views: 22 | answers: 1

I'm trying to access global shared memory from an ASP.NET web method while impersonating a client, but I get access denied when trying to open the handle. As an example:

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.Services;

[WebMethod]
public string Testing()
{
  string result = null;

  // Impersonate(IntPtr.Zero) reverts the thread to the process (App Pool) identity
  // for the lifetime of the using block.
  using (var ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
  {
    IntPtr p1 = NativeMethods.OpenFileMapping(NativeMethods.FILE_MAP_READ, false,
      @"Global\NetTcpPortSharing/endpoint");
    if (p1 == IntPtr.Zero)
      result = string.Format(" fail p1 ({0})", Marshal.GetLastWin32Error());
    else
      result = " ok p1";
  }

  // Back on the impersonated client token (IIS impersonation) from here on.
  IntPtr p2 = NativeMethods.OpenFileMapping(NativeMethods.FILE_MAP_READ, false,
    @"Global\NetTcpPortSharing/endpoint");
  if (p2 == IntPtr.Zero)
    result += string.Format(" fail p2 ({0})", Marshal.GetLastWin32Error());
  else
    result += " ok p2";

  return result;
}

Which results in this output:

<string> ok p1 fail p2 (5)</string>

So if I drop credentials to the App Pool identity it opens fine, but using impersonated credentials fails. The same call to OpenFileMapping succeeds if the client runs a console program, i.e. without impersonation.

  • Is this some security setting that Windows enforces?
  • How can I find out why I'm getting access denied?
  • Any suggestions for how I can make this work?

I'm testing on Windows 7, with IIS 7.5 and Impersonation + Windows Auth, .NET 4.0. Similar results on Server 2003 with IIS 6.

A: 

I don't know anything about IIS, but it sounds like the security descriptor on the global section object doesn't grant access to the impersonated account. Who creates the object? If it's your code you could give it a custom ACL that allows the account (or Everyone) to read it.

Luke
The same account can access the global object directly, it is only when impersonation is involved that it fails. The object is created by an MS Service, so I have no control over it.
ngoozeff
Is it documented anywhere how the object is created (i.e. what security descriptor it has)? Perhaps it is an Integrity Level issue. You could use Process Explorer to look at the security descriptor of the object.
Luke
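An added diagnostic that follows the answer's advice (check which token the thread is using and what the section object's security descriptor grants); it is example code written for this page, not code from the question, the answer, or Microsoft. It assumes .NET Framework 4 on Windows (MemoryMappedFile.GetAccessControl is not available on .NET Core) and the section name from the question; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.IO.MemoryMappedFiles;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Call from the web method while impersonating and again after reverting, and
// compare the two reports: the identity line shows whose token is in use, the
// DACL shows who the section's creator actually granted access to.
static class SectionAccessDiagnostics
{
    public static string Describe(string sectionName)
    {
        var sb = new StringBuilder();

        // GetCurrent() returns the thread token when the thread is impersonating.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            sb.AppendFormat("Caller: {0}  ImpersonationLevel={1}  Groups={2}",
                id.Name, id.ImpersonationLevel, id.Groups == null ? 0 : id.Groups.Count);
            sb.AppendLine();
        }

        try
        {
            // ReadPermissions asks only for READ_CONTROL, which a DACL often grants
            // even when FILE_MAP_READ (error 5) is refused.
            using (var mmf = MemoryMappedFile.OpenExisting(sectionName, MemoryMappedFileRights.ReadPermissions))
            {
                MemoryMappedFileSecurity sec = mmf.GetAccessControl();
                sb.AppendFormat("Owner: {0}", sec.GetOwner(typeof(NTAccount))).AppendLine();
                foreach (AccessRule<MemoryMappedFileRights> rule in sec.GetAccessRules(true, true, typeof(NTAccount)))
                {
                    sb.AppendFormat("  {0} {1}: {2}", rule.AccessControlType, rule.IdentityReference, rule.Rights);
                    sb.AppendLine();
                }
            }
        }
        catch (UnauthorizedAccessException)
        {
            sb.AppendLine("READ_CONTROL denied too; inspect the object with Process Explorer from an elevated session.");
        }
        catch (FileNotFoundException)
        {
            sb.AppendLine("Section does not exist (the owning service has not created it, or the name differs).");
        }
        return sb.ToString();
    }
}
```

A missing Allow entry for the impersonated user, or an ImpersonationLevel other than Impersonation, pins the failure down to the object's DACL or to the token, respectively.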