Solved

Need help with asp.net, web.config, & <identity impersonate="true"> tag.

Posted on 2009-05-15
Last Modified: 2013-11-08
I have no clue what to do about this problem. I am developing a web application which creates PDF documents on one server using data from a database on another server. The application impersonates a user account that was set up specifically for the application, and no one else uses it. The application throws a 'Sys.WebForms.PageRequestManagerServerErrorException: Object reference not set to an instance of an object' whenever it tries to create a PDF document while impersonating a user. It throws the exception from the published version of the application on the server and from the development version on my laptop, while impersonating the user account that was set up for the application and also while impersonating my own user account. I have full administrative rights in my company's domain. When I comment out the '<identity impersonate="true" userName=OMITTED password=OMITTED />' tag in the web.config file, the application works perfectly on my laptop while I'm logged on with my username. The people who will be using the final version of this application won't have the access rights necessary to make that a possible solution to my problem, though, so I'm in desperate need of help.
Question by:garyoallen

Expert Comment

by:Bob Learned
Hmmm...that is a great question.

Here are some possibilities:

Understanding ASP.NET Impersonation Security
http://www.west-wind.com/WebLog/posts/2153.aspx

<Quote>
If you are running IIS 5, the default account that IIS runs ASP.NET under is the ASPNET account. The actual account is configurable in machine.config. The ASPNET account is an account that ASP.NET installs and has fairly low rights. One big drawback in IIS 5 is that this account cannot be customized for each application: the ProcessModel key that sets this account lives in machine.config and cannot be overridden in web.config, so you basically end up with having the same account run all your ASP.NET applications.

On IIS 6 things are much more configurable. The default account used is NETWORK SERVICE, but it's actually configurable via a new feature called an Application Pool. With IIS 6 all processing no longer occurs in the INETINFO.EXE process, but rather is offloaded into one or more daemon processes (w3wp.exe). You can configure one or more of these processes by adding Application Pools in the IIS management Console. You can then add virtual directories to specific Application Pools. Application Pools are quite configurable and one of the key options is the ability to specify an Identity that this process runs under.
</Quote>

or this:

Using programmatic Impersonation from an ASP.NET Page
http://west-wind.com/weblog/posts/1572.aspx
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

using System.Runtime.InteropServices;
using System.Text;

namespace Westwind.WebStore.Demos
{
/// <summary>
/// Summary description for Test.
/// </summary>
public class Test : System.Web.UI.Page
{
	// dwLogonType values accepted by LogonUser
	const int LOGON32_LOGON_INTERACTIVE       = 2;
	const int LOGON32_LOGON_NETWORK           = 3;
	const int LOGON32_LOGON_BATCH             = 4;
	const int LOGON32_LOGON_SERVICE           = 5;
	const int LOGON32_LOGON_UNLOCK            = 7;
	const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
	const int LOGON32_LOGON_NEW_CREDENTIALS   = 9;
	const int LOGON32_PROVIDER_DEFAULT        = 0;

	[DllImport("advapi32.dll", SetLastError=true)]
	public static extern int LogonUser(
		string lpszUsername,
		string lpszDomain,
		string lpszPassword,
		int dwLogonType,
		int dwLogonProvider,
		out IntPtr phToken
		);

	[DllImport("advapi32.dll", SetLastError=true)]
	public static extern int ImpersonateLoggedOnUser(
		IntPtr hToken
	);

	[DllImport("advapi32.dll", SetLastError=true)]
	static extern int RevertToSelf();

	[DllImport("kernel32.dll", SetLastError=true)]
	static extern int CloseHandle(IntPtr hObject);

	private void Page_Load(object sender, System.EventArgs e)
	{
		// Account the request runs under before impersonation
		Response.Write( Environment.UserName + "<hr>");

		// Demo credentials from the sample; "." means the local machine's accounts
		IntPtr lnToken;
		int TResult = LogonUser("ricks",".","supersecret",
			LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,
			out lnToken);

		// LogonUser returns a Win32 BOOL: any nonzero value means success
		if ( TResult != 0 )
		{
			try
			{
				ImpersonateLoggedOnUser(lnToken);
				Response.Write( Environment.UserName + " - " +
					this.User.Identity.Name + "<hr>");
			}
			finally
			{
				// Always drop the impersonated identity and release the token
				RevertToSelf();
				CloseHandle(lnToken);
			}
			Response.Write("<hr>" + Environment.UserName);
		}
		else
		{
			Response.Write("Not logged on: " + Environment.UserName);
		}
	}
}
}


Author Comment

by:garyoallen
I've done a bit more debugging and I've discovered one cause of my error. I'm getting a System.IO.DirectoryNotFoundException when I use impersonation, even when impersonating my own user account (which the application works perfectly well under when I comment out the '<identity impersonate="true" userName="******" password="******" />' tag from the web.config file). For some reason, when I use impersonation, the System.IO.DirectoryInfo.Exists for all mapped drives and their subfolders is false. This causes my code that ensures the existence of the directory to which the application is trying to write to try to create directories that already exist. This is where the exception is being thrown. Does anyone know why DirectoryInfo.Exists = false for the mapped drives, and what I should do about it?

public static void EnsureDirectory(System.IO.DirectoryInfo oDirInfo)
{
    // Make sure every parent directory exists first, then this one
    if (oDirInfo.Parent != null)
    {
        EnsureDirectory(oDirInfo.Parent);
    }
    if (!oDirInfo.Exists)
    {
        oDirInfo.Create();
    }
}


Accepted Solution

by:garyoallen
I finally figured it out.  The impersonated user doesn't have access to the mapped drives because the impersonated user never actually logs on so the drives aren't mapped for the impersonated user.  Instead, I just used a UNC path, //serverName/shareName/fileName.

Expert Comment

by:Bob Learned
UNC's are a perfect way to go.
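
The accepted fix, as an added C# example that is not code from the thread: it rejects an output path that depends on a mapped drive letter before any directory is created, and names the identity in effect instead of failing later with a DirectoryNotFoundException. OutputPathGuard and its method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example, not code from the thread. OutputPathGuard and the sample
// paths in the comments are hypothetical names chosen for illustration.
public static class OutputPathGuard
{
    // Returns 'path' if it resolves without relying on a per-logon drive mapping;
    // otherwise throws with a message that names the identity actually in effect.
    public static string RequireSessionIndependentPath(string path)
    {
        if (string.IsNullOrEmpty(path) || !Path.IsPathRooted(path))
            throw new ArgumentException("Output path must be absolute.", "path");

        // \\server\share\... is resolved by name, not through a drive map.
        if (path.StartsWith(@"\\", StringComparison.Ordinal))
            return path;

        string root = Path.GetPathRoot(path);          // e.g. "Z:\"
        if (root.Length < 2 || root[1] != ':')
            throw new ArgumentException("Output path needs a drive or UNC root.", "path");

        // Fixed = local disk. A mapped letter reports Network in the session that
        // mapped it and NoRootDirectory in a session where it was never mapped.
        DriveType type = new DriveInfo(root).DriveType;
        if (type == DriveType.Fixed)
            return path;

        throw new InvalidOperationException(string.Format(
            "'{0}' is on a {1} drive for identity '{2}'. Mapped drive letters " +
            "belong to a logon session; configure the UNC path instead.",
            path, type, WindowsIdentity.GetCurrent().Name));
    }

    // Replacement for a recursive "ensure" helper: CreateDirectory creates any
    // missing parent directories and does nothing if the directory already exists.
    public static DirectoryInfo EnsureDirectory(string path)
    {
        return Directory.CreateDirectory(RequireSessionIndependentPath(path));
    }
}
```

Access to the share is still decided by the share and NTFS permissions granted to the impersonated account, so that account needs write rights on the target folder.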