Re: <identity impersonate="true"> question
From: Aaron Margosis [MS] (aaronmaronline@microsoft.com)
Date: 07/25/02
- Next message: Datagrid Girl: "Re: impact of mapping .??? to ASP.NET ISAPI???"
- Previous message: Aaron Margosis [MS]: "Re: Forms based security without cookies?"
- In reply to: Microsoft Newsgroups: "Re: <identity impersonate="true"> question"
- Next in thread: Microsoft Newsgroups: "Re: <identity impersonate="true"> question"
- Reply: Microsoft Newsgroups: "Re: <identity impersonate="true"> question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com>
Date: Wed, 24 Jul 2002 23:29:09 -0500
Did you originally have a beta version of the .NET Framework on your
development computer? The default setup used to be to run the ASPNET worker
process in the SYSTEM context. You may still be running in SYSTEM context
on your development box. The production system is probably running as the
unprivileged ASPNET local account.
Does your app actually need to create categories? Can the categories be
established by an interactively logged-on administrator instead? Or,
instead of having the app run as administrator all the time, can you use
Windows authentication, and impersonate the authenticating user? If the
user is an admin then your app can create new categories in that user's
session.
As discussed below, the TCB privilege (a.k.a., "act as part of the operating
system") needs to be granted to the aspnet_wp.exe's process account
(probably ASPNET on your production system) in order for it to use the
<identity> element with the userName/password attributes. (I strongly
recommend against using that form.)
-- Aaron
"Microsoft Newsgroups" <me@yahoo.com> wrote in message
news:OPZzxkyMCHA.2604@tkmsftngp11...
> What is required to make LogonUser work?
>
> I have an ASP.NET app that needs to create categories in the Event Log. On
> my development box, setting impersonate true, and setting the username/pwd
> to the administrator works fine. But when I put it on the production IIS
> server (Win2K) I get an error something about invalid rights or credentials.
> What am I missing?
>
> Thanks!
> <<Kevin Finck>>
>
> "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
> news:OeJEhp6KCHA.1008@tkmsftngp10...
> > Good question! Impersonating an already authenticated (logged on) user does
> > not require TCB (trusted computing base, a.k.a. "act as part of the
> > operating system"). What does require TCB is use of the LogonUser API to
> > create a new logon session. That comes up when you use this form of the
> > <identity> element:
> >
> > <identity impersonate="true" userName="YOYODYNE\JBigBoote"
> > password="Sekrit!" />
> >
> > Rather than impersonating the user authenticated by IIS (which is what
> > you're doing), the app always runs with the specified credentials. In order
> > to do this, ASPNET needs to be able to call LogonUser.
> >
> > HTH
> >
> > -- Aaron
> >
> >
> > "Dave" <DaveAtHome_spam@nc.rr.com> wrote in message
> > news:#L#Gcc0KCHA.1008@tkmsftngp10...
> > > I added <identity impersonate="true"> to my web.config file and was
> > > expecting to have to add "Act as part of the OS" to the local machine's
> > > security policy for the ASPNET user as was posted various places but in fact
> > > did NOT have to do this for the impersonation to work. Is that not a
> > > required action? I'm running on Windows 2000 and not Windows XP where my
> > > understanding was that policy for ASPNET would not need to be set. There
> > > are no users explicitly added with that security right on my machine. Thanks,
> > > Dave
> > >
> > >
> >
> >
>
>
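The check a defender would want after reading the thread, as an added example that is not code from the newsgroup posters or from Microsoft: a small Python audit that classifies the <identity> element in a web.config (authenticated-user impersonation versus the userName/password form that makes ASP.NET call LogonUser) and reads the [Privilege Rights] section of a `secedit /export /cfg` dump to report whether the worker-process account holds SeTcbPrivilege. The web.config text, the secedit text and the SID standing in for the ASPNET account are constructed samples; the YOYODYNE credentials are the ones quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the thread): a web.config using the
# fixed-credential form, and a trimmed `secedit /export /cfg` dump.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="YOYODYNE\\JBigBoote" password="Sekrit!" />
  </system.web>
</configuration>"""

SAMPLE_SECEDIT_EXPORT = """[Privilege Rights]
SeTcbPrivilege = *S-1-5-18,*S-1-5-21-1111-2222-3333-1005
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1005
[Version]
signature="$CHICAGO$"
Revision=1"""

ASPNET_SID = "S-1-5-21-1111-2222-3333-1005"  # constructed SID for the ASPNET account

def identity_mode(web_config_xml):
    """'none', 'authenticated-user' (no TCB needed) or 'fixed-credentials' (LogonUser, needs TCB)."""
    ident = ET.fromstring(web_config_xml).find("./system.web/identity")
    if ident is None or ident.get("impersonate", "false").lower() != "true":
        return "none"
    if ident.get("userName") or ident.get("password"):
        return "fixed-credentials"
    return "authenticated-user"

def tcb_holders(secedit_export):
    """SIDs/names granted SeTcbPrivilege; secedit writes SIDs with a leading '*', stripped here."""
    in_section = False
    for line in secedit_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line == "[Privilege Rights]")
        elif in_section and line.startswith("SeTcbPrivilege"):
            value = line.partition("=")[2]
            return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []

def audit(web_config_xml, secedit_export, worker_account):
    """Findings: plaintext credentials in web.config, and the worker account holding TCB."""
    findings = []
    if identity_mode(web_config_xml) == "fixed-credentials":
        findings.append("identity has userName/password: credentials in web.config and LogonUser needs TCB")
    if worker_account.lower() in (h.lower() for h in tcb_holders(secedit_export)):
        findings.append(f"{worker_account} holds SeTcbPrivilege (act as part of the operating system)")
    return findings
```

On a real Windows 2000 box the dump comes from `secedit /export /cfg <file>` and the worker account appears there as its own `*S-1-5-21-...` SID, which is what you pass as `worker_account`.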