Solved

Create a Directory on network Shared Drive impersonating a service account using C# asp.net

Posted on 2008-10-16
Last Modified: 2013-12-17
How can I create a directory on a network shared drive impersonating a service account using C# ASP.NET? My web.config identity impersonate tag is set to true and no username and password is provided for security reasons. So I am just impersonating the code where I am accessing the network resources. It would be great if I could get working code. Thanks.
Question by:nk_kanikaram
15 Comments
 
LVL 13

Expert Comment

by:TechTiger007
ID: 22732999
Here is a sample that moves a file from one path to another; you can build on the same code to create a directory in a network path.

http://www.experts-exchange.com/Programming/Languages/.NET/.NET_Framework_2.0/Q_23120865.html?sfQueryTermInfo=1+creat+folder+imperson
0
 

Author Comment

by:nk_kanikaram
ID: 22733153
Could I please get the C# equivalent code for the same.
0
 
LVL 13

Assisted Solution

by:TechTiger007
TechTiger007 earned 500 total points
ID: 22734419
Here is a sample in C#.
The full source code is available as a zip file; download it and use the required part of the code.

http://csharptuning.blogspot.com/2007/06/impersonation-in-c.html
0

 

Author Comment

by:nk_kanikaram
ID: 22734958
Thanks for the response. I am doing the following, but I am still getting the Access denied error message. I have looked at the folder security and granted full control to the root folder under which I am trying to create the new folder. Am I missing something here?

using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Security.Permissions;
using System.IO;

public partial class RunAs_Impersonator : System.Web.UI.Page
{
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    IntPtr tokenHandle;
    IntPtr dupeTokenHandle;
    WindowsImpersonationContext impersonatedUser;

    // SetLastError = true is required for Marshal.GetLastWin32Error() to be reliable
    [DllImport("advapi32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern int LogonUserA(String lpszUserName,
        String lpszDomain,
        String lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        ref IntPtr phToken);
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern int DuplicateToken(IntPtr hToken,
        int impersonationLevel,
        ref IntPtr hNewToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern bool CloseHandle(IntPtr handle);

    [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
    public void ImpersonateStart(string Domain, string userName, string Password)
    {
        tokenHandle = IntPtr.Zero;
        // Interactive logon (type 2) with the default provider
        int returnValue = LogonUserA(userName, Domain, Password,
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref tokenHandle);
        if (returnValue == 0)
        {
            int ret = Marshal.GetLastWin32Error();
            throw new System.ComponentModel.Win32Exception(ret);
        }
        try
        {
            // WindowsIdentity duplicates the token, so the raw handle is closed afterwards
            WindowsIdentity newId = new WindowsIdentity(tokenHandle);
            impersonatedUser = newId.Impersonate();
        }
        finally
        {
            CloseHandle(tokenHandle);
            tokenHandle = IntPtr.Zero;
        }
    }

    [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
    public void ImpersonateStop()
    {
        // Nothing to undo if ImpersonateStart failed before impersonating
        if (impersonatedUser != null)
        {
            impersonatedUser.Undo();
            impersonatedUser = null;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        ImpersonateStart("userDomain", "userName", "userPassword");
        try
        {
            if (Directory.Exists(@"\\serverName\ExistingFolderwithpermissions"))// the "userName" account has modify permissions on this folder
            {
                //This line of code throws exception "Access denied to the \\serverName\ExistingFolderwithpermissions\NewFolder path."
                Directory.CreateDirectory(@"\\serverName\ExistingFolderwithpermissions\NewFolder");
            }
        }
        finally
        {
            // Always revert the impersonation, even when the directory call throws
            ImpersonateStop();
        }
    }
}
0
 
LVL 13

Expert Comment

by:TechTiger007
ID: 22735133
Does this user ID that you are using to impersonate have permission on the folder?

Is impersonation successful? Did it throw any exception?

0
 

Author Comment

by:nk_kanikaram
ID: 22735260
Yes, the user has access to @"\\serverName\ExistingFolderwithpermissions". The code passed the impersonation, but fails on creating the directory. Just for testing purposes, I replaced the CreateDirectory code with the following to view files under the same root folder and had no issues viewing the files.

            ImpersonateStart("userDomain", "userName", "userPassword");
            DirectoryInfo dirInfo = new DirectoryInfo(@"\\serverName\ExistingFolderwithpermissions");
            FileInfo[] files = dirInfo.GetFiles();
            DirectoryInfo[] directories = dirInfo.GetDirectories();
            foreach (DirectoryInfo dir in directories)
            {
                Response.Write(dir.FullName + "<br/>");
            }
            foreach (FileInfo file in files)
            {
                Response.Write(file.FullName + "<br/>");
            }
            ImpersonateStop();
0
 
LVL 13

Assisted Solution

by:TechTiger007
TechTiger007 earned 500 total points
ID: 22735345
If you are able to see the list of files, that means the user has got read access to the folder. To create another folder the user should have "Modify" privilege on it; having "Write" privilege won't be enough. Does the user have Modify privilege on the folder?

Try giving full access to the user if Modify didn't work.
0
 

Author Comment

by:nk_kanikaram
ID: 22735435
The user has full control, read & execute, modify, write permissions on the folder. Also, I have checked all of the advanced permissions for this user on the folder (like create files, folders, write, append data etc.). And I also made sure that the folder is shared.
0
 
LVL 13

Assisted Solution

by:TechTiger007
TechTiger007 earned 500 total points
ID: 22738498
Let me confirm:
1. User has got modify permission on the physical folder of the shared folder on the machine
2. User has got full access on the share permissions (folder permissions and share permissions are different)
3. Both machines are in the same domain
4. User is part of the domain
5. User impersonation succeeds

The above are conditions that should be satisfied.
I think we did not check the permission for the user in the share. What do you say?
0
 

Author Comment

by:nk_kanikaram
ID: 22741152
Yes, I have double checked all the 5 points mentioned: all the permissions are set for the user on the shared folder, user is part of the domain, impersonation succeeds, machines are in the same domain etc.
I tried to run the same code from the server itself and surprisingly it failed even on the server.
Seems like Directory.CreateDirectory(@"\\serverName\ExistingFolderwithpermissions\NewFolder"); fails with a UNC path. The same code works fine with a physical path, i.e. Directory.CreateDirectory(@"C:\ExistingFolderwithpermissions\NewFolder");

0
 
LVL 13

Assisted Solution

by:TechTiger007
TechTiger007 earned 500 total points
ID: 22741418
Try to impersonate with your user account once and check if you are able to create the folder.

Maybe I am asking again, but just to confirm, is this what you did?
Right click on the folder that is shared
Select "Share and Security" option or "Share" option (depends on the OS)
In the pop up window, select security tab
Click on permissions
Give full permission for the user

0
 

Accepted Solution

by:
nk_kanikaram earned 0 total points
ID: 22757796
Looks like it's working now. I am using the code below. No need to set the permissions for the impersonation user on the root folder. Looks like the code adds the impersonating user to the newly created folder's security tab users list but with no permissions set for this user on the folder.

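        // Class-level P/Invoke declaration this snippet relies on (CloseHandle as declared earlier):
        // [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        // static extern bool LogonUser(string user, string domain, string password,
        //     int logonType, int logonProvider, out IntPtr token);
        string tempRoot = @"\\serverName\ExistingFolderwithpermissions\NewFolder";
        IntPtr token;
        if (LogonUser("userName", "userDomain", "userPassword",
            8, // LOGON32_LOGON_NETWORK_CLEARTEXT
            0, // LOGON32_PROVIDER_DEFAULT
            out token))
        {
            try
            {
                WindowsIdentity wi = new WindowsIdentity(token);
                WindowsImpersonationContext wic = wi.Impersonate();
                try
                {
                    Directory.CreateDirectory(tempRoot);
                }
                catch (UnauthorizedAccessException uae)
                {
                    string msg = uae.StackTrace;
                }
                finally
                {
                    // Always revert to the original identity
                    wic.Undo();
                }
            }
            finally
            {
                CloseHandle(token);
            }
        }
        else
        {
            // Logon failed: surface the Win32 error instead of continuing silently
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        }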
0
 
LVL 13

Expert Comment

by:TechTiger007
ID: 22760481
That's good to hear.
0
 

Author Comment

by:nk_kanikaram
ID: 22760525
Thanks a ton for your help.
0
 
LVL 13

Expert Comment

by:TechTiger007
ID: 22760751
You are welcome :-)
0


Question has a verified solution.
