.NETGURU
Impersonation - again
This message was discovered on ASPFriends.com 'aspngsec' list.


Goldfarb, Christopher
Hi all,

First of all, apologies in advance for what seems to be the beating of a
dead horse. I've poured over the docs and the discussions, but I can't find
an example that quite meets my scenario.

-----> SCENARIO:
ASP.NET webserver on Intranet using Windows authentication.
Webserver needs to create directories on a Linux server running Samba based
on user input.
Samba configuration grants certain users on a domain write access to the
Linux server.

-----> HISTORY:
I've tried LogonUser passing (UserName, Domain, Password, 3, 0, out token1)
and WindowsIdentity.Impersonate() with no luck. Some combinations have
earned a successful login, others haven't, but in all cases, I receive a
"DirectoryNotFoundException", insinuating improper access rights.

-----> INTERESTING POINT:
This code (and a combination of WindowsIdentity.Impersonate()) successfully
creates directories on machines that I have access to using my domain
userid/pwd. I don't have access to the Linux machine, so I'm relying on
others to attempt login. While these users are able to be authenticated
using WindowsIdentity.Impersonate(), they cannot create directories on the
Linux machine or their own workstations. Using the code below, which
apparently is what is required when accessing remote servers, these same
users are not being authenticated.

-----> CODE BIT 1 (relevant pieces left in):
(upon form submit providing username, pwd, domain, and directory to create)
ImpersonatedUser u = new ImpersonatedUser();
u.Password = sPassword;
u.UserName = sUser;
u.Domain = sDomain;
if (u.Login())
    (create the directory)

-----> CODE BIT 2 (relevant pieces left in):
public class ImpersonatedUser
{
    [DllImport("C:\\WINDOWS\\System32\\advapi32.dll")]
    public static extern bool LogonUser(String lpszUsername,
                                        String lpszDomain,
                                        String lpszPassword,
                                        int dwLogonType,
                                        int dwLogonProvider,
                                        out int phToken);

    [DllImport("C:\\WINDOWS\\System32\\advapi32.dll")]
    public static extern bool ImpersonateLoggedOnUser(long token);

    public string UserName, Password, Domain;

    public bool Login()
    {
        int token1;
        if (LogonUser( UserName, Domain, Password, 4, 0, out token1 ))
            return (ImpersonateLoggedOnUser(token1));
        return false;
    }
}

Can someone point out to me what I may be doing incorrectly??

THANKS IN ADVANCE!
Chris
Little, Ambrose
Chris,

Check this code out:
http://code.clanlittle.org/ShowCode.aspx?name=BOKF.Security.Impersonation

I had a similar problem using the WindowsIdentity stuff. I believe it had
something to do w/ the type of logon.

Use begin & end impersonation.

--Ambrose
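
The logon-type and begin/end points from this reply, as an added example (not code from the thread and not the linked BOKF.Security.Impersonation class): a C# helper that names the logon types, reports why LogonUser failed, and always ends the impersonation. The class name, the `CreateDirectoryAs` helper and its parameters are hypothetical; which logon type suits a given Samba share is left to the caller.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ImpersonationExample   // hypothetical name
{
    // Named values for the bare 3, 4 and 0 passed to LogonUser in the thread.
    public const int LOGON32_LOGON_NETWORK = 3;         // credentials are not cached for this logon type
    public const int LOGON32_LOGON_BATCH = 4;           // account needs the "Log on as a batch job" right
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // supplied credentials used for outbound connections only
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_PROVIDER_WINNT50 = 3;             // the only provider that accepts NEW_CREDENTIALS

    // The token is a HANDLE, so it is marshalled as IntPtr; SetLastError keeps the failure code.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Hypothetical helper: create uncPath while impersonating the given account.
    public static void CreateDirectoryAs(string user, string domain, string password,
                                         int logonType, string uncPath)
    {
        int provider = logonType == LOGON32_LOGON_NEW_CREDENTIALS
            ? LOGON32_PROVIDER_WINNT50 : LOGON32_PROVIDER_DEFAULT;
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, provider, out token))
        {
            // e.g. 1326 = bad user name or password, 1385 = logon type not granted
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        WindowsImpersonationContext context = null;
        try
        {
            context = new WindowsIdentity(token).Impersonate(); // begin impersonation
            Directory.CreateDirectory(uncPath);
        }
        finally
        {
            if (context != null) context.Undo(); // end impersonation, even on failure
            CloseHandle(token);
        }
    }
}
```

Catching the `Win32Exception` and logging its `NativeErrorCode` separates a rejected logon from a share-permission failure, which a bare `false` return or a `DirectoryNotFoundException` does not.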

-----Original Message-----
From: Goldfarb, Christopher
Sent: Thursday, 23 May, 2002 17:50
To: aspngsec
Subject: [aspngsec] Impersonation - again

Emil Christopher Melar
This was interesting!

How can I KEEP the impersonation until I close the browser, without
bothering to maintain the object? (like session)
I want to lose the NTCR loginbox with password, domain etc.

-
Emil Chr. Melar

-----Original Message-----
From: Little, Ambrose
Sent: 24. mai 2002 20:57
To: aspngsec
Subject: [aspngsec] RE: Impersonation - again

Little, Ambrose
Emil,

I'm not sure exactly what you need. However, I think either using the
built-in impersonate=true flag in the web.config may be what you need, if
you want it to last for the whole session. If there's a particular identity
you want to impersonate, you can set that up there as well.

I don't *think* it's possible to enable programmatic impersonation longer
than the scope in which it is used.

--Ambrose

-----Original Message-----
From: Emil Christopher Melar
Sent: Friday, 24 May, 2002 21:42
To: aspngsec
Subject: [aspngsec] RE: Impersonation - again
