Re: NTFS + Impersonation + Asp.Net

From: Ricardo Augusto (ricardo.augusto@terra.com.br)
Date: 09/27/02


From: "Ricardo Augusto" <ricardo.augusto@terra.com.br>
Date: Fri, 27 Sep 2002 12:47:25 -0300


I set impersonation to true in machine.config.

How can I prevent the user from changing this setting in his web.config file?

I don't want the user to use the asp.net process account. I must be sure that he can't RevertToSelf and use the asp.net account.

Note: I can't set a web.config file in his web site. This must be done at global level.

Thanks,

Ricardo Augusto
SA (MCSE)

"Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message news:ek#18iJYCHA.2640@tkmsftngp10...
No, the worker process runs as "aspnet" or any other principal as configured in your machine.config file, note that the process is
shared by all asp.net applications and that process must be able to touch/compile all pages, your code actually never touches a page.
Your request will be handled by a "worker process" thread from the thread pool, and only this thread will run with the
impersonation access token, when your code loads a new page/assembly or calls a not yet JITTED method, a thread switch will occur
and the loader or Jitter will run using the "aspnet" process token.

Willy.

"David Fanning" <dfanning@europeancredit.com> wrote in message news:3f8701c26093$a7b08e20$35ef2ecf@TKMSFTNGXA11...
> Sorry for the last reply, guess I didn't read your reply.
>
> So are you saying that it's not possible to protect
> framework recognised pages (aspx, etc.) with NTFS
> permissions because you still have to give permissions to
> the asp.net worker process to access the page?
>
> I thought since I'm using impersonation and that the
> worker process would take the identity of the NT User
> account and so allow me to place permissions on files for
> that user account.
>
> Thanks
>
> David
>
>
> >-----Original Message-----
> >What page are you talking about?
> >Note that .aspx .asmx etc. pages are read by the worker asp.net process BEFORE your code executes.
> >
> >Willy.
> >
> >"David Fanning" <dfanning@europeancredit.com> wrote in message news:380e01c2608f$4426f9b0$2ae2c90a@phx.gbl...
> >>
> >> Ok, apologies, I know Impersonation has been done to death
> >> however I couldn't find much help about NTFS file
> >> permissions and Asp.Net.
> >>
> >> My problem is as follows;
> >> I've deployed an Asp.Net app so it impersonates the user
> >> logging in with a valid certificate (certificate mapping).
> >> I'm pretty sure the impersonation is working correctly,
> >> I've checked both the User.Identity.Name and the more useful
> >> System.Security.Principal.WindowsIdentity.GetCurrent().Name
> >> and both appeared to reflect the correct NT Account.
> >>
> >> HOWEVER, as a test I set NTFS file permissions to refuse
> >> access to a web page for this NT Account (TestUser). Guess
> >> what, the web page was still shown.
> >>
> >> What's going on here, I thought any 'Deny' NTFS
> >> permissions take precedence over 'Grant'.
> >>
> >> Are there any good resources that explain, preferably
> >> with an example, exactly how to set up NTFS file security
> >> with an Asp.Net app executing under a specific 'User' NT
> >> account.
> >>
> >> Many Thanks
> >>
> >> David
> >>
> >>
> >
> >
> >.
> >
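
For the question at the top of this message (keeping impersonation switched on from machine.config so a site's own web.config cannot turn it off), here is an added example that is not part of the original thread. ASP.NET's `<location allowOverride="false">` element locks the settings it encloses, so a web.config that tries to redefine them fails with a configuration error. The `<trust>` line is an assumption: it needs ASP.NET 1.1 or later, where Medium trust exists and withholds the unmanaged-code permission that a P/Invoke call to RevertToSelf requires.

```xml
<!-- machine.config (fragment). Added example, not from the thread. -->
<configuration>
  <!-- No path attribute: the block applies to every application on the machine.
       allowOverride="false" locks the enclosed settings against any web.config. -->
  <location allowOverride="false">
    <system.web>
      <!-- Request threads run with the authenticated caller's token. -->
      <identity impersonate="true" />
      <!-- Assumption: ASP.NET 1.1 or later. Partial trust does not grant
           SecurityPermission(UnmanagedCode), so hosted code cannot P/Invoke
           RevertToSelf to fall back to the worker process account. -->
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```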


