views: 47 | answers: 1

I need to access a remote drive from a Web App. The drive isn't accessible to the ASP.NET process, so I want to impersonate the current user for the request.

I saw some basic examples using WindowsImpersonationContext, and have tried the following.

using System.Security.Principal;   // WindowsIdentity, WindowsImpersonationContext

WindowsImpersonationContext impersonationContext = null;

try
{
    // Run the file write under the authenticated caller's token instead of the AppPool account.
    impersonationContext = ((WindowsIdentity)User.Identity).Impersonate();

    file.SaveAs(filePath);
}
finally
{
    // Always revert to the process identity, even if SaveAs throws.
    if (impersonationContext != null)
    {
        impersonationContext.Undo();
    }
}

I'm still getting an access denied exception.

I've read a bit of stuff about LogonUser, but as far as I can tell you need a user name and password to get credentials from that. I'm not looking to log in as a different specific user, just the current user (who should have permissions to access the file store), so I don't think I actually need the LogonUser API.

Does anyone have any idea what I'm missing? Should the above code work?

I'd also note that including

<identity impersonate="true" />

doesn't work, but including

<identity impersonate="true" userName="myName" password="myPassword" />

in the web.config lets me in. I've seen a few people ask questions about why this is, but I've seen no explanation. I'm wondering if it is connected to my problem though.

+1  A: 

You're probably running into an Impersonation vs. Delegation issue. When you Impersonate a user, you can access local resources as that user, but not remote resources. With Delegation, you can access remote resources too. Try the following:

  1. Ensure that Windows authentication is enabled in IIS, and that Anonymous authentication is disabled (Anonymous authentication takes precedence over other authentication mechanisms).
  2. Enable <authentication mode="Windows" /> in your web.config to ensure ASP.NET processes Windows authentication (this should only apply to Classic pipeline mode).
  3. <identity impersonate="true" /> should be enough.

The other thing you may need to do is ensure that the account running the AppPool is permitted to act as a delegate.

Matthew Abbott
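Added illustration (not code from the question or the answer above): a small diagnostic that logs what kind of token ASP.NET actually holds for the caller before the remote write is attempted. WindowsIdentity.ImpersonationLevel and WindowsIdentity.AuthenticationType are real .NET Framework members; the class and method names below are my own. A token at the Impersonation level only opens local resources, and a Delegation-level token is only issued when the client authenticated with Kerberos, so an entry reading "auth=NTLM level=Impersonation" is the expected signature of the access-denied case the answer describes.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical helper, added for illustration; not part of the original post.
public static class ImpersonationDiagnostics
{
    // Summarise the caller's token so the entry can be written to a log.
    public static string DescribeCaller(HttpContext context)
    {
        var identity = context.User.Identity as WindowsIdentity;
        if (identity == null)
        {
            return "caller is not a WindowsIdentity (Windows authentication is not in effect)";
        }

        return string.Format("name={0} auth={1} level={2}",
            identity.Name,
            identity.AuthenticationType,   // "Kerberos" or "NTLM"
            identity.ImpersonationLevel);  // Anonymous, Identification, Impersonation or Delegation
    }

    // Attempt the remote write under the caller's token and return the
    // diagnostic summary together with the outcome, instead of a bare exception.
    public static string TrySaveAsCaller(HttpContext context, HttpPostedFile file, string filePath)
    {
        string summary = DescribeCaller(context);
        var identity = context.User.Identity as WindowsIdentity;
        if (identity == null)
        {
            return summary;
        }

        // WindowsImpersonationContext is IDisposable; Dispose() calls Undo() for us.
        using (WindowsImpersonationContext impersonation = identity.Impersonate())
        {
            try
            {
                file.SaveAs(filePath);
                return summary + " result=ok";
            }
            catch (UnauthorizedAccessException ex)
            {
                // The typical failure when level=Impersonation is used against a remote share.
                return summary + " result=denied: " + ex.Message;
            }
        }
    }
}
```

If the logged level is Impersonation rather than Delegation, or the authentication type is NTLM, the fix lies in the IIS/Kerberos configuration (Windows authentication only, a service principal name for the site, and the AppPool account trusted for delegation), not in the impersonation code itself.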
I have this all set up already, and it's not working. Could you explain a little more what you mean on the last point, *ensure that the account running the AppPool is permitted to act like a delegate*? I'm not sure what you mean by this; do you have a link? Thanks
fearofawhackplanet