Hello Michel,
Welcome to the MSDN newsgroup.
From your description, you're developing an .NET application which will
programmaticall y access a network share folder and copy some files into it.
Since the share folder is protected, you're encountering problems access it
in code, correct?
Based on my experience, according to your scenario, you have the following
two difficulties need to overcome:
1. Let your application(cur rent thread) running under a specific security
identity other than the default logon user (for winform or console
application).
2. Generate an identity/account on your webserver(where the code runs)
which can be used as our application's security identity, and this identity
should be authenticatable on the remote network share's machine.
For #1, we can use the .net platform invoke to call win32 "LogonUser" api
and impersonate our application code to run under the specific logon user
identity. The following kb article demonstrate how to use managed code to
perform impersonate(it applies to both desktop and asp.net application):
#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158/en-us
For #2, since the remote share is on a DMZ server (which has only local
users and groups), we can not domain account to access it, however, the
logonuser API can only access an account(credent ial) on local machine(for
your scenario it's the domainA webserver) or domain. To resolve this, you
need to create two duplicated account which have the same username and
password on both machines( the domainA webserver and the DMZ webserver).
Thus, on our domainA webserver, we can impersonate our application to run
under the "localmachi ne/duplicatedUser" account, and this account's Network
Credential can be used to access the remote DMZ server(and its share
folders). Also, you need to grant the permission for this duplicated
account on the DMZ server so as to manipulate the share folder.
I've paste a simple test console application's complete code at the bottom
of this message demonstrating the impersonate code(I've also include the
code file in this message and you can get it if you're using OE reader to
access the newsgroup).
Please feel free to let me know if you have anything unclear or any other
questions on this.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
=============== =============== =============== =====
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial
response from the community or a Microsoft Support Engineer within 1
business day is
acceptable. Please note that each follow up response may take approximately
2 business days
as the support professional working with you may need further investigation
to reach the
most efficient resolution. The offering is not appropriate for situations
that require
urgent, real-time or phone-based interactions or complex project analysis
and dump analysis
issues. Issues of this nature are best handled working with a dedicated
Microsoft Support
Engineer by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
=============== =============== =============== =====
This posting is provided "AS IS" with no warranties, and confers no rights.
===========main program file=========== =============== =
using System;
using System.Collecti ons.Generic;
using System.Text;
using System.Security .Principal;
namespace ImpersonateCons ole
{
class Program
{
static void Main(string[] args)
{
Console.WriteLi ne("Before Impersonate, User: {0}",
WindowsIdentity .GetCurrent().N ame);
if (ImpersonateHel per.Impersonate ValidUser("acco untname",
"localmachi ne or domain name", "Password") )
{
try
{
Console.WriteLi ne("After Impersonate, User: {0}",
WindowsIdentity .GetCurrent().N ame);
//add your remote file access code here
}
finally
{
ImpersonateHelp er.UndoImperson ation();
}
}
else
{
Console.WriteLi ne("Impersonat e failed......... .");
}
}
}
}
==========helpe r class code=========== ===
using System;
using System.Collecti ons.Generic;
using System.Text;
using System.Security ;
using System.Security .Principal;
using System.Runtime. InteropServices ;
namespace ImpersonateCons ole
{
public class ImpersonateHelp er
{
private static WindowsImperson ationContext impersonationCo ntext;
public const int LOGON32_LOGON_I NTERACTIVE = 2;
public const int LOGON32_PROVIDE R_DEFAULT = 0;
[DllImport("adva pi32.dll")]
public static extern int LogonUserA(Stri ng lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider ,
ref IntPtr phToken);
[DllImport("adva pi32.dll", CharSet = CharSet.Auto, SetLastError =
true)]
public static extern int DuplicateToken( IntPtr hToken,
int impersonationLe vel,
ref IntPtr hNewToken);
[DllImport("adva pi32.dll", CharSet = CharSet.Auto, SetLastError =
true)]
public static extern bool RevertToSelf();
[DllImport("kern el32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(Int Ptr handle);
public static bool ImpersonateVali dUser(String userName, String
domain, String password)
{
WindowsIdentity tempWindowsIden tity;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
if (RevertToSelf() )
{
if (LogonUserA(use rName, domain, password,
LOGON32_LOGON_I NTERACTIVE,
LOGON32_PROVIDE R_DEFAULT, ref token) != 0)
{
if (DuplicateToken (token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIden tity = new
WindowsIdentity (tokenDuplicate );
impersonationCo ntext =
tempWindowsIden tity.Impersonat e();
if (impersonationC ontext != null)
{
CloseHandle(tok en);
CloseHandle(tok enDuplicate);
return true;
}
}
}
}
if (token != IntPtr.Zero)
CloseHandle(tok en);
if (tokenDuplicate != IntPtr.Zero)
CloseHandle(tok enDuplicate);
return false;
}
public static void UndoImpersonati on()
{
impersonationCo ntext.Undo();
}
}
}
