In this MSDN article on "How to implement impersonation in an ASP.NET application" they list 4 different ways to change the account that's used to execute the web request. Unfortunately, it doesn't describe the differences between these alternatives.

I'm trying to impersonate the IIS authenticated user to copy some files off their local machine. It works when I use the WIN32 api LogonUserA and impersonate a specific user. But I need the webapp to work with many users (I don't have an account that can access everyone's files).

I thought simply setting Impersonate = "true" and configuring IIS should work but something is different. When I check Environment.UserName it appears to be impersonating the correct account but I am getting "Access is denied" errors.

Anyone know the difference between these impersonation methods? Is it possible to impersonate the IIS authenticated user and then do some file operations with it?

Update: From the feedback I've been getting I need to be more clear about what I'm facing.

Environment setup:
  • IIS: disable anonymous authentication, enable integrated Windows authentication
  • ASP.NET's web.config: authentication mode = "windows", impersonate = true, deny anonymous users

Suppose I'm accessing the page as "userA":

Scenario 1: impersonate the IIS Authenticated user

try {
  // Running under the token IIS impersonated for the authenticated request.
  File.Copy(srcFile, destFile);   // Access Denied even though userA has access to srcFile.
} catch (Exception ex) {
  ...
}

Scenario 2: impersonate userA with LogonUser

try {
  // Impersonator is a wrapper around the WIN32 LogonUser API
  using (Impersonator imp = new Impersonator("domain", "userA", "pwd"))
  {
    File.Copy(srcFile, destFile); // Works
  }
} catch (Exception ex) {
  ...
}

In both cases, I'm impersonating "userA".

techBeginner
PPC-Coder
  • Are you trying to upload a file from a client to the server? Maybe use Http Post instead... – Johnny Nov 20 '12 at 02:51
  • I'm not doing any uploading. Everything is on an intranet and I just want to move files off of the client machine to another network location. – PPC-Coder Nov 20 '12 at 03:01
  • It's not too clear where specifically are you getting access denied errors. Have you tried looking at the security audit log to understand what is being attempted and which user is used for the action? – Serge Belov Nov 20 '12 at 21:47
  • I'm getting Access Denied errors when attempting to do a file copy. I'll update with some example code to show what I mean. – PPC-Coder Nov 21 '12 at 01:57
  • Did you use pass-through authentication (http://support.microsoft.com/kb/214806) or use a dedicated account there? Besides, where is the `srcFile`? It cannot be on a mapped drive, as IIS does not support mapped drives at all. – Lex Li Nov 21 '12 at 02:43
  • @LexLi srcFile is some UNC network path like \\machine\folder\... I can't use a dedicated account because the machine being connected to is the user's local machine and we can't give one account access to everyone's machines. – PPC-Coder Nov 21 '12 at 14:25

2 Answers

Q: Anyone know the difference between these impersonation methods?

A: First some background on how IIS handles requests.

There is a specific system user called IUSR_computername (default in IIS6) which the IIS server uses to handle file access. And there is a process running on the IIS server called Aspnet_wp.exe which runs under an account called ASPNET or NetworkService.

So when a request is made to the server, IIS reacts and, if the request is for an ASP.NET application, passes the request to that process.

This means that if the IIS server is set up to use the IUSR_computername (anonymous) access method, the server will use that account to process the request, and if it sees that it is an ASP.NET application it will transfer the request to the ASP.NET process.

By default impersonation is disabled; this means that the request will run under the ASPNET or NetworkService account when the ASP.NET process handles the request.

Now to the difference between the impersonation methods:

  • Impersonate the IIS authenticated account or user
    Uses an account that IIS is set up to use. Usually IUSR_computername.
    Usage: <identity impersonate="true" />

  • Impersonation enabled for a specific identity
    Uses a specific account that is specified.
    Usage: <identity impersonate="true" userName="accountname" password="password" />

The third option is the default state, which is to disable impersonation.

Q: Is it possible to impersonate the IIS authenticated user and then do some file operations with it?

A: Depends on the privileges of the IIS authenticated user. If the account has permission to manipulate files (NTFS permission in Windows), the answer would be yes.

Read more here:

  1. IIS Authentication
  2. ASP.NET Authentication
Johnny
  • Thanks. I know how to set up the impersonation and know about how the process account is different from the account that's running the code. What I don't see is why I'm getting Access Denied errors when I use identity impersonate = true but it works when I use LogonUserA. – PPC-Coder Nov 20 '12 at 20:32
I believe you've run into the "double hop" issue described here. Basically, the connection between the client and IIS is one hop, the connection between IIS and the network share is the second one and with impersonation double hops are not allowed by default. That means in your first example the user should be able to access resources local to the IIS machine but not remote ones.

When the credentials are entered on the IIS programmatically, there's no second hop. That's the difference you're looking for.

To support your requirements, you need to implement delegation rather than impersonation. Please have a look at MSDN for more info.

MrLore
Serge Belov
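A way to make the double hop visible in the application log rather than a bare "Access is denied", as an added example that is not code from the question or either answer. It assumes the question's setup (Windows authentication with <identity impersonate="true" />, so the thread holds the IIS-impersonated token); srcFile and destFile are placeholders, and the class and method names are the example's own.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class CopyDiagnostics
{
    // A UNC path (\\server\share\...) means the web server has to authenticate
    // to a second machine on the caller's behalf: that is the second hop.
    public static bool IsUncPath(string path)
    {
        return !string.IsNullOrEmpty(path) && path.StartsWith(@"\\");
    }

    // Explains an access-denied result for the token the thread currently holds.
    // A TokenImpersonationLevel.Impersonation token may only be used on the local
    // machine; only a Delegation-level token (Kerberos delegation configured for
    // the web server) can be presented to a remote file server.
    public static string Explain(WindowsIdentity id, string path)
    {
        if (IsUncPath(path) && id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            return string.Format(
                "{0}: token level is {1}, not Delegation, and {2} is remote: double hop",
                id.Name, id.ImpersonationLevel, path);
        }
        return string.Format(
            "{0}: token level {1} can reach {2}; check share and NTFS permissions on the target",
            id.Name, id.ImpersonationLevel, path);
    }

    // Copies under the current token and returns a diagnostic line instead of
    // swallowing the exception, so the cause ends up in the application log.
    public static string TryCopy(string srcFile, string destFile)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        try
        {
            File.Copy(srcFile, destFile, false);
            return string.Format("{0}: copied {1} -> {2}", id.Name, srcFile, destFile);
        }
        catch (UnauthorizedAccessException)
        {
            return Explain(id, srcFile);
        }
        catch (IOException ex)   // share unreachable, source missing, destination exists
        {
            return string.Format("{0}: {1}", id.Name, ex.Message);
        }
    }
}
```

In scenario 1 of the question the line reads "token level is Impersonation, not Delegation", which is the double hop; once delegation is in place the same call reports Delegation and any remaining failure is a permissions question on the share.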