Re: Impersonation problem in Sharepoint 2007
Hi again everybody,

I am posting again because we still have the impersonation problem, and here
are more details about it.
We use the following example to do our tests: in a custom navigation
provider, we want to determine if the current page is the default page
of the current Web. So we have to get
"SPContext.Current.Web.RootFolder.WelcomePage", and here is the problem!
The user needs elevated privileges to get this WelcomePage... We have
tested a lot of things to impersonate our current user, but nothing
worked (retrieving this WelcomePage and everything else that needs
privileges...). Each time we catch "Access denied" errors.

We have tested:

- Impersonate method with DuplicateToken (which we always used with
Sharepoint 2003):
briefly:
    // P/Invoke declarations for the advapi32.dll call used below
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existingToken,
        SecurityImpersonationLevel impersonationLevel, ref IntPtr duplicateToken);
    // Win32 SECURITY_IMPERSONATION_LEVEL values
    enum SecurityImpersonationLevel { SecurityAnonymous, SecurityIdentification,
                                      SecurityImpersonation, SecurityDelegation }

    IntPtr token = WindowsIdentity.GetCurrent().Token;
    // duplicate the current thread token at impersonation level
    DuplicateToken(token, SecurityImpersonationLevel.SecurityImpersonation, ref token);
    WindowsIdentity _appPoolIdentity = new WindowsIdentity(token);
    // revert the thread to the process identity, then impersonate the duplicated token
    WindowsImpersonationContext _selfContext = WindowsIdentity.Impersonate(IntPtr.Zero);
    WindowsImpersonationContext _context = _appPoolIdentity.Impersonate();
    // my code
    // undo in the reverse order of the Impersonate calls
    _context.Undo();
    _selfContext.Undo();

- Impersonate method with RevertToSelf:
briefly:
    // remember the impersonated user so we can switch back afterwards
    WindowsIdentity impersonatedUserIdentity = WindowsIdentity.GetCurrent();
    Win32API.RevertToSelf(); // P/Invoke wrapper for RevertToSelf from advapi32.dll
    // the thread now runs as the process identity; impersonate that
    WindowsIdentity.GetCurrent().Impersonate();
    // my code
    // switch back to the original user
    impersonatedUserIdentity.Impersonate();

- SPSecurity.RunWithElevatedPrivileges method:
briefly:
    SPSecurity.CodeToRunElevated myDelegate = new SPSecurity.CodeToRunElevated(MyCodeMethod);
    SPSecurity.RunWithElevatedPrivileges(myDelegate);

    /*...*/

    public void MyCodeMethod()
    {
        // my code
    }

- We also tried to play with the current Identity of the HttpContext.

Each time, the impersonation is correctly realised and each time we
have "Access Denied" errors.

I want to make clear that we only want to elevate the current user's
privileges so that he can do administrator actions without giving him
admin rights. Maybe impersonation is not the way to do so.

Can somebody help us?

PS: the Sharepoint site is running under Windows 2003 with Integrated
Authentication. The appPool user is an admin of every front-end server and
of the database server, and he is a member of the groups wss_admin_wpg,
wss_restricted_wpg and wss_wpg.

jerome.decouenne@xxxxxxxxx wrote:
Hello,

We have been looking for four days for something to help us, but
we're still having problems getting it to work.

The thing we are trying to do is to temporarily grant rights to the
connected user, in order to use Sharepoint methods that demand
administrator privileges, such as creating SPWebs, SPLists and
SPListItems or retrieving the WelcomePage of an SPWeb.

The first thing we thought of was the classical Impersonate method, used in
SPS 2003. But it doesn't work!
We then thought that it was the "roles retrieval" problem of
SPS 2003, which forces the use of AppDomains. But this solution is not
suitable because everything we try causes an Access Denied exception.
There must be something else.

When we impersonate, the WindowsIdentity associated with the context
correctly becomes the AppPool identity (checked with Debug). But it
seems that the security context on which MOSS is based is still the
user's one (checked by using its API: for example,
SPContext.Current.Web.CurrentUser is an SPUser
corresponding to the one who is connected). This seems to have the
consequence that even in an impersonated block, if we create a new
list, the creator of the list is the logon user, not the current user
of the HttpContext!

Has anyone gotten this to work? Am I forgetting something?
Thanks for your reply.

Jérôme D.
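The elevation the thread is after, written here as an added example (not the code of either poster): it opens its own SPSite inside the RunWithElevatedPrivileges delegate instead of reusing SPContext.Current.Web, because objects obtained from SPContext keep the end user's security context even inside the delegate, which matches the "Access Denied" and "creator is the logon user" symptoms described above. The class name WelcomePageReader is invented, and the code assumes it runs inside a SharePoint 2007 page request.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not the poster's code. The class name is hypothetical.
public static class WelcomePageReader
{
    // Returns the web-relative URL of the welcome page of the current web,
    // read under the application pool identity.
    public static string GetWelcomePageElevated()
    {
        // Capture only a plain string while still running as the end user.
        // SPContext.Current.Web keeps the user's security context even inside
        // the elevated delegate, so it must not be reused in there.
        string webUrl = SPContext.Current.Web.Url;
        string welcomePage = null;

        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            // Objects created inside the delegate run as the app pool account.
            // Dispose them here so the elevated handles never escape the block.
            using (SPSite elevatedSite = new SPSite(webUrl))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb())
            {
                welcomePage = elevatedWeb.RootFolder.WelcomePage;
            }
        });

        // Outside the delegate the request is the end user's again; only the
        // single value read under elevation crosses the boundary, so the user
        // gains no standing rights on the site.
        return welcomePage;
    }

    // True when the page being served is the welcome page of its web.
    public static bool IsCurrentPageWelcomePage()
    {
        SPFile current = SPContext.Current.File;   // null for non-file requests
        if (current == null)
        {
            return false;
        }
        // SPFile.Url and SPFolder.WelcomePage are both web-relative URLs.
        return string.Equals(current.Url, GetWelcomePageElevated(),
                             StringComparison.OrdinalIgnoreCase);
    }
}
```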
