Solved

Need help with asp.net, web.config, & <identity impersonate="true"> tag.

Posted on 2009-05-15
Last Modified: 2013-11-08
I have no clue what to do about this problem. I am developing a web application which creates PDF documents on one server using data from a database on another server. The application impersonates a user account that was set up specifically for the application, and no one else uses it. The application throws a 'Sys.WebForms.PageRequestManagerServerErrorException: Object reference not set to an instance of an object' whenever it tries to create a PDF document while impersonating a user. It throws the exception from the published version of the application on the server and from the development version on my laptop while impersonating the user account that was set up for the application and also while impersonating my own user account. I have full administrative rights in my company's domain. When I comment out the '<identity impersonate="true" userName=OMITTED password=OMITTED />' tag in the web.config file, the application works perfectly on my laptop while I'm logged on with my username. The people who will be using the final version of this application won't have the access rights necessary to make that a possible solution to my problem, though, so I'm in desperate need of help.
Question by:garyoallen
4 Comments
 

Expert Comment

by:Bob Learned
ID: 24402221
Hmmm...that is a great question.

Here are some possibilities:

Understanding ASP.NET Impersonation Security
http://www.west-wind.com/WebLog/posts/2153.aspx

<Quote>
If you are running IIS 5, the default account that IIS runs ASP.NET under is the ASPNET account. The actual account is configurable in machine.config. The ASPNET account is an account that ASP.NET installs and has fairly low rights. One big drawback in IIS 5 is that this account cannot be customized for each application: the ProcessModel key that sets this account lives in machine.config and cannot be overridden in web.config, so you basically end up with having the same account run all your ASP.NET applications.

On IIS 6 things are much more configurable. The default account used is NETWORK SERVICE, but it's actually configurable via a new feature called an Application Pool. With IIS 6 all processing no longer occurs in the INETINFO.EXE process, but rather is offloaded into one or more daemon processes (w3wp.exe). You can configure one or more of these processes by adding Application Pools in the IIS management Console. You can then add virtual directories to specific Application Pools. Application Pools are quite configurable and one of the key options is the ability to specify an Identity that this process runs under.
</Quote>

or this:

Using programmatic Impersonation from an ASP.NET Page
http://west-wind.com/weblog/posts/1572.aspx
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
 
using System.Runtime.InteropServices;
using System.Text;
 
namespace Westwind.WebStore.Demos
{
/// <summary>
/// Summary description for Test.
/// </summary>
public class Test : System.Web.UI.Page
{
 
	const int LOGON32_LOGON_INTERACTIVE       = 2;
	const int LOGON32_LOGON_NETWORK           = 3;
	const int LOGON32_LOGON_BATCH             = 4;
	const int LOGON32_LOGON_SERVICE           = 5;
	const int LOGON32_LOGON_UNLOCK            = 7;
	const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
	const int LOGON32_LOGON_NEW_CREDENTIALS   = 9;
	const int LOGON32_PROVIDER_DEFAULT        = 0;
 
	[DllImport("advapi32.dll", SetLastError=true)]
	public static extern int LogonUser(
		string lpszUsername, 
		string lpszDomain, 
		string lpszPassword, 
		int dwLogonType, 
		int dwLogonProvider, 
		out IntPtr phToken
		);
	[DllImport("advapi32.dll", SetLastError=true)]
	public static extern int ImpersonateLoggedOnUser(
		IntPtr hToken
	);
 
	[DllImport("advapi32.dll", SetLastError=true)]
	static extern int RevertToSelf();
 
	[DllImport("kernel32.dll", SetLastError=true)]
	static extern int CloseHandle(IntPtr hObject);
 
	private void Page_Load(object sender, System.EventArgs e)
	{
		// Identity the worker process runs as before impersonation
		Response.Write( Environment.UserName + "<hr>");
 
		IntPtr lnToken;
		// Sample credentials from the original post; "." means the local machine
		int TResult = LogonUser("ricks", ".", "supersecret",
			LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
			out lnToken);
		if ( TResult > 0 )
		{
			try
			{
				// Switch the current thread to the logged-on user's token
				if ( ImpersonateLoggedOnUser(lnToken) > 0 )
				{
					try
					{
						Response.Write( Environment.UserName + " - " +
							this.User.Identity.Name + "<hr>");
					}
					finally
					{
						// Always return to the process identity, even on error
						RevertToSelf();
					}
				}
				Response.Write("<hr>" + Environment.UserName);
			}
			finally
			{
				// Release the logon token on every path
				CloseHandle(lnToken);
			}
		}
		else 
		{
			Response.Write("Not logged on: " + Environment.UserName);
		}
	}
}
}

 

Author Comment

by:garyoallen
ID: 24416338
I've done a bit more debugging and I've discovered one cause of my error. I'm getting a System.IO.DirectoryNotFoundException when I use impersonation, even when impersonating my own user account (which the application works perfectly well under when I comment out the '<identity impersonate="true" userName="******" password="******" />' tag from the web.config file). For some reason, when I use impersonation, the System.IO.DirectoryInfo.Exists for all mapped drives and their subfolders is false. This causes my code that ensures the existence of the directory to which the application is trying to write to try to create directories that already exist. This is where the exception is being thrown. Does anyone know why DirectoryInfo.Exists = false for the mapped drives, and what I should do about it?

public static void EnsureDirectory(System.IO.DirectoryInfo oDirInfo)
{
    // Walk up to the root first so parents are created before children
    if (oDirInfo.Parent != null)
    {
        EnsureDirectory(oDirInfo.Parent);
    }
    if (!oDirInfo.Exists)
    {
        oDirInfo.Create();
    }
}

 

Accepted Solution

by:
garyoallen earned 0 total points
ID: 24425891
I finally figured it out.  The impersonated user doesn't have access to the mapped drives because the impersonated user never actually logs on so the drives aren't mapped for the impersonated user.  Instead, I just used a UNC path, //serverName/shareName/fileName.

Expert Comment

by:Bob Learned
ID: 24426037
UNC's are a perfect way to go.
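
The fix from the accepted solution, as an added example that is not part of the original thread: a directory helper that accepts UNC or local fixed-drive paths and fails with a clear message when it is handed a drive letter that is only a per-session network mapping. The class name `ShareDirectory`, the method `Ensure`, and the `\\serverName\shareName` path in the comment are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class ShareDirectory
{
    // Creates the directory (and any missing parents) and returns its full path.
    // Call it with a UNC path, e.g. Ensure(@"\\serverName\shareName\reports").
    public static string Ensure(string path)
    {
        // Normalises separators, so //server/share/x becomes \\server\share\x.
        string full = Path.GetFullPath(path);

        bool isUnc = full.StartsWith(@"\\", StringComparison.Ordinal);
        if (!isUnc)
        {
            DriveInfo drive = new DriveInfo(Path.GetPathRoot(full));

            // Network:         the letter is mapped in *this* logon session only.
            // NoRootDirectory: the letter is not mapped in this session at all,
            //                  which is what an impersonated identity sees for
            //                  drives mapped by the interactive user.
            if (drive.DriveType == DriveType.Network ||
                drive.DriveType == DriveType.NoRootDirectory)
            {
                throw new DirectoryNotFoundException(
                    "Drive " + drive.Name + " is not usable as " +
                    WindowsIdentity.GetCurrent().Name +
                    "; pass the UNC path of the share instead of a mapped drive letter.");
            }
        }

        // CreateDirectory builds every missing level and is a no-op when the
        // directory already exists, so no Exists check or recursion is needed.
        return Directory.CreateDirectory(full).FullName;
    }
}
```

The impersonated account still needs share and NTFS permissions on the target folder; `WindowsIdentity.GetCurrent().Name` in the error message shows which account the request was actually running as.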