"Lee" <lee.walton@ngtuk.com> wrote in message
news:F4789846-EFC7-4953-8150-CEEF72E0C4A9@microsoft.com...
> Hi Joe,
> just checking the code i posted and noticed a slight difference. I
> modified
> the code so it would output the user name in the error message
>
> throw new Win32Exception(ret,"DEBUG: " + currentUser.Name.ToString());
>
> Ive looked at the Local security policy and the account has "act as part
> of
> the operating system" privellege? So when this didnt work i thought id
> temporarily set 'Everyone' to have this privellege but still got the
> access
> denied error. Any suggestions on how to troubleshoot this?
>
> "Joe Kaplan" wrote:
>
>> I'd expect to see a different error returned than what you are getting
>> (maybe there is some little coding difference), but the bottom line is
>> that
>> you must either be running as SYSTEM or have the process account have the
>> "act as part of the operating system" OS privilege to call LogonUser on
>> Win2K.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "Lee" <lee.walton@ngtuk.com> wrote in message
>> news:4C97245A-6820-4118-A674-31C90CCE52F4@microsoft.com...
>> > Thanks for your time guys, yes to confirm the OS is w2k
>> >
>> > "Dominick Baier" wrote:
>> >
>> >> Hi,
>> >>
>> >> which OS are you using? On W2K you need SYSTEM privileges to call
>> >> LogonUser...
>> >>
>> >> dominick
>> >> www.leastprivilege.com
>> >>
>> >> > I am having problems trying to impersonate as a user in asp.net.
>> >> >
>> >> > I get an access denied error on the LogonUser method of the
>> >> > following
>> >> > code;
>> >> >
>> >> > /// <summary>
>> >> > /// Summary description for CustomWindowsIdentity.
>> >> > /// </summary>
>> >> > public class CustomWindowsIdentity : WindowsIdentity
>> >> > {
>> >> > [DllImport("advapi32.dll", SetLastError=true)]
>> >> > private static extern int LogonUser(String lpszUsername, String
>> >> > lpszDomain, String lpszPassword,
>> >> > int dwLogonType, int dwLogonProvider, out int phToken);
>> >> > [DllImport("kernel32.dll")]
>> >> > private static extern int GetLastError();
>> >> > public CustomWindowsIdentity( string domain, string username, string
>> >> > password ) :
>> >> > base( CustomWindowsIdentity.LogonUser(domain,username,password) )
>> >> > {
>> >> > }
>> >> >
>> >> > //--------------------------------------------------------------------
>> >> > ------
>> >> > // Impersonates as the supplied user.
>> >> > // Domain must be in standard NT format: e.g. "DOMAIN"
>> >> >
>> >> > //--------------------------------------------------------------------
>> >> > ------
>> >> > public static WindowsImpersonationContext Impersonate( string
>> >> > domain,
>> >> > string username, string password )
>> >> > {
>> >> > IntPtr token = LogonUser( domain, username, password );
>> >> > return WindowsIdentity.Impersonate( token );
>> >> > }
>> >> > private static IntPtr LogonUser( string domain, string username,
>> >> > string
>> >> > password )
>> >> > {
>> >> > int token = 0;
>> >> > int loggedOn = LogonUser( username, domain, password,
>> >> > 0x8, 0x0,
>> >> > //WindowsLogonType.NetworkClearText,
>> >> > //WindowsLogonProvider.Default,
>> >> > out token );
>> >> > if (loggedOn==0 || token==0)
>> >> > {
>> >> > int ret = GetLastError();
>> >> > //int ret = Marshal.GetLastWin32Error(); //GetLastError();
>> >> > if (ret!=0)
>> >> > {
>> >> > WindowsIdentity currentUser = WindowsIdentity.GetCurrent();
>> >> > throw new Win32Exception(ret,"DEBUG: " +
>> >> > currentUser.Name.ToString());
>> >> > }
>> >> > }
>> >> > IntPtr tokenOut = new IntPtr( token );
>> >> >
>> >> > return tokenOut;
>> >> > }
>> >> > }
>> >> > Its worth noting we are using a different user account for IIS
>> >> > anonymous
>> >> > authentication so the user that is trying to impersonate is
>> >> > 'DOMAIN\MY_READER'.
>> >> > This same code block works on the production environment so my
>> >> > thinking is
>> >> > that its a permission or setting missing for the specific user on
>> >> > the
>> >> > staging
>> >> > server? Ive even tried having IIS use an administrator account for
>> >> > anonymous
>> >> > access but get the same error?
>> >> > Any help, clues or pointers would be great.
>> >> > many thanks
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>

"Joe Kaplan" wrote:

> It sounds like that isn't the problem. That makes some sense, as normally
> when that is the problem, GetLastError returns something like "a required
> privilege is not held by the client".
>
> I just checked the docs and it says that under Win2K, the ID must have the
> SE_CHANGE_NOTIFY_NAME (bypass traverse checking) privilege as well, or you
> will get the Access Denied, so I'd try that next.
>
> DO NOT leave act as part of the operating system set to everyone. It is a
> very dangerous privilege! There is a reason that not even administrators
> have it by default.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> "Lee" <lee.walton@ngtuk.com> wrote in message
> news:F4789846-EFC7-4953-8150-CEEF72E0C4A9@microsoft.com...
> > Hi Joe,
> > just checking the code i posted and noticed a slight difference. I
> > modified
> > the code so it would output the user name in the error message
> >
> > throw new Win32Exception(ret,"DEBUG: " + currentUser.Name.ToString());
> >
> > Ive looked at the Local security policy and the account has "act as part
> > of
> > the operating system" privellege? So when this didnt work i thought id
> > temporarily set 'Everyone' to have this privellege but still got the
> > access
> > denied error. Any suggestions on how to troubleshoot this?
> >
> > "Joe Kaplan" wrote:
> >
> >> I'd expect to see a different error returned than what you are getting
> >> (maybe there is some little coding difference), but the bottom line is
> >> that
> >> you must either be running as SYSTEM or have the process account have the
> >> "act as part of the operating system" OS privilege to call LogonUser on
> >> Win2K.
> >>
> >> Joe K.
> >>
> >> --
> >> Joe Kaplan-MS MVP Directory Services Programming
> >> Co-author of "The .NET Developer's Guide to Directory Services
> >> Programming"
> >> http://www.directoryprogramming.net
> >> --
> >> "Lee" <lee.walton@ngtuk.com> wrote in message
> >> news:4C97245A-6820-4118-A674-31C90CCE52F4@microsoft.com...
> >> > Thanks for your time guys, yes to confirm the OS is w2k
> >> >
> >> > "Dominick Baier" wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> which OS are you using? On W2K you need SYSTEM privileges to call
> >> >> LogonUser...
> >> >>
> >> >> dominick
> >> >> www.leastprivilege.com
> >> >>
> >> >> > I am having problems trying to impersonate as a user in asp.net.
> >> >> >
> >> >> > I get an access denied error on the LogonUser method of the
> >> >> > following
> >> >> > code;
> >> >> >
> >> >> > /// <summary>
> >> >> > /// Summary description for CustomWindowsIdentity.
> >> >> > /// </summary>
> >> >> > public class CustomWindowsIdentity : WindowsIdentity
> >> >> > {
> >> >> > [DllImport("advapi32.dll", SetLastError=true)]
> >> >> > private static extern int LogonUser(String lpszUsername, String
> >> >> > lpszDomain, String lpszPassword,
> >> >> > int dwLogonType, int dwLogonProvider, out int phToken);
> >> >> > [DllImport("kernel32.dll")]
> >> >> > private static extern int GetLastError();
> >> >> > public CustomWindowsIdentity( string domain, string username, string
> >> >> > password ) :
> >> >> > base( CustomWindowsIdentity.LogonUser(domain,username,password) )
> >> >> > {
> >> >> > }
> >> >> >
> >> >> > //--------------------------------------------------------------------
> >> >> > ------
> >> >> > // Impersonates as the supplied user.
> >> >> > // Domain must be in standard NT format: e.g. "DOMAIN"
> >> >> >
> >> >> > //--------------------------------------------------------------------
> >> >> > ------
> >> >> > public static WindowsImpersonationContext Impersonate( string
> >> >> > domain,
> >> >> > string username, string password )
> >> >> > {
> >> >> > IntPtr token = LogonUser( domain, username, password );
> >> >> > return WindowsIdentity.Impersonate( token );
> >> >> > }
> >> >> > private static IntPtr LogonUser( string domain, string username,
> >> >> > string
> >> >> > password )
> >> >> > {
> >> >> > int token = 0;
> >> >> > int loggedOn = LogonUser( username, domain, password,
> >> >> > 0x8, 0x0,
> >> >> > //WindowsLogonType.NetworkClearText,
> >> >> > //WindowsLogonProvider.Default,
> >> >> > out token );
> >> >> > if (loggedOn==0 || token==0)
> >> >> > {
> >> >> > int ret = GetLastError();
> >> >> > //int ret = Marshal.GetLastWin32Error(); //GetLastError();
> >> >> > if (ret!=0)
> >> >> > {
> >> >> > WindowsIdentity currentUser = WindowsIdentity.GetCurrent();
> >> >> > throw new Win32Exception(ret,"DEBUG: " +
> >> >> > currentUser.Name.ToString());
> >> >> > }
> >> >> > }
> >> >> > IntPtr tokenOut = new IntPtr( token );
> >> >> >
> >> >> > return tokenOut;
> >> >> > }
> >> >> > }
> >> >> > Its worth noting we are using a different user account for IIS
> >> >> > anonymous
> >> >> > authentication so the user that is trying to impersonate is
> >> >> > 'DOMAIN\MY_READER'.
> >> >> > This same code block works on the production environment so my
> >> >> > thinking is
> >> >> > that its a permission or setting missing for the specific user on
> >> >> > the
> >> >> > staging
> >> >> > server? Ive even tried having IIS use an administrator account for
> >> >> > anonymous
> >> >> > access but get the same error?
> >> >> > Any help, clues or pointers would be great.
> >> >> > many thanks
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>