Need help with asp.net, web.config, & <identity impersonate="true"> tag.

Posted on 2009-05-15
Medium Priority
Last Modified: 2013-11-08
I have no clue what to do about this problem.  I am developing a web application which creates PDF documents on one server using data from a database on another server.  The application impersonates a user account that was set up specifically for the application and no one else uses it.  The application throws a 'Sys.WebForms.PageRequestManagerServerErrorException: Object reference not set to an instance of an object' whenever it tries to create a PDF document while impersonating a user.  It throws the exception from the published version of the application on the server and from the development version on my laptop, both while impersonating the user account that was set up for the application and while impersonating my own user account.  I have full administrative rights in my company's domain.  When I comment out the '<identity impersonate="true" userName=OMITTED password=OMITTED />' tag in the web.config file, the application works perfectly on my laptop while I'm logged on with my username.  The people who will be using the final version of this application won't have the access rights necessary for that to be a possible solution to my problem, though, so I'm in desperate need of help.
Question by:garyoallen

Expert Comment

by:Bob Learned
ID: 24402221
Hmmm...that is a great question.

Here are some possibilities:

Understanding ASP.NET Impersonation Security

If you are running IIS 5, the default account that IIS runs ASP.NET under is the ASPNET account. The actual account is configurable in machine.config. The ASPNET account is an account that ASP.NET installs and has fairly low rights. One big drawback in IIS 5 is that this account cannot be customized for each application: the ProcessModel key that sets this account lives in machine.config and cannot be overridden in web.config, so you basically end up with having the same account run all your ASP.NET applications.

On IIS 6 things are much more configurable. The default account used is NETWORK SERVICE, but it's actually configurable via a new feature called an Application Pool. With IIS 6 all processing no longer occurs in the INETINFO.EXE process, but rather is offloaded into one or more daemon processes (w3wp.exe). You can configure one or more of these processes by adding Application Pools in the IIS management Console. You can then add virtual directories to specific Application Pools. Application Pools are quite configurable and one of the key options is the ability to specify an Identity that this process runs under.

or this:

Using programmatic Impersonation from an ASP.NET Page

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Runtime.InteropServices;
using System.Text;

namespace Westwind.WebStore.Demos
{
	/// <summary>
	/// Summary description for Test.
	/// </summary>
	public class Test : System.Web.UI.Page
	{
		const int LOGON32_LOGON_INTERACTIVE       = 2;
		const int LOGON32_LOGON_NETWORK           = 3;
		const int LOGON32_LOGON_BATCH             = 4;
		const int LOGON32_LOGON_SERVICE           = 5;
		const int LOGON32_LOGON_UNLOCK            = 7;
		const int LOGON32_PROVIDER_DEFAULT        = 0;

		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern int LogonUser(
			string lpszUsername,
			string lpszDomain,
			string lpszPassword,
			int dwLogonType,
			int dwLogonProvider,
			out IntPtr phToken);

		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern int ImpersonateLoggedOnUser(IntPtr hToken);

		[DllImport("advapi32.dll", SetLastError=true)]
		static extern int RevertToSelf();

		[DllImport("kernel32.dll", SetLastError=true)]
		static extern int CloseHandle(IntPtr hObject);

		private void Page_Load(object sender, System.EventArgs e)
		{
			// Identity of the worker thread before impersonation: the process
			// account, or the account named by <identity> in web.config.
			Response.Write( Environment.UserName + "<hr>");

			IntPtr lnToken;
			// Credentials are hard-coded here as in the original demo; a real page
			// must read them from protected storage, never from source or web.config.
			int TResult = LogonUser("ricks", ".", "supersecret",
			                        LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
			                        out lnToken);
			if ( TResult > 0 )
			{
				// Switch this thread to the new token, show both identities,
				// then revert and release the token handle.
				ImpersonateLoggedOnUser(lnToken);
				Response.Write( Environment.UserName + " - " + this.User.Identity.Name + "<hr>");
				RevertToSelf();
				CloseHandle(lnToken);
				Response.Write("<hr>" + Environment.UserName);
			}
			else
			{
				Response.Write("Not logged on: " + Environment.UserName);
			}
		}
	}
}

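As an added illustration, not part of the question or of the reply above, here is the shape of the <identity> element the question is about, with the weak form beside two hardened alternatives. The names CORP\svc_pdf and PdfApp and the directory C:\inetpub\wwwroot\PdfApp are placeholders; aspnet_regiis.exe and the DataProtectionConfigurationProvider are the standard .NET Framework tooling for encrypting web.config sections.

```xml
<!-- Weak form: domain credentials sit in cleartext in web.config. Anyone who
     can read the file (backups, source control, a path-traversal bug in the
     site) gets the service account. CORP\svc_pdf and PdfApp are placeholders. -->
<configuration>
  <system.web>
    <identity impersonate="true" userName="CORP\svc_pdf" password="cleartext-password-here" />
  </system.web>
</configuration>

<!-- Hardened form 1: same tag, but the section is encrypted in place with
     DPAPI under the machine key, so it can only be decrypted on this server.
     Run once on the server from the Framework directory
     (e.g. %windir%\Microsoft.NET\Framework\v2.0.50727):

       aspnet_regiis -pef "system.web/identity" "C:\inetpub\wwwroot\PdfApp" -prov "DataProtectionConfigurationProvider"

     ASP.NET decrypts the section transparently at runtime; -pdf reverses it.
     The -prov switch matters: the default RSA provider would also require
     granting the worker-process account access to the RSA key container.
     After encryption the element reads roughly as below. -->
<configuration>
  <system.web>
    <identity configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>
        <CipherData>
          <CipherValue>(base64 DPAPI blob written by aspnet_regiis)</CipherValue>
        </CipherData>
      </EncryptedData>
    </identity>
  </system.web>
</configuration>

<!-- Hardened form 2 (IIS 6 and later): drop the password entirely and make the
     application pool itself run as the service account. No secret in
     web.config, every request already runs as CORP\svc_pdf, and the account
     can be granted just what it needs (read on the database, write on the
     report share). On IIS 6 a custom pool identity must be a member of the
     local IIS_WPG group. -->
<configuration>
  <system.web>
    <identity impersonate="false" />
  </system.web>
</configuration>
```

Form 2 is usually the better fit for a service-account scenario like the one in the question: the account is impersonated by nobody and used by one worker process, so there is nothing for the declarative tag to add except a stored password.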


Author Comment

ID: 24416338
I've done a bit more debugging and I've discovered one cause of my error.  I'm getting a System.IO.DirectoryNotFoundException when I use impersonation, even when impersonating my own user account (which the application works perfectly well under when I comment out the '<identity impersonate="true" userName="******" password="******" />' tag from the web.config file).  For some reason, when I use impersonation, the System.IO.DirectoryInfo.Exists for all mapped drives and their subfolders is false.  This causes my code that ensures the existence of the directory to which the application is trying to write to try to create directories that already exist.  This is where the exception is being thrown.  Does anyone know why DirectoryInfo.Exists = false for the mapped drives, and what I should do about it?

public static void EnsureDirectory(System.IO.DirectoryInfo oDirInfo)
{
    // Walk up first so every missing ancestor is created before this level.
    if (oDirInfo.Parent != null)
        EnsureDirectory(oDirInfo.Parent);
    // Under impersonation Exists is false for a mapped-drive path, so this branch
    // tries to create a directory that is already there and Create() throws.
    if (!oDirInfo.Exists)
        oDirInfo.Create();
}



Accepted Solution

garyoallen earned 0 total points
ID: 24425891
I finally figured it out.  The impersonated user doesn't have access to the mapped drives because the impersonated user never actually logs on so the drives aren't mapped for the impersonated user.  Instead, I just used a UNC path, //serverName/shareName/fileName.
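An added example, not code from the question or from either answer, showing the accepted solution in a form that also keeps impersonation scoped: the service account is impersonated only around the file write, the report directory is addressed by UNC path, and Directory.CreateDirectory replaces the poster's existence check. CORP\svc_pdf, \\fileserver\Reports, Z: and the PDF_SVC_PASSWORD environment variable are assumptions; LogonUser and WindowsIdentity.Impersonate are the standard Win32 and .NET Framework calls.

```csharp
// Added example, not the poster's application code. Demonstrates the accepted
// answer: a token produced by LogonUser has no drive-letter mappings (those
// belong to the logon session in which "net use" ran), so the share must be
// addressed by UNC path. Assumed names: CORP\svc_pdf, \\fileserver\Reports, Z:.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ReportWriter
{
    // LOGON32_LOGON_NEW_CREDENTIALS keeps the caller's local identity but uses
    // the supplied credentials for outbound (SMB) connections. A plain
    // LOGON32_LOGON_NETWORK token does not cache credentials and so cannot
    // open a remote share on the thread's behalf.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' on the current thread as the given account. The impersonation
    // context reverts in Dispose and the token is closed in finally, so an
    // exception inside 'work' cannot leave the worker thread running as the
    // service account.
    public static T RunAs<T>(string domain, string user, string password, Func<T> work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                return work();
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Replacement for the poster's EnsureDirectory: CreateDirectory is a no-op
    // when the directory already exists, so there is no Exists/Create race and
    // no DirectoryNotFoundException from creating a directory twice.
    public static string WriteReport(string shareDir, string fileName, byte[] pdfBytes)
    {
        if (!shareDir.StartsWith(@"\\"))
            throw new ArgumentException("Use a UNC path, not a mapped drive letter.", "shareDir");
        Directory.CreateDirectory(shareDir);
        string target = Path.Combine(shareDir, fileName);
        File.WriteAllBytes(target, pdfBytes);
        return target;
    }

    public static void Main()
    {
        // Credentials come from outside the source tree (assumed: an environment
        // variable set on the server), never from a literal in code or web.config.
        string domain = "CORP";
        string user = "svc_pdf";
        string password = Environment.GetEnvironmentVariable("PDF_SVC_PASSWORD");

        // Constructed bytes stand in for the real PDF generator's output.
        byte[] pdf = System.Text.Encoding.ASCII.GetBytes("%PDF-1.4\n%%EOF\n");

        // Same account, same share: the drive letter is not part of the token,
        // the UNC path is reachable with the token's network credentials.
        bool mappedVisible = RunAs(domain, user, password,
                                   () => Directory.Exists(@"Z:\Reports"));
        bool uncVisible = RunAs(domain, user, password,
                                () => Directory.Exists(@"\\fileserver\Reports"));
        Console.WriteLine("Z:\\Reports visible as svc_pdf: " + mappedVisible);
        Console.WriteLine("\\\\fileserver\\Reports visible as svc_pdf: " + uncVisible);

        string written = RunAs(domain, user, password,
                               () => WriteReport(@"\\fileserver\Reports\2009-05", "invoice-1001.pdf", pdf));
        Console.WriteLine("wrote " + written);
    }
}
```

With the declarative <identity impersonate="true"> tag from the question, the whole request thread is already impersonated before page code runs, so in that setup the only change needed is the UNC path; the programmatic RunAs form is for when you would rather not run every request as the service account and only need it around the file write.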

Expert Comment

by:Bob Learned
ID: 24426037
UNC's are a perfect way to go.
