Re: How to let users log on from internet with admin privileges?
From: Christopher Grace
Date: 07/10/02
- Next message: Simon Pallister: "Re: Process Model"
- Previous message: Michael Howard [MS]: "Re: Web Service & Crypto API"
- In reply to: Christopher Grace: "Re: How to let users log on from internet with admin privileges?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Christopher Grace" <[remove]conceptualcoding@yahoo.com> Date: Wed, 10 Jul 2002 00:02:40 -0600
Check out this behavior when multithreading in an ASP.NET app.
I set up a new ASP.NET app that uses impersonation. I add a bunch of trace lines
to track user name values. I trace when the page is loading, within a new
worker thread that I start, and then again after the worker thread
terminates.
Here's the output:
------------------------------
System.Diagnostics.Process.GetCurrentProcess.Id = 2676 0.003363 0.002451
Current Thread = Main thread 0.003474 0.000111
System.Security.Principal.WindowsIdentity.GetCurrent.Name = MyMachineName\MyUserName 0.004331 0.000857
System.Threading.Thread.CurrentPrincipal.Identity.Name = MyMachineName\MyUserName 0.004435 0.000104
System.Environment.UserName = MyUserName 0.004641 0.000206
Verify R/W access to registry key. GetKey= HKEY_CURRENT_USER\Software [0x728] 0.005571 0.000929
0.005660 0.000089
System.Diagnostics.Process.GetCurrentProcess.Id = 2676 0.009854 0.004195
Current Thread = Worker thread 0.009983 0.000128
System.Security.Principal.WindowsIdentity.GetCurrent.Name = MyMachineName\ASPNET 0.010948 0.000965
System.Threading.Thread.CurrentPrincipal.Identity.Name = MyMachineName\MyUserName 0.011050 0.000102
System.Environment.UserName = ASPNET 0.012084 0.001034
Verify R/W access to registry key. GetKey= Access Denied Exception 0.012188 0.000103
System.Diagnostics.Process.GetCurrentProcess.Id = 2676 0.013622 0.001434
Current Thread = Main thread 0.013741 0.000120
System.Security.Principal.WindowsIdentity.GetCurrent.Name = MyMachineName\MyUserName 0.014708 0.000966
System.Threading.Thread.CurrentPrincipal.Identity.Name = MyMachineName\MyUserName 0.014810 0.000102
System.Environment.UserName = MyUserName 0.015366 0.000556
Verify R/W access to registry key. GetKey= HKEY_CURRENT_USER\Software [0x590] 0.015530 0.000163
---------------------------
System.Environment.UserName changes to ASPNET when in the worker thread, but
System.Threading.Thread.CurrentPrincipal.Identity.Name continues to return
my account name. It looks like my token is not being used to access
resources while in the worker thread.
"Christopher Grace" <[remove]conceptualcoding@yahoo.com> wrote in message
news:u081AbxJCHA.208@tkmsftngp08...
> This is for a home automation application that will allow users to control
> their home from the internet. It integrates with other applications, some
> unmanaged, and calls on files and registry settings created when the user
> works on their computer locally. Users will need many privileges.
>
> It looks like it is going to be up to each user to set up their own IIS
> security on their home server, so maybe I could just warn them about basic
> authentication and recommend they buy a certificate and use SSL. Some will
> only use the app from other computers within their home. They can just use
> Windows authentication and have it all behind a firewall. I want to make it
> easy for them though. Setting up IIS security sure isn't easy to me. My
> discomfort over creating gaping security holes on my own system is only
> starting to diminish after being immersed in the subject for a couple of
> weeks.
>
> I'm now stuck trying to get a debugging session going where the asp process
> has enough privileges. It seems it wants to run under the ASPNET account
> even when I connect using Windows authentication and impersonation on. The
> IIS log says the login was okay with my user name, but
> System.Environment.Username turns up ASPNET. Maybe that has something to do
> with the process 'reverting to self'?
>
> "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
> news:enmfzSvJCHA.1600@tkmsftngp13...
> > My understanding is that with Basic authentication, the credentials can be
> > passed on any or all requests. You should use SSL for the entire session.
> >
> > Again, you need only one certificate, which is installed on the web server
> > along with its corresponding private key. The certificate contains a public
> > key which is used to negotiate a key exchange with clients. This allows
> > encryption of the communication, as well as authentication of the server to
> > the client.
> >
> > The sequence does go more smoothly if the client has the root certificate of
> > the certificate authority that issued you the server authentication cert.
> > Most clients will already have root certificates for authorities such as
> > Verisign.
> >
> > I don't know how non-IE browsers deal with untrusted server certificates.
> > IE will display a dialog to the user asking whether to continue if any of
> > the following are true:
> > 1) the certificate was issued by an authority not already trusted;
> > 2) the name on the certificate does not match the name used to contact the
> > server (can be IP address or DNS name);
> > 3) the certificate is not yet valid or no longer valid.
> > #1 is your concern here. Users can still choose to browse the site, and can
> > also (IIRC) choose to install the server certificate so that it can be
> > trusted for future sessions.
> >
> > What kind of program are you setting up that will require that users have
> > administrator permissions on the web server?
> >
> > -- Aaron
> >
> > "Christopher Grace" <[remove]conceptualcoding@yahoo.com> wrote in message
> > news:uas1o6eJCHA.2664@tkmsftngp09...
> > > Yes, basic authentication looks like the way to go. Thanks for clearing
> > > that up.
> > >
> > > SSL is looking more difficult. This app will be used primarily by home
> > > users. IIS will be running on WinXP and 2k Pro more often than Win2k
> > > server. I think this rules out using certificate services, unless I could
> > > somehow create the certs myself and distribute one to each end user.
> > > Having each buyer purchase and install a cert from a company like Verisign
> > > is not a very attractive option either.
> > >
> > > Aaron writes: "Yes, you should use SSL to protect the credentials on the
> > > wire (as well as the rest of the content)."
> > >
> > > Once authentication is done, the user will just be operating the program
> > > (without entering in any sensitive data). Do I run the risk of a hacker
> > > hijacking the communications and impersonating the authenticated user if I
> > > don't encrypt the whole session?
> > >
> > > Aaron writes: "SSL requires only a server authentication certificate"
> > >
> > > Doesn't the client need a public key to encrypt the transmission?
> > >
> > > "Christopher Grace" <conceptualcoding@yahoo.com> wrote in message
> > > news:OlBPHbFJCHA.2032@tkmsftngp08...
> > > > I am trying to build an ASP.Net app that will allow users to log on to
> > > > their Windows account from the internet. The app will then run with the
> > > > privileges of their user's account.
> > > >
> > > > I gather from documentation that since I want to support any browser I
> > > > should use forms authentication. If I want to prevent bad guys from
> > > > eavesdropping and getting passwords sent over the internet when submitting
> > > > the form, I need SSL.
> > > >
> > > > SSL uses certificates, right? Does that mean every machine running this
> > > > app would need to have a certificate, and every remote user would need one
> > > > too? I guess Windows 2000 server can issue certificates, but that's not an
> > > > option in this case. Does that mean the only way to get certs is to buy
> > > > them from companies like Verisign? I just want a simple way to encrypt the
> > > > data sent from the authentication form. Once that's done and the user is
> > > > authenticated, no more encryption is necessary.
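The trace at the top of this message shows the underlying mechanism: ASP.NET impersonation only swaps the OS token on the thread that serves the request, while Thread.CurrentPrincipal is a CLR object that the runtime carries over to the new thread. A thread you start yourself gets the process token (the ASPNET account), so file and registry access on it is checked against that account, not the logged-on user. The following is an added example, not code from the original post or from Microsoft; it assumes an ASP.NET (Framework) application with Windows authentication and `<identity impersonate="true"/>`, and the class and method names (`CallerThread`, `StartAsCaller`, `DescribeIdentities`) are hypothetical. It captures the impersonated identity on the request thread and re-applies it inside the worker, reverting automatically when the work finishes.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example, not code from the original post. Meant for a page or handler in an
// ASP.NET (Framework) app configured with Windows authentication and
// <identity impersonate="true"/>, so that on the request thread
// WindowsIdentity.GetCurrent() is the authenticated browser user.
public static class CallerThread
{
    // Report both identities on the current thread: the OS thread token, which is
    // what file and registry ACL checks use, and the CLR-level principal used by
    // IsInRole(). In the original trace these disagree on the worker thread.
    public static string DescribeIdentities(string label)
    {
        IPrincipal p = Thread.CurrentPrincipal;
        string clrName = (p != null && p.Identity != null) ? p.Identity.Name : "(none)";
        return label + ": OS token = " + WindowsIdentity.GetCurrent().Name
                     + "; Thread.CurrentPrincipal = " + clrName;
    }

    // Run 'work' on a new thread under the same Windows token as the calling thread.
    // A new thread starts with the process token (the ASPNET account in the trace);
    // the impersonation token has to be re-applied explicitly.
    public static Thread StartAsCaller(ThreadStart work, Action<string> log)
    {
        WindowsIdentity caller = WindowsIdentity.GetCurrent();   // captured on the request thread
        IPrincipal callerPrincipal = Thread.CurrentPrincipal;

        Thread t = new Thread(delegate ()
        {
            Thread.CurrentPrincipal = callerPrincipal;           // keep IsInRole() consistent too
            log(DescribeIdentities("worker, before Impersonate"));   // OS token = process account

            // Impersonate() puts the caller's token on this thread. Disposing the
            // context calls Undo(), so the thread reverts to the process token even
            // if 'work' throws; the elevated token never outlives the work it was for.
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                log(DescribeIdentities("worker, inside Impersonate"));   // OS token = caller
                work();
            }
            log(DescribeIdentities("worker, after Undo"));
        });
        t.Start();
        return t;
    }
}

// Constructed usage from Page_Load, writing to the page trace as the original did:
//   Trace.Write(CallerThread.DescribeIdentities("request thread"));
//   CallerThread.StartAsCaller(
//       delegate () { /* touch the user's own files or registry keys here */ },
//       delegate (string s) { Trace.Write(s); }).Join();
```

One caveat that bears on the registry probe in the trace: Win32 establishes the HKEY_CURRENT_USER mapping once per process, from the security context of the first thread that touches it, and keeps it even after a thread's token changes. Code that impersonates a different user per request should therefore open that user's hive by SID under HKEY_USERS (Registry.Users in .NET) or through RegOpenCurrentUser rather than trusting Registry.CurrentUser.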
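Aaron's quoted reply lists the three conditions under which IE prompts the user about a server certificate: an issuer that is not trusted, a name that does not match the host that was contacted, and a certificate outside its validity period. As an added example, not code from the thread or from Microsoft, here is a client-side policy in C# that checks the same three things and refuses the connection instead of asking the user to decide. It assumes a .NET Framework client that goes through ServicePointManager; the class and method names (`ServerCertPolicy`, `Problems`, `Validate`) are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread. Reproduces the three checks Aaron
// describes for a server certificate, but rejects rather than prompting.
public static class ServerCertPolicy
{
    // Returns one entry per failed check; an empty list means the certificate is acceptable.
    public static List<string> Problems(X509Certificate2 cert, string hostName, DateTime nowUtc)
    {
        var problems = new List<string>();

        // (3) not yet valid, or no longer valid
        if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
            problems.Add("certificate not yet valid or expired");

        // (2) name on the certificate vs. the name used to contact the server
        if (!NameMatches(cert, hostName))
            problems.Add("name mismatch: certificate is not issued for '" + hostName + "'");

        // (1) chain to a root the client already trusts
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.VerificationTime = nowUtc;
            if (!chain.Build(cert))
            {
                foreach (X509ChainStatus s in chain.ChainStatus)
                {
                    if ((s.Status & (X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain)) != 0)
                        problems.Add("issuer not trusted: " + s.StatusInformation.Trim());
                }
            }
        }
        return problems;
    }

    // Collect the subject CN and every subjectAltName DNS entry, then compare.
    static bool NameMatches(X509Certificate2 cert, string hostName)
    {
        var names = new List<string> { cert.GetNameInfo(X509NameType.DnsName, false) };
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid.Value != "2.5.29.17") continue;   // subjectAltName
            // Format(false) yields e.g. "DNS Name=a.example, DNS Name=b.example" on Windows
            // and "DNS:a.example, DNS:b.example" on other platforms; take the value part.
            foreach (string part in ext.Format(false).Split(','))
            {
                int i = part.LastIndexOfAny(new[] { '=', ':' });
                if (i >= 0) names.Add(part.Substring(i + 1).Trim());
            }
        }
        foreach (string n in names)
            if (HostMatches(n, hostName)) return true;
        return false;
    }

    // Exact match, or a single left-most wildcard label (*.example.com matches www.example.com only).
    static bool HostMatches(string pattern, string host)
    {
        if (string.IsNullOrEmpty(pattern)) return false;
        if (string.Equals(pattern, host, StringComparison.OrdinalIgnoreCase)) return true;
        int dot = host.IndexOf('.');
        if (pattern.StartsWith("*.") && dot > 0)
            return string.Equals(pattern.Substring(1), host.Substring(dot), StringComparison.OrdinalIgnoreCase);
        return false;
    }

    // Callback for ServicePointManager.ServerCertificateValidationCallback. Only a clean
    // result is accepted; otherwise the specific failures are logged and the TLS
    // handshake is refused, with no "continue anyway" path.
    public static bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        string host = sender is HttpWebRequest ? ((HttpWebRequest)sender).RequestUri.Host : "(unknown host)";
        if (certificate == null)
        {
            Console.Error.WriteLine("TLS rejected for " + host + ": no server certificate presented");
            return false;
        }
        foreach (string p in Problems(new X509Certificate2(certificate), host, DateTime.UtcNow))
            Console.Error.WriteLine("TLS rejected for " + host + ": " + p);
        return false;
    }
}

// Constructed usage, once at application start-up:
//   ServicePointManager.ServerCertificateValidationCallback = ServerCertPolicy.Validate;
```

The chain check leaves revocation at the X509Chain default; tightening that is a separate policy decision. The point of the structure is that every check maps to one of the three browser prompts, so a log line names the reason a connection was refused, and the user is never put in the position of clicking through an untrusted or mismatched certificate.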