Impersonation in ASP.NET: System.UnauthorizedAccessException, "ASP.NET is not authorized to access the requested resource", and you

Assume your ASP or ASP.NET page needs to access a network share or some other domain resource, and it has to run under an account other than the default anonymous user account. Let’s say you want to run it under your domain username. When you first try to run an ASP or ASP.NET page under your account, you may get an “ASP.NET is not authorized to access the requested resource” error.

For the solution, you have a few options:

  • You can create a COM object that accesses the resource, put that COM object into a COM+ Server Application, and run that application under your username/password.
  • Or, if you’re on Windows 2003, you can create a new Application Pool, run it under your account, then set your virtual directory to use that pool instead of the default pool.
  • Or, for ASP.NET pages, you can use impersonation:
    1. Choose Windows authentication in the web.config file
      <authentication mode="Windows" />
    2. Disable anonymous access in IIS and instead choose Integrated, Basic (not recommended), or Digest.
    3. Add the identity tag to your web.config
      <identity impersonate="true" userName="YOURDOMAIN\yourusername" password="yourpassword"/>
    4. Ensure the aspnet_wp process has the “Act as part of the operating system” privilege by assigning that privilege to the ASPNET account.
The above steps should get you further along towards accessing network shares, deleting system files, or whatever other nefarious deed you had in mind. 🙂
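
An added example, not from the original post: step 3 leaves the account password in clear text in web.config, so this small Python audit flags an identity tag that does so. The sample configs are constructed and the registry key path is a hypothetical placeholder; the two alternatives it recognises (the `registry:` prefix and a section encrypted through `configProtectionProvider`) are standard ASP.NET features that the post itself does not cover.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs; the registry key path is a hypothetical placeholder.
PLAINTEXT = r'''<configuration><system.web>
  <authentication mode="Windows" />
  <identity impersonate="true" userName="YOURDOMAIN\yourusername" password="yourpassword"/>
</system.web></configuration>'''

REGISTRY = r'''<configuration><system.web>
  <authentication mode="Windows" />
  <identity impersonate="true"
    userName="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,password"/>
</system.web></configuration>'''

ENCRYPTED = '''<configuration><system.web>
  <identity configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><!-- ciphertext elided --></EncryptedData>
  </identity>
</system.web></configuration>'''


def local(tag):
    """Strip an XML namespace so configs with xmlns= are matched too."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return findings about how <identity> stores the impersonation account."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "authentication" and el.get("mode") != "Windows":
            findings.append("authentication mode is %r, not Windows" % el.get("mode"))
        if local(el.tag) != "identity" or el.get("configProtectionProvider"):
            continue  # not <identity>, or the section is encrypted at rest
        if el.get("impersonate", "false").lower() != "true":
            continue
        password = el.get("password")
        if password is None:
            findings.append("impersonates the authenticated caller, no stored account")
        elif password.lower().startswith("registry:"):
            findings.append("fixed account, credentials read from the registry")
        else:
            findings.append("PLAINTEXT password for %s" % el.get("userName"))
    return findings


if __name__ == "__main__":
    for name in ("PLAINTEXT", "REGISTRY", "ENCRYPTED"):
        print(name, audit_web_config(globals()[name]))
```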
