Network access from ASPNET user

Thread starter: Dave Kolb

Dave Kolb

Is there any other [simple] solution for an ASPNET application to access
network resources other than running as SYSTEM, using delegation (a
nightmare to get to work) or the COM+ solution? I cannot seem to impersonate
a user and obtain network credentials using the DuplicateTokenEx call with
appropriate parameters even though the call seems to not fail. I check my
identity has changed but can only still do local commands.

I would consider running CreateProcessWithLogonW after impersonating an
admin if I could reliably supply stdin and capture stdout and stderr but
can't figure out how to do this in .NET though have done something similar
with standard I/O streams and CreateProcess in a C++ OCX control before.

Main idea is to be able to display network related command output in an
Intranet web page and still maintain reasonable security on the internal
server.

CreateProcessWithLogonW would be the ticket if I could impersonate an Admin
w/o network credentials and then could capture the process' output.

Thanks for any ideas or samples,
Dave
 
the token you duplicate must be a primary token if you want to use it for
network access. if you are impersonating the iis user, they must use basic
authentication (which results in a primary token) or digest which gives a
token that supports delegation (if delegation is turned on).

if you have a standard domain login & password you want to use, you can use
them to create a primary token, though you might as well set the login &
password in the web config.


-- bruce (sqlwork.com)
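Added example, not code from the thread or from any poster: a small C# helper for a .NET Framework app on Windows that logs a domain user on with a chosen logon type, duplicates the token to a primary token as the thread describes, impersonates it and tries to list a UNC share. The domain, user, password and share path are whatever the caller passes in.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread. The logon type passed to LogonUser
// decides whether the token can authenticate to other machines: LOGON32_LOGON_NETWORK
// does not cache the credentials, so that token only works locally, while
// INTERACTIVE and NEW_CREDENTIALS tokens can open a UNC path.
static class NetworkTokenCheck
{
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;         // local access only
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // creds used outbound only
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    public const int LOGON32_PROVIDER_WINNT50 = 3;      // required with type 9
    const int SecurityImpersonation = 2, TokenPrimary = 1;
    const uint TOKEN_ALL_ACCESS = 0xF01FF;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs,
        int impersonationLevel, int tokenType, out IntPtr newToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    // Logs on, duplicates to a primary token (as the thread does), impersonates
    // it, and reports whether the UNC directory could be listed.
    public static bool CanListShareAs(string domain, string user, string password,
        int logonType, int provider, string uncPath)
    {
        IntPtr token, primary = IntPtr.Zero;
        if (!LogonUser(user, domain, password, logonType, provider, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, IntPtr.Zero,
                                  SecurityImpersonation, TokenPrimary, out primary))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            using (WindowsIdentity.Impersonate(primary))
            {
                try { Directory.GetFiles(uncPath); return true; }
                catch (UnauthorizedAccessException) { return false; }
                catch (IOException) { return false; }
            }
        }
        finally { if (primary != IntPtr.Zero) CloseHandle(primary); CloseHandle(token); }
    }
}
```

Called with LOGON32_LOGON_NETWORK and LOGON32_PROVIDER_DEFAULT this returns false for a remote share the user can otherwise read, because that logon type caches no credentials; the same call with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_WINNT50 (or INTERACTIVE with the default provider) returns true. With NEW_CREDENTIALS the impersonated WindowsIdentity.Name still shows the caller's account, so printing the identity is not a reliable check of which credentials go out on the wire.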
 
When using Windows Authentication with ASPNET and using either <identity
user= pw=/> on web.config or programmatically via LogonUser/DuplicateTokenEx
I do not get a token with network credentials as I can only do things on my
own machine. I use a combination of these calls asking for full access and a
primary token successfully and still get all network access denied. I check
that I have successfully switched identities by printing them out. Dave
 
Dave,
You can access network resources of another machine using
impersonation.
Follow this procedure:

* Create a Windows user on the web server you are using (your machine); call
it e.g. netuser1.
* In the Web.Config file of your ASP.NET application,
<system.web>
<identity impersonate="true" />
</system.web>

Then create a user with the same name netuser1 and the same password on
the machine on the network and give this user access to the resource you
want to access (e.g. give security permission, read, write etc. to the
folder on that machine).
You can put the user name and password in the identity part of the
Web.config, but that is not secure.
So it is more secure to put the impersonation user name and password in the
directory security of the virtual directory in IIS.
For e.g. in IIS 5.0 on Windows 2000,

* Right click on the virtual directory.
* Go to the Directory Security tab and click on the first EDIT button for
anonymous access and authentication control.
Click on the EDIT of anonymous access, click Browse and change the user
name and password to netuser1 and its password.
Now you can access the network resource.

For e.g. you can access the file on another machine:

using System.IO;   // StreamReader lives here

// every backslash in the UNC path must be doubled in a normal C# string
string filename = "\\\\<ip address of the machine>\\sharename$\\foldername\\file1.txt";
StreamReader oSR = new StreamReader(filename);

and loop through it to get the information on that file.


Hope this helps..
Regards,
Marshal Antony
http://dotnetmarshal.com
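Added example, not from the thread: the cleartext `<identity>` credentials the post above calls insecure, beside the same impersonation setting with the credentials stored encrypted outside web.config by Microsoft's aspnet_setreg.exe utility for ASP.NET 1.x. The registry key name, account name and password are placeholders.

```xml
<!-- Weak form: domain credentials in cleartext, readable by anyone who can
     read web.config (source control, backups, other sites on the box). -->
<configuration>
  <system.web>
    <identity impersonate="true"
              userName="DOMAIN\netuser1" password="cleartext-password-here" />
  </system.web>
</configuration>

<!-- Hardened form: credentials stored encrypted under a registry key by
       aspnet_setreg -k:SOFTWARE\MY_SECURE_APP\identity -u:"DOMAIN\netuser1" -p:"..."
     and referenced from web.config; grant read access on that key only to
     the worker process account. Key path and account are placeholders. -->
<configuration>
  <system.web>
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```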
 
Marshal, this solution does not work for me as I am not in a position to add
a local user to all the machines and resources I need access to from my web
app, and I also need Windows authentication to happen. I need to be able to
impersonate a particular domain user that already has access to the machines
in question, and that works fine if I do a local RunAs. Thanks though, Dave

P.S. I have a working class that can execute commands (.NET Process object)
and do impersonation (Logon/DuplicateTokenEx) and capture output but it does
not manage to actually get network credentials for the domain user being
impersonated even though I ask for them and the DuplicateTokenEx seems to
work fine.

Dave
 
Dave,

Read this, which may help you:
http://www.netomatix.com/ImpersonateUser.aspx

Regards,
Marshal Antony
http://dotnetmarshal.com