Why can't access a file under mapped network drive from Web Servic

Because the Framework built in security does not allow this unless the
user that the code is running under (which by default for a Web Service
is ASPNET I believe) has rights to the drive. You need to do one of
three things:

1) Change the rights that the user ASPNET has. Very bad idea. Major
security issues.

2) Change the user that the Web Service is running under to one that
has the correct rights. Better than 1) but still a big security risk.

3) Read up on impersonation and change the code to impersonate a user
that has rights to the drive - for only the amount of time that you are
actively accessing the files. Best option from a security standpoint,
but most work to get working. I have had mixed luck with impersonation
- but I know that the issues that I have are understanding issues, not
implementation issues.

HTH

David

"moonriver" <mo*******@discussions.microsoft.com> wrote in message
news:25**********************************@microsof t.com:

I write a program accessing files in network drive o:. It is doable as a
standalone application. However, if it is running under windows service, the
following exception will appear:

13/07/2004 10:24:48 AM run() error: System.IO.IOException: The specified
network password is not correct.

at System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath,
Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share)
at dump_tool.Dump_Load.run()
The source codes relevant are:

Cur_Fs = File.Open( Cur_File, FileMode.Open, FileAccess.Read,
FileShare.Read );

Where Cur_File = "o:\jul04\10\fares.fl", o: is a mapped network drive.

Because the Framework built in security does not allow this unless the
user that the code is running under (which by default for a Web Service
is ASPNET I believe) has rights to the drive. You need to do one of
three things:

1) Change the rights that the user ASPNET has. Very bad idea. Major
security issues.

2) Change the user that the Web Service is running under to one that
has the correct rights. Better than 1) but still a big security risk.

3) Read up on impersonation and change the code to impersonate a user
that has rights to the drive - for only the amount of time that you are
actively accessing the files. Best option from a security standpoint,
but most work to get working. I have had mixed luck with impersonation
- but I know that the issues that I have are understanding issues, not
implementation issues.

HTH

David

"moonriver" <mo*******@discussions.microsoft.com> wrote in message
news:25**********************************@microsof t.com:

I write a program accessing files in network drive o:. It is doable as a
standalone application. However, if it is running under windows service, the
following exception will appear:

13/07/2004 10:24:48 AM run() error: System.IO.IOException: The specified
network password is not correct.

at System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath,
Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share)
at dump_tool.Dump_Load.run()
The source codes relevant are:

Cur_Fs = File.Open( Cur_File, FileMode.Open, FileAccess.Read,
FileShare.Read );

Where Cur_File = "o:\jul04\10\fares.fl", o: is a mapped network drive.

"moonriver" <mo*******@discussions.microsoft.com> wrote in message
news:25**********************************@microsof t.com...

I write a program accessing files in network drive o:. It is doable as a standalone application. However, if it is running under windows service, the following exception will appear:

You can't access mapped drives from a service because mapped drives are
user-specific and become available when a physical login takes place.
Services don't have an associated user session. Use a UNC path instead. In
other words, if mapped drive "o:" is represented by:

'\\computername\neo\trinity"

set the filename argument to

'\\computername\neo\trinity\jul04\10\fares.fl'

FWIW, I'm not really Asian.

"moonriver" <mo*******@discussions.microsoft.com> wrote in message
news:25**********************************@microsof t.com...

I write a program accessing files in network drive o:. It is doable as a standalone application. However, if it is running under windows service, the following exception will appear:

You can't access mapped drives from a service because mapped drives are
user-specific and become available when a physical login takes place.
Services don't have an associated user session. Use a UNC path instead. In
other words, if mapped drive "o:" is represented by:

'\\computername\neo\trinity"

set the filename argument to

'\\computername\neo\trinity\jul04\10\fares.fl'

FWIW, I'm not really Asian.

David,

I have tried your solution (3) by the following codes:

================================================== ====
public bool set_impersonate()
{
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_INTERACTIVE = 2;
const int SecurityImpersonation = 2;
WindowsIdentity wi;
IntPtr tokenHandle = new IntPtr(0);
IntPtr dupeTokenHandle = new IntPtr(0);

tokenHandle = IntPtr.Zero;
dupeTokenHandle = IntPtr.Zero;

try
{
// Call LogonUser to obtain a handle to an access
token.
bool returnValue = LogonUser
( "xiaodan", "IT1135XD", "xiao2002",
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref tokenHandle );

if( !returnValue )
{
int ret = Marshal.GetLastWin32Error();

DumpLog.WriteEntry( String.Format( "{0}
LogonUser failed with error code : {1}",
DateTime.Now, ret ) );

DumpLog.WriteEntry( String.Format( "{0} Error:
[{1}]", DateTime.Now, ret ) );
return( false );
}

bool retVal = DuplicateToken( tokenHandle,
SecurityImpersonation, ref dupeTokenHandle );
if( !retVal )
{
CloseHandle( tokenHandle );
DumpLog.WriteEntry( String.Format( "Exception
thrown in trying to duplicate token." ) );
return( false );
}

wi = WindowsIdentity.GetCurrent();
DumpLog.WriteEntry( String.Format( "Before
impersonation: {0} User Name = ({1}), Token = {2}",
DateTime.Now, wi.Name, wi.Token ) );

// The token that is passed to the following
// constructor must be a primary token in order
// to use it for impersonation.
WindowsIdentity newId = new WindowsIdentity(
dupeTokenHandle );
WindowsImpersonationContext impersonatedUser =
newId.Impersonate();

wi = WindowsIdentity.GetCurrent();
DumpLog.WriteEntry( String.Format( "After
impersonation: {0} User Name = ({1}), Token =
{2}",
DateTime.Now, wi.Name, wi.Token ) );
return( true );
}
catch( Exception e )
{
Log_sw.WriteLine( "{0} set_impersonate() error:
{1}",
DateTime.Now, e.ToString() );
DumpLog.WriteEntry( String.Format( "{0}
set_impersonate() error: {1}",
DateTime.Now, e.ToString() ) );
return( false );
}
}
================================================== ====

I call the funtion just before the File.Open()
statement to switch the impersonate to my log-on
username/password, shown as follows:

================================================== ====
set_impersonate();

WindowsIdentity wi = WindowsIdentity.GetCurrent();
DumpLog.WriteEntry( String.Format( "Before
File.Open(): {0} User Name = ({1}), Token = {2}",
DateTime.Now, wi.Name, wi.Token ) );

Cur_Fs = File.Open( Cur_File, FileMode.Open,
FileAccess.Read, FileShare.Read );
================================================== ====

The log displays:

================================================== ====
Before File.Open(): 14/07/2004 6:35:15 PM User Name =
(IT1135XD\xiaodan), Token = 828
================================================== ====

Which is exactly my log-on impersonate. However, the
exception is still raised in the File.Open statement
as the follows:

================================================== ====
14/07/2004 6:35:16 PM run() error:
System.IO.IOException: Logon failure: unknown user
name or bad password.

at System.IO.__Error.WinIOError(Int32 errorCode,
String str)
at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32
bufferSize, Boolean useAsync, String msgPath, Boolean
bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share)
at dump_tool.Dump_Load.run()
================================================== ====

So how to do?

"David Williams" <David Williams>, "VB.NE" wrote:

Because the Framework built in security does not allow this unless the
user that the code is running under (which by default for a Web Service
is ASPNET I believe) has rights to the drive. You need to do one of
three things:

1) Change the rights that the user ASPNET has. Very bad idea. Major
security issues.

2) Change the user that the Web Service is running under to one that
has the correct rights. Better than 1) but still a big security risk.

3) Read up on impersonation and change the code to impersonate a user
that has rights to the drive - for only the amount of time that you are
actively accessing the files. Best option from a security standpoint,
but most work to get working. I have had mixed luck with impersonation
- but I know that the issues that I have are understanding issues, not
implementation issues.

HTH

David

"moonriver" <mo*******@discussions.microsoft.com> wrote in message
news:25**********************************@microsof t.com:

I write a program accessing files in network drive o:. It is doable as a
standalone application. However, if it is running under windows service, the
following exception will appear:

13/07/2004 10:24:48 AM run() error: System.IO.IOException: The specified
network password is not correct.

at System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath,
Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share)
at dump_tool.Dump_Load.run()
The source codes relevant are:

Cur_Fs = File.Open( Cur_File, FileMode.Open, FileAccess.Read,
FileShare.Read );

Where Cur_File = "o:\jul04\10\fares.fl", o: is a mapped network drive.

David,

I have tried your solution (3) by the following codes:

================================================== ====
public bool set_impersonate()
{
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_INTERACTIVE = 2;
const int SecurityImpersonation = 2;
WindowsIdentity wi;
IntPtr tokenHandle = new IntPtr(0);
IntPtr dupeTokenHandle = new IntPtr(0);

tokenHandle = IntPtr.Zero;
dupeTokenHandle = IntPtr.Zero;

try
{
// Call LogonUser to obtain a handle to an access
token.
bool returnValue = LogonUser
( "xiaodan", "IT1135XD", "xiao2002",
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref tokenHandle );

if( !returnValue )
{
int ret = Marshal.GetLastWin32Error();

DumpLog.WriteEntry( String.Format( "{0}
LogonUser failed with error code : {1}",
DateTime.Now, ret ) );

DumpLog.WriteEntry( String.Format( "{0} Error:
[{1}]", DateTime.Now, ret ) );
return( false );
}

bool retVal = DuplicateToken( tokenHandle,
SecurityImpersonation, ref dupeTokenHandle );
if( !retVal )
{
CloseHandle( tokenHandle );
DumpLog.WriteEntry( String.Format( "Exception
thrown in trying to duplicate token." ) );
return( false );
}

wi = WindowsIdentity.GetCurrent();
DumpLog.WriteEntry( String.Format( "Before
impersonation: {0} User Name = ({1}), Token = {2}",
DateTime.Now, wi.Name, wi.Token ) );

// The token that is passed to the following
// constructor must be a primary token in order
// to use it for impersonation.
WindowsIdentity newId = new WindowsIdentity(
dupeTokenHandle );
WindowsImpersonationContext impersonatedUser =
newId.Impersonate();

wi = WindowsIdentity.GetCurrent();
DumpLog.WriteEntry( String.Format( "After
impersonation: {0} User Name = ({1}), Token =
{2}",
DateTime.Now, wi.Name, wi.Token ) );
return( true );
}
catch( Exception e )
{
Log_sw.WriteLine( "{0} set_impersonate() error:
{1}",
DateTime.Now, e.ToString() );
DumpLog.WriteEntry( String.Format( "{0}
set_impersonate() error: {1}",
DateTime.Now, e.ToString() ) );
return( false );
}
}
================================================== ====

I call the funtion just before the File.Open()
statement to switch the impersonate to my log-on
username/password, shown as follows:

================================================== ====
set_impersonate();

WindowsIdentity wi = WindowsIdentity.GetCurrent();
DumpLog.WriteEntry( String.Format( "Before
File.Open(): {0} User Name = ({1}), Token = {2}",
DateTime.Now, wi.Name, wi.Token ) );

Cur_Fs = File.Open( Cur_File, FileMode.Open,
FileAccess.Read, FileShare.Read );
================================================== ====

The log displays:

================================================== ====
Before File.Open(): 14/07/2004 6:35:15 PM User Name =
(IT1135XD\xiaodan), Token = 828
================================================== ====

Which is exactly my log-on impersonate. However, the
exception is still raised in the File.Open statement
as the follows:

================================================== ====
14/07/2004 6:35:16 PM run() error:
System.IO.IOException: Logon failure: unknown user
name or bad password.

at System.IO.__Error.WinIOError(Int32 errorCode,
String str)
at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32
bufferSize, Boolean useAsync, String msgPath, Boolean
bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share)
at dump_tool.Dump_Load.run()
================================================== ====

So how to do?

"David Williams" <David Williams>, "VB.NE" wrote:

Because the Framework built in security does not allow this unless the
user that the code is running under (which by default for a Web Service
is ASPNET I believe) has rights to the drive. You need to do one of
three things:

1) Change the rights that the user ASPNET has. Very bad idea. Major
security issues.

2) Change the user that the Web Service is running under to one that
has the correct rights. Better than 1) but still a big security risk.

3) Read up on impersonation and change the code to impersonate a user
that has rights to the drive - for only the amount of time that you are
actively accessing the files. Best option from a security standpoint,
but most work to get working. I have had mixed luck with impersonation
- but I know that the issues that I have are understanding issues, not
implementation issues.

HTH

David

"moonriver" <mo*******@discussions.microsoft.com> wrote in message
news:25**********************************@microsof t.com:

I write a program accessing files in network drive o:. It is doable as a
standalone application. However, if it is running under windows service, the
following exception will appear:

13/07/2004 10:24:48 AM run() error: System.IO.IOException: The specified
network password is not correct.

at System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath,
Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share)
at dump_tool.Dump_Load.run()
The source codes relevant are:

Cur_Fs = File.Open( Cur_File, FileMode.Open, FileAccess.Read,
FileShare.Read );

Where Cur_File = "o:\jul04\10\fares.fl", o: is a mapped network drive.