|
|
You're in the
dotnet web services
group:ASP.NET Impersonation Problem
dotnet web services:
"Ram P. Dash" <rampr2@hotmail.com> wrote in message news:%23sri7mvYFHA.3864@TK2MSFTNGP10.phx.gbl... > Client Side Code > ----------------- > System.Net.NetworkCredential credential = new How can this be client-side code...?
[quoted text, click to view] "Ram P. Dash" <rampr2@hotmail.com> wrote in message news:%23sri7mvYFHA.3864@TK2MSFTNGP10.phx.gbl... > Now this is a classic. The impersonation fails for CASE I but doesn't fail > for CASE II or III. > > Case I: > > Client Side Code > ----------------- > System.Net.NetworkCredential credential = new > System.Net.NetworkCredential("myUserName", "myPassword", "myDomain"); > ServiceA a = new ServiceA(); > a.Credentials = credential; > a.SomeMethod(); > > Server Side Code > ------------------ > Web.config > ----------- > <authentication mode="Windows" /> > <identity impersonate="true" /> > > ServiceA > --------- > [WebMethod] > public void SomeMethod() { > > // Write to share drive code (the share drive has myUserName in ACL > list, myUserName should be able to write to it) > // But it fails > } > > Case II: > Everything being same if I change only the Web.config as follows, it > works: > > <authentication mode="Windows" /> > <identity impersonate="true" userName="myDomain\myUserName" > password="myPassword" /> > > Case III: > > Web.config > ------------ > <authentication mode="Windows" /> > <!-- No impersonation --> > > ServiceA > --------- > [WebMethod] > public void SomeMethod() { > > Impersonate i = new Impersonate(); > i.StartImpersonate(); > // Write to share drive code (the share drive has myUserName in ACL > list, myUserName should be able to write to it) > // This time it works > i.UndoImpersonate(); > } > > public class Impersonate { > > // Usual code using the following > [DllImport("advapi32.dll")] > public static extern int LogonUserA(...); > } > > I've tried the following for CASE I as suggested in > http://support.microsoft.com/default.aspx?scid=KB;en-us;q306158. But > nothing > works. > > a) Changing the "userName" attribute from "machine" to "system" in > "processModel" node in machine.config > b) Including ASPNET user in following Group Policy: > \Local Computer Policy\Computer Configuration\Windows Settings\Local > Policies\User Rights Assignment\"Act as part of the operating system" > > Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No > service pack) > > Our corporate policy strongly favors doing things as in CASE I. How can I > make it work? > > Thanks, > Ram > > > I told you, that this can only work in a Kerberos Realm (W2K AD domain), and this only when Delegation is enabled at the server and all clients are delegatable. This is not something I would ever recommend. A better solution is to authenticate the client , and access the remote share using fixed credentials, access control can be implemented using roles. Willy.
its all to due with creditial forwarding (1 hop rule). to access the
network, you creditial need to be a primary token with network access. case I: will fail becuase the server does not have a primary token only one passed from the client, unless the browser in on the server - localhost. (as many develop apps on their local box and use localhost, the problem is not seen until prod. you can dup on your own box, by hitting from another box.) case II: works because the server has a primary token created by asp.net case III: works becuase the thread creates a primary token as pointed at, you can use kerberos, and enable creditial forwarding. -- bruce (sqlwork.com) [quoted text, click to view] "Ram P. Dash" <rampr2@hotmail.com> wrote in message news:%23sri7mvYFHA.3864@TK2MSFTNGP10.phx.gbl... > Now this is a classic. The impersonation fails for CASE I but doesn't fail > for CASE II or III. > > Case I: > > Client Side Code > ----------------- > System.Net.NetworkCredential credential = new > System.Net.NetworkCredential("myUserName", "myPassword", "myDomain"); > ServiceA a = new ServiceA(); > a.Credentials = credential; > a.SomeMethod(); > > Server Side Code > ------------------ > Web.config > ----------- > <authentication mode="Windows" /> > <identity impersonate="true" /> > > ServiceA > --------- > [WebMethod] > public void SomeMethod() { > > // Write to share drive code (the share drive has myUserName in ACL > list, myUserName should be able to write to it) > // But it fails > } > > Case II: > Everything being same if I change only the Web.config as follows, it > works: > > <authentication mode="Windows" /> > <identity impersonate="true" userName="myDomain\myUserName" > password="myPassword" /> > > Case III: > > Web.config > ------------ > <authentication mode="Windows" /> > <!-- No impersonation --> > > ServiceA > --------- > [WebMethod] > public void SomeMethod() { > > Impersonate i = new Impersonate(); > i.StartImpersonate(); > // Write to share drive code (the share drive has myUserName in ACL > list, myUserName should be able to write to it) > // This time it works > i.UndoImpersonate(); > } > > public class Impersonate { > > // Usual code using the following > [DllImport("advapi32.dll")] > public static extern int LogonUserA(...); > } > > I've tried the following for CASE I as suggested in > http://support.microsoft.com/default.aspx?scid=KB;en-us;q306158. But > nothing > works. > > a) Changing the "userName" attribute from "machine" to "system" in > "processModel" node in machine.config > b) Including ASPNET user in following Group Policy: > \Local Computer Policy\Computer Configuration\Windows Settings\Local > Policies\User Rights Assignment\"Act as part of the operating system" > > Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No > service pack) > > Our corporate policy strongly favors doing things as in CASE I. How can I > make it work? > > Thanks, > Ram > > >
Now this is a classic. The impersonation fails for CASE I but doesn't fail
for CASE II or III. Case I: Client Side Code ----------------- System.Net.NetworkCredential credential = new System.Net.NetworkCredential("myUserName", "myPassword", "myDomain"); ServiceA a = new ServiceA(); a.Credentials = credential; a.SomeMethod(); Server Side Code ------------------ Web.config ----------- <authentication mode="Windows" /> <identity impersonate="true" /> ServiceA --------- [WebMethod] public void SomeMethod() { // Write to share drive code (the share drive has myUserName in ACL list, myUserName should be able to write to it) // But it fails } Case II: Everything being same if I change only the Web.config as follows, it works: <authentication mode="Windows" /> <identity impersonate="true" userName="myDomain\myUserName" password="myPassword" /> Case III: Web.config ------------ <authentication mode="Windows" /> <!-- No impersonation --> ServiceA --------- [WebMethod] public void SomeMethod() { Impersonate i = new Impersonate(); i.StartImpersonate(); // Write to share drive code (the share drive has myUserName in ACL list, myUserName should be able to write to it) // This time it works i.UndoImpersonate(); } public class Impersonate { // Usual code using the following [DllImport("advapi32.dll")] public static extern int LogonUserA(...); } I've tried the following for CASE I as suggested in http://support.microsoft.com/default.aspx?scid=KB;en-us;q306158. But nothing works. a) Changing the "userName" attribute from "machine" to "system" in "processModel" node in machine.config b) Including ASPNET user in following Group Policy: \Local Computer Policy\Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\"Act as part of the operating system" Infrastructure: Windows XP Pro (Service Pack 1); .NET Frmaework 1.0 (No service pack) Our corporate policy strongly favors doing things as in CASE I. How can I make it work? Thanks, Ram
I create an instance of NetworkCredential and feed that to the WebService
proxy class object. The credential do get carried to the WebService. However the token's ACL is lost somewhere in the middle. In CASE I on server side, if I do System.Security.Principal.WindowsIdentity id = System.Security.Principal.WindowsIdentity.GetCurrent(); I can see my identity. Ram [quoted text, click to view] "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message news:e3xwYqvYFHA.3272@TK2MSFTNGP14.phx.gbl... > "Ram P. Dash" <rampr2@hotmail.com> wrote in message > news:%23sri7mvYFHA.3864@TK2MSFTNGP10.phx.gbl... > > > Client Side Code > > ----------------- > > System.Net.NetworkCredential credential = new > > How can this be client-side code...? > >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |