Re: Hosting multiple sites/ASP.NET security
From: Chip Andrews (chipandrews@usa.net)
Date: 09/19/02
From: "Chip Andrews" <chipandrews@usa.net>
To: "Rado Stoyanov" <radostoyanov@softhome.net>, <focus-ms@securityfocus.com>
Date: Thu, 19 Sep 2002 15:38:14 -0400
Rado,
Check your machine.config file (or specify in your web.config files for more
granular control) to impersonate identity. By default impersonation is
turned off with the process model set to "machine". This results in all
applications running as ASPNET.
To change impersonation status:
<!--
identity Attributes:
impersonate="[true|false]" - Impersonate Windows User
userName="Windows user account to impersonate" | empty string
implies impersonate the LOGON user specified by IIS
password="password of above specified account" | empty string
-->
As you can see - leaving the username and password blank will result in
impersonating the IIS configured user (the old ASP behavior you are used
to).
To change process model credentials see the "processModel" key in MSDN or
see the description inside machine.config.
Chip Andrews
www.sqlsecurity.com
----- Original Message -----
From: "Rado Stoyanov" <radostoyanov@softhome.net>
To: <focus-ms@securityfocus.com>
Sent: Thursday, September 19, 2002 8:56 AM
Subject: Hosting multiple sites/ASP.NET security
> Hello,
>
> I host several web sites that I own on a single web server (Windows
> 2000). It's possible to choose a separate Anonymous web user account for
> each of the sites in IIS 5, and ASP applications run in the context of
> their own anonymous users. This is wise, because each of the anon users is
> permitted to access only corresponding web site's directories, and not
> other web site's directories.
>
> Unfortunately, when I am migrating to ASP.NET, I have faced the problem
> that there's a single account called ASPNET and all web applications run
> under this account, no matter which is the current IIS web's
> anonymous user.
>
> My question is: is there any method to achieve the same with ASP.NET, or
> are there any alternative considerations that can be taken, in order to
> have a secure multi-hosting environment.
>
> Thanks,
> Rado
>
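Added example, not part of the original messages and not ASP.NET's own code: a small Python audit that reads machine.config and each site's web.config and reports which account requests run as under the identity settings described in the reply. The sample configs, account names and the labels PROCESS, IIS_USER and FIXED are constructed for illustration, and it assumes web.config attributes override the machine.config ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration; account names are placeholders.
MACHINE_CONFIG = """<configuration><system.web>
  <identity impersonate="false" userName="" password="" />
</system.web></configuration>"""

SITE_CONFIGS = {
    # Blank credentials: impersonate the logon user IIS set for this site.
    "site1": '<configuration><system.web><identity impersonate="true" />'
             '</system.web></configuration>',
    # Fixed account named in the file (the password sits there in clear text).
    "site2": '<configuration><system.web><identity impersonate="true" '
             'userName="EXAMPLE\\site2_web" password="PLACEHOLDER" />'
             '</system.web></configuration>',
    # No <identity> element: the machine.config setting applies.
    "site3": '<configuration><system.web /></configuration>',
}

def identity_attrs(xml_text):
    """Return the attributes of <system.web><identity>, or {} if absent."""
    node = ET.fromstring(xml_text).find("system.web/identity")
    return dict(node.attrib) if node is not None else {}

def effective_identity(machine_xml, site_xml):
    """Resolve the account a site's requests run as.

    Assumption: attributes in web.config override those in machine.config
    one by one; nested directories and <location> blocks are ignored.
    """
    attrs = {**identity_attrs(machine_xml), **identity_attrs(site_xml)}
    if attrs.get("impersonate", "false").lower() != "true":
        return "PROCESS"              # shared worker-process account (ASPNET)
    user = attrs.get("userName", "")
    return "FIXED:" + user if user else "IIS_USER"

def audit(machine_xml, site_configs):
    """Map each site name to its effective identity."""
    return {name: effective_identity(machine_xml, xml)
            for name, xml in site_configs.items()}

def shared_process_sites(report):
    """Sites that all run as the one process account and so are not isolated."""
    return sorted(name for name, ident in report.items() if ident == "PROCESS")

if __name__ == "__main__":
    report = audit(MACHINE_CONFIG, SITE_CONFIGS)
    for name, ident in report.items():
        print(name, ident)
    print("not isolated:", shared_process_sites(report))
```

Sites listed as not isolated share the worker-process account, which is the situation described in the original question.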