Solved

Need help with asp.net, web.config, & <identity impersonate="true"> tag.

Posted on 2009-05-15
Last Modified: 2013-11-08
I have no clue what to do about this problem.  I am developing a web application which creates PDF documents on one server using data from a database on another server.  The application impersonates a user account that was set up specifically for the application and no one else uses it.  The application throws a 'Sys.WebForms.PageRequestManagerServerErrorException: Object reference not set to an instance of an object' whenever it tries to create a PDF document while impersonating a user.  It throws the exception from the published version of the application on the server and from the development version on my laptop, both while impersonating the user account that was set up for the application and while impersonating my own user account.  I have full administrative rights in my company's domain.  When I comment out the '<identity impersonate="true" userName=OMITTED password=OMITTED />' tag in the web.config file, the application works perfectly on my laptop while I'm logged on with my username.  The people who will be using the final version of this application won't have the access rights necessary to make that a possible solution to my problem, though, so I'm in desperate need of help.
Question by: garyoallen
Expert Comment by: Bob Learned
ID: 24402221
Hmmm...that is a great question.

Here are some possibilities:

Understanding ASP.NET Impersonation Security
http://www.west-wind.com/WebLog/posts/2153.aspx

<Quote>
If you are running IIS 5, the default account that IIS runs ASP.NET under is the ASPNET account. The actual account is configurable in machine.config. The ASPNET account is an account that ASP.NET installs and has fairly low rights. One big drawback in IIS 5 is that this account cannot be customized for each application: the ProcessModel key that sets this account lives in machine.config and cannot be overridden in web.config, so you basically end up with having the same account run all your ASP.NET applications.

On IIS 6 things are much more configurable. The default account used is NETWORK SERVICE, but it's actually configurable via a new feature called an Application Pool. With IIS 6 all processing no longer occurs in the INETINFO.EXE process, but rather is offloaded into one or more daemon processes (w3wp.exe). You can configure one or more of these processes by adding Application Pools in the IIS management Console. You can then add virtual directories to specific Application Pools. Application Pools are quite configurable and one of the key options is the ability to specify an Identity that this process runs under.
</Quote>

or this:

Using programmatic Impersonation from an ASP.NET Page
http://west-wind.com/weblog/posts/1572.aspx
using System;
using System.Runtime.InteropServices;
using System.Web.UI;

namespace Westwind.WebStore.Demos
{
    /// <summary>
    /// Demonstrates programmatic impersonation from an ASP.NET page:
    /// obtain a token with LogonUser, impersonate it for the duration of the
    /// work, then revert to the process identity and close the token.
    /// </summary>
    public class Test : System.Web.UI.Page
    {
        const int LOGON32_LOGON_INTERACTIVE       = 2;
        const int LOGON32_LOGON_NETWORK           = 3;
        const int LOGON32_LOGON_BATCH             = 4;
        const int LOGON32_LOGON_SERVICE           = 5;
        const int LOGON32_LOGON_UNLOCK            = 7;
        const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
        const int LOGON32_LOGON_NEW_CREDENTIALS   = 9;
        const int LOGON32_PROVIDER_DEFAULT        = 0;

        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern int LogonUser(
            string lpszUsername,
            string lpszDomain,
            string lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            out IntPtr phToken);

        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern int ImpersonateLoggedOnUser(IntPtr hToken);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern int RevertToSelf();

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern int CloseHandle(IntPtr hObject);

        private void Page_Load(object sender, System.EventArgs e)
        {
            // Identity of the worker process before impersonation.
            Response.Write(Environment.UserName + "<hr>");

            IntPtr lnToken;
            // Demo credentials from the original article; "." is the local machine.
            int TResult = LogonUser("ricks", ".", "supersecret",
                                    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                                    out lnToken);
            if (TResult > 0)
            {
                // Only report the impersonated identity if the switch succeeded;
                // a failed ImpersonateLoggedOnUser leaves the thread as the process account.
                if (ImpersonateLoggedOnUser(lnToken) != 0)
                {
                    Response.Write(Environment.UserName + " - " +
                                   this.User.Identity.Name + "<hr>");

                    // Always revert before the request finishes.
                    RevertToSelf();
                    Response.Write("<hr>" + Environment.UserName);
                }
                else
                {
                    Response.Write("Impersonation failed: " + Marshal.GetLastWin32Error());
                }

                CloseHandle(lnToken);
            }
            else
            {
                Response.Write("Not logged on: " + Environment.UserName);
            }
        }
    }
}

0
 

Author Comment by: garyoallen
ID: 24416338
I've done a bit more debugging and I've discovered one cause of my error.  I'm getting a System.IO.DirectoryNotFoundException when I use impersonation, even when impersonating my own user account (which the application works perfectly well under when I comment out the '<identity impersonate="true" userName="******" password="******" />' tag from the web.config file).  For some reason, when I use impersonation, System.IO.DirectoryInfo.Exists for all mapped drives and their subfolders is false.  This causes my code that ensures the existence of the directory to which the application is trying to write to try to create directories that already exist.  This is where the exception is being thrown.  Does anyone know why DirectoryInfo.Exists = false for the mapped drives, and what I should do about it?

// Walks up to the root first, then creates each missing level on the way back down.
// Under impersonation, Exists is false for every level of a mapped drive, so
// Create() is attempted on directories that are really there and throws.
public static void EnsureDirectory(System.IO.DirectoryInfo oDirInfo)
{
    if (oDirInfo.Parent != null)
    {
        EnsureDirectory(oDirInfo.Parent);
    }
    if (!oDirInfo.Exists)
    {
        oDirInfo.Create();
    }
}
 

Accepted Solution by: garyoallen (earned 0 total points)
ID: 24425891
I finally figured it out.  The impersonated user doesn't have access to the mapped drives because the impersonated user never actually logs on so the drives aren't mapped for the impersonated user.  Instead, I just used a UNC path, //serverName/shareName/fileName.
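A hardened version of the directory check that follows from the accepted solution, added here as an example and not code from the thread or the west-wind article; the server and share names are placeholders. It logs the real thread identity and impersonation level, refuses drive-letter paths outright when the code may be impersonating, and lets Directory.CreateDirectory create missing parents instead of walking Exists recursively.

```csharp
// Added example (not from the thread). A mapped drive letter belongs to the logon
// session that mapped it, so an impersonated thread sees DirectoryInfo.Exists == false
// for Z:\..., while a UNC path resolves the same way in any logon session.
using System;
using System.IO;
using System.Security.Principal;

public static class ImpersonationSafeIO
{
    // Who the current thread really is and at what impersonation level; log this
    // before file I/O when diagnosing access failures under <identity impersonate>.
    public static string DescribeContext()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id.Name + " (" + id.ImpersonationLevel + ")";
    }

    // True for \\server\share\... paths, the only form that does not depend on
    // per-session drive mappings.
    public static bool IsUncPath(string path)
    {
        if (string.IsNullOrEmpty(path)) return false;
        Uri uri;
        return Uri.TryCreate(path, UriKind.Absolute, out uri) && uri.IsUnc;
    }

    // Replacement for the thread's recursive EnsureDirectory: fails loudly on a
    // drive-letter path instead of surfacing a DirectoryNotFoundException deep in
    // the PDF code, then relies on CreateDirectory (no-op when the path exists).
    public static DirectoryInfo EnsureDirectory(string uncPath)
    {
        if (!IsUncPath(uncPath))
        {
            throw new ArgumentException("Not a UNC path: '" + uncPath +
                "' (current context: " + DescribeContext() + ")");
        }
        return Directory.CreateDirectory(uncPath);
    }

    // Hypothetical server and share names; replace with the real file server.
    public static void Main()
    {
        Console.WriteLine(DescribeContext());
        Console.WriteLine(IsUncPath(@"Z:\pdf\output"));
        Console.WriteLine(IsUncPath(@"\\fileserver\pdfshare\output"));
        try { Console.WriteLine(EnsureDirectory(@"\\fileserver\pdfshare\output").FullName); }
        catch (IOException ex) { Console.WriteLine("Share unreachable: " + ex.Message); }
    }
}
```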
Expert Comment by: Bob Learned
ID: 24426037
UNC's are a perfect way to go.