User-499946135 posted
Hi again,
<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p>I've
discovered that this is a permission access problem to the Certificate Authority on my Windows Server platform.<o:p></o:p>
When I try to create an object from the Certificate Authority service, I get the result: Access Denied :(
The problem is that I can’t impersonate my user as an administrator, the only configuration that will work is this syntax in the web.config file:
<identity impersonate=”true” userName=”myDomain\myAdministrator” password=”myPassword” />
The problem with this is that the user “myAdministrator” will be impersonated for the whole web application.
I've tried to use programmatic impersonation like the example below but
I still get the same "Access Denied" result :(
<o:p></o:p><o:p>
1 WindowsImpersonationContext impersonationContext = null;
2 IPrincipal principalUser = this.User;
3 WindowsIdentity principalID = (WindowsIdentity)principalUser.Identity;
4 impersonationContext = principalID.Impersonate();
5
6 CERTADMINLib.CCertAdmin myObject = new CERTADMINLib.CCertAdminClass();
7
8 try
9 {
10 myObject.OpenConnection("myServer\\myCA");
11 Response.Write("<b>Successfullt connected to the certificate authority service.</b>");
12 }
13 catch (Exception err)
14 {
15 Response.Write(err);
16 }
17 finally
18 {
19
20 }
21
22 impersonationContext.Undo();
23
<o:p></o:p> </o:p>
I've also tried to impersonate the user like the example below but I still get the same "Access Denied" result :(
1 using System;
2 using System.Collections;
3 using System.ComponentModel;
4 using System.Data;
5 using System.Drawing;
6 using System.Web;
7 using System.Web.SessionState;
8 using System.Web.UI;
9 using System.Web.UI.WebControls;
10 using System.Web.UI.HtmlControls;
11
12 using System.Runtime.InteropServices;
13 using System.Text;
14
15 namespace Westwind.WebStore.Demos
16 {
17 /// <summary>
18 /// Summary description for Test.
19 /// </summary>
20 public class Test : System.Web.UI.Page
21 {
22
23 const int LOGON32_LOGON_INTERACTIVE = 2;
24 const int LOGON32_LOGON_NETWORK = 3;
25 const int LOGON32_LOGON_BATCH = 4;
26 const int LOGON32_LOGON_SERVICE = 5;
27 const int LOGON32_LOGON_UNLOCK = 7;
28 const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
29 const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
30 const int LOGON32_PROVIDER_DEFAULT = 0;
31
32 [DllImport("advapi32.dll", SetLastError=true)]
33 public static extern int LogonUser(
34 string lpszUsername,
35 string lpszDomain,
36 string lpszPassword,
37 int dwLogonType,
38 int dwLogonProvider,
39 out IntPtr phToken
40 );
41 [DllImport("advapi32.dll", SetLastError=true)]
42 public static extern int ImpersonateLoggedOnUser(
43 IntPtr hToken
44 );
45
46 [DllImport("advapi32.dll", SetLastError=true)]
47 static extern int RevertToSelf();
48
49 [DllImport("kernel32.dll", SetLastError=true)]
50 static extern int CloseHandle(IntPtr hObject);
51
52 private void Page_Load(object sender, System.EventArgs e)
53 {
54 Response.Write( Environment.UserName + "<hr>");
55
56 IntPtr lnToken;
57 int TResult = LogonUser("myAdministrator","myDomain.com","myPassword", LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT, out lnToken);
58 if ( TResult > 0 )
59 {
60 ImpersonateLoggedOnUser(lnToken);
61 StringBuilder sb = new StringBuilder(80,80);
62
63 uint Size = 79;
64 Response.Write( Environment.UserName + " - " + this.User.Identity.Name + "<hr>");
65
66 RevertToSelf();
67 Response.Write("<hr>" + Environment.UserName);
68
69 CloseHandle(lnToken);
70 }
71 else
72 {
73 Response.Write("Not logged on: " + Environment.UserName);
74 }
75
76
77 return;
78
79 }}
So, how can the impersonation through the web.config file (example above) work perfectly but not the programmatic impersonation?
[EDIT]
For your information: All of these examples above works perfectly if the certificate authority, domain controller and IIS are installed on the same server.
