Network access from ASPNET user

[Dave Kolb]

Is there any other [simple] solution for an ASPNET application to access
network resources other than running as SYSTEM, using delegation (a
nightmare to get to work) or the COM+ solution? I cannot seem to impersonate
a user and obtain network credentials using the DuplicateTokenEx call with
appropriate parameters even though the call seems to not fail. I check my
identity has changed but can only still do local commands.

I would consider running CreateProcessWithLogonW after impersonating an
admin if I could reliably supply stdin and capture stdout and stderr but
can't figure out how to do this in .NET though have done something similar
with standard I/O streams and CreateProcess in a C++ OCX control before.

Main idea is do be able to display network related command output in an
Intranet web page and still maintain reasonable security on the internal
server.

CreateProcessWithLogonW would be the ticket if I could impersonate an Admin
w/o network credentials and then could capture the process' output.

Thanks for any ideas or samples,
Dave

 

[bruce barker]

the token you duplicate must be a primary token if you want to use it for
network access. if you are impersonating the iis user, they must use basic
authentication (which results in a primary token) or digest which gives a
token that supports delegation (if delegation is turned on).

if you have a standard domain login & password you want to use, you can use
them to create a primary token, though you migh as well set the login &
password in the web config.


-- bruce (sqlwork.com)

 

[Dave Kolb]

When using Windows Authentication with ASPNET and using either <identity
user= pw=/> on web.config or programatically via LogonUser/DuplicateTokenEx
I do not get a token with network credentials as I can only do things on my
own machine. I use a combination of these calls asking for full access and a
primary token successfully and still get all network access denied. I check
that I have successfully switched identities by printing them out. Dave

the token you duplicate must be a primary token if you want to use it for
network access. if you are impersonating the iis user, they must use basic
authentication (which results in a primary token) or digest which gives a
token that supports delegation (if delegation is turned on).

if you have a standard domain login & password you want to use, you can use
them to create a primary token, though you migh as well set the login &
password in the web config.


-- bruce (sqlwork.com)

Is there any other [simple] solution for an ASPNET application to access
network resources other than running as SYSTEM, using delegation (a
nightmare to get to work) or the COM+ solution? I cannot seem to impersonate
a user and obtain network credentials using the DuplicateTokenEx call with
appropriate parameters even though the call seems to not fail. I check my
identity has changed but can only still do local commands.

I would consider running CreateProcessWithLogonW after impersonating an
admin if I could reliably supply stdin and capture stdout and stderr but
can't figure out how to do this in .NET though have done something similar
with standard I/O streams and CreateProcess in a C++ OCX control before.

Main idea is do be able to display network related command output in an
Intranet web page and still maintain reasonable security on the internal
server.

CreateProcessWithLogonW would be the ticket if I could impersonate an Admin
w/o network credentials and then could capture the process' output.

Thanks for any ideas or samples,
Dave

 

[Marshal Antony]

Dave,
You can access network resources of another machine using
impersonation.
Follow this procedure :

* Create a windows user on the web server you are
using(your machine),call it eg: netuser1.
* In the Web.Config file of your ASP.NET application,
<system.web>
<identity impersonate="true" />
</system.web>

Then create a user with the same name netuser1 with the same password on
the machine on the network and give access
to this user for the resource you want to access.(For eg: give security
permission,read,write etc. to the folder on that machine).
You can put the user name and pasword in the identity part in the
Web.config but that is not secure.
So it will be secure to put the impersonate user name and password on the
directory security of virtual directory of iis.
For eg : in iis 5.0 in Windows 2000,

* Right click on the virtual directory
* Goto directory security tab and click on the first EDIT button for
anonymous access and authentication control.
Click on the EDIT of anonymous access,click Browse and change the user
name and password to netuser1 and its password.
Now you can access the network
resource..

For eg :
You can access the file on another machine
string filename="\\\\ip addres of the
machine\\sharename$\\foldername\file1.txt;

StreamReader oSR=new StreamReader(filename);
and loop through it to get the information on that file.


Hope this helps..
Regards,
Marshal Antony
http://dotnetmarshal.com

When using Windows Authentication with ASPNET and using either <identity
user= pw=/> on web.config or programatically via LogonUser/DuplicateTokenEx
I do not get a token with network credentials as I can only do things on my
own machine. I use a combination of these calls asking for full access and a
primary token successfully and still get all network access denied. I check
that I have successfully switched identities by printing them out. Dave

the token you duplicate must be a primary token if you want to use it for
network access. if you are impersonating the iis user, they must use basic
authentication (which results in a primary token) or digest which gives a
token that supports delegation (if delegation is turned on).

if you have a standard domain login & password you want to use, you

can

use
them to create a primary token, though you migh as well set the login &
password in the web config.


-- bruce (sqlwork.com)

Is there any other [simple] solution for an ASPNET application to access
network resources other than running as SYSTEM, using delegation (a
nightmare to get to work) or the COM+ solution? I cannot seem to impersonate
a user and obtain network credentials using the DuplicateTokenEx

call

with

check

my an
Admin

 

[Dave Kolb]

Marshal, This solution does not work for me as I am not in a position to add
a local user to all the machines and resources I need access to from my web
app and I also need Windows authentication to happen. I need to be able to
impersonate a particular domain user that already has access to the machines
in question and that if I do a local RunAs works fine. Thanks though, Dave

P.S. I have a working class that can execute commands (.NET Process object)
and do impersonation (Logon/DuplicateTokenEx) and capture output but it does
not manage to actually get network credentials for the domain user being
impersonated even though I ask for them and the DuplicateTokenEx seems to
work fine.

Dave

Dave,
You can access network resources of another machine using
impersonation.
Follow this procedure :

* Create a windows user on the web server you are
using(your machine),call it eg: netuser1.
* In the Web.Config file of your ASP.NET application,
<system.web>
<identity impersonate="true" />
</system.web>

Then create a user with the same name netuser1 with the same password on
the machine on the network and give access
to this user for the resource you want to access.(For eg: give security
permission,read,write etc. to the folder on that machine).
You can put the user name and pasword in the identity part in the
Web.config but that is not secure.
So it will be secure to put the impersonate user name and password on the
directory security of virtual directory of iis.
For eg : in iis 5.0 in Windows 2000,

* Right click on the virtual directory
* Goto directory security tab and click on the first EDIT button for
anonymous access and authentication control.
Click on the EDIT of anonymous access,click Browse and change the user
name and password to netuser1 and its password.
Now you can access the network
resource..

For eg :
You can access the file on another machine
string filename="\\\\ip addres of the
machine\\sharename$\\foldername\file1.txt;

StreamReader oSR=new StreamReader(filename);
and loop through it to get the information on that file.


Hope this helps..
Regards,
Marshal Antony
http://dotnetmarshal.com

When using Windows Authentication with ASPNET and using either <identity
user= pw=/> on web.config or programatically via LogonUser/DuplicateTokenEx
I do not get a token with network credentials as I can only do things

on

my
own machine. I use a combination of these calls asking for full access and a
primary token successfully and still get all network access denied. I check
that I have successfully switched identities by printing them out. Dave

it

for can

login

&

password in the web config.


-- bruce (sqlwork.com)



Is there any other [simple] solution for an ASPNET application to access
network resources other than running as SYSTEM, using delegation (a
nightmare to get to work) or the COM+ solution? I cannot seem to
impersonate
a user and obtain network credentials using the DuplicateTokenEx

call

with
appropriate parameters even though the call seems to not fail. I

check

my
identity has changed but can only still do local commands.

I would consider running CreateProcessWithLogonW after

impersonating

an

stderr

but

in

an

 

[Marshal Antony]

Dave,

Read this which may help you :
http://www.netomatix.com/ImpersonateUser.aspx

Regards,
Marshal Antony
http://dotnetmarshal.com

Marshal, This solution does not work for me as I am not in a position to add
a local user to all the machines and resources I need access to from my web
app and I also need Windows authentication to happen. I need to be able to
impersonate a particular domain user that already has access to the machines
in question and that if I do a local RunAs works fine. Thanks though, Dave

P.S. I have a working class that can execute commands (.NET Process object)
and do impersonation (Logon/DuplicateTokenEx) and capture output but it does
not manage to actually get network credentials for the domain user being
impersonated even though I ask for them and the DuplicateTokenEx seems to
work fine.

Dave

Dave,
You can access network resources of another machine using
impersonation.
Follow this procedure :

* Create a windows user on the web server you are
using(your machine),call it eg: netuser1.
* In the Web.Config file of your ASP.NET application,
<system.web>
<identity impersonate="true" />
</system.web>

Then create a user with the same name netuser1 with the same password on
the machine on the network and give access
to this user for the resource you want to access.(For eg: give security
permission,read,write etc. to the folder on that machine).
You can put the user name and pasword in the identity part in the
Web.config but that is not secure.
So it will be secure to put the impersonate user name and password

on

the
directory security of virtual directory of iis.
For eg : in iis 5.0 in Windows 2000,

* Right click on the virtual directory
* Goto directory security tab and click on the first EDIT button for
anonymous access and authentication control.
Click on the EDIT of anonymous access,click Browse and change the user
name and password to netuser1 and its password.
Now you can access the network
resource..

For eg :
You can access the file on another machine
string filename="\\\\ip addres of the
machine\\sharename$\\foldername\file1.txt;

StreamReader oSR=new StreamReader(filename);
and loop through it to get the information on that file.


Hope this helps..
Regards,
Marshal Antony
http://dotnetmarshal.com

things

on access
and a denied. I
check

use

it

for
network access. if you are impersonating the iis user, they must

use
basic

authentication (which results in a primary token) or digest

which
gives a

token that supports delegation (if delegation is turned on).

if you have a standard domain login & password you want to use,

you
can

use
them to create a primary token, though you migh as well set the

login

&
password in the web config.


-- bruce (sqlwork.com)



Is there any other [simple] solution for an ASPNET application

to
access

network resources other than running as SYSTEM, using

delegation

(a DuplicateTokenEx
call I
check impersonating stderr control
before.

output

in the
internal impersonate
an