Re: NTFS + Impersonation + Asp.Net
From: David Fanning (dfanning@europeancredit.com)
Date: 09/20/02
- Next message: Kelvin: "Avoid multiple user login"
- Previous message: dirk diggler: "Re: NTFS + Impersonation + Asp.Net"
- In reply to: dirk diggler: "Re: NTFS + Impersonation + Asp.Net"
- Next in thread: dirk diggler: "Re: NTFS + Impersonation + Asp.Net"
- Reply: dirk diggler: "Re: NTFS + Impersonation + Asp.Net"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Fanning" <dfanning@europeancredit.com> Date: Fri, 20 Sep 2002 05:49:48 -0700
Sorry for the confusion.
This is the SetUp:
1. processModel in machine.config is running as "machine".
2. Website is set for windows authen. + impersonate user.
3. IIS set for Windows Authen. + certificate required.
4. Certificate is mapped to a user account 'TestUser'.
5. I apply NTFS DENY permissions for the 'TestUser' to an aspx file within the site.
6. When accessing the aspx via a url, the certificates correctly map the user to 'TestUser', however the page is still shown.
The page is shown even though the user identity as set by IIS is 'TestUser' and the aspx file has DENY permissions for the 'TestUser'.
So basically, if you map a user to a certain NT account when accessing a site, can you not deny that user access to aspx files through NTFS? It appears not!
David
>-----Original Message-----
>i'm a little confused here now :(
>
>i thought if you set a username and password in the
>processModel part of the machine.config file (is this what
>u did David?) you then ran .NET under that account at all
>times, so that you could uniform all NTFS permissions on
>web folders, SQL server roles, Active Directory LDAP
>permissions, etc and have everything running under a
>single managed account instead of switching between the
>ASPNET worker process and the user accounts?
>
>>-----Original Message-----
>>Ok, so is the bottom line is that you cannot protect
>>aspx, asmx files with NTFS using NT User accounts?
>>
>>Isn't that quite a big oversight on security?
>>
>>David
>>
>>
>>
>>>-----Original Message-----
>>>No, the worker process runs as "aspnet" or any other
>>>principal as configured in your machine.config file, note
>>>that the process is shared by all asp.net applications and
>>>that process must be able to touch/compile all pages, your
>>>code actually never touches a page.
>>>Your request will be handled by a "worker process" thread
>>>from the thread pool, and only this thread will run with
>>>the impersonation access token, when your code loads a new
>>>page/assembly or calls a not yet JITTED method, a thread
>>>switch will occur and the loader or Jitter will run using
>>>the "aspnet" process token.
>>>
>>>Willy.
>>>
>>>
>>>
>>>"David Fanning" <dfanning@europeancredit.com> wrote in
>>>message news:3f8701c26093$a7b08e20$35ef2ecf@TKMSFTNGXA11...
>>>> Sorry for the last reply, guess I didn't read your
>>>> reply.
>>>>
>>>> So are you saying that it's not possible to protect
>>>> framework recognised pages (aspx, etc.) with NTFS
>>>> permissions because you still have to give permissions
>>>> to the asp.net worker process to access the page?
>>>>
>>>> I thought, since I'm using impersonation, that the
>>>> worker process would take the identity of the NT User
>>>> account and so allow me to place permissions on files
>>>> for that user account.
>>>>
>>>> Thanks
>>>>
>>>> David
>>>>
>>>>
>>>> >-----Original Message-----
>>>> >What page are you talking about?
>>>> >Note that .aspx .asmx etc. pages are read by the worker
>>>> >asp.net process BEFORE your code executes.
>>>> >
>>>> >Willy.
>>>> >
>>>> >"David Fanning" <dfanning@europeancredit.com> wrote in
>>>> >message news:380e01c2608f$4426f9b0$2ae2c90a@phx.gbl...
>>>> >>
>>>> >> Ok, apologies, I know Impersonation has been done to
>>>> >> death, however I couldn't find much help about NTFS file
>>>> >> permissions and Asp.Net.
>>>> >>
>>>> >> My problem is as follows;
>>>> >> I've deployed an Asp.Net app so it impersonates the user
>>>> >> logging in with a valid certificate (certificate
>>>> >> mapping).
>>>> >> I'm pretty sure the impersonation is working correctly,
>>>> >> I've checked both the User.Identity.Name and the more
>>>> >> useful System.Security.Principal.WindowsIdentity.GetCurrent().Name
>>>> >> and both appeared to reflect the correct NT Account.
>>>> >>
>>>> >> HOWEVER, as a test I set NTFS file permissions to refuse
>>>> >> access to a web page for this NT Account (TestUser). Guess
>>>> >> what, the web page was still shown.
>>>> >>
>>>> >> What's going on here, I thought any 'Deny' NTFS
>>>> >> permissions take precedence over 'Grant'.
>>>> >>
>>>> >> Are there any good resources that explain, preferably
>>>> >> with an example, exactly how to set up NTFS file security
>>>> >> with an Asp.Net app executing under a specific 'User' NT
>>>> >> account.
>>>> >>
>>>> >> Many Thanks
>>>> >>
>>>> >> David
>>>> >>
>>>> >>
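As an added example (not code from this thread or from Microsoft), one way to get the behaviour David expected is an HttpModule that opens the requested file on the impersonating request thread and returns 403 when the NTFS ACL denies that account. The class name, the AuthorizeRequest hook point and the use of Trace for logging are assumptions; it assumes Windows authentication with <identity impersonate="true"/> as set up in the thread.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Hypothetical module (not from the thread). ASP.NET reads and compiles the
// .aspx under the worker process account, so an NTFS DENY on the caller is
// never consulted; this module applies it by opening the file on the
// impersonating request thread before the page handler runs.
public class ImpersonatedFileAclModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // By AuthorizeRequest the caller is authenticated and, with
        // <identity impersonate="true"/>, the thread carries their token.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string path = app.Request.PhysicalPath;
        if (CanRead(path)) return;

        // Record the refusal and stop the pipeline: the page handler never
        // sees the request, so the DENY now has an effect.
        app.Context.Trace.Warn("acl", "Denied " +
            WindowsIdentity.GetCurrent().Name + " on " + path);
        app.Response.StatusCode = 403;
        app.Response.End();
    }

    // Opens the file with the thread's current token. A DENY ACE for the
    // impersonated account makes the open fail with access denied, which
    // the CLR surfaces as UnauthorizedAccessException.
    internal static bool CanRead(string path)
    {
        try
        {
            File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read).Close();
            return true;
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (FileNotFoundException) { return true; } // let ASP.NET 404 it
    }
}
```

Register it in web.config under <httpModules> with the module's type and assembly name; the worker process account still needs read access to the file so that ASP.NET can compile it.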