RE: UNC file share and NTLM user identity
From: Mike Moore [MSFT] (michmo@online.microsoft.com)
Date: 04/24/03
- Previous message: Sean: "ASPNET user"
- In reply to: Michael Leung: "RE: UNC file share and NTLM user identity"
- Next in thread: Mike Moore [MSFT]: "RE: UNC file share and NTLM user identity"
- Reply: Mike Moore [MSFT]: "RE: UNC file share and NTLM user identity"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: michmo@online.microsoft.com ("Mike Moore [MSFT]") Date: Wed, 23 Apr 2003 23:08:06 GMT
Hi Michael,
We will investigate this further. This may take a few days. Also, I don't
know yet, but our conclusion may be that the configuration you wish is not
supported with ASP.NET.
Thank you, Mike Moore
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| >From: "Michael Leung" <kmleung@hec.com.hk>
| >Subject: RE: UNC file share and NTLM user identity
| >Date: Tue, 22 Apr 2003 18:47:44 -0700
| >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| >
| >Hi Bassel Tabbara,
| >
| >Thanks for your effort. I actually did some reading on the HttpModule
| >topic and recognize its power.
| >
| >However, I can't figure out how it is related to my problem. My Web
| >application (internal intranet using AD+NTLM) is running perfectly OK
| >if I host the web site on a local C drive. Using NTLM, I can get
| >User.Identity.Name, build the principal, and get roles in Global.asa.
| >
| >The trouble started when I wanted to scale out using NLB. I don't want
| >to take the risk of having un-synced copies in NLBs because there are
| >quite frequent program releases. So, all NLBs point to a single copy
| >using a UNC file share on the SAN. Then, User.Identity.Name is lost.
| >According to your colleague Mike Moore, "A security change from ASP to
| >ASP.NET required that the user information of a web request be changed
| >to the UNC "connect as" user when the web application is accessed by
| >IIS via a UNC share. This overrides the impersonated user. This affects
| >User.Identity.Name and the ServerVariables."
| >
| >If Mike is correct, you cannot get back the original User.Identity even
| >by building your own HttpModule.
| >
| >Hope you can shed some light on my problem.
| >
| >Thanks,
| >Michael Leung
| >
| >>-----Original Message-----
| >>Hello Michael,
| >>I am sorry for the confusion in the last post; my correct answer is as
| >>follows:
| >>You need to create an HttpModule that will handle the authentication
| >>there.
| >>HTTP modules and HTTP handlers are an integral part of the ASP.NET
| >>architecture. While a request is being processed, each request is
| >>processed by multiple HTTP modules (for example, the authentication
| >>module and the session module) and is then processed by a single HTTP
| >>handler. After the handler has processed the request, the request flows
| >>back through the HTTP modules.
| >>
| >>Modules are called before and after the handler executes. Modules enable
| >>developers to intercept, participate in, or modify each individual
| >>request. Modules implement the IHttpModule interface, which is located
| >>in the System.Web namespace.
| >>An HttpApplication class provides a number of events with which modules
| >>can synchronize. The following events are available for modules to
| >>synchronize with on each request. These events are listed in sequential
| >>order:
| >>
| >>- BeginRequest
| >>- AuthenticateRequest
| >>- AuthorizeRequest
| >>- ResolveRequestCache
| >>- AcquireRequestState
| >>- PreRequestHandlerExecute
| >>- PostRequestHandlerExecute
| >>- ReleaseRequestState
| >>- UpdateRequestCache
| >>- EndRequest
| >>
| >>The following events are available for modules to synchronize with for
| >>each request transmission. The order of these events is
| >>non-deterministic.
| >>
| >>- PreSendRequestHeaders
| >>- PreSendRequestContent
| >>- Error
| >>
| >>For more information refer to the following KB articles:
| >>
| >>307996 HOW TO: Create an ASP.NET HTTP Module Using Visual C# .NET
| >>http://support.microsoft.com/?id=307996
| >>
| >>308000 HOW TO: Create an ASP.NET HTTP Module Using Visual Basic .NET
| >>http://support.microsoft.com/?id=308000
| >>
| >>Thanks,
| >>Bassel Tabbara
| >>Microsoft, ASP.NET
| >>
| >>This posting is provided "AS IS", with no warranties, and confers no
| >>rights.
| >>
| >>--------------------
| >>| From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
| >>| Date: Mon, 21 Apr 2003 23:50:24 GMT
| >>| Subject: RE: UNC file share and NTLM user identity
| >>| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| >>|
| >>| Hello Michael,
| >>|
| >>| Basically, Context.User is what ASP.NET uses. The HttpContext.User
| >>| property provides programmatic access to the properties and methods of
| >>| the IPrincipal interface. Because ASP.NET pages contain a default
| >>| reference to the System.Web namespace (which contains the HttpContext
| >>| class), you can reference the members of HttpContext on an .aspx page
| >>| without the fully qualified class reference to HttpContext. For
| >>| example, you can use just User.Identity.Name to get the name of the
| >>| user on whose behalf the current process is running. It will return
| >>| the authenticated user.
| >>|
| >>| System.Threading.Thread.CurrentPrincipal is used as local storage of
| >>| the thread. It gets or sets the thread's current principal (for
| >>| role-based security).
| >>| Without impersonation, this identity will be empty. Only in ASP.NET
| >>| will it be equal to Context.User. In normal Windows apps this will
| >>| return a null value.
| >>| You have to set it in your application; for example, in a thread pool
| >>| you will set the CurrentPrincipal to an identity for a particular
| >>| thread.
| >>|
| >>| I hope this helps.
| >>|
| >>| Thanks,
| >>| Bassel Tabbara
| >>| Microsoft, ASP.NET
| >>|
| >>| This posting is provided "AS IS", with no warranties, and confers no
| >>| rights.
| >>|
| >>| --------------------
| >>| | From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
| >>| | Date: Mon, 07 Apr 2003 05:16:41 GMT
| >>| | Subject: RE: UNC file share and NTLM user identity
| >>| | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| >>| |
| >>| | Hello Michael,
| >>| | I will do more research on this and will provide you with a viable
| >>| | solution.
| >>| |
| >>| | Thanks,
| >>| | Bassel Tabbara
| >>| | Microsoft, ASP.NET
| >>| |
| >>| | This posting is provided "AS IS", with no warranties, and confers no
| >>| | rights.
| >>| |
| >>| | --------------------
| >>| | | From: "Michael Leung" <kmleung@hec.com.hk>
| >>| | | Subject: UNC file share and NTLM user identity
| >>| | | Date: Sun, 6 Apr 2003 06:20:43 -0700
| >>| | | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| >>| | |
| >>| | | Hi,
| >>| | |
| >>| | | I have used a wrong email address. This one belongs to my MSDN
| >>| | | subscription. I do a re-post.
| >>| | |
| >>| | | All machines are in the same domain (AOL_DEV). I have a W2KAS
| >>| | | running IIS having two web sites. Port 80 points to
| >>| | | c:\inetpub\wwwroot and port 81 points to
| >>| | | \\192.168.8.1\fileshare\wwwroot\
| >>| | |
| >>| | | In both port 80 & 81, I have the following ASP page statement:
| >>| | | Welcomes <%=Request.ServerVariables("REMOTE_USER")%>
| >>| | | It works fine. I get "Welcomes AOL_DEV\dcs4585"
| >>| | |
| >>| | | I followed Microsoft's document
| >>| | | "http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp"
| >>| | | to create a domain account for the .NET process model in
| >>| | | machine.config and impersonation in web.config. I granted that
| >>| | | account TCB privilege. I used the local administration account for
| >>| | | the IIS UNC token to create the web site.
| >>| | |
| >>| | | In both port 80 and 81, I have the following ASP.NET statements.
| >>| | |
| >>| | | Response.Write("You are : " +
| >>| | |   Context.User.Identity.Name.ToString() + "<BR>");
| >>| | | Response.Write("Page run as : " +
| >>| | |   System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() + "<BR>");
| >>| | | Response.Write("Root is : " +
| >>| | |   Request.PhysicalApplicationPath.ToString() + "<BR>");
| >>| | |
| >>| | | In port 80, I get the following response:
| >>| | | You are : AOL_DEV\dcs4585
| >>| | | Page run as : AOL_DEV\dcszcluster
| >>| | | Root is : c:\inetpub\wwwroot\
| >>| | |
| >>| | | Unluckily in port 81, I get the following response:
| >>| | | You are : DCSCS5\Administrator
| >>| | | Page run as : AOL_DEV\dcszcluster
| >>| | | Root is : \\192.168.8.1\fileshare\wwwroot\
| >>| | |
| >>| | | Questions?????
| >>| | | The whole purpose of impersonation is to keep the original
| >>| | | authenticated user's identity while executing in another user's
| >>| | | privileges. The response from port 80 (without UNC file share) is
| >>| | | correct but that from port 81 (with UNC file share) is not. I
| >>| | | believe it is a bug.
| >>| | |
| >>| | | Imagine you have 20 NLBs for load balancing. Is it better to
| >>| | | deploy the .NET application to one single UNC directory rather
| >>| | | than to deploy it to 20 local machines?
| >>| | |
| >>| | | Michael Leung
| >>| | |
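The following IHttpModule is an added example, not code from any post in this thread. It hooks the AuthenticateRequest event Bassel lists, records the three identities Michael compared (Context.User, Thread.CurrentPrincipal, WindowsIdentity.GetCurrent) together with the application root, and refuses the request when the principal handed to the application is the share's "connect as" account instead of a browser user. The appSettings key "uncConnectAsAccount" is a hypothetical name chosen for this example.

```csharp
// Added diagnostic module; not code from this thread. Assumes a hypothetical
// appSettings key "uncConnectAsAccount" holding the share's connect-as user.
using System;
using System.Configuration;
using System.Diagnostics;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class IdentityAuditModule : IHttpModule
{
    const string ConnectAsKey = "uncConnectAsAccount"; // hypothetical key

    public void Init(HttpApplication app)
    {
        // Hook the point in the pipeline where the principal has just been set.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string contextUser = ctx.User == null ? "(null)" : ctx.User.Identity.Name;
        IPrincipal tp = Thread.CurrentPrincipal;
        string threadUser = tp == null ? "(null)" : tp.Identity.Name;
        string processUser = WindowsIdentity.GetCurrent().Name; // account the page runs as
        string root = ctx.Request.PhysicalApplicationPath;      // local path or UNC path

        // Record the identities Michael compared, plus the content root, so a
        // UNC-hosted site handing out the wrong principal shows up per request.
        Trace.WriteLine(String.Format(
            "Context.User={0}; Thread.CurrentPrincipal={1}; Process={2}; Root={3}",
            contextUser, threadUser, processUser, root));

        // Fail closed: if the principal given to the application is the share's
        // connect-as account (the port 81 symptom), refuse rather than evaluate
        // roles against an infrastructure account.
        string connectAs = ConfigurationSettings.AppSettings[ConnectAsKey];
        if (connectAs != null && String.Compare(contextUser, connectAs, true) == 0)
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.Write("Request identity replaced by UNC connect-as account; refusing.");
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Register it in web.config under <system.web><httpModules> as <add name="IdentityAudit" type="IdentityAuditModule, YourAssembly"/> (the assembly name is a placeholder); the trace lines go to whatever System.Diagnostics trace listeners are configured.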