• Status: Solved

What are the minimum requirements for an impersonation account in ASP.NET?

I have an account that does not work for impersonation that has a lot of restrictions on it, and I am wondering what the minimum requirements are for an account to be used for impersonation in ASP.NET.  I have another account that does work that is a lot less restrictive, so I could go through changing one thing at a time on the account that doesn't work (to make it like the account that does) until it works.  This is really tedious, so I am hoping there is an expert out there who knows this or who knows where there is a reference to this online.

Thanks for your expertise.
0
dave4dl
Asked:
1 Solution
 
Anurag Thakur Commented:
You don't decide on implementing impersonation on the basis of user account restrictions.
This is decided by the functionality you are trying to implement on the web site.

One example might be that you want users to upload files. To do that, either you give the aspnet user permission to write in a folder, or you do impersonation using a user account which has access to the server and can create folders.

A second example might be that the web site is accessing some network shares and those shares are not accessible using the aspnet user account. In this case you will have to do impersonation using the account which has been configured to access the network shares.
0
 
dave4dl (Author) Commented:
My situation is your second example.  You post that I must do impersonation using an account which has been configured to access the network share.  I do have such an account, which I can use as a user to access that network share; however, I cannot impersonate that user.  My question was, put in different language: what do I need to add to that account (beyond what I already have, which currently allows me to access that share) in order to impersonate that account?
0
 
b_levitt Commented:
The only thing I can think of other than permissions specific to your app is read access to the app directory (with your aspx/.cs files in it) and write access to the Temporary ASP.Net Files folder.

This article talks about setting up an account for an app domain to run under but it shouldn't be all that different other than an app domain account requires a couple more permissions:
http://msdn.microsoft.com/en-us/library/ms998297.aspx
0
 
Anurag Thakur Commented:
I think that you have also posted another question, trying to find out the minimum permissions to do impersonation.

The bare basic set of permissions required to do impersonation should be more than the aspnet user, the default user account under which the website normally runs.
Now, as you are trying to achieve something more than what is permitted to the aspnet user, you have to do impersonation.
0
 
b_levitt Commented:
If your impersonation user is a domain account, then simply adding permissions to the folder (read, write, etc.) for that domain user is all you need.  However, if this is not a domain account, then you need to add a mirror account to the machine with the share (same username and password) and give that second user permission to access the share.  This is called pass-thru authentication.
0
 
dave4dl (Author) Commented:
Sorry I haven't posted to this question in a while.

Unfortunately you guys both have missed the point of my question (which probably means I phrased it in an unclear way).

I am not encountering the problem of the user that I am impersonating being unable to do something; my problem is that I cannot impersonate a specific user.  How can I go about finding out why?

As I stated in my original question, I can impersonate other users, so the mechanics of my impersonation code are working; there is something specific about that user that is preventing me from impersonating it.
0
 
b_levitt Commented:
What error are you getting?

Is the user a domain user or a local user?

What do you mean by your "impersonation code?"  Up until now I had assumed you were simply specifying an impersonation user in the web.config.

As I said before the only permissions that I can think of that are required are read/write to the temporary asp.net directory and read of your app directory.  If you're accessing other resources such as databases or other files, they obviously would have their own security requirements.  Registry access can be an issue with interop or EnterpriseServices components.

As far as debugging: place a simple helloworld.aspx file in your code.  If it works, the temp and app dir security is probably not an issue.  At that point execute the offending page and you should have the exact line number throwing an exception.  If that's not enough, and this is in fact a file system permission issue, then Sysinternals Process Monitor is a great tool.  Once you get your filters right, it's pretty easy to see what is being denied:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

0
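
For the question asked above ("What error are you getting?"), an added example that is not part of the thread: a C# console program that tries each logon type for the one account and prints the Win32 error behind any refusal. It assumes the impersonation code obtains its token with the Win32 `LogonUser` call (the thread does not say which API was used); the environment variable name `IMPERSONATE_PW` is hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class LogonDiagnostic
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Account-side causes that let a user reach a share yet fail a logon here.
    static string Explain(int win32Error)
    {
        switch (win32Error)
        {
            case 1326: return "unknown user name or bad password";
            case 1327: return "account restriction (policy, e.g. blank password)";
            case 1328: return "outside the account's permitted logon hours";
            case 1329: return "account may not log on to this computer";
            case 1330: return "password expired";
            case 1331: return "account disabled";
            case 1385: return "logon type not granted on this machine (user rights)";
            case 1907: return "password must be changed before logon";
            case 1909: return "account locked out";
            default:   return new Win32Exception(win32Error).Message;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 2) { Console.WriteLine("usage: LogonDiagnostic <domain> <user>"); return; }
        // Password is read from the environment (hypothetical variable name)
        // so that it does not appear on the command line.
        string password = Environment.GetEnvironmentVariable("IMPERSONATE_PW") ?? "";
        int[] types = { 2, 3, 4 };                       // LOGON32_LOGON_* values
        string[] names = { "INTERACTIVE", "NETWORK", "BATCH" };
        for (int i = 0; i < types.Length; i++)
        {
            IntPtr token;
            bool ok = LogonUser(args[1], args[0], password, types[i], 0, out token);
            int err = Marshal.GetLastWin32Error();       // read right after the call
            if (ok) { CloseHandle(token); Console.WriteLine("{0}: logon succeeded", names[i]); }
            else Console.WriteLine("{0}: error {1}, {2}", names[i], err, Explain(err));
        }
    }
}
```

Run it on the web server under the same identity as the application's worker process, since logon rights are evaluated on the machine where the logon happens.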
 
dave4dl (Author) Commented:
Sorry I didn't see that you posted a response, b_levitt.  I was using C# to impersonate a user.  I appreciate you staying with this question so long and I apologize for not spending more time on it myself.  By now the code I was using has changed so much I don't know if it is relevant anymore.

Thanks for your help!
0
