I believe that I have successfully impersonated my own user account while running an ASP.NET page on my local machine.

Using the method described here, I have successfully changed the WindowsIdentity.GetCurrent().Name from ASPNET to my domain account.

I can successfully write to a file on the file system that ONLY my account has permission to access. However when I try to delete a Performance Counter Category, I get Access Denied.
I have auditing on that branch of the registry and it's telling me that MyMachine\ASPNET is failing at Object Access.

Here is the code it is failing on:

using System.Diagnostics;

// Remove the category only if it is already registered; Delete is the call that throws.
if ( PerformanceCounterCategory.Exists ( PerfmonCategory ) )
    PerformanceCounterCategory.Delete ( PerfmonCategory );

It's failing on the Delete call.

(My account is admin and I can run the same code outside an ASP.NET context successfully).

I suspect that this System.Diagnostics namespace call is actually calling some COM process and somehow I am being bounced because of a 2nd hop. Can anyone confirm what might be going on?

Edit: The exception:

Access is denied
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ComponentModel.Win32Exception: Access is denied

Running under full trust.

+1  A: 

You do indeed need to be an admin in order to add or remove performance counters.

I'm not sure why you'd want to use Win32 API calls to do your impersonation - it's been a while since I've messed with it, but I think all you need to do is use

WindowsIdentity.GetCurrent().Impersonate()

To be clear, you'll first need to authenticate in your web application using Windows authentication, and then you should be able to make the call to Impersonate().

Impersonate() Method

Daniel Schaffer
Actually you still need all them lovely Win32 API calls to get the correct logon token: WindowsIdentity windowsIdentity = new WindowsIdentity(logonToken) http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx
Kev
I don't think you *need* the logonToken... that's why there's a parameterless overload.
Daniel Schaffer
I've actually impersonated both ways with no change in effect.
Jeff Martin
I know that the impersonation is working as I can write to the file with restricted permissions.
Jeff Martin
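The pattern both commenters are circling (impersonate with an identity that actually holds the admin right, keep the impersonation as narrow as possible, and confirm which identity the call ran as so it can be matched against the registry audit) looks like this in C#. This is an added example, not code from the question or either answer; the class and method names, the `actor` out-parameter and the assumption that the request is Windows-authenticated (so `HttpContext.User.Identity` is a `WindowsIdentity`) are mine.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Added example (not from the original question or answers).
// Scopes impersonation to the single category operation, reverts it in a
// finally block, and records the effective identity so the result can be
// compared with the Object Access audit entry the question describes.
public static class ScopedCounterCategoryAdmin
{
    // Returns true if the category existed and was deleted, false if it did
    // not exist. Refuses up front when the token is not an administrator,
    // because PerformanceCounterCategory.Delete needs admin rights.
    public static bool DeleteCategoryAs(WindowsIdentity identity, string categoryName, out string actor)
    {
        if (identity == null) throw new ArgumentNullException("identity");

        // Check the role on the token about to be impersonated, not on the
        // process identity (which in the question's setup is ASPNET).
        var principal = new WindowsPrincipal(identity);
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
            throw new UnauthorizedAccessException(
                identity.Name + " is not an administrator; refusing to modify perf counter categories.");

        WindowsImpersonationContext ctx = identity.Impersonate();
        try
        {
            // Effective thread identity; log it and compare with the audit log.
            actor = WindowsIdentity.GetCurrent().Name;
            Trace.WriteLine("Deleting category '" + categoryName + "' as " + actor);

            if (!PerformanceCounterCategory.Exists(categoryName))
                return false;
            PerformanceCounterCategory.Delete(categoryName);
            return true;
        }
        finally
        {
            // Always revert, even if Delete throws, so the elevated token
            // does not leak into the rest of the request.
            ctx.Undo();
        }
    }

    // Wrapper for the Windows-authentication case Daniel describes: the
    // identity comes from the authenticated request, not from LogonUser.
    public static bool DeleteCategoryForRequest(HttpContext context, string categoryName, out string actor)
    {
        var identity = context.User.Identity as WindowsIdentity;
        if (identity == null)
            throw new InvalidOperationException(
                "Request is not Windows-authenticated; enable Windows authentication first.");
        return DeleteCategoryAs(identity, categoryName, out actor);
    }
}
```

The `actor` value is the useful diagnostic here: if it reports the domain account while the registry audit still records MyMachine\ASPNET for the failed access, the access is not being made on the impersonating thread but under the worker process token, which is exactly the situation the question is trying to confirm or rule out.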
+1  A: 

You could run your application on its own application pool (always a good thing) and assign it a service user the appropriate rights, that way you don't need to mess with impersonation.

Otávio Décio
Giving an app pool admin rights is a bit scary, don't you think? Besides, I doubt it is going to need those rights *all* the time, so it is better to elevate only when needed.
Daniel Schaffer
Dumb question - why are you creating / deleting *categories* from inside your web app? I thought you would be creating *instances* of counters.
Otávio Décio
Because in this case, I am running in a local dev environment and the performance counters are configured in the web.config. When the app is installed to shared dev, QA, or Production, the installer takes care of the counter creation. I wanted to make it easy in the local dev environment to use.
Jeff Martin
Well then giving the app pool admin rights doesn't look that scary - it's just dev, so maybe there is little harm...
Otávio Décio