ASP.NET Impersonation Problem

Client Side Code
-----------------
System.Net.Netw orkCredential credential = new

"Ram P. Dash" <ra****@hotmail .com> wrote in message
news:%2******** ********@TK2MSF TNGP10.phx.gbl. ..

Client Side Code
-----------------
System.Net.Netw orkCredential credential = new

How can this be client-side code...?

Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III.

Case I:

Client Side Code
-----------------
System.Net.Netw orkCredential credential = new
System.Net.Netw orkCredential(" myUserName", "myPassword ", "myDomain") ;
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();

Server Side Code
------------------
Web.config
-----------
<authenticati on mode="Windows" />
<identity impersonate="tr ue" />

ServiceA
---------
[WebMethod]
public void SomeMethod() {

// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// But it fails
}

Case II:
Everything being same if I change only the Web.config as follows, it
works:

<authenticati on mode="Windows" />
<identity impersonate="tr ue" userName="myDom ain\myUserName"
password="myPas sword" />

Case III:

Web.config
------------
<authenticati on mode="Windows" />
<!-- No impersonation -->

ServiceA
---------
[WebMethod]
public void SomeMethod() {

Impersonate i = new Impersonate();
i.StartImperson ate();
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// This time it works
i.UndoImpersona te();
}

public class Impersonate {

// Usual code using the following
[DllImport("adva pi32.dll")]
public static extern int LogonUserA(...) ;
}

I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.

a) Changing the "userName" attribute from "machine" to "system" in
"processMod el" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\W indows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"

Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)

Our corporate policy strongly favors doing things as in CASE I. How can I
make it work?

Thanks,
Ram

Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III.

Case I:

Client Side Code
-----------------
System.Net.Netw orkCredential credential = new
System.Net.Netw orkCredential(" myUserName", "myPassword ", "myDomain") ;
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();

Server Side Code
------------------
Web.config
-----------
<authenticati on mode="Windows" />
<identity impersonate="tr ue" />

ServiceA
---------
[WebMethod]
public void SomeMethod() {

// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// But it fails
}

Case II:
Everything being same if I change only the Web.config as follows, it
works:

<authenticati on mode="Windows" />
<identity impersonate="tr ue" userName="myDom ain\myUserName"
password="myPas sword" />

Case III:

Web.config
------------
<authenticati on mode="Windows" />
<!-- No impersonation -->

ServiceA
---------
[WebMethod]
public void SomeMethod() {

Impersonate i = new Impersonate();
i.StartImperson ate();
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// This time it works
i.UndoImpersona te();
}

public class Impersonate {

// Usual code using the following
[DllImport("adva pi32.dll")]
public static extern int LogonUserA(...) ;
}

I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.

a) Changing the "userName" attribute from "machine" to "system" in
"processMod el" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\W indows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"

Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)

Our corporate policy strongly favors doing things as in CASE I. How can I
make it work?

Thanks,
Ram

I create an instance of NetworkCredenti al and feed that to the WebService
proxy class object.

its all to due with creditial forwarding (1 hop rule). to access the
network, you creditial need to be a primary token with network access.

case I: will fail becuase the server does not have a primary token only one passed from the client, unless the browser in on the server - localhost. (as many develop apps on their local box and use localhost, the problem is not
seen until prod. you can dup on your own box, by hitting from another box.)
case II: works because the server has a primary token created by asp.net

case III: works becuase the thread creates a primary token

as pointed at, you can use kerberos, and enable creditial forwarding.

-- bruce (sqlwork.com)

"Ram P. Dash" <ra****@hotmail .com> wrote in message
news:%2******** ********@TK2MSF TNGP10.phx.gbl. ..

Now this is a classic. The impersonation fails for CASE I but doesn't fail for CASE II or III.

Case I:

Client Side Code
-----------------
System.Net.Netw orkCredential credential = new
System.Net.Netw orkCredential(" myUserName", "myPassword ", "myDomain") ;
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();

Server Side Code
------------------
Web.config
-----------
<authenticati on mode="Windows" />
<identity impersonate="tr ue" />

ServiceA
---------
[WebMethod]
public void SomeMethod() {

// Write to share drive code (the share drive has myUserName in ACL list, myUserName should be able to write to it)
// But it fails
}

Case II:
Everything being same if I change only the Web.config as follows, it
works:

<authenticati on mode="Windows" />
<identity impersonate="tr ue" userName="myDom ain\myUserName"
password="myPas sword" />

Case III:

Web.config
------------
<authenticati on mode="Windows" />
<!-- No impersonation -->

ServiceA
---------
[WebMethod]
public void SomeMethod() {

Impersonate i = new Impersonate();
i.StartImperson ate();
// Write to share drive code (the share drive has myUserName in ACL list, myUserName should be able to write to it)
// This time it works
i.UndoImpersona te();
}

public class Impersonate {

// Usual code using the following
[DllImport("adva pi32.dll")]
public static extern int LogonUserA(...) ;
}

I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.

a) Changing the "userName" attribute from "machine" to "system" in
"processMod el" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\W indows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"

Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)

Our corporate policy strongly favors doing things as in CASE I. How can I make it work?

Thanks,
Ram

Thanks a lot Bruce,

As rightly pointed out by you, it's a double hop issue which can be
resolved
via kerberos delegation. However, our corporate security group will never
allow it.

I know this question is stupid but is there any way that on the server
side
I can create a primary token based on the credentials supplied from
client?

Ram