| .NET Framework Groups | View |
| .NET Distributed_Apps |  |
| .NET | |
| .NET ADO.NET | |
| .NET ASP.NET | |
| .NET ASP.NET Security | |
| .NET ASP.NET Webcontrols | |
| .NET ASP.NET Web Services | |
| .NET Clr | |
| .NET Compact Framework | |
| .NET Drawing | |
| .NET Interop | |
| .NET Performance | |
| .NET Web Services | |
| .NET Windows Forms | |
| .NET Windows Forms Controls | |
| .NET General | |
| .NET Csharp | |
| .NET Visual Basic | |
| .NET Vc | |
| .NET Security | |
| .NET Xml | |
| Vsnet Debugging | |
| Xml | |
| Xsl | |
| Scripting Jscript | |
| Scripting Visual Basicscript | |
| Scripting Wsh | |
| Smartphone Developer | |
| Visual Basic Com | |
| Visual Basic Controls | |
| Visual Basic Crystal | |
| Visual Basic Database Ado | |
| Visual Basic Syntax | |
| Visual Basic Winapi | |
| Vc Atl | |
| Vc Debugger | |
| Vc Language | |
| Vc Mfc | |
| Vc Stl | |
| Visio Developer Visual Basica | |
| Windowsce Embedded Vc | |
| Windows Powershell | |
| Visual Basic Vista Compatibility | |
| Deployment Server | |
| .NET Micro Porting | |
|
| Group Summaries | View |
| .NET Framework | |
| Access | |
| BizTalk | |
| Certifications | |
| CRM | |
| DDK | |
| Exchange Server | |
| FoxPro | |
| French | |
| French .NET | |
| Games | |
| German | |
| German .NET | |
| Graphic Design | |
| IIS | |
| Internet | |
| ISA Server | |
| Italian | |
| Italian .NET | |
| Maps | |
| MCIS | |
| Miscellaneous | |
| Mobile Apps | |
| Money | |
| MSN | |
| Networking | |
| Office | |
| Ops Mgr | |
| Publisher | |
| Security | |
| SharePoint | |
| Small Business | |
| Spanish | |
| Spanish .NET | |
| SQL Server | |
| Systems Management Server | |
| Transaction Server | |
| Virtual PC / Virtual Server | |
| Visual Studio | |
| Win32 | |
| Windows 2000 | |
| Windows 2003 Server | |
| Windows 7 | |
| Windows Live | |
| Windows Media | |
| Windows Update | |
| Windows Vista | |
| Windows XP | |
| |
|
|
|
| View All Microsoft NET ASP NET Posts Ask A New Question |
|
Impersonate specific user in code with Windows 2008 |
avade posted on Wednesday, July 09, 2008 6:25 PM
|
ASP.Net 2.
We are migrating to Windows 2008 64 bit Server with IIS 7 from Windows 2003
32 Bit with IIS 6. A few library classes we wrote uses impersonation in code
like explained in this article:
http://support.microsoft.com/?id=306158#4
This doesn't work in Windows 2008 Server, we receive the following exception:
Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.
Exception Details: System.Security.SecurityException: Access is denied.
Source Error:
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.
[SecurityException: Access is denied.]
System.Security.Principal.WindowsImpersonationContext.Undo() +2787836
System.Security.Principal.WindowsImpersonationContext.Dispose(Boolean
disposing) +36
System.Security.Principal.WindowsImpersonationContext.Dispose() +9
System.Security.Principal.WindowsIdentity.GetName() +227
System.Security.Principal.WindowsIdentity.get_Name() +31
MyProject.MyLibrary.Library.Security.Impersonate.get_CurrentIdentity() in
MyPath\Security\ImpersonateUser.cs:204
MyProject.MyLibrary.Library.Security.Impersonate.get_Impersonating() in
MyPath\Security\ImpersonateUser.cs:214
MyProject.MyLibrary.Library.Security.Impersonate.UndoImpersonation() in
MyPath\Security\ImpersonateUser.cs:262
MyProject.MyLibrary.Library.Event.Registration.MyFunction(String
directoryName, String accountNumber) in
MyPath\Event\Registration\WebPublisher.cs:41
EventEdit.MyFunction() +72
EventEdit.btnMyFunction_Click(Object sender, EventArgs e) +10
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String
eventArgument) +76
System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler
sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +7350
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint,
Boolean includeStagesAfterAsyncPoint) +213
System.Web.UI.Page.ProcessRequest() +86
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
System.Web.UI.Page.ProcessRequest(HttpContext context) +49
ASP.event_edit_aspx.ProcessRequest(HttpContext context) +4
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +358
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +64
I did double check the policy and it is running on full trust. Full
(Internal).
If you look at the linked article, the impersonation code is calling
advapi32 and kernel32, I am guessing that is why it is failing. So my
question is, is there a code example / article out there for how to do this
on Windows 2008? Or is there an alternate method of impersonating a specific
account in code.
This is the exact code that I am using and is failing (i've removed all the
other functionality to isolate the problem).
Impersonate impersonate = new
Impersonate(LogonProvider.LOGON32_PROVIDER_WINNT50);
try {
impersonate.ImpersonateUser(myusername, mydomain, mypassword);
}
finally {
impersonate.UndoImpersonation();
}
Thx. |
 |
|
| |
|
|
I forgot, this is the exact code that handles the impersonation. |
avade posted on Wednesday, July 09, 2008 6:41 PM
|
I forgot, this is the exact code that handles the impersonation. I can't find
the original article which had this....
using System;
using System.Web;
using System.Security.Principal;
using System.Security.Permissions;
using System.Runtime.InteropServices;
using System.ComponentModel;
using System.Threading;
namespace EnterpriseUtilities
{
/// <summary>
/// used for connecting to other Logon Providers
/// </summary>
public enum LogonProvider
{
LOGON32_PROVIDER_DEFAULT = 0,
LOGON32_PROVIDER_WINNT40 = 2,
LOGON32_PROVIDER_WINNT50 = 3
}
/// <summary>
/// Used to change the level of impersonation on remote systems
/// </summary>
public enum ImpersonationLevel
{
SecurityAnonymous = 0,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
}
public enum LogonTypes
{
//logon types
LOGON32_LOGON_INTERACTIVE = 2,
LOGON32_LOGON_NETWORK = 3,
LOGON32_LOGON_BATCH = 4,
// Windows2000
LOGON32_LOGON_NETWORK_CLEARPASSWORD = 8,
LOGON32_LOGON_NEW_CREDENTIALS = 9
}
/// <summary>
/// Impersonate a specific user in the domain.
/// Note that the user account on the calling process must have
/// the SE_TCB_NAME priviledge when running on W2k.
/// This can be given using Local Policy MMC and adding account to
/// "Act as Part of the Operationg System". For ASP.NET applications the
calling
/// user context is usually ASPNET user.
/// </summary>
public class Impersonate
{
#region Dll Imports
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public extern static bool DuplicateToken(IntPtr hToken, int
impersonationLevel, ref IntPtr hNewToken);
[DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int ImpersonateLoggedOnUser(IntPtr hToken);
[DllImport("advapi32.dll", SetLastError=true)]
static extern int RevertToSelf();
#endregion
#region MEMBER VARIABLES
private IntPtr token = IntPtr.Zero;
private IntPtr dupToken = IntPtr.Zero;
private LogonProvider _logonProvider;
private ImpersonationLevel _impersonationLevel;
private string _originalUser = Thread.CurrentPrincipal.Identity.Name;
private LogonTypes _logonType;
private bool impersonated = false;
#endregion
#region CONTRUCTORS
public Impersonate(LogonProvider logonProvider, ImpersonationLevel level,
LogonTypes logonType)
{
this._logonProvider = logonProvider;
this._impersonationLevel = level;
this._logonType = logonType;
}
public Impersonate(LogonProvider logonProvider, ImpersonationLevel level)
public Impersonate(LogonProvider logonProvider) : this (logonProvider,
ImpersonationLevel.SecurityImpersonation, LogonTypes.LOGON32_LOGON_NETWORK) {}
public Impersonate() : this(LogonProvider.LOGON32_PROVIDER_DEFAULT,
ImpersonationLevel.SecurityImpersonation, LogonTypes.LOGON32_LOGON_NETWORK) {}
#endregion
#region PUBLIC PROPERTIES
public ImpersonationLevel Level
{
get { return this._impersonationLevel; }
set { this._impersonationLevel = value; }
}
public LogonTypes LogonType
{
get { return this._logonType; }
set { this._logonType = value; }
}
public string CurrentIdentity
{
get
{
return Thread.CurrentPrincipal.Identity.Name;
}
}
/// <summary>
/// Property returns whether or not an impersonation is occurring
/// </summary>
public bool Impersonating
{
get
{
return this.CurrentIdentity != this._originalUser;
}
}
#endregion
#region PUBLIC METHODS
/// <summary>
/// Impersonates a specific user in the domain. This changes the process
/// identity to the impersonated user's security context.
/// </summary>
/// Domain name
/// Login ID
/// Password
public void ImpersonateUser(string domain, string username, string password)
{
ImpersonateUser(domain, username, password, false);
}
/// <summary>
/// Impersonates a specific user in the domain. This changes the process
/// identity to the impersonated user's security context.
/// </summary>
/// Domain name
/// Login ID
/// Password
/// Do not process impersonisation.
public void ImpersonateUser(string domain, string username, string
password, bool justLogon)
{
if (Impersonating) throw new System.Security.SecurityException("You are
already impersonating " + CurrentIdentity);
impersonated = LogonUser(username,
domain,
password,
(int)_logonType,
(int)_logonProvider,
ref token);
//check the error
if(!impersonated) throw new Win32Exception(Marshal.GetLastWin32Error());
if (!justLogon) ImpersonateLoggedOnUser(token);
}
/// <summary>
/// Reverts back to the original process identity.
/// </summary>
public void UndoImpersonation()
{
if (impersonated) RevertToSelf();
if (token != IntPtr.Zero) CloseHandle(token);
if (dupToken != IntPtr.Zero) CloseHandle(dupToken);
}
#endregion
}
} |
| |
|
One more update as I keep debugging. |
avade posted on Wednesday, July 09, 2008 7:11 PM
|
One more update as I keep debugging. I am impersonating domain account for
the website, which seems to make a difference because if I add my the user to
the local admin group, I get no errors.
In web.config I impersonate like this:
So now it seems like a security policy problem with this user. I found this
somewhat related post.
http://forums.asp.net/p/905562/1001414.aspx
Any help is appreciated. Thx. |
| |
|
If I remember you have to allow impersonation for this user. |
Patrice posted on Thursday, July 10, 2008 4:24 AM
|
If I remember you have to allow impersonation for this user. Try
http://support.microsoft.com/kb/821546/en-us
--
Patrice |
| |
|
Patrice,The IIS_USRS is already part of "Impersonate a Client After |
avade posted on Thursday, July 10, 2008 1:12 PM
|
Patrice,
The IIS_USRS is already part of "Impersonate a Client After Authentication",
I did add the domain user as well just in case.
I added the domain user to "Create Global Objects", but still get the same
error.
I issued gpupdate /force after making these changes.
Is there a way to debug/log what user is requesting / failing the specific
permission?
Thx. |
| |
|
|
|
|
| Previous Microsoft NET ASP NET conversation. |
|
|