > > System.Net.NetworkCredential credential = new > > How can this be client-side code...? >I create an instance of NetworkCredential and feed that to the WebService > proxy class object. Not client-side you don't... > Now this is a classic. The impersonation fails for CASE I but doesn't fail > for CASE II or III. [quoted text clipped - 80 lines] > Thanks, > Ram I told you, that this can only work in a Kerberos Realm (W2K AD domain), and this only when Delegation is enabled at the server and all clients are delegatable. This is not something I would ever recommend. A better solution is to authenticate the client , and access the remote share using fixed credentials, access control can be implemented using roles. Willy. its all to due with creditial forwarding (1 hop rule). to access the network, you creditial need to be a primary token with network access. case I: will fail becuase the server does not have a primary token only one passed from the client, unless the browser in on the server - localhost. (as many develop apps on their local box and use localhost, the problem is not seen until prod. you can dup on your own box, by hitting from another box.) case II: works because the server has a primary token created by asp.net case III: works becuase the thread creates a primary token as pointed at, you can use kerberos, and enable creditial forwarding. -- bruce (sqlwork.com) > Now this is a classic. The impersonation fails for CASE I but doesn't fail > for CASE II or III. [quoted text clipped - 80 lines] > Thanks, > Ram Thanks a lot Bruce, As rightly pointed out by you, it's a double hop issue which can be resolved via kerberos delegation. However, our corporate security group will never allow it. I know this question is stupid but is there any way that on the server side I can create a primary token based on the credentials supplied from client? Ram > its all to due with creditial forwarding (1 hop rule). to access the > network, you creditial need to be a primary token with network access. [quoted text clipped - 96 lines] > > Thanks, > > Ram > Thanks a lot Bruce, > [quoted text clipped - 9 lines] > > Ram If You mean passing the credentials from the client to the server, yes there is call "LogonUser"at the server using the credentials supplied. But again this is a real bad idea, calling LogonUser for each service request can kill the performance of the server application when handling multiple simultaneous requests, and I wonder if the security group will allow this. Do as I said, authenticate as close to the client as possible, once authenticated use roles for authorization handling. Willy. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.