Multiple user impersonation

  • Question

  • I have an issue with .NET impersonation. Here I have a requirement like this: the current login process has access to the source directory, while the destination user is secure. Now I wish to place a file under the destination, so I must impersonate a user during the copy operation.

    Now the issue is that after the impersonation block, the code has access to the destination, but the source path is not accessible, so the operation fails.

    Example -
    Source: 
    User 1 has access on below path: c:\test\1.txt
    User 2 doesn't have an access on below path: c:\test\

    Destination: 
    User 1 doesn't have an access on below path: d:\test\
    User 2 has access on below path: d:\test\

    -- C# Sample code

                    using System.Security.Principal;
                    // No (username, password) constructor exists; userToken is a logon token obtained first (e.g. via Win32 LogonUser).
                    using (WindowsIdentity idnt = new WindowsIdentity(userToken))
                    using (WindowsImpersonationContext context = idnt.Impersonate())
                    {
                        System.IO.File.Copy(srcPath1, desPath2, true); // both paths are checked against User 2's thread token only
                    } // Dispose() reverts the impersonation even if Copy throws

    Now the question is: is it possible for the System.IO.File.Copy(srcPath1, desPath2, true) function to allow the code to execute with user 1's and user 2's rights?

    Can user 1 and user 2 (multiple users) allow the operation for System.IO.File.Copy?

    Tuesday, December 18, 2018 10:00 AM

All replies

  • So why can't you put the users in a Windows domain group and give the group the appropriate rights to access resources? 
    Tuesday, December 18, 2018 11:18 AM
  • A couple of thoughts to consider -
    1) Use separate threads.  Reader as User1 reads file from source into a buffer.  Writer as User2 writes from buffer to destination.
    2) Copy file from source to location accessible to User1 and User2.
    3) Change ACL on source file to temporarily grant read access to User2.
    Tuesday, December 18, 2018 1:50 PM
  • Sorry, for security reasons we cannot make changes to the storage structure.

    Tuesday, December 18, 2018 2:12 PM
  • I just have a concern about impersonation.

    For a web application, we can impersonate to access the resource by configuring it in the web.config file.

    For example, we create an Excel object from the web; it will not allow accessing a resource in the general case, but when we impersonate using web.config, the system allows a user to export data using Excel and also allows writing data to disk, so maybe it is working in a mixed mode.

    Now the question is, for a desktop application or Windows application, there is no concept of adding identity in app.config (see below).

    <identity impersonate="true" userName="accountname" password="password" />

    Now, the alternate way to achieve the goal is using the below code.

    using System.Security.Principal;
    // No (username, password) constructor exists; userToken is a logon token obtained first (e.g. via Win32 LogonUser).
    using (WindowsIdentity idnt = new WindowsIdentity(userToken))
    using (WindowsImpersonationContext context = idnt.Impersonate())
    {
        System.IO.File.Copy(srcPath1, desPath2, true); // both paths are checked against User 2's thread token only
    } // Dispose() reverts the impersonation even if Copy throws

    Now, it does not allow me to copy from source to destination, so is there any setting so that the COPY operation can allow a user to access both scopes (before impersonation and after impersonation)? Maybe that can solve the issue.

    If someone has an idea, that would be a great help.

    Tuesday, December 18, 2018 2:26 PM

  • Now the question is, for a desktop application or Windows application, there is no concept of adding identity in app.config (see below).

    <identity impersonate="true" userName="accountname" password="password" />

    Now, the alternate way to achieve the goal is using the below code.

    using System.Security.Principal;
    // No (username, password) constructor exists; userToken is a logon token obtained first (e.g. via Win32 LogonUser).
    using (WindowsIdentity idnt = new WindowsIdentity(userToken))
    using (WindowsImpersonationContext context = idnt.Impersonate())
    {
        System.IO.File.Copy(srcPath1, desPath2, true); // both paths are checked against User 2's thread token only
    } // Dispose() reverts the impersonation even if Copy throws

    Now, it does not allow me to copy from source to destination, so is there any setting so that the COPY operation can allow a user to access both scopes (before impersonation and after impersonation)? Maybe that can solve the issue.

    If someone has an idea, that would be a great help.

    This just repeats the question in the initial post.  Did you consider the options previously suggested?
    Tuesday, December 18, 2018 3:17 PM
  • Yes, I have tried them; here are the results.

    1) Use separate threads. A reader as User1 reads a file from the source into a buffer. A writer as User2 writes from the buffer to the destination.

    > The application takes more memory; the reason may be that the application is used to buffer the file stream.

    2) Copy the file from the source to a location accessible to User1 and User2.

    > It decreases the tool's performance, because a single copy operation requires multiple operations: first copy to a temp directory, then move to the target.

    3) Change the ACL on the source file to temporarily grant read access to User2.

    > Applying a grant on the source file consumes time for each file; it also decreases the speed.

    Wednesday, December 19, 2018 8:21 AM
  • You could also try using file mapping objects to move the data.

    Focus on concepts.  For example, if you want to copy multiple files from the same folder you could adjust the ACL on the containing folder instead of every individual file.

    There is no magic solution to give you what you desire.  A thread can only impersonate one user at any given moment.

    As far as performance is concerned, a method that fails quickly is the fastest of all and probably uses the least resources.


    • Edited by RLWA32 Wednesday, December 19, 2018 11:38 AM
    Wednesday, December 19, 2018 11:09 AM
  • The folder holds a lot of files and folders; when we change any ACL, it takes time to apply the new permission set to all the subfolders and files, so it is a time-consuming process.

    /* RLWA32: A thread can only impersonate one user at any given moment. */ Does this mean that when we copy data from one domain to another domain, there is no direct solution to impersonate multiple users, right?


    Wednesday, December 19, 2018 2:32 PM
  • /* RLWA32: A thread can only impersonate one user at any given moment. */ Does this mean that when we copy data from one domain to another domain, there is no direct solution to impersonate multiple users, right?


    What is unclear about this?  Windows security mechanisms control access by referencing a process token (when not impersonating) or a thread token (created by impersonation).
    Wednesday, December 19, 2018 3:28 PM
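As an added example (not code from anyone in this thread), here is a single-thread C# variant of RLWA32's reader/writer suggestion that builds on the last reply: Windows checks access when a handle is opened, not on each read, so the source stream is opened under the process token (User 1) before impersonating, then the destination is opened under User 2's thread token and the data is streamed through a fixed-size buffer, which avoids the memory growth reported above. File.Copy fails because the underlying CopyFile call opens both files under whichever single token the thread holds. The LogonUser P/Invoke, credential parameters and paths are assumptions for illustration.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class TwoIdentityCopy
{
    // Win32 LogonUser obtains a logon token for User 2 (assumed here; .NET has no managed equivalent).
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out SafeAccessTokenHandle token);
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Copies srcPath (readable by the caller, User 1) to dstPath (writable only by User 2).
    public static void Copy(string srcPath, string dstPath,
                            string user2, string domain, string password)
    {
        // Opened under the process token: the handle keeps its granted read access afterwards.
        using (var src = new FileStream(srcPath, FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            SafeAccessTokenHandle token;
            if (!LogonUser(user2, domain, password, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            using (token)
            {
                // RunImpersonated reverts the thread token when the delegate returns or throws.
                WindowsIdentity.RunImpersonated(token, () =>
                {
                    // Opened under User 2's thread token; User 1 never needs write access here.
                    using (var dst = new FileStream(dstPath, FileMode.Create, FileAccess.Write, FileShare.None))
                        src.CopyTo(dst, 81920); // fixed 80 KB buffer: memory does not grow with file size
                });
            }
        }
    }

    static void Main(string[] args)
    {
        // Usage: TwoIdentityCopy <source> <destination> <user2> <domain>
        // The password is read from stdin rather than the command line so it is not exposed in process listings.
        Console.Write("Password for " + args[3] + "\\" + args[2] + ": ");
        Copy(args[0], args[1], args[2], args[3], Console.ReadLine());
    }
}
```

WindowsIdentity.RunImpersonated requires .NET Framework 4.6 or later (or .NET Core on Windows); on older frameworks the same pattern works with new WindowsIdentity(token).Impersonate() in a using block.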