Re: NTFS + Impersonation + Asp.Net
From: David Fanning (dfanning@europeancredit.com)
Date: 09/20/02
From: "David Fanning" <dfanning@europeancredit.com> Date: Fri, 20 Sep 2002 04:52:57 -0700
Ok, so is the bottom line that you cannot protect
aspx, asmx files with NTFS using NT User accounts?
Isn't that quite a big oversight on security?
David
>-----Original Message-----
>No, the worker process runs as "aspnet" or any other principal as
>configured in your machine.config file. Note that the process is
>shared by all asp.net applications and that process must be able to
>touch/compile all pages; your code actually never touches a page.
>Your request will be handled by a "worker process" thread from the
>thread pool, and only this thread will run with the impersonation
>access token. When your code loads a new page/assembly or calls a
>not yet JITTED method, a thread switch will occur and the loader or
>Jitter will run using the "aspnet" process token.
>
>Willy.
>
>
>
>"David Fanning" <dfanning@europeancredit.com> wrote in message news:3f8701c26093$a7b08e20$35ef2ecf@TKMSFTNGXA11...
>> Sorry for the last reply, guess I didn't read your reply.
>>
>> So are you saying that it's not possible to protect
>> framework recognised pages (aspx, etc.) with NTFS
>> permissions because you still have to give permissions to
>> the asp.net worker process to access the page?
>>
>> I thought since I'm using impersonation that the
>> worker process would take the identity of the NT User
>> account and so allow me to place permissions on files for
>> that user account.
>>
>> Thanks
>>
>> David
>>
>>
>> >-----Original Message-----
>> >What page are you talking about?
>> >Note that .aspx .asmx etc. pages are read by the worker asp.net process BEFORE your code executes.
>> >
>> >Willy.
>> >
>> >"David Fanning" <dfanning@europeancredit.com> wrote in message news:380e01c2608f$4426f9b0$2ae2c90a@phx.gbl...
>> >>
>> >> Ok, apologies, I know Impersonation has been done to death,
>> >> however I couldn't find much help about NTFS file
>> >> permissions and Asp.Net.
>> >>
>> >> My problem is as follows:
>> >> I've deployed an Asp.Net app so it impersonates the user
>> >> logging in with a valid certificate (certificate mapping).
>> >> I'm pretty sure the impersonation is working correctly,
>> >> I've checked both the User.Identity.Name and the more useful
>> >> System.Security.Principal.WindowsIdentity.GetCurrent().Name
>> >> and both appeared to reflect the correct NT Account.
>> >>
>> >> HOWEVER, as a test I set NTFS file permissions to refuse
>> >> access to a web page for this NT Account (TestUser). Guess
>> >> what, the web page was still shown.
>> >>
>> >> What's going on here, I thought any 'Deny' NTFS
>> >> permissions take precedence over 'Grant'.
>> >>
>> >> Are there any good resources that explain, preferably
>> >> with an example, exactly how to set up NTFS file security
>> >> with an Asp.Net app executing under a specific 'User' NT
>> >> account.
>> >>
>> >> Many Thanks
>> >>
>> >> David
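
The two tokens described in the quoted explanation can be observed from inside a request. The handler below is an added example, not code from this thread or from the ASP.NET project. It assumes .NET Framework ASP.NET with `<identity impersonate="true"/>`, full trust, a handler registration in web.config, and a hypothetical data file `~/data/report.txt` whose ACL denies Read to the impersonated account; the class name `IdentityProbe` is also hypothetical.

```csharp
// Added example: compares the request thread's impersonation token with the
// worker process token, and shows which one NTFS checks on a file open.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class IdentityProbe : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Hypothetical data file; its ACL denies Read to the impersonated user.
        string path = context.Server.MapPath("~/data/report.txt");
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Request thread: carries the impersonation token (e.g. TestUser).
        r.Write("Thread identity:  " + WindowsIdentity.GetCurrent().Name + "\n");
        r.Write("  read as thread:  " + TryRead(path) + "\n");

        // Impersonate(IntPtr.Zero) reverts this thread to the process token,
        // the identity the thread describes as loading and compiling pages.
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            r.Write("Process identity: " + WindowsIdentity.GetCurrent().Name + "\n");
            r.Write("  read as process: " + TryRead(path) + "\n");
        }
        finally
        {
            ctx.Undo(); // restore the impersonation token on the request thread
        }
    }

    // Opens the file under whatever token the calling thread currently holds.
    private static string TryRead(string path)
    {
        try
        {
            using (FileStream fs = File.OpenRead(path)) { return "allowed"; }
        }
        catch (UnauthorizedAccessException) { return "denied by NTFS ACL"; }
        catch (IOException e) { return "I/O error: " + e.GetType().Name; }
    }
}
```

Under those assumptions, the first read is checked against the impersonated account and the second against the worker process account, so a Deny entry for the user affects only files the application code opens itself.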