Network access from ASPNET user

Is there any other [simple] solution for an ASPNET application to access
network resources other than running as SYSTEM, using delegation (a
nightmare to get to work) or the COM+ solution? I cannot seem to impersonate
a user and obtain network credentials using the DuplicateTokenEx call with
appropriate parameters even though the call seems to not fail. I check my
identity has changed but can only still do local commands.

I would consider running CreateProcessWithLogonW after impersonating an
admin if I could reliably supply stdin and capture stdout and stderr but
can't figure out how to do this in .NET though have done something similar
with standard I/O streams and CreateProcess in a C++ OCX control before.

Main idea is to be able to display network related command output in an
Intranet web page and still maintain reasonable security on the internal
server.

CreateProcessWithLogonW would be the ticket if I could impersonate an Admin
w/o network credentials and then could capture the process' output.

Thanks for any ideas or samples,
Dave

Nov 18 '05 #1
the token you duplicate must be a primary token if you want to use it for
network access. if you are impersonating the iis user, they must use basic
authentication (which results in a primary token) or digest which gives a
token that supports delegation (if delegation is turned on).

if you have a standard domain login & password you want to use, you can use
them to create a primary token, though you might as well set the login &
password in the web config.
-- bruce (sqlwork.com)

Nov 18 '05 #2
When using Windows Authentication with ASPNET and using either <identity
user= pw=/> on web.config or programmatically via LogonUser/DuplicateTokenEx
I do not get a token with network credentials as I can only do things on my
own machine. I use a combination of these calls asking for full access and a
primary token successfully and still get all network access denied. I check
that I have successfully switched identities by printing them out. Dave

Nov 18 '05 #3
Dave,
You can access network resources of another machine using impersonation.
Follow this procedure:

* Create a Windows user on the web server you are using (your machine), call it e.g. netuser1.
* In the Web.config file of your ASP.NET application:

    <system.web>
      <identity impersonate="true" />
    </system.web>

Then create a user with the same name netuser1 with the same password on
the machine on the network and give access
to this user for the resource you want to access (e.g. give security
permission, read, write etc. to the folder on that machine).
You can put the user name and password in the identity part in the
Web.config but that is not secure.
So it will be secure to put the impersonate user name and password on the
directory security of the virtual directory of IIS.
For example, in IIS 5.0 in Windows 2000:

* Right-click on the virtual directory.
* Go to the Directory Security tab and click on the first EDIT button for
anonymous access and authentication control.
* Click on the EDIT of anonymous access, click Browse and change the user
name and password to netuser1 and its password.

Now you can access the network resource.

For example, you can access the file on another machine:

    using System.IO;

    // UNC path to the file on the remote share
    string filename = "\\\\ip address of the machine\\sharename$\\foldername\\file1.txt";
    StreamReader oSR = new StreamReader(filename);

and loop through it to get the information on that file.
Hope this helps.
Regards,
Marshal Antony
http://dotnetmarshal.com

Nov 18 '05 #4

Marshal, This solution does not work for me as I am not in a position to add
a local user to all the machines and resources I need access to from my web
app and I also need Windows authentication to happen. I need to be able to
impersonate a particular domain user that already has access to the machines
in question and that if I do a local RunAs works fine. Thanks though, Dave

P.S. I have a working class that can execute commands (.NET Process object)
and do impersonation (Logon/DuplicateTokenEx) and capture output but it does
not manage to actually get network credentials for the domain user being
impersonated even though I ask for them and the DuplicateTokenEx seems to
work fine.

Dave

Nov 18 '05 #5
Dave,

Read this which may help you :
http://www.netomatix.com/ImpersonateUser.aspx

Regards,
Marshal Antony
http://dotnetmarshal.com

Nov 18 '05 #6
