Re: Why can't access a file under mapped network drive from Web Se

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: moonriver (moonriver_at_discussions.microsoft.com)
Date: 07/14/04 

Date: Wed, 14 Jul 2004 04:05:01 -0700

David,

I have tried your solution (3) by the following codes:

======================================================
public bool set_impersonate()
{
  const int LOGON32_PROVIDER_DEFAULT = 0;
  const int LOGON32_LOGON_INTERACTIVE = 2;
  const int SecurityImpersonation = 2;
  WindowsIdentity wi;
  IntPtr tokenHandle = new IntPtr(0);
  IntPtr dupeTokenHandle = new IntPtr(0);

  tokenHandle = IntPtr.Zero;
  dupeTokenHandle = IntPtr.Zero;

  try
  {
    // Call LogonUser to obtain a handle to an access
token.
    bool returnValue = LogonUser
      ( "xiaodan", "IT1135XD", "xiao2002",
        LOGON32_LOGON_INTERACTIVE,
        LOGON32_PROVIDER_DEFAULT, ref tokenHandle );
                    
    if( !returnValue )
    {
      int ret = Marshal.GetLastWin32Error();
      
      DumpLog.WriteEntry( String.Format( "{0}
        LogonUser failed with error code : {1}",
        DateTime.Now, ret ) );
                                   
      DumpLog.WriteEntry( String.Format( "{0} Error:
        [{1}]", DateTime.Now, ret ) );
      return( false );
    }

    bool retVal = DuplicateToken( tokenHandle,
      SecurityImpersonation, ref dupeTokenHandle );
    if( !retVal )
    {
      CloseHandle( tokenHandle );
      DumpLog.WriteEntry( String.Format( "Exception
thrown in trying to duplicate token." ) );
      return( false );
    }

    wi = WindowsIdentity.GetCurrent();
    DumpLog.WriteEntry( String.Format( "Before
impersonation: {0} User Name = ({1}), Token = {2}",
      DateTime.Now, wi.Name, wi.Token ) );

    // The token that is passed to the following
    // constructor must be a primary token in order
    // to use it for impersonation.
    WindowsIdentity newId = new WindowsIdentity(
      dupeTokenHandle );
    WindowsImpersonationContext impersonatedUser =
      newId.Impersonate();

    wi = WindowsIdentity.GetCurrent();
    DumpLog.WriteEntry( String.Format( "After
      impersonation: {0} User Name = ({1}), Token =
{2}",
      DateTime.Now, wi.Name, wi.Token ) );
    return( true );
  }
  catch( Exception e )
  {
    Log_sw.WriteLine( "{0} set_impersonate() error:
{1}",
      DateTime.Now, e.ToString() );
    DumpLog.WriteEntry( String.Format( "{0}
set_impersonate() error: {1}",
      DateTime.Now, e.ToString() ) );
    return( false );
  }
}
======================================================

I call the funtion just before the File.Open()
statement to switch the impersonate to my log-on
username/password, shown as follows:

======================================================
  set_impersonate();
                                
  WindowsIdentity wi = WindowsIdentity.GetCurrent();
  DumpLog.WriteEntry( String.Format( "Before
File.Open(): {0} User Name = ({1}), Token = {2}",
DateTime.Now, wi.Name, wi.Token ) );

  Cur_Fs = File.Open( Cur_File, FileMode.Open,
FileAccess.Read, FileShare.Read );
======================================================

The log displays:

======================================================
Before File.Open(): 14/07/2004 6:35:15 PM User Name =
(IT1135XD\xiaodan), Token = 828
======================================================

Which is exactly my log-on impersonate. However, the
exception is still raised in the File.Open statement
as the follows:

======================================================
14/07/2004 6:35:16 PM run() error:
System.IO.IOException: Logon failure: unknown user
name or bad password.

   at System.IO.__Error.WinIOError(Int32 errorCode,
String str)
   at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share, Int32
bufferSize, Boolean useAsync, String msgPath, Boolean
bFromProxy)
   at System.IO.FileStream..ctor(String path, FileMode
mode, FileAccess access, FileShare share)
   at dump_tool.Dump_Load.run()
======================================================

So how to do?

"David Williams" <David Williams>, "VB.NE" wrote:

> Because the Framework built in security does not allow this unless the
> user that the code is running under (which by default for a Web Service
> is ASPNET I believe) has rights to the drive. You need to do one of
> three things:
>
> 1) Change the rights that the user ASPNET has. Very bad idea. Major
> security issues.
>
> 2) Change the user that the Web Service is running under to one that
> has the correct rights. Better than 1) but still a big security risk.
>
> 3) Read up on impersonation and change the code to impersonate a user
> that has rights to the drive - for only the amount of time that you are
> actively accessing the files. Best option from a security standpoint,
> but most work to get working. I have had mixed luck with impersonation
> - but I know that the issues that I have are understanding issues, not
> implementation issues.
>
> HTH
>
> David
>
> "moonriver" <moonriver@discussions.microsoft.com> wrote in message
> news:25186C43-413D-4984-9885-81C5A58D1E0E@microsoft.com:
> > I write a program accessing files in network drive o:. It is doable as a
> > standalone application. However, if it is running under windows service, the
> > following exception will appear:
> >
> > 13/07/2004 10:24:48 AM run() error: System.IO.IOException: The specified
> > network password is not correct.
> >
> > at System.IO.__Error.WinIOError(Int32 errorCode, String str)
> > at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
> > access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath,
> > Boolean bFromProxy)
> > at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
> > access, FileShare share)
> > at dump_tool.Dump_Load.run()
> >
> >
> > The source codes relevant are:
> >
> > Cur_Fs = File.Open( Cur_File, FileMode.Open, FileAccess.Read,
> > FileShare.Read );
> >
> > Where Cur_File = "o:\jul04\10\fares.fl", o: is a mapped network drive.
>
>

Relevant Pages

  • Re: System.Security.Principal.WindowsImpersonation
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... >>' This sample can be run only on Windows XP. ... >>' proper execution presents a security risk. ... >>impersonate a user on this machine. ...
    (microsoft.public.dotnet.security)
  • Re: Impersonate
    ... > I might be sounding a bit thick but if the user creating the impersonation> on the remote machine had the rights to do this then why would it need to> impersonate at all? ... Or is the impersonate user rights actually lower that> say restarting a windows service? ... >> Ian, ... >>>> Anyone used the WindowsIdentity class with success? ...
    (microsoft.public.dotnet.languages.csharp)
  • RE: COM dll thread security issue while accessing from ASP.NET
    ... I save a reference to the current WindowsIdentity ... IIS authenticated user account. ... impersonate the identity of the WindowsIdentity object saved above. ... the 'Impersonator' event handler is running inside the COM dll thread, ...
    (microsoft.public.dotnet.security)
  • Re: Authentication Nightmare
    ... non asp.net file IIS security takes over. ... > impersonating the user and trying to redirect to their personal directory. ... > WindowsIdentity widTempIdentity = new WindowsIdentity; ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Impersonating when creating a process from inside a SQL Server Assembly
    ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... the current WindowsIdentity is still WINDOWS SERVICE. ... I'm trying to impersonate a different user when ...
    (microsoft.public.dotnet.security)