Can ASP.NET Impersonate a user to Delete a Performance Counter Category?
https://stackoverflow.com/questions/494036
-
20-08-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I believe that I have successfully impersonated my own user account while running an ASP.NET page on my local machine.
Using the method described here, I have successfully changed the WindowsIdentity.GetCurrent().Name from ASPNET to my domain account.
I can successfully write to a file on the file system that ONLY my account has permission to access. However when I try to delete a Performance Counter Category, I get Access Denied.
I have auditing on the branch of the registry and its telling me that MyMachine\ASPNET is Failing at Object Access.
Here is the code it is failing on:
if ( PerformanceCounterCategory.Exists ( PerfmonCategory ) )
PerformanceCounterCategory.Delete ( PerfmonCategory );
Its failing on the Delete Call.
(My account is admin and I can run the same code outside an ASP.NET context successfully).
I suspect that this System.Diagnostics namespace call is actually calling some COM process and somehow I am being bounced because of a 2nd hop. Can anyone confirm what might be going on?
Edit: The Exception: Access is denied Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details:
System.ComponentModel.Win32Exception: Access is denied
Running under full trust.
Solution
You could run your application on its own application pool (always a good thing) and assign it a service user the appropriate rights, that way you don't need to mess with impersonation.
OTHER TIPS
You do indeed need to be an admin in order to add or remove performance counters.
I'm not sure why you'd want to use Win32 API calls to do your impersonation - it's been a while since I've messed with it, but I think all you need to do is use
WindowsIdentity.GetCurrent().Impersonate()
To be clear, you'll first need to authenticate in your web application using Windows authentication, and then you should be able to make the call to Impersonate().
