  1. #1
    Join Date
    May 2003
    Posts
    13

    Problem using impersonation

    Intranet web app, ASP, C# -

    I'm trying to add some functionality that will read remote info from PCs on our network that requires accessing their registries remotely, etc. When I run the code locally on my PC, it runs fine. When I run it from our IIS server, I'm getting the error:

    "System.Security.SecurityException: Requested registry access is not allowed."

    I did some research and realized the problem was that it was using a generic username to run the app from IIS and then I came upon impersonation. So in order to impersonate the user logged into Windows (me), I used the following code around the code I'm running that requires the access, per Microsoft:

    Code:
    System.Security.Principal.WindowsImpersonationContext impersonationContext;
    impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

    // code that requires the access

    // Revert to the original identity (the method name is Undo, capital U)
    impersonationContext.Undo();

    Using the code below, I can verify that it does detect my username as the logged on user, whereas if I run it without the above impersonation code, it displays NT AUTHORITY\NETWORK SERVICE.

    Code:
    string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();

    However, I am now getting the similar error:

    "System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.

    ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

    To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access."


    What am I doing wrong?
    Scott

  2. #2
    Join Date
    May 2003
    Posts
    13

    Re: Problem using impersonation

    Also, if I simply edit the config file and use

    Code:
    <identity impersonate="true" userName="myusername" password="mypassword" />

    Then it works properly.
    Scott

  3. #3
    Join Date
    May 2003
    Posts
    13

    Re: Problem using impersonation

    Any ideas?

    To sum up - if I impersonate my AD username in the config file (for the entire app) then the application is able to read remote registries with no problem.

    If I use the C# code that according to Microsoft should allow me to impersonate the logged on user (my AD account) for a specific section of code, I get the authorization error.
    Scott

  4. #4
    Join Date
    Dec 2011
    Posts
    61

    Re: Problem using impersonation

    Try

    Code:
    <identity impersonate="true" />

    in your config, and configure your IIS to use Windows Authentication, no anonymous login.

  5. #5
    Join Date
    May 2003
    Posts
    13

    Re: Problem using impersonation

    Quote, originally posted by Silent Sojourner:
        Try
        <identity impersonate="true" />
        in your config, and configure your IIS to use Windows Authentication, no anonymous login.

    I'm using Windows Authentication, and when I simply put <identity impersonate="true" /> in the config file I get a 500 Internal Server Error before the page even loads.
    Scott

  6. #6
    Join Date
    Dec 2011
    Posts
    61

    Re: Problem using impersonation

    If you use Windows Authentication and set impersonate="true", then System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() should return the impersonated user name.
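
An added diagnostic, not code from any poster in this thread: it records the identity, authentication type and token impersonation level before, during and after the programmatic impersonation discussed above, and uses a `using` block so the impersonation is always reverted. `ImpersonationDiagnostics`, `Describe` and `Report` are hypothetical names; the code assumes .NET Framework ASP.NET with a reference to System.Web.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical helper (not from the thread): reports which Windows token is in
// effect before, during and after impersonating the authenticated request user.
public static class ImpersonationDiagnostics
{
    private static string Describe(string label, WindowsIdentity id)
    {
        return string.Format("{0}: {1} (auth={2}, level={3}, anonymous={4})",
            label, id.Name, id.AuthenticationType, id.ImpersonationLevel, id.IsAnonymous);
    }

    public static string Report(HttpContext context)
    {
        var sb = new StringBuilder();
        sb.AppendLine(Describe("Before", WindowsIdentity.GetCurrent()));

        // User.Identity is a WindowsIdentity only under Windows authentication,
        // and it can still be the anonymous identity when IIS allows anonymous
        // access. 'as' avoids the InvalidCastException a direct cast would throw.
        var requestUser = context.User.Identity as WindowsIdentity;
        if (requestUser == null || requestUser.IsAnonymous)
        {
            sb.AppendLine("Request user is not an authenticated Windows identity.");
            return sb.ToString();
        }

        // 'using' guarantees Undo() runs even if the protected code throws,
        // so the worker thread never keeps the caller's token after this block.
        using (WindowsImpersonationContext ctx = requestUser.Impersonate())
        {
            sb.AppendLine(Describe("During", WindowsIdentity.GetCurrent()));
            // Code that needs the caller's rights (e.g. the registry read) goes here.
        }

        sb.AppendLine(Describe("After", WindowsIdentity.GetCurrent()));
        return sb.ToString();
    }
}
```

Per the `TokenImpersonationLevel` documentation, a level of `Impersonation` lets the server act as the client on the local system only, while `Delegation` is the level that allows it on remote systems, so the "During" line shows whether the token can be used against another machine.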
