Re: NTFS + Impersonation + Asp.Net

From: "dirk diggler" <shoveyerspamupyer@ss.com>
Date: Fri, 20 Sep 2002 05:30:11 -0700

i'm a little confused here now :(

i thought if you set a username and password in the
processModel part of the machine.config file (is this what
u did David?) you then ran .NET under that account at all
times, so that you could uniform all NTFS permissions on
web folders, SQL server roles, Active Directory LDAP
permissions, etc and have everything running under a
single managed account instead of switching between the
ASPNET worker process and the user accounts?

>-----Original Message-----
>Ok, so is the bottom line that you cannot protect
>aspx, asmx files with NTFS using NT User accounts?
>
>Isn't that quite a big oversight on security?
>
>David
>
>>-----Original Message-----
>>No, the worker process runs as "aspnet" or any other
>>principal as configured in your machine.config file, note
>>that the process is shared by all asp.net applications and
>>that process must be able to touch/compile all pages, your
>>code actually never touches a page.
>>Your request will be handled by a "worker process"
>>thread from the thread pool, and only this thread will run
>>with the impersonation access token, when your code loads a
>>new page/assembly or calls a not yet JITTED method, a thread
>>switch will occur and the loader or Jitter will run using
>>the "aspnet" process token.
>>
>>Willy.
>>
>>"David Fanning" <dfanning@europeancredit.com> wrote in
>>message news:3f8701c26093$a7b08e20$35ef2ecf@TKMSFTNGXA11...
>>> Sorry for the last reply, guess I didn't read your
>>> reply.
>>>
>>> So are you saying that it's not possible to protect
>>> framework recognised pages (aspx, etc.) with NTFS
>>> permissions because you still have to give permissions
>>> to the asp.net worker process to access the page?
>>>
>>> I thought since I'm using impersonation and that the
>>> worker process would take the identity of the NT User
>>> account and so allow me to place permissions on files
>>> for that user account.
>>>
>>> Thanks
>>>
>>> David
>>>
>>> >-----Original Message-----
>>> >What page are you talking about?
>>> >Note that .aspx .asmx etc. pages are read by the
>>> >worker asp.net process BEFORE your code executes.
>>> >
>>> >Willy.
>>> >
>>> >"David Fanning" <dfanning@europeancredit.com> wrote in
>>> >message news:380e01c2608f$4426f9b0$2ae2c90a@phx.gbl...
>>> >>
>>> >> Ok, apologies I know Impersonation has been done to
>>> >> death however I couldn't find much help about NTFS file
>>> >> permissions and Asp.Net.
>>> >>
>>> >> My problem is as follows;
>>> >> I've deployed an Asp.Net app so it impersonates the
>>> >> user logging in with a valid certificate (certificate
>>> >> mapping).
>>> >> I'm pretty sure the impersonation is working correctly,
>>> >> I've checked both the User.Identity.Name and the more
>>> >> useful
>>> >> System.Security.Principal.WindowsIdentity.GetCurrent().Name
>>> >> and both appeared to reflect the correct NT Account.
>>> >>
>>> >> HOWEVER, as a test I set NTFS file permissions to
>>> >> refuse access to a web page for this NT Account
>>> >> (TestUser). Guess what, the web page was still shown.
>>> >>
>>> >> What's going on here, I thought any 'Deny' NTFS
>>> >> permissions take precedence over 'Grant'.
>>> >>
>>> >> Are there any good resources that explains, preferably
>>> >> with an example exactly how to setup NTFS file security
>>> >> with an Asp.Net app executing under a specific 'User' NT
>>> >> account.
>>> >>
>>> >> Many Thanks
>>> >>
>>> >> David
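
The settings this thread refers to, shown side by side as an added example that is not part of any poster's message. The account `EXAMPLE\svc-aspnet`, the password placeholder and the page name `Report.aspx` are assumptions; the `<location>`/`<authorization>` rule is ASP.NET URL authorization, which the thread does not mention, included as a way to refuse a page to one Windows account without relying on the file's ACL.

```xml
<!-- machine.config (ASP.NET 1.x): identity of the shared worker process.
     This is the account that reads and compiles every .aspx/.asmx file,
     so it needs NTFS read access to all of them. -->
<configuration>
  <system.web>
    <!-- The shipped default is userName="machine" password="AutoGenerate",
         which runs the process as the local ASPNET account.
         EXAMPLE\svc-aspnet and PLACEHOLDER are assumed values. -->
    <processModel enable="true"
                  userName="EXAMPLE\svc-aspnet"
                  password="PLACEHOLDER" />
  </system.web>
</configuration>

<!-- web.config of the application (a separate file) -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Request threads run under the authenticated caller's token.
         As described in the thread, page loading and JIT compilation
         still happen under the worker process token above. -->
    <identity impersonate="true" />
  </system.web>

  <!-- URL authorization: evaluated against the authenticated user name
       (the value seen in User.Identity.Name) before the page runs,
       independent of the NTFS ACL on the file. Rules are matched top
       down, so the deny must come before the allow.
       Report.aspx is an assumed page name; TestUser is the account
       used in the original question. -->
  <location path="Report.aspx">
    <system.web>
      <authorization>
        <deny users="EXAMPLE\TestUser" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```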