Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP.NET refuses to respect my authority.

Tags:

asp.net

ldap

impersonation

I've managed to impersonate a user successfully. Using the LogonUser Interop, e.g.

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LogonUser(
      string principal,
      string authority,
      string password,
      LogonSessionType logonType,
      LogonProvider logonProvider,
      out IntPtr token);

This works fine. When I go to my immediate window and enter WindowsIdentity.GetCurrent().Name, the impersonated user shows as my CurrentUser. When I release this user, it goes back to my real user. No problems here -- I'm am impersonating.

However, when I attempt to write a file to a share that the user has access to, I get:

Access to the path [path name] denied..

I've been able to log into Windows manually as the user I am impersonating, navigated, and written a file to the share. The user definately has administrative privlidges to the directory I'm targeting.

I am allowing the end user to upload a file, and using the HttpPostedFileBase object, write a file to this share. Essentially, I am restricting the impersonation to the block of code to upload the file. Once it's finished, it goes back to the original authenticated LDAP user e.g.

 imp = Impersonation.ImpersonateUser("someuser","somepassword");
 HttpPostedFileBase hpf = Request.Files[file] as HttpPostedFileBase;
 ...
 hpf.SaveAs(path);
 Impersonation.StopImpersonating(imp);

The path is correct.

When I save the file using the SaveAs method, is it respecting my impersonation?

Is it attempting to write the file under another account I'm not aware of? And if so, how can I change this?

There doesn't seem to be a whole lot of control using the SaveAs method -- not a single overload. Are there any other alternatives to using this object that would give me greater control over my credentials?

like image 778
George Johnston Avatar asked Jul 29 '11 20:07

George Johnston

1 Answers

It sounds like a double-hop authentication problem. Have you tried getting giving the network share modify access to your site's default IIS user (e.g. ASPNET) and run the POST/SaveAs without the impersonation code at all? If that fails, you should look to see if things are setup in IIS that can lead to server hop authentication issues. Here might be a good place to start:

http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx

like image 71
ironsam Avatar answered Oct 24 '22 06:10

ironsam
Sign in to Comment

Related questions

DateTime Json Return From WebAPI with Default Serializer
ksoap2 org.xmlpull.v1.xmlpullparserexception expected start_tag error
change format from wav to mp3 in memory stream in NAudio
Duplicate section error even after using <remove> tag in web.config for IIS
Is there any way to create a patch for an ASP.Net web application installer?
usercontrol hosted in IE renders as a textbox
Using Autofac for DI into WCF service hosted in ASP.NET application
RegularExpressionValidator VS Ajax 1.0.20229
Seemingly infinite stack trace in EF 4.0 and poor query performance under load
ASP.NET Web API 2 file upload
How to exclude certain properties from binding in ASP.NET Web Api
ASP.NET OAuth having issues with URL Rewrite
Error on change style of page with jquery
SignalR causing bad request 400 seen on the server
Does an 'Account Activation' workflow exist for ASP.NET MVC
Sign in as different user when using Integrated Windows Authentication
Send Sms Using way2sms api
What alternatives are there to SignalR in .NET?
ASP.NET LinkButton / ImageButton and JQuery Validate?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!