Impersonation and accessing Windows file share

[Julie]

Hi all,

I have an ASP .NET application and am experiencing an interesting issue.

The application runs under Windows integrated authentication and anonymous
access is turned off; I need the current logged in user's ID for some initial
processing. Partway through the code, I impersonate a system account using
WindowsIdentity objects with the objective of retrieving a file from another
server.

I have the username and password for the system account encrypted in my
code. I can verify using Environment.Username that the impersonation is
working - the username of my system account is returned. However, I'm unable
to authenticate to the file server. It doesn't seem to me that this is a
"double-hop" as I'm just hopping from my web server to this file server - I
do not need to pass the logged-in user's credentials to the file server, just
this system account's credentials that I configure from within my code. (And
unfortunately I cannot make changes to the file system security.)

Any feedback as to whether this is possible would be appreciated. If
necessary, I can switch to moving the service account's credentials to the
web.config file in the <impersonate> tag but I'm hoping there's a way to
switch between the user accounts in the same application.

Thanks!

 

[Luke Zhang [MSFT]]

Hello,

First, you can use the following code to determine what user the thread is
executing as:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

Also, you if logon as the System account on the server, can you access the
Windows file share like "\\Myserver\Myshare"?

Regards,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Julie]

I use that code and I can confirm that impersonation is impersonating the
correct user. And yes, I can access the file share as the system account -
thanks for checking.

 

[Luke Zhang [MSFT]]

In IIS manager, find the application pool for your web application, and
change the identiy to the system account you used to impersonated in the
code, and then restart the IIS server. Will this help?

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Joe Kaplan \(MVP - ADSI\)]

If you enable logon event auditing on the file server, what does the logon
failure say on that end? That may give you some clues.

Also, when you called LogonUser, what type of logon did you do? You need to
make sure you use one that gives you network credentials.

Joe K.

 

[Julie]

I can see on the Event log on my web server that the service account is
logging in successfully.
However, on the file server, the event log shows that the user is connecting
to the file server as NT AUTHORITY\ANONYMOUS LOGON. Interesting.

My Logon code looks like this:
Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal
lpszUsername As [String], _
ByVal lpszDomain As [String], ByVal lpszPassword As [String], _
ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
ByRef phToken As IntPtr) As Boolean


Private Function Logon() As WindowsIdentity
Dim handle As IntPtr = New IntPtr(0)
handle = IntPtr.Zero

Const LOGON32_LOGON_NETWORK As Integer = 3
Const LOGON32_PROVIDER_DEFAULT As Integer = 0

Dim logonSucceeded As Boolean = LogonUser(Me.sUsername, Me.sDomain,
Me.sPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, handle)

If Not logonSucceeded Then
Dim errorCode As Integer = Marshal.GetLastWin32Error
Throw New Exception("User logon failed. Error number: " &
errorCode)
Exit Function
End If

Dim winIdentity As WindowsIdentity = New WindowsIdentity(handle)
CloseHandle(handle)
Return winIdentity
End Function

 

[Joe Kaplan \(MVP - ADSI\)]

I think I see your problem. You are using LOGON32_LOGON_NETWORK, but if you
read the docs for LogonUser in MSDN carefully, you'll see that this type of
logon doesn't have network credentials. You probably should switch to
LOGON32_LOGON_NETWORK_CLEARTEXT.

Joe K.

I can see on the Event log on my web server that the service account is
logging in successfully.
However, on the file server, the event log shows that the user is
connecting
to the file server as NT AUTHORITY\ANONYMOUS LOGON. Interesting.

My Logon code looks like this:
Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal
lpszUsername As [String], _
ByVal lpszDomain As [String], ByVal lpszPassword As [String], _
ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer,
_
ByRef phToken As IntPtr) As Boolean


Private Function Logon() As WindowsIdentity
Dim handle As IntPtr = New IntPtr(0)
handle = IntPtr.Zero

Const LOGON32_LOGON_NETWORK As Integer = 3
Const LOGON32_PROVIDER_DEFAULT As Integer = 0

Dim logonSucceeded As Boolean = LogonUser(Me.sUsername, Me.sDomain,
Me.sPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, handle)

If Not logonSucceeded Then
Dim errorCode As Integer = Marshal.GetLastWin32Error
Throw New Exception("User logon failed. Error number: " &
errorCode)
Exit Function
End If

Dim winIdentity As WindowsIdentity = New WindowsIdentity(handle)
CloseHandle(handle)
Return winIdentity
End Function

If you enable logon event auditing on the file server, what does the
logon
failure say on that end? That may give you some clues.

Also, when you called LogonUser, what type of logon did you do? You need
to
make sure you use one that gives you network credentials.

Joe K.

 

[Dominick Baier [DevelopMentor]]

correct me if i am wrong - but when delegation is configured, NETWORK logons
do have network credentials ??!

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I think I see your problem. You are using LOGON32_LOGON_NETWORK, but
if you read the docs for LogonUser in MSDN carefully, you'll see that
this type of logon doesn't have network credentials. You probably
should switch to LOGON32_LOGON_NETWORK_CLEARTEXT.

Joe K.

I can see on the Event log on my web server that the service account
is
logging in successfully.
However, on the file server, the event log shows that the user is
connecting
to the file server as NT AUTHORITY\ANONYMOUS LOGON. Interesting.
My Logon code looks like this:
Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal
lpszUsername As [String], _
ByVal lpszDomain As [String], ByVal lpszPassword As [String], _
ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer,
_
ByRef phToken As IntPtr) As Boolean
Private Function Logon() As WindowsIdentity
Dim handle As IntPtr = New IntPtr(0)
handle = IntPtr.Zero
Const LOGON32_LOGON_NETWORK As Integer = 3
Const LOGON32_PROVIDER_DEFAULT As Integer = 0
Dim logonSucceeded As Boolean = LogonUser(Me.sUsername, Me.sDomain,
Me.sPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
handle)

If Not logonSucceeded Then
Dim errorCode As Integer = Marshal.GetLastWin32Error
Throw New Exception("User logon failed. Error number: " &
errorCode)
Exit Function
End If
Dim winIdentity As WindowsIdentity = New WindowsIdentity(handle)
CloseHandle(handle)
Return winIdentity
End Function

If you enable logon event auditing on the file server, what does the
logon
failure say on that end? That may give you some clues.
Also, when you called LogonUser, what type of logon did you do? You
need
to
make sure you use one that gives you network credentials.
Joe K.

I use that code and I can confirm that impersonation is
impersonating
the
correct user. And yes, I can access the file share as the system
account -
thanks for checking.
:

Hello,

First, you can use the following code to determine what user the
thread
is
executing as:
System.Security.Principal.WindowsIdentity.GetCurrent().Name

Also, you if logon as the System account on the server, can you
access
the
Windows file share like "\\Myserver\Myshare"?
Regards,

Luke Zhang
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your
newsreader
so
that others may learn and benefit from your issue.
==================================================
(This posting is provided "AS IS", with no warranties, and confers
no rights.)

 

[Julie]

That worked!!!!!!!!!!!! I changed the Const LOGON32_LOGON_NETWORK = 3 to
LOGON32_LOGON_NETWORK_CLEARTEXT = 8.
Thank you thank you thank you!

I think I see your problem. You are using LOGON32_LOGON_NETWORK, but if you
read the docs for LogonUser in MSDN carefully, you'll see that this type of
logon doesn't have network credentials. You probably should switch to
LOGON32_LOGON_NETWORK_CLEARTEXT.

Joe K.

I can see on the Event log on my web server that the service account is
logging in successfully.
However, on the file server, the event log shows that the user is
connecting
to the file server as NT AUTHORITY\ANONYMOUS LOGON. Interesting.

My Logon code looks like this:
Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal
lpszUsername As [String], _
ByVal lpszDomain As [String], ByVal lpszPassword As [String], _
ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer,
_
ByRef phToken As IntPtr) As Boolean


Private Function Logon() As WindowsIdentity
Dim handle As IntPtr = New IntPtr(0)
handle = IntPtr.Zero

Const LOGON32_LOGON_NETWORK As Integer = 3
Const LOGON32_PROVIDER_DEFAULT As Integer = 0

Dim logonSucceeded As Boolean = LogonUser(Me.sUsername, Me.sDomain,
Me.sPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, handle)

If Not logonSucceeded Then
Dim errorCode As Integer = Marshal.GetLastWin32Error
Throw New Exception("User logon failed. Error number: " &
errorCode)
Exit Function
End If

Dim winIdentity As WindowsIdentity = New WindowsIdentity(handle)
CloseHandle(handle)
Return winIdentity
End Function

If you enable logon event auditing on the file server, what does the
logon
failure say on that end? That may give you some clues.

Also, when you called LogonUser, what type of logon did you do? You need
to
make sure you use one that gives you network credentials.

Joe K.

I use that code and I can confirm that impersonation is impersonating
the
correct user. And yes, I can access the file share as the system
account -
thanks for checking.


:

Hello,

First, you can use the following code to determine what user the
thread
is
executing as:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

Also, you if logon as the System account on the server, can you access
the
Windows file share like "\\Myserver\Myshare"?

Regards,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader
so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Joe Kaplan \(MVP - ADSI\)]

My understanding is that this is correct. However, in this case she was
calling LogonUser explicitly to use a service account to access the file
share. From what I can tell by the docs, you can't use LOGON_NETWORK for
that type of logon as it doesn't cache credentials.

I'm not actually sure what happens when you do Kerberos auth with IWA,
except that I assume that IIS calls AcceptSecurityContext instead of
LogonUser and something different happens under the hood. I really don't
know what the mechanics of those differences are.

In any event, it seems to have worked...

Joe K.