RE: UNC file share and NTLM user identity

From: Michael Leung (kmleung@hec.com.hk)
Date: 04/23/03


From: "Michael Leung" <kmleung@hec.com.hk>
Date: Tue, 22 Apr 2003 18:47:44 -0700


Hi Bassel Tabbara,

Thanks for your effort. I actually did some reading on the
HttpModule topic and recognize its power.

However, I can't figure out how it is related to my
problem. My web application (internal intranet using
AD+NTLM) is running perfectly OK if I host the web
site on a local C drive. Using NTLM, I can get
User.Identity.Name, build the principal, and get roles in
Global.asa.

The trouble started when I wanted to scale out using NLB. I
don't want to take the risk of having unsynced copies on the
NLB nodes because there are quite frequent program releases.
So all NLB nodes point to a single copy using a UNC file share
on the SAN. Then User.Identity.Name is lost. According to
your colleague Mike Moore, "A security change from ASP to
ASP.NET required that the user information of
a web request be changed to the UNC "connect as" user when
the web application is accessed by IIS via a UNC share.
This overrides the impersonated user. This affects
User.Identity.Name and the ServerVariables."

If Mike is correct, you cannot get back the original
User.Identity even by building your own HttpModule.

Hope you can shed some light on my problem.

Thanks,
Michael Leung

>-----Original Message-----
>Hello Michael,
>I am sorry for the confusion in the last post; my correct answer is as
>follows:
>You need to create an HttpModule that will handle the authentication there.
>HTTP modules and HTTP handlers are an integral part of the ASP.NET
>architecture. While a request is being processed, each request is processed
>by multiple HTTP modules (for example, the authentication module and the
>session module) and is then processed by a single HTTP handler. After the
>handler has processed the request, the request flows back through the HTTP
>modules.
>
>Modules are called before and after the handler executes. Modules enable
>developers to intercept, participate in, or modify each individual request.
>Modules implement the IHttpModule interface, which is located in the
>System.Web namespace.
>An HttpApplication class provides a number of events with which modules can
>synchronize. The following events are available for modules to synchronize
>with on each request. These events are listed in sequential order:
>
>- BeginRequest
>- AuthenticateRequest
>- AuthorizeRequest
>- ResolveRequestCache
>- AcquireRequestState
>- PreRequestHandlerExecute
>- PostRequestHandlerExecute
>- ReleaseRequestState
>- UpdateRequestCache
>- EndRequest
>
>The following events are available for modules to synchronize with for each
>request transmission. The order of these events is non-deterministic.
>
>- PreSendRequestHeaders
>- PreSendRequestContent
>- Error
>
>For more information refer to the following KB articles:
>
>307996 HOW TO: Create an ASP.NET HTTP Module Using Visual C# .NET
>http://support.microsoft.com/?id=307996
>
>308000 HOW TO: Create an ASP.NET HTTP Module Using Visual Basic .NET
>http://support.microsoft.com/?id=308000
>
>
>Thanks,
>Bassel Tabbara
>Microsoft, ASP.NET
>
>This posting is provided "AS IS", with no warranties, and confers no rights.
>
>
>--------------------
>| X-Tomcat-ID: 534762234
>| References: <01ed01c2fc3f$53a88f10$a601280a@phx.gbl> <002YkTM$CHA.1636@cpmsftngxa06.phx.gbl>
>| MIME-Version: 1.0
>| Content-Type: text/plain
>| Content-Transfer-Encoding: 7bit
>| From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
>| Organization: Microsoft
>| Date: Mon, 21 Apr 2003 23:50:24 GMT
>| Subject: RE: UNC file share and NTLM user identity
>| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>| Message-ID: <eQSfODGCDHA.1636@cpmsftngxa06.phx.gbl>
>| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>| Lines: 135
>| Path: cpmsftngxa06.phx.gbl
>| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:4880
>| NNTP-Posting-Host: TOMCATIMPORT2 10.201.218.182
>|
>| Hello Michael,
>|
>| Basically, Context.User is what ASP.NET uses. The HttpContext.User property
>| provides programmatic access to the properties and methods of the
>| IPrincipal interface. Because ASP.NET pages contain a default reference to
>| the System.Web namespace (which contains the HttpContext class), you can
>| reference the members of HttpContext on an .aspx page without the fully
>| qualified class reference to HttpContext. For example, you can use just
>| User.Identity.Name to get the name of the user on whose behalf the current
>| process is running. It will return the authenticated user.
>|
>| System.Threading.Thread.CurrentPrincipal is used as local storage of the
>| thread. It gets or sets the thread's current principal (for role-based
>| security).
>| Without impersonation, this identity will be empty. Only in ASP.NET will it
>| be equal to Context.User. In normal Windows apps this will return a null
>| value.
>| You have to set it in your application; for example, in a thread pool you
>| will set the CurrentPrincipal to an identity for a particular thread.
>|
>| I hope this helps.
>|
>| Thanks,
>| Bassel Tabbara
>| Microsoft, ASP.NET
>|
>| This posting is provided "AS IS", with no warranties, and confers no
>| rights.
>|
>|
>| --------------------
>| | X-Tomcat-ID: 11309804
>| | References: <01ed01c2fc3f$53a88f10$a601280a@phx.gbl>
>| | MIME-Version: 1.0
>| | Content-Type: text/plain
>| | Content-Transfer-Encoding: 7bit
>| | From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
>| | Organization: Microsoft
>| | Date: Mon, 07 Apr 2003 05:16:41 GMT
>| | Subject: RE: UNC file share and NTLM user identity
>| | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>| | Message-ID: <002YkTM$CHA.1636@cpmsftngxa06.phx.gbl>
>| | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>| | Lines: 81
>| | NNTP-Posting-Host: TOMCATIMPORT2 10.201.218.182
>| | Path: cpmsftngxa08.phx.gbl!cpmsftngxa06.phx.gbl
>| | Xref: cpmsftngxa08.phx.gbl microsoft.public.dotnet.framework.aspnet.security:4717
>| |
>| | Hello Michael,
>| | I will do more research on this and will provide you with a viable
>| | solution.
>| |
>| | Thanks,
>| | Bassel Tabbara
>| | Microsoft, ASP.NET
>| |
>| | This posting is provided "AS IS", with no warranties, and confers no
>| | rights.
>| |
>| |
>| | --------------------
>| | | Content-Class: urn:content-classes:message
>| | | From: "Michael Leung" <kmleung@hec.com.hk>
>| | | Sender: "Michael Leung" <kmleung@hec.com.hk>
>| | | Subject: UNC file share and NTLM user identity
>| | | Date: Sun, 6 Apr 2003 06:20:43 -0700
>| | | Lines: 57
>| | | Message-ID: <01ed01c2fc3f$53a88f10$a601280a@phx.gbl>
>| | | MIME-Version: 1.0
>| | | Content-Type: text/plain; charset="iso-8859-1"
>| | | Content-Transfer-Encoding: 7bit
>| | | X-Newsreader: Microsoft CDO for Windows 2000
>| | | Thread-Index: AcL8P1OoE8DJP0gfTA+5GVVr9H8ANw==
>| | | X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
>| | | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>| | | Path: cpmsftngxa08.phx.gbl
>| | | Xref: cpmsftngxa08.phx.gbl microsoft.public.dotnet.framework.aspnet.security:4716
>| | | NNTP-Posting-Host: TK2MSFTNGXA14 10.40.1.166
>| | | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>| | |
>| | | Hi,
>| | |
>| | | I used a wrong email address. This one belongs to my
>| | | MSDN subscription. I am re-posting.
>| | |
>| | | All machines are in the same domain (AOL_DEV). I have a
>| | | W2KAS running IIS with two web sites. Port 80 points to
>| | | c:\inetpub\wwwroot and port 81 points to
>| | | \\192.168.8.1\fileshare\wwwroot\
>| | |
>| | | On both port 80 and 81, I have the following ASP page
>| | | statement:
>| | | Welcomes <%=Request.ServerVariables("REMOTE_USER")%>
>| | | It works fine. I get "Welcomes AOL_DEV\dcs4585"
>| | |
>| | | I followed Microsoft's document
>| | | "http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp"
>| | | to create a domain account for the .NET process model in
>| | | machine.config and impersonation in web.config. I granted
>| | | that account the TCB privilege. I used the local
>| | | Administrator account for the IIS UNC token to create the
>| | | web site.
>| | |
>| | | On both port 80 and 81, I have the following ASP.NET
>| | | statements.
>| | |
>| | | Response.Write("You are : " + Context.User.Identity.Name.ToString() + "<BR>");
>| | | Response.Write("Page run as : " + System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() + "<BR>");
>| | | Response.Write("Root is : " + Request.PhysicalApplicationPath.ToString() + "<BR>");
>| | |
>| | | On port 80, I get the following response:
>| | | You are : AOL_DEV\dcs4585
>| | | Page run as : AOL_DEV\dcszcluster
>| | | Root is : c:\inetpub\wwwroot\
>| | |
>| | | Unluckily, on port 81, I get the following response:
>| | | You are : DCSCS5\Administrator
>| | | Page run as : AOL_DEV\dcszcluster
>| | | Root is : \\192.168.8.1\fileshare\wwwroot\
>| | |
>| | | Questions?????
>| | | The whole purpose of impersonation is to keep the original
>| | | authenticated user's identity while executing with another
>| | | user's privileges. The response from port 80 (without UNC
>| | | file share) is correct but that from port 81 (with UNC
>| | | file share) is not. I believe it is a bug.
>| | |
>| | | Imagine you have 20 NLBs for load balancing. Is it better
>| | | to deploy the .NET application to one single UNC directory
>| | | rather than to deploy it to 20 local machines?
>| | |
>| | | Michael Leung
>| | |
>| | |

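The thread never shows what an HttpModule actually observes at each of the pipeline events Bassel lists, nor where exactly Context.User stops matching the NTLM-authenticated user that IIS reports. The module below is an added diagnostic example for this thread, not code from either poster or from Microsoft: it hooks the HttpApplication events in order and records, per request, the IIS-authenticated user (LOGON_USER), the principal ASP.NET attached to the request (Context.User), Thread.CurrentPrincipal, and the Windows token the worker thread is executing under (WindowsIdentity.GetCurrent). Comparing the lines for a page served from the local drive against the same page served from the UNC share shows the stage at which the substitution Michael describes happens. The namespace and assembly name "Diag" are assumptions. The module only makes the identities visible; nothing in the thread says a module can put the original NTLM identity back once the UNC "connect as" token has replaced it.

```csharp
// IdentityTraceModule.cs (added example, not from the original posts).
// Register in the application's web.config (assembly name "Diag" assumed):
//   <system.web>
//     <httpModules>
//       <add name="IdentityTrace" type="Diag.IdentityTraceModule, Diag" />
//     </httpModules>
//     <trace enabled="true" pageOutput="true" />
//   </system.web>
using System;
using System.Collections;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

namespace Diag
{
    public class IdentityTraceModule : IHttpModule
    {
        private const string ItemsKey = "Diag.IdentityTrace";

        public void Init(HttpApplication app)
        {
            // One Stage object per event so each handler knows its own name
            // (plain delegates, so this compiles on .NET 1.x as well).
            app.BeginRequest              += new EventHandler(new Stage("BeginRequest").Handle);
            app.AuthenticateRequest       += new EventHandler(new Stage("AuthenticateRequest").Handle);
            app.AuthorizeRequest          += new EventHandler(new Stage("AuthorizeRequest").Handle);
            app.AcquireRequestState       += new EventHandler(new Stage("AcquireRequestState").Handle);
            app.PreRequestHandlerExecute  += new EventHandler(new Stage("PreRequestHandlerExecute").Handle);
            app.PostRequestHandlerExecute += new EventHandler(new Stage("PostRequestHandlerExecute").Handle);
            app.EndRequest                += new EventHandler(new Stage("EndRequest").Handle);
        }

        public void Dispose() { }

        private class Stage
        {
            private readonly string name;
            public Stage(string name) { this.name = name; }

            public void Handle(object sender, EventArgs e)
            {
                HttpContext ctx = ((HttpApplication)sender).Context;
                string line = name + ": " + Describe(ctx);

                // Keep the per-request log on Context.Items so a page can dump it...
                ArrayList log = ctx.Items[ItemsKey] as ArrayList;
                if (log == null) { log = new ArrayList(); ctx.Items[ItemsKey] = log; }
                log.Add(line);

                // ...and mirror it into ASP.NET tracing (trace.axd or pageOutput).
                ctx.Trace.Write("IdentityTrace", line);
            }
        }

        // Snapshot of the identities visible at this point of the pipeline.
        // Context.User is null before AuthenticateRequest, so guard it.
        internal static string Describe(HttpContext ctx)
        {
            string logonUser = ctx.Request.ServerVariables["LOGON_USER"];
            string ctxUser = (ctx.User != null) ? ctx.User.Identity.Name : "(null)";
            IPrincipal tp = Thread.CurrentPrincipal;
            string threadUser = (tp != null) ? tp.Identity.Name : "(null)";
            string token = WindowsIdentity.GetCurrent().Name;

            string flag = "";
            if (ctxUser != "(null)" && logonUser != null && logonUser.Length > 0
                && String.Compare(ctxUser, logonUser, true) != 0)
            {
                // The mismatch reported in the thread: IIS authenticated one
                // user but the request is carrying a different principal.
                flag = "  <-- Context.User != LOGON_USER";
            }

            return String.Format(
                "LOGON_USER={0}; Context.User={1}; Thread.CurrentPrincipal={2}; token={3}{4}",
                logonUser, ctxUser, threadUser, token, flag);
        }

        // Call from a page, e.g. Response.Write(Diag.IdentityTraceModule.Report(Context)),
        // to print every stage recorded so far for the current request.
        public static string Report(HttpContext ctx)
        {
            ArrayList log = ctx.Items[ItemsKey] as ArrayList;
            if (log == null) return "(no identity trace recorded)";
            StringBuilder sb = new StringBuilder();
            foreach (string line in log)
                sb.Append(HttpUtility.HtmlEncode(line)).Append("<br>");
            return sb.ToString();
        }
    }
}
```

Run the same request against the port 80 (local) and port 81 (UNC) sites and diff the two traces: on the local site Context.User should equal LOGON_USER from AuthenticateRequest onward, while the token line shows the impersonated caller; on the UNC site the flagged line tells you the first event at which the connect-as account appears. Report() HTML-encodes the names because account names and server variables are attacker-influenced strings that end up in the page.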

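The original post describes its setup only in prose (a domain account for the process model in machine.config, impersonation in web.config). As an added example that is not the poster's actual configuration, here is that setup for .NET 1.x, with the account name taken from the post's own output and the registry key path, the aspnet_setreg command (KB 329290) and the placeholder password as assumptions. It shows the clear-text credential form beside the registry-protected one, which is the part a practitioner should not get wrong when the worker process runs as a domain account.

```xml
<!-- machine.config: run the ASP.NET worker process as a domain account so it
     can present domain credentials when reading the \\server\share content.
     Use ONE of the two processModel elements below, never both. -->
<system.web>
  <!-- Weak: clear-text domain credentials readable by anyone who can read
       machine.config (the password value here is a placeholder). -->
  <processModel enable="true"
                userName="AOL_DEV\dcszcluster"
                password="REPLACE_ME" />

  <!-- Preferred: credentials stored under HKLM by aspnet_setreg.exe
       (KB 329290; key path assumed), then ACL that key so only the
       process account and Administrators can read it:
         aspnet_setreg -k:SOFTWARE\AOL_DEV\ASPNET\processModel
                       -u:"AOL_DEV\dcszcluster" -p:"REPLACE_ME"   -->
  <processModel enable="true"
                userName="registry:HKLM\SOFTWARE\AOL_DEV\ASPNET\processModel\ASPNET_SETREG,userName"
                password="registry:HKLM\SOFTWARE\AOL_DEV\ASPNET\processModel\ASPNET_SETREG,password" />
</system.web>

<!-- web.config of the application: authenticate with Windows (NTLM here),
     refuse anonymous callers, and impersonate the caller on the request
     thread, which is what makes WindowsIdentity.GetCurrent() differ from
     the process account in the port 80 output quoted above. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <identity impersonate="true" />
  </system.web>
</configuration>
```

With this in place the port 80 output in the post is the expected one; the port 81 output is the UNC case the thread is about, and this configuration does not change it.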
