security

"ivang" <iv**@ciklum.net> wrote in message
news:OL**************@TK2MSFTNGP10.phx.gbl...

Hello, All!

How can I check if I have access to specific network resource?

Or, having user's domain name and password check if he or she has access
to
network resource?

Thanks.

Not sure what are you calling a network resource?
If it's a remote file server, try to use the resource (fi. open a file) and
catch the "access denied" exception just like you do for a local file.

Willy.

Hello, Willy!

Thanks for reply.

Yes, it's file server. But i can't check access using file access functions,
this doesn't work when I use impersonation feature (impersonated tokens
doesn't have access to network shares at all).

WDM> "ivang" <iv**@ciklum.net> wrote in message
WDM> news:OL**************@TK2MSFTNGP10.phx.gbl...
??>> Hello, All!
??>>
??>> How can I check if I have access to specific network resource?
??>>
??>> Or, having user's domain name and password check if he or she has
??>> access to network resource?
??>>
??>> Thanks.
??>>
WDM> Not sure what are you calling a network resource?
WDM> If it's a remote file server, try to use the resource (fi. open a
WDM> file) and catch the "access denied" exception just like you do for a
WDM> local file.
With best regards, ivang. E-mail: iv************@hotmail.com

"ivang" <iv************@hotmail.com> wrote in message
news:ea**************@TK2MSFTNGP15.phx.gbl...

Hello, Willy!

Thanks for reply.

Yes, it's file server. But i can't check access using file access
functions,
this doesn't work when I use impersonation feature (impersonated tokens
doesn't have access to network shares at all).

No they dont, but if you specify the correct logontype when calling
LogonUser (NETWORK_CLEARTEXT) you will get a direct token with network
access privileges!
If you're like me and don't like impersonation, you simply have to establish
a network logon session (use record) using the "net use" command (from the
command line a logon script), or by calling Win32 API NetUseAdd through
PInvoke.

Willy.

Hello, Willy!
You wrote on Wed, 15 Dec 2004 14:15:38 +0100:

WDM> No they dont, but if you specify the correct logontype when calling
WDM> LogonUser (NETWORK_CLEARTEXT) you will get a direct token with network
WDM> access privileges!
Will this api work under asp.net process account on windows servers lower
than 2003?

WDM> If you're like me and don't like impersonation, you simply have to
WDM> establish a network logon session (use record) using the "net use"
WDM> command (from the command line a logon script), or by calling Win32
WDM> API NetUseAdd through PInvoke.
I'm not sure this will be fast enough to map different network share for
each function call :(
With best regards, ivang. E-mail: iv************@hotmail.com

"ivang" <iv************@hotmail.com> wrote in message
news:u4**************@TK2MSFTNGP11.phx.gbl...

Hello, Willy!
You wrote on Wed, 15 Dec 2004 14:15:38 +0100:

WDM> No they dont, but if you specify the correct logontype when calling
WDM> LogonUser (NETWORK_CLEARTEXT) you will get a direct token with
network
WDM> access privileges!
Will this api work under asp.net process account on windows servers lower
than 2003?
*** No, on W2K "LogonUser" can only be called by users having "Act as part
of the Operating System" privilege, by default only SYSTEM has this
privilege is, that means asp.net should run as "Localsystem" .
This restriction does not exists any longer on XP and higher.
WDM> If you're like me and don't like impersonation, you simply have to
WDM> establish a network logon session (use record) using the "net use"
WDM> command (from the command line a logon script), or by calling Win32
WDM> API NetUseAdd through PInvoke.
I'm not sure this will be fast enough to map different network share for
each function call :(

*** You shouldn't use this from asp.net, use impersonation instead.
See inline ***

Willy.

Hello, Willy!
You wrote on Wed, 15 Dec 2004 18:26:29 +0100:
WDM> *** No, on W2K "LogonUser" can only be called by users having "Act as
WDM> part of the Operating System" privilege, by default only SYSTEM has
WDM> this privilege is, that means asp.net should run as "Localsystem" .
WDM> This restriction does not exists any longer on XP and higher.
This is a real problem. We still have clients with Windows 2000 Server...

WDM>>> If you're like me and don't like impersonation, you simply have to
WDM>>> establish a network logon session (use record) using the "net use"
WDM>>> command (from the command line a logon script), or by calling Win32
WDM>>> API NetUseAdd through PInvoke.
??>> I'm not sure this will be fast enough to map different network share
??>> for each function call :(
WDM> *** You shouldn't use this from asp.net, use impersonation instead.
WDM> See inline ***
In asp.net impersonation network credentials are not delegated by default
;( Of couse I can enable Kerberos delegation for application server but we
not always have access to domain controller.

With best regards, ivang. E-mail: iv************@hotmail.com

"ivang" <iv************@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Hello, Willy!
You wrote on Wed, 15 Dec 2004 18:26:29 +0100:
WDM> *** No, on W2K "LogonUser" can only be called by users having "Act as
WDM> part of the Operating System" privilege, by default only SYSTEM has
WDM> this privilege is, that means asp.net should run as "Localsystem" .
WDM> This restriction does not exists any longer on XP and higher.
This is a real problem. We still have clients with Windows 2000 Server...

WDM>>> If you're like me and don't like impersonation, you simply have to
WDM>>> establish a network logon session (use record) using the "net use"
WDM>>> command (from the command line a logon script), or by calling Win32
WDM>>> API NetUseAdd through PInvoke.
??>> I'm not sure this will be fast enough to map different network share
??>> for each function call :(
WDM> *** You shouldn't use this from asp.net, use impersonation instead.
WDM> See inline ***
In asp.net impersonation network credentials are not delegated by default
;( Of couse I can enable Kerberos delegation for application server but we
not always have access to domain controller.

With best regards, ivang. E-mail: iv************@hotmail.com

I know this is a problem on W2K but there is no other solution as to run the
asp.net worker process as "LocalSystem" and impersonate using "LogonUser"
with a CLEARTEXT network logon type.
Forget about delegation, it doesn't work in an internat scenario.

Willy.

Use the WindowsIdentity class and obtain the credentials. The check for
the role of the user and permissions through IsInRole property of the
WindowsIdentity object. WindowsIdentity is in
System.Security.Permissions or System.Security.Principal. I do not
remember exactly.

with regards,
J.V.Ravichandran
- http://www.geocities.com/
jvravichandran
- http://www.411asp.net/func/search?
qry=Ravichandran+J.V.&cob=aspnetpro
- http://www.southasianoutlook.com
- http://www.MSDNAA.Net
- http://www.csharphelp.com
- http://www.poetry.com/Publications/
display.asp?ID=P3966388&BN=999&PN=2
- Or, just search on "J.V.Ravichandran"
at http://www.Google.com

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Did you read OP's question? Your answer has nothing to do with access
permissions to network resources.
Also, WindowsIdentity doesn't obtain credentials (domainname, username and
password), it only obtains the identity of a user provided he's an
authenticated windows user .
Willy.

"Ravichandran J.V." <jv************@yahoo.com> wrote in message
news:eK**************@TK2MSFTNGP15.phx.gbl...

Use the WindowsIdentity class and obtain the credentials. The check for
the role of the user and permissions through IsInRole property of the
WindowsIdentity object. WindowsIdentity is in
System.Security.Permissions or System.Security.Principal. I do not
remember exactly.

with regards,
J.V.Ravichandran
- http://www.geocities.com/
jvravichandran
- http://www.411asp.net/func/search?
qry=Ravichandran+J.V.&cob=aspnetpro
- http://www.southasianoutlook.com
- http://www.MSDNAA.Net
- http://www.csharphelp.com
- http://www.poetry.com/Publications/
display.asp?ID=P3966388&BN=999&PN=2
- Or, just search on "J.V.Ravichandran"
at http://www.Google.com

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!