Catastrophic failure when Impersonate other user

Asked 9/10, 2012 at 0:16 Answered 16/1, 2020 at 17:17

I'm use Enterprise library Validation block intergrated with WCF. It reports System.Runtime.InteropServices.COMException (0x8000FFFF): Catastrophic failure (Exception from HRESULT: 0x8000FFFF (E_UNEXPECTED)) when I impersonate some other user with WIN32 API LogonUser and WindowsIdentity.Impersonate. It seems there is something wrong when to get security evidence on loading configuration. If I remove the coding of impersonation, it works without any errors. These are the part of the exception stack trace, hope you give some helpers. thanks.

System.Runtime.InteropServices.COMException (0x8000FFFF): Catastrophic failure (Exception from HRESULT: 0x8000FFFF (E_UNEXPECTED))
   at System.Security.Policy.PEFileEvidenceFactory.GetLocationEvidence(SafePEFileHandle peFile, SecurityZone& zone, StringHandleOnStack retUrl)
   at System.Security.Policy.PEFileEvidenceFactory.GenerateLocationEvidence()
   at System.Security.Policy.PEFileEvidenceFactory.GenerateEvidence(Type evidenceType)
   at System.Security.Policy.AssemblyEvidenceFactory.GenerateEvidence(Type evidenceType)
   at System.Security.Policy.Evidence.GenerateHostEvidence(Type type, Boolean hostCanGenerate)
   at System.Security.Policy.Evidence.GetHostEvidenceNoLock(Type type)
   at System.Security.Policy.Evidence.GetHostEvidence(Type type, Boolean markDelayEvaluatedEvidenceUsed)
   at System.Security.Policy.AppDomainEvidenceFactory.GenerateEvidence(Type evidenceType)
   at System.Security.Policy.Evidence.GenerateHostEvidence(Type type, Boolean hostCanGenerate)
   at System.Security.Policy.Evidence.GetHostEvidenceNoLock(Type type)
   at System.Security.Policy.Evidence.RawEvidenceEnumerator.MoveNext()
   at System.Security.Policy.Evidence.EvidenceEnumerator.MoveNext()
   at System.Configuration.ClientConfigPaths.GetEvidenceInfo(AppDomain appDomain, String exePath, String& typeName)
   at System.Configuration.ClientConfigPaths.GetTypeAndHashSuffix(AppDomain appDomain, String exePath)
   at System.Configuration.ClientConfigPaths..ctor(String exePath, Boolean includeUserConfig)
   at System.Configuration.ClientConfigPaths.GetPaths(String exePath, Boolean includeUserConfig)
   at System.Configuration.ClientConfigurationHost.CreateConfigurationContext(String configPath, String locationSubPath)
   at System.Configuration.Internal.DelegatingConfigHost.CreateConfigurationContext(String configPath, String locationSubPath)
   at System.Configuration.BaseConfigurationRecord.get_ConfigContext()

Enthrone answered 9/10, 2012 at 0:16 Comment(1)

fyi - similar: https://mcmap.net/q/1469061/-xmlschema-read-gives-comexception-quot-catastrophic-failure-quot – Lillis 23/2, 2018 at 13:40

It looks to me like the problem is that System.Configuration does impersonation itself when loading app.config. I was able to work around this issue by running

ConfigurationManager.GetSection("system.xml/xmlReader");

while not impersonating. Doing so caused the later impersonation to succeed.

EDIT: To clarify slightly, I believe that doing this causes app.config to be loaded and cached into memory, so the code path which causes the problem is executed only once and with the original credentials.

Moderation answered 3/4, 2014 at 18:49 Comment(4)

Thanks, this fixed things for me. This must be a bug in .NET 4.x ... at least in 4.5.1. It doesn't happen with .NET 2.0. I get the problem when attempting to set an XmlElement property value. However, if I create a new XmlDocument().CreateElement("Test"), set the property to that value, then set it to what I meant to set it to, it works. Very odd. – Nosey 15/5, 2014 at 13:11

This also fixed this problem for me, using .Net 4.6. I added "System.Configuration.ConfigurationManager.GetSection("dummy");" to the Main method in my console app, before I call LogonUser, WindowsIdentity.Impersonate and the SqlConnection constructor. I do not even have an exe.config file, and the exception was still being raised. The fix works with or without an exe.config. – Donough 13/9, 2018 at 15:1

@RichardAnthonyFreeman-Hein I'm having the same issue here - #73541168 How this fix works for me? Can you help me in this? – Trask 30/8, 2022 at 18:17

@Trask Sorry I am not sure, this was so long ago. – Nosey 31/8, 2022 at 16:36

After a long battle and many ProcMon captures, I have discovered that under some conditions, there is a failure when checking Security Zones during interop and while impersonating. It is related to this KB:

https://support.microsoft.com/en-us/kb/945701?wa=wsignin1.0

If you check the end where a registry node and key are added, instead of adding w3wp.exe as directed, add the filename of your own executable. This worked for me - YMMV.

Gilmer answered 30/4, 2015 at 14:19 Comment(0)

I am sharing this piece of code in a hope that would help future readers. It letterly helped me to get out of a 3-hour headache :)

        //This is an important line to write while impersonating.
        //It will allow SQL server connections to happen otherwise connection strings will error out.
        ConfigurationManager.GetSection("SqlColumnEncryptionEnclaveProviders");

        //Do the impersonation
        var credentials = new UserCredentials(DomainName, AccountName, Password);
        Impersonation.RunAsUser(credentials, LogonType.Interactive, () =>
        {
            //Your code here inside impersonation . . .
        });

Stenosis answered 16/1, 2020 at 17:17 Comment(0)

-1

Please see my response to this on this thread in the MS forums:

http://social.msdn.microsoft.com/Forums/en-US/adodotnetdataproviders/thread/b5b7a179-3737-4380-b6cf-843f3e71b317/

This is the thread title: Connection Pooling randomly throwing COM exceptions.

You can search the text on the page for LogonUser.

Allrud answered 27/5, 2013 at 16:23 Comment(1)

seems unrelated. The only common thing is "some problem with impersonation". The thread you pointed out is focused on handling LogonUser and handles. We have nothing such here. Here we have some problem with ConfigurationManager trying to do the impersonation under the hood just before reading the file and failing at it, probably because the process does not have priviledges to do the impersonation at all due to being ran as, i dont know, limited-user, non-interactive, etc. – Lillis 23/2, 2018 at 13:39

Recommended topics

Hot tags