Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III.
Case I:
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
System.Net.NetworkCredential("myUserName", "myPassword", "myDomain");
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();
Server Side Code
------------------
Web.config
-----------
<authentication mode="Windows" />
<identity impersonate="true" />
ServiceA
---------
[WebMethod]
public void SomeMethod() {
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// But it fails
}
Case II:
Everything being same if I change only the Web.config as follows, it works:
<authentication mode="Windows" />
<identity impersonate="true" userName="myDomain\myUserName"
password="myPassword" />
Case III:
Web.config
------------
<authentication mode="Windows" />
<!-- No impersonation -->
ServiceA
---------
[WebMethod]
public void SomeMethod() {
Impersonate i = new Impersonate();
i.StartImpersonate();
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// This time it works
i.UndoImpersonate();
}
public class Impersonate {
// Usual code using the following
[DllImport("advapi32.dll")]
public static extern int LogonUserA(...);
}
I've tried the following for CASE I as suggested in http://support.microsoft.com/default...;en-us;q306158. But nothing
works.
a) Changing the "userName" attribute from "machine" to "system" in
"processModel" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\Windows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"
Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)
Our corporate policy strongly favors doing things as in CASE I. How can I
make it work?
Thanks,
Ram 14  2994 
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Client Side Code
-----------------
System.Net.NetworkCredential credential = new
How can this be client-side code...?
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Client Side Code
-----------------
System.Net.NetworkCredential credential = new
How can this be client-side code...?
I create an instance of NetworkCredential and feed that to the WebService
proxy class object. The credential do get carried to the WebService. However
the token's ACL is lost somewhere in the middle. In CASE I on server side,
if I do System.Security.Principal.WindowsIdentity id =
System.Security.Principal.WindowsIdentity.GetCurre nt(); I can see my
identity.
Ram
"Mark Rae" <ma**@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:e3**************@TK2MSFTNGP14.phx.gbl... "Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
How can this be client-side code...?
I create an instance of NetworkCredential and feed that to the WebService
proxy class object. The credential do get carried to the WebService. However
the token's ACL is lost somewhere in the middle. In CASE I on server side,
if I do System.Security.Principal.WindowsIdentity id =
System.Security.Principal.WindowsIdentity.GetCurre nt(); I can see my
identity.
Ram
"Mark Rae" <ma**@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:e3**************@TK2MSFTNGP14.phx.gbl... "Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
How can this be client-side code...?
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III.
Case I:
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
System.Net.NetworkCredential("myUserName", "myPassword", "myDomain");
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();
Server Side Code
------------------
Web.config
-----------
<authentication mode="Windows" />
<identity impersonate="true" />
ServiceA
---------
[WebMethod]
public void SomeMethod() {
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// But it fails
}
Case II:
Everything being same if I change only the Web.config as follows, it
works:
<authentication mode="Windows" />
<identity impersonate="true" userName="myDomain\myUserName"
password="myPassword" />
Case III:
Web.config
------------
<authentication mode="Windows" />
<!-- No impersonation -->
ServiceA
---------
[WebMethod]
public void SomeMethod() {
Impersonate i = new Impersonate();
i.StartImpersonate();
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// This time it works
i.UndoImpersonate();
}
public class Impersonate {
// Usual code using the following
[DllImport("advapi32.dll")]
public static extern int LogonUserA(...);
}
I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.
a) Changing the "userName" attribute from "machine" to "system" in
"processModel" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\Windows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"
Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)
Our corporate policy strongly favors doing things as in CASE I. How can I
make it work?
Thanks,
Ram
I told you, that this can only work in a Kerberos Realm (W2K AD domain), and
this only when Delegation is enabled at the server and all clients are
delegatable. This is not something I would ever recommend.
A better solution is to authenticate the client , and access the remote
share using fixed credentials, access control can be implemented using
roles.
Willy.
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III.
Case I:
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
System.Net.NetworkCredential("myUserName", "myPassword", "myDomain");
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();
Server Side Code
------------------
Web.config
-----------
<authentication mode="Windows" />
<identity impersonate="true" />
ServiceA
---------
[WebMethod]
public void SomeMethod() {
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// But it fails
}
Case II:
Everything being same if I change only the Web.config as follows, it
works:
<authentication mode="Windows" />
<identity impersonate="true" userName="myDomain\myUserName"
password="myPassword" />
Case III:
Web.config
------------
<authentication mode="Windows" />
<!-- No impersonation -->
ServiceA
---------
[WebMethod]
public void SomeMethod() {
Impersonate i = new Impersonate();
i.StartImpersonate();
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// This time it works
i.UndoImpersonate();
}
public class Impersonate {
// Usual code using the following
[DllImport("advapi32.dll")]
public static extern int LogonUserA(...);
}
I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.
a) Changing the "userName" attribute from "machine" to "system" in
"processModel" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\Windows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"
Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)
Our corporate policy strongly favors doing things as in CASE I. How can I
make it work?
Thanks,
Ram
I told you, that this can only work in a Kerberos Realm (W2K AD domain), and
this only when Delegation is enabled at the server and all clients are
delegatable. This is not something I would ever recommend.
A better solution is to authenticate the client , and access the remote
share using fixed credentials, access control can be implemented using
roles.
Willy.
its all to due with creditial forwarding (1 hop rule). to access the
network, you creditial need to be a primary token with network access.
case I: will fail becuase the server does not have a primary token only one
passed from the client, unless the browser in on the server - localhost. (as
many develop apps on their local box and use localhost, the problem is not
seen until prod. you can dup on your own box, by hitting from another box.)
case II: works because the server has a primary token created by asp.net
case III: works becuase the thread creates a primary token
as pointed at, you can use kerberos, and enable creditial forwarding.
-- bruce (sqlwork.com)
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III.
Case I:
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
System.Net.NetworkCredential("myUserName", "myPassword", "myDomain");
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();
Server Side Code
------------------
Web.config
-----------
<authentication mode="Windows" />
<identity impersonate="true" />
ServiceA
---------
[WebMethod]
public void SomeMethod() {
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// But it fails
}
Case II:
Everything being same if I change only the Web.config as follows, it
works:
<authentication mode="Windows" />
<identity impersonate="true" userName="myDomain\myUserName"
password="myPassword" />
Case III:
Web.config
------------
<authentication mode="Windows" />
<!-- No impersonation -->
ServiceA
---------
[WebMethod]
public void SomeMethod() {
Impersonate i = new Impersonate();
i.StartImpersonate();
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// This time it works
i.UndoImpersonate();
}
public class Impersonate {
// Usual code using the following
[DllImport("advapi32.dll")]
public static extern int LogonUserA(...);
}
I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.
a) Changing the "userName" attribute from "machine" to "system" in
"processModel" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\Windows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"
Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)
Our corporate policy strongly favors doing things as in CASE I. How can I
make it work?
Thanks,
Ram
its all to due with creditial forwarding (1 hop rule). to access the
network, you creditial need to be a primary token with network access.
case I: will fail becuase the server does not have a primary token only one
passed from the client, unless the browser in on the server - localhost. (as
many develop apps on their local box and use localhost, the problem is not
seen until prod. you can dup on your own box, by hitting from another box.)
case II: works because the server has a primary token created by asp.net
case III: works becuase the thread creates a primary token
as pointed at, you can use kerberos, and enable creditial forwarding.
-- bruce (sqlwork.com)
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III.
Case I:
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
System.Net.NetworkCredential("myUserName", "myPassword", "myDomain");
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();
Server Side Code
------------------
Web.config
-----------
<authentication mode="Windows" />
<identity impersonate="true" />
ServiceA
---------
[WebMethod]
public void SomeMethod() {
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// But it fails
}
Case II:
Everything being same if I change only the Web.config as follows, it
works:
<authentication mode="Windows" />
<identity impersonate="true" userName="myDomain\myUserName"
password="myPassword" />
Case III:
Web.config
------------
<authentication mode="Windows" />
<!-- No impersonation -->
ServiceA
---------
[WebMethod]
public void SomeMethod() {
Impersonate i = new Impersonate();
i.StartImpersonate();
// Write to share drive code (the share drive has myUserName in ACL
list, myUserName should be able to write to it)
// This time it works
i.UndoImpersonate();
}
public class Impersonate {
// Usual code using the following
[DllImport("advapi32.dll")]
public static extern int LogonUserA(...);
}
I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.
a) Changing the "userName" attribute from "machine" to "system" in
"processModel" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\Windows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"
Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)
Our corporate policy strongly favors doing things as in CASE I. How can I
make it work?
Thanks,
Ram
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:eQ**************@TK2MSFTNGP15.phx.gbl... I create an instance of NetworkCredential and feed that to the WebService
proxy class object.
Not client-side you don't...
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:eQ**************@TK2MSFTNGP15.phx.gbl... I create an instance of NetworkCredential and feed that to the WebService
proxy class object.
Not client-side you don't...
Thanks a lot Bruce,
As rightly pointed out by you, it's a double hop issue which can be resolved
via kerberos delegation. However, our corporate security group will never
allow it.
I know this question is stupid but is there any way that on the server side
I can create a primary token based on the credentials supplied from client?
Ram
"Bruce Barker" <br******************@safeco.com> wrote in message
news:uQ**************@TK2MSFTNGP09.phx.gbl... its all to due with creditial forwarding (1 hop rule). to access the
network, you creditial need to be a primary token with network access.
case I: will fail becuase the server does not have a primary token only
one passed from the client, unless the browser in on the server - localhost.
(as many develop apps on their local box and use localhost, the problem is not
seen until prod. you can dup on your own box, by hitting from another
box.)
case II: works because the server has a primary token created by asp.net
case III: works becuase the thread creates a primary token
as pointed at, you can use kerberos, and enable creditial forwarding.
-- bruce (sqlwork.com)
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Now this is a classic. The impersonation fails for CASE I but doesn't
fail for CASE II or III.
Case I:
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
System.Net.NetworkCredential("myUserName", "myPassword", "myDomain");
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();
Server Side Code
------------------
Web.config
-----------
<authentication mode="Windows" />
<identity impersonate="true" />
ServiceA
---------
[WebMethod]
public void SomeMethod() {
// Write to share drive code (the share drive has myUserName in
ACL list, myUserName should be able to write to it)
// But it fails
}
Case II:
Everything being same if I change only the Web.config as follows, it
works:
<authentication mode="Windows" />
<identity impersonate="true" userName="myDomain\myUserName"
password="myPassword" />
Case III:
Web.config
------------
<authentication mode="Windows" />
<!-- No impersonation -->
ServiceA
---------
[WebMethod]
public void SomeMethod() {
Impersonate i = new Impersonate();
i.StartImpersonate();
// Write to share drive code (the share drive has myUserName in
ACL list, myUserName should be able to write to it)
// This time it works
i.UndoImpersonate();
}
public class Impersonate {
// Usual code using the following
[DllImport("advapi32.dll")]
public static extern int LogonUserA(...);
}
I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.
a) Changing the "userName" attribute from "machine" to "system" in
"processModel" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\Windows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"
Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)
Our corporate policy strongly favors doing things as in CASE I. How can
I make it work?
Thanks,
Ram
Thanks a lot Bruce,
As rightly pointed out by you, it's a double hop issue which can be resolved
via kerberos delegation. However, our corporate security group will never
allow it.
I know this question is stupid but is there any way that on the server side
I can create a primary token based on the credentials supplied from client?
Ram
"Bruce Barker" <br******************@safeco.com> wrote in message
news:uQ**************@TK2MSFTNGP09.phx.gbl... its all to due with creditial forwarding (1 hop rule). to access the
network, you creditial need to be a primary token with network access.
case I: will fail becuase the server does not have a primary token only
one passed from the client, unless the browser in on the server - localhost.
(as many develop apps on their local box and use localhost, the problem is not
seen until prod. you can dup on your own box, by hitting from another
box.)
case II: works because the server has a primary token created by asp.net
case III: works becuase the thread creates a primary token
as pointed at, you can use kerberos, and enable creditial forwarding.
-- bruce (sqlwork.com)
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... Now this is a classic. The impersonation fails for CASE I but doesn't
fail for CASE II or III.
Case I:
Client Side Code
-----------------
System.Net.NetworkCredential credential = new
System.Net.NetworkCredential("myUserName", "myPassword", "myDomain");
ServiceA a = new ServiceA();
a.Credentials = credential;
a.SomeMethod();
Server Side Code
------------------
Web.config
-----------
<authentication mode="Windows" />
<identity impersonate="true" />
ServiceA
---------
[WebMethod]
public void SomeMethod() {
// Write to share drive code (the share drive has myUserName in
ACL list, myUserName should be able to write to it)
// But it fails
}
Case II:
Everything being same if I change only the Web.config as follows, it
works:
<authentication mode="Windows" />
<identity impersonate="true" userName="myDomain\myUserName"
password="myPassword" />
Case III:
Web.config
------------
<authentication mode="Windows" />
<!-- No impersonation -->
ServiceA
---------
[WebMethod]
public void SomeMethod() {
Impersonate i = new Impersonate();
i.StartImpersonate();
// Write to share drive code (the share drive has myUserName in
ACL list, myUserName should be able to write to it)
// This time it works
i.UndoImpersonate();
}
public class Impersonate {
// Usual code using the following
[DllImport("advapi32.dll")]
public static extern int LogonUserA(...);
}
I've tried the following for CASE I as suggested in
http://support.microsoft.com/default...;en-us;q306158. But
nothing
works.
a) Changing the "userName" attribute from "machine" to "system" in
"processModel" node in machine.config
b) Including ASPNET user in following Group Policy:
\Local Computer Policy\Computer Configuration\Windows Settings\Local
Policies\User Rights Assignment\"Act as part of the operating system"
Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No
service pack)
Our corporate policy strongly favors doing things as in CASE I. How can
I make it work?
Thanks,
Ram
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2******************@TK2MSFTNGP14.phx.gbl... Thanks a lot Bruce,
As rightly pointed out by you, it's a double hop issue which can be
resolved
via kerberos delegation. However, our corporate security group will never
allow it.
I know this question is stupid but is there any way that on the server
side
I can create a primary token based on the credentials supplied from
client?
Ram
If You mean passing the credentials from the client to the server, yes there
is call "LogonUser"at the server using the credentials supplied. But again
this is a real bad idea, calling LogonUser for each service request can kill
the performance of the server application when handling multiple
simultaneous requests, and I wonder if the security group will allow this.
Do as I said, authenticate as close to the client as possible, once
authenticated use roles for authorization handling.
Willy.
"Ram P. Dash" <ra****@hotmail.com> wrote in message
news:%2******************@TK2MSFTNGP14.phx.gbl... Thanks a lot Bruce,
As rightly pointed out by you, it's a double hop issue which can be
resolved
via kerberos delegation. However, our corporate security group will never
allow it.
I know this question is stupid but is there any way that on the server
side
I can create a primary token based on the credentials supplied from
client?
Ram
If You mean passing the credentials from the client to the server, yes there
is call "LogonUser"at the server using the credentials supplied. But again
this is a real bad idea, calling LogonUser for each service request can kill
the performance of the server application when handling multiple
simultaneous requests, and I wonder if the security group will allow this.
Do as I said, authenticate as close to the client as possible, once
authenticated use roles for authorization handling.
Willy. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Chris |
last post by:
Hello all,
Here is my problem. I have a windows service (C#) that is
supposed to move files from/to the local drive to/from a
UNC share (\\domainserver\share). The service is running
on a Win3k...
|
by: Anil Krishnamurthy |
last post by:
We have an ASP.NET application that uses COM objects through Interop. The
web application requires access to network and database resources and hence,
needs to impersonate a domain account. The...
|
by: techfuzz |
last post by:
I'm posting my problem experience and solution I found here for other
ASP.NET developers.
I have a web application that uses Forms Authentication with Active
Directory to control access. In...
|
by: Anthony Munter |
last post by:
I have a web application with impersonate=”true” in Web.config and on my own logon page I allow the user to either
- specify a userid/password for the app to impersonate when calling legacy...
|
by: Jake Smythe |
last post by:
Hello,
I have some code that impersonates a user upon launching of the
application. We now have the need to run some command line items. The
impersonation doesn't seem to pass to the commands...
|
by: Phil |
last post by:
Hi,
I've currently setup a local user as described in:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnne...
|
by: velvet.graham |
last post by:
I'm having a difficult time with impersonation. I've created an
impersonation class. Here is the code below:
******Impersonation Class Code*********
Imports System
Imports System.Web.Security...
|
by: David Cablalero |
last post by:
I have a windows service which every night checks a SQL Server database for
some data and business rules. The application can access different DBs with
the same structure, to tell the service which...
|
by: Marco Mechelli |
last post by:
Hello,
i'm facing with the following problem while using the Job API during an
impersonation.
I have a main process that needs to do the following:
1. Creates a new Job Object that will be...
|
by: Brian |
last post by:
Greetings!
I'm trying to find a good place to call SqlCacheDependency.Start() and
I'm running into some issues. I know this isn't a SQL forum, but this
seems more like an ASP.NET lifetime...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development projectplanning, coding, testing,...
| |
