RE: UNC file share and NTLM user identity

From: Bassel Tabbara [MSFT] (basselt@online.microsoft.com)
Date: Tue, 22 Apr 2003 21:44:33 GMT


Hello Michael,
I am sorry for the confusion in my last post; my correct answer is as
follows:
You need to create an HttpModule that will handle the authentication there.
HTTP modules and HTTP handlers are an integral part of the ASP.NET
architecture. Each request is processed by multiple HTTP modules (for
example, the authentication module and the session module) and is then
processed by a single HTTP handler. After the handler has processed the
request, the request flows back through the HTTP modules.

Modules are called before and after the handler executes. Modules enable
developers to intercept, participate in, or modify each individual request.
Modules implement the IHttpModule interface, which is located in the
System.Web namespace.
An HttpApplication class provides a number of events with which modules can
synchronize. The following events are available for modules to synchronize
with on each request. These events are listed in sequential order:

- BeginRequest
- AuthenticateRequest
- AuthorizeRequest
- ResolveRequestCache
- AcquireRequestState
- PreRequestHandlerExecute
- PostRequestHandlerExecute
- ReleaseRequestState
- UpdateRequestCache
- EndRequest

The following events are available for modules to synchronize with for each
request transmission. The order of these events is non-deterministic.

- PreSendRequestHeaders
- PreSendRequestContent
- Error

For more information refer to the following Kb articles:

307996 HOW TO: Create an ASP.NET HTTP Module Using Visual C# .NET
http://support.microsoft.com/?id=307996

308000 HOW TO: Create an ASP.NET HTTP Module Using Visual Basic .NET
http://support.microsoft.com/?id=308000

Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.
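As an added example (not code from this thread or from the KB articles above), here is a minimal IHttpModule that hooks four of the per-request events listed in the post and, at AuthenticateRequest, records the identity ASP.NET attached to the request. It assumes <authentication mode="Windows" /> in web.config, <trace enabled="true" /> so the output appears in trace.axd, and that the module is registered under <httpModules> after the built-in modules. The class name IdentityAuditModule and the trace category "Identity" are choices made for this example.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added example, not from the thread. Register in web.config as:
//   <httpModules>
//     <add name="IdentityAudit" type="IdentityAuditModule" />
//   </httpModules>
// Because the built-in modules (including WindowsAuthenticationModule) are
// listed first in machine.config, our AuthenticateRequest handler runs after
// theirs and sees the principal they created.
public class IdentityAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Events fire in the order listed in the post; subscribe to four of them.
        app.BeginRequest += new EventHandler(OnBeginRequest);
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
        app.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    public void Dispose()
    {
        // Nothing to release.
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // At BeginRequest ASP.NET's own authentication module has not run yet,
        // so ctx.User is normally still null; do not make decisions on it here.
        ctx.Trace.Write("Identity", "BeginRequest: User=" + Describe(ctx.User));
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        IPrincipal user = ctx.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Anonymous request: IIS negotiated no user, or anonymous access is
            // enabled and the browser never authenticated.
            ctx.Trace.Write("Identity", "AuthenticateRequest: anonymous");
            return;
        }

        // With Windows authentication, ctx.User is built from the token IIS
        // obtained, the same account IIS exposes as LOGON_USER. Record both so a
        // mismatch like the port 81 case shows up in the trace, not only on the page.
        string logonUser = ctx.Request.ServerVariables["LOGON_USER"];
        ctx.Trace.Write("Identity", "AuthenticateRequest: User=" + Describe(user)
            + " LOGON_USER=" + logonUser);

        // Keep the thread-local principal in step with the request principal so
        // role-based checks (PrincipalPermission, IsInRole) see the same user.
        Thread.CurrentPrincipal = user;
    }

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Just before the handler runs: the Windows token the page code will
        // execute under. With <identity impersonate="true" /> this is the
        // impersonated account; otherwise it is the worker-process account.
        ctx.Trace.Write("Identity", "PreRequestHandlerExecute: token="
            + WindowsIdentity.GetCurrent().Name
            + " CurrentPrincipal=" + Describe(Thread.CurrentPrincipal));
    }

    private void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        ctx.Trace.Write("Identity", "EndRequest: status=" + ctx.Response.StatusCode);
    }

    private static string Describe(IPrincipal p)
    {
        if (p == null)
        {
            return "(null)";
        }
        IIdentity id = p.Identity;
        // AuthenticationType is "NTLM", "Negotiate" or "Kerberos" for Windows auth.
        return id.AuthenticationType + ":" + id.Name
            + (id.IsAuthenticated ? "" : " (not authenticated)");
    }
}
```

The three trace lines per request separate the three things the original question conflates: the request principal (Context.User), the thread principal (Thread.CurrentPrincipal), and the OS token the page runs under (WindowsIdentity.GetCurrent()). Trace output is visible to anyone who can reach trace.axd, so enable it only while troubleshooting.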

--------------------
| References: <01ed01c2fc3f$53a88f10$a601280a@phx.gbl> <002YkTM$CHA.1636@cpmsftngxa06.phx.gbl>
| From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
| Organization: Microsoft
| Date: Mon, 21 Apr 2003 23:50:24 GMT
| Subject: RE: UNC file share and NTLM user identity
| Message-ID: <eQSfODGCDHA.1636@cpmsftngxa06.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
|
| Hello Michael,
|
| Basically, Context.User is what ASP.Net uses. The HttpContext.User property
| provides programmatic access to the properties and methods of the
| IPrincipal interface. Because ASP.NET pages contain a default reference to
| the System.Web namespace (which contains the HttpContext class), you can
| reference the members of HttpContext on an .aspx page without the fully
| qualified class reference to HttpContext. For example, you can use just
| User.Identity.Name to get the name of the user on whose behalf the current
| process is running. It will return the authenticated user.
|
| System.Threading.Thread.CurrentPrincipal is used as a local storage of the
| thread. It gets or sets the thread's current principal (for role-based
| security).
| Without impersonation, this identity will be empty. Only in ASP.Net, it
| will be equal to Context.User. In normal Windows apps this will return a
| null value.
| You have to set it in your application, for example in a thread pool you
| will set the CurrentPrincipal to an identity for a particular thread.
|
| I hope this helps.
|
| Thanks,
| Bassel Tabbara
| Microsoft, ASP.NET
|
| This posting is provided "AS IS", with no warranties, and confers no rights.
|
|
| --------------------
| | References: <01ed01c2fc3f$53a88f10$a601280a@phx.gbl>
| | From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
| | Organization: Microsoft
| | Date: Mon, 07 Apr 2003 05:16:41 GMT
| | Subject: RE: UNC file share and NTLM user identity
| | Message-ID: <002YkTM$CHA.1636@cpmsftngxa06.phx.gbl>
| | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| |
| | Hello Michael,
| | I will do more research on this and will provide you with a viable solution.
| |
| | Thanks,
| | Bassel Tabbara
| | Microsoft, ASP.NET
| |
| | This posting is provided "AS IS", with no warranties, and confers no rights.
| |
| |
| | --------------------
| | | From: "Michael Leung" <kmleung@hec.com.hk>
| | | Subject: UNC file share and NTLM user identity
| | | Date: Sun, 6 Apr 2003 06:20:43 -0700
| | | Message-ID: <01ed01c2fc3f$53a88f10$a601280a@phx.gbl>
| | | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| | |
| | | Hi,
| | |
| | | I have used a wrong email address. This one belongs to my
| | | MSDN subscription. I do a re-post.
| | |
| | | All machines are in the same domain (AOL_DEV). I have a
| | | W2KAS running IIS having two web sites. Port 80 points to
| | | c:\inetpub\wwwroot and port 81 points to
| | | \\192.168.8.1\fileshare\wwwroot\
| | |
| | | In both port 80 & 81, I have the following ASP page
| | | statement
| | | Welcomes <%=Request.ServerVariables("REMOTE_USER")%>
| | | It works fine. I get "Welcomes AOL_DEV\dcs4585"
| | |
| | | I followed Microsoft's document
| | | http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp
| | | to create a domain account for the .NET process model in
| | | machine.config and impersonation in web.config. I granted that
| | | account TCB privilege. I used the local administration account
| | | for the IIS UNC token to create the web site.
| | |
| | | In both port 80 and 81, I have the following ASP.NET
| | | statements.
| | |
| | | Response.Write("You are : " + Context.User.Identity.Name.ToString() + "<BR>");
| | | Response.Write("Page run as : " + System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() + "<BR>");
| | | Response.Write("Root is : " + Request.PhysicalApplicationPath.ToString() + "<BR>");
| | |
| | | In Port 80, I get the following response:-
| | | You are : AOL_DEV\dcs4585
| | | Page run as : AOL_DEV\dcszcluster
| | | Root is : c:\inetpub\wwwroot\
| | |
| | | Unluckily in Port 81, I get the following response:-
| | | You are : DCSCS5\Administrator
| | | Page run as : AOL_DEV\dcszcluster
| | | Root is : \\192.168.8.1\fileshare\wwwroot\
| | |
| | | Questions?????
| | | The whole purpose of impersonation is to keep the original
| | | authenticated user's identity while executing in another
| | | user's privileges. The response from port 80 (without UNC
| | | file share) is correct but that from port 81 (with UNC
| | | file share) is not. I believe it is a bug.
| | |
| | | Imagine you have 20 NLBs for load balancing. Is it better
| | | to deploy the .NET application to one single UNC directory
| | | rather than to deploy it to 20 local machines?
| | |
| | | Michael Leung
| | |
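The earlier reply in this thread distinguishes Thread.CurrentPrincipal (a per-thread value that the host, or your own code, has to set) from the identity of the token the code runs under, and Michael's test page prints both. As an added example, not from either poster, the console program below shows that distinction outside ASP.NET: the thread principal starts out as an empty GenericPrincipal, becomes a WindowsPrincipal only after the AppDomain's principal policy is changed or after it is assigned explicitly, while WindowsIdentity.GetCurrent() always reflects the OS token. It assumes .NET Framework on Windows; the class name PrincipalDemo and the labels are choices made for this example.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example, not from the thread. Run under any Windows account; the
// printed names are whatever account you start it as.
class PrincipalDemo
{
    static void Main()
    {
        // 1. The OS token for the current thread: always present, never null.
        Console.WriteLine("Token user: " + WindowsIdentity.GetCurrent().Name);

        // 2. The thread principal before anything sets it. The default
        //    principal policy is UnauthenticatedPrincipal, so this is a
        //    GenericPrincipal with an empty, unauthenticated identity, not the
        //    Windows user printed above.
        ShowPrincipal("Default", Thread.CurrentPrincipal);

        // 3. Ask the runtime to build a WindowsPrincipal for threads whose
        //    principal has not been read yet. The main thread already cached its
        //    GenericPrincipal in step 2, so demonstrate on a fresh thread.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        Thread policyThread = new Thread(new ThreadStart(delegate
        {
            ShowPrincipal("Policy thread", Thread.CurrentPrincipal);
        }));
        policyThread.Start();
        policyThread.Join();

        // 4. Or assign it explicitly, as a thread pool or custom host would, so
        //    role checks on that thread see the intended user.
        WindowsPrincipal explicitUser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Thread explicitThread = new Thread(new ThreadStart(delegate
        {
            Thread.CurrentPrincipal = explicitUser;
            ShowPrincipal("Explicit thread", Thread.CurrentPrincipal);
            // Role-based security now works against the Windows groups of the token.
            WindowsPrincipal wp = (WindowsPrincipal)Thread.CurrentPrincipal;
            Console.WriteLine("  IsInRole(Users): " + wp.IsInRole(WindowsBuiltInRole.User));
        }));
        explicitThread.Start();
        explicitThread.Join();
    }

    static void ShowPrincipal(string label, IPrincipal p)
    {
        IIdentity id = p.Identity;
        Console.WriteLine(label + ": type=" + p.GetType().Name
            + " name='" + id.Name + "'"
            + " authenticated=" + id.IsAuthenticated);
    }
}
```

The point for the ASP.NET case is that nothing in the runtime ties Thread.CurrentPrincipal to the OS token on its own: ASP.NET sets it from Context.User for each request, and any code that spawns its own threads inherits neither value and must set the principal itself.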