<identity impersonat=> problems

I have a web service configured with Anonymous access disabled.
The calling client, prior to executing a method on the service, sets its network credentials for the IIS to authenticate:

    CredentialCache cacheVU = new CredentialCache();
    cacheVU.Add( new Uri(<my url here>), "Negotiate",
        new NetworkCredential( Username, Password, Domain) );

    WebServiceProxy.Credentials = cacheVU;

My web service method works OK. However, I need to access a network share, so I wanted to use the

    <identity impersonate="true" />

setting in my web service's web.config file. However, when I try to access the remote share, I get an access denied error:

    Access to the path "..." is denied

However, if I change the <identity> element and add the "username" and "password" attributes - which are the same username and password that the web service authentication uses, it works OK.

I thought the <identity> w/o the username/password should inherit the user context.

I added some debug statements, and displayed:

- Thread.CurrentPrincipal.Identity
- WindowsIdentity.GetCurrent
- User.Identity

and in both cases (with and without explicit username/password in the <identity> element), the dumped names are the same, so I am assuming the impersonation is enabled. So, why are my access rights denied for the case w/o the explicit username/password defined?

On 2 Aug 2005 09:54:30 -0700, "nobody***@comcast.net" <nobody***@comcast.net> wrote:

¤ I have a web service configured with Anonymous access disabled.
¤ The calling client, prior to executing a method on the service,
¤ sets its network credentials for the IIS to authenticate:
¤
¤ CredentialCache cacheVU = new CredentialCache();
¤ cacheVU.Add( new Uri(<my url here>), "Negotiate",new
¤ NetworkCredential( Username, Password, Domain) );
¤
¤ WebServiceProxy.Credentials = cacheVU;
¤
¤ My web service method works OK. However, I need to access a network
¤ share, so I wanted to use the
¤
¤ <identity impersonate="true" />
¤
¤ setting in my web service's web.config file. However,
¤ when I try to access the remote share, I get an access denied error:
¤ Access to the path "..." is denied
¤
¤ However, if I change the <identity> element and add the "username"
¤ and "password" attributes - which are the same username and password
¤ that the web service authentication uses, it works OK.
¤
¤ I thought the <identity> w/o the username/password should
¤ inherit the user context.
¤
¤ I added some debug statements, and displayed:
¤
¤ - Thread.CurrentPrincipal.Identity
¤ - WindowsIdentity.GetCurrent
¤ - User.Identity
¤
¤ and in both cases (with and without explicit username/password in the
¤ <identity> element), the
¤ dumped names are the same, so I am assuming the impersonation is
¤ enabled. So, why are my access rights denied for the case w/o the
¤ explicit username/password defined?

Probably because you cannot impersonate and delegate the encrypted credentials (authenticated via IIS) to the remote server in order to access the resource. This is not supported through Integrated Windows authentication. It would probably work with Basic authentication.

When using the web.config identity you not only have the credentials to delegate but they are unencrypted.

You may want to check the following article on delegation:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconaspnetdelegation.asp

Paul
~~~~
Microsoft MVP (Visual Basic)
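
The three identity dumps in the question print only the account name, which is the same in both configurations. The following diagnostic is an added example, not code from the thread: it also reports the authentication package and impersonation level of the thread's token and tests the share from that same thread. `ImpersonationProbe` and `sharePath` are hypothetical names, and the code assumes .NET Framework 2.0 or later.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example; ImpersonationProbe and sharePath are hypothetical names.
// Call Report() from inside the web method and write the result to a
// server-side log rather than returning it to the client.
public static class ImpersonationProbe
{
    public static string Report(string sharePath)
    {
        // GetCurrent() returns the thread's impersonation token if the thread
        // is impersonating, otherwise the process token.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format(
                "Name={0}; AuthType={1}; Level={2}; Delegation={3}; Share={4}",
                id.Name,
                id.AuthenticationType,   // e.g. NTLM or Kerberos
                id.ImpersonationLevel,   // None, Identification, Impersonation, Delegation
                IsDelegationToken(id),
                Probe(sharePath));
        }
    }

    // A Delegation-level token is one the server is allowed to present to
    // other machines on the caller's behalf.
    public static bool IsDelegationToken(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Touches the share under the current thread identity and reports the outcome.
    private static string Probe(string sharePath)
    {
        try
        {
            Directory.GetFiles(sharePath);
            return "reachable";
        }
        catch (UnauthorizedAccessException ex) { return "denied: " + ex.Message; }
        catch (IOException ex) { return "I/O error: " + ex.Message; }
    }
}
```

Running it once with `<identity impersonate="true" />` and once with the explicit username and password shows where the two tokens differ even though `Name` is identical.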