Re: security exception within Microsoft Application Block ExceptionManager.vb

From: Matjaz Ladava (matjaz_at__nospam_ladava.com)
Date: 05/29/03


Date: Thu, 29 May 2003 20:03:55 +0200


I don't know if I understand your problem now. Why do you need impersonation?
You could just leave impersonation out and let the system run under the
ASPNET account. Why do you need the IUSR_... account?
Do you need to authenticate users with Windows authentication? If yes, then
you have to uncheck anonymous, because anonymous will precede NTLM. Can you
be more specific about what you are trying to achieve?

Regards

Matjaz Ladava

"Hazzard" <hazz@sonic.net> wrote in message
news:eT2nWcgJDHA.1760@TK2MSFTNGP09.phx.gbl...
> I am still not getting it. I just 'unchecked' anonymous access with username
> IUSR_TOSHIBA-USER and now I don't have a problem at that part of the code
> that wants to write to the eventlog. Attached is a .jpg of that part of the
> virtual directory security configuration setting that I too often forget to
> check.
>
> I just don't get the connection yet. Kindof sortof...but not like I know how
> to make a curry.
>
> I did add the eventlog entry to the registry hive as indicated on page 174
> of Building Secure ASP.NET Applications.
>
> Greg Hazzard
>
>
> "Hazzard" <hazz@sonic.net> wrote in message
> news:%23kWTW9WJDHA.2052@TK2MSFTNGP11.phx.gbl...
> > Thank you Matjaz!
> > Back to work. I am in the registry now.
> > I guess I should have continued on into Building Secure ASP.NET....
> > Page 174 and 175. Accessing the Event Log was right there in the table of
> > contents.
> > I will post a reply after I have reached the light at the other end. Thank
> > you for the flashlight.
> >
> > Appreciatively,
> > Greg Hazzard
> >
> > "Matjaz Ladava" <matjaz@_nospam_ladava.com> wrote in message
> > news:e0TquLWJDHA.336@tk2msftngp13.phx.gbl...
> > > If you set impersonation = true then you were impersonating the IUSR account
> > > (if you had enabled anonymous on your IIS). To verify, use
> > > WindowsIdentity.GetCurrent().Name in your ASP.NET application.
> > > The ASPNET account doesn't have permission to create EventLogs, so it is
> > > advised (also in the pdf you mentioned) to pre-create EventLogs by an
> > > installation program. Don't leave your ASP.NET application in charge of
> > > creating event logs.
> > > Quote taken from Building Secure ASP.NET....
> > >
> > > Accessing the Event Log
> > > Least privileged accounts have sufficient permissions to be able to write
> > > records to the event log by using existing event sources. However, they do
> > > not have sufficient permissions to create new event sources. This requires a
> > > new entry to be placed beneath the following registry hive.
> > >
> > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<log>
> > >
> > > To avoid this issue, create the event sources used by your application at
> > > installation time, when administrator privileges are available. A good
> > > approach is to use a .NET installer class, which can be instantiated by the
> > > Windows Installer (if you are using .msi deployment) or by the
> > > InstallUtil.exe system utility if you are not.
> > >
> > > If you are unable to create event sources at installation time, you must add
> > > permission to the following registry key and grant access to the ASP.NET
> > > process account (or any impersonated account if your application uses
> > > impersonation).
> > >
> > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
> > >
> > > The account(s) must have the following minimum permissions:
> > >
> > > a. Query key value
> > > b. Set key value
> > > c. Create subkey
> > > d. Enumerate subkeys
> > > e. Notify
> > > f. Read
> > >
> > > The following code can be used to write to the Application event log from
> > > ASP.NET once permissions have been applied to the registry:
> > >
> > > using System.Diagnostics;
> > >
> > > string source = "Your Application Source";
> > > string logToWriteTo = "Application";
> > > string eventText = "Sample Event";
> > >
> > > // Creating a source needs write access to the Eventlog registry key.
> > > if (!EventLog.SourceExists(source))
> > > {
> > >     EventLog.CreateEventSource(source, logToWriteTo);
> > > }
> > > // Writing through an existing source needs only the least-privileged permissions.
> > > EventLog.WriteEntry(source, eventText, EventLogEntryType.Warning, 234);
> > > Regards
> > >
> > > Matjaz Ladava
> > >
> > > "Hazzard" <hazz@sonic.net> wrote in message
> > > news:u%23bR6CWJDHA.1656@TK2MSFTNGP10.phx.gbl...
> > > > 70 KB .JPG attached as reference - Exhibit A.
> > > >
> > > > How do I solve this? Impersonation = true in machine.config or web.config
> > > > does not work.
> > > >
> > > > I did remove ASP.NET from Group Administrator Policy - which not only did
> > > > not solve the problem but also would likely give away the store in a virtual
> > > > looting as I understand and do not want to ever test.
> > > >
> > > > I feel like I am a well rounded solutions provider but moments like this put
> > > > me in the 'developer in distress' category.
> > > >
> > > > I am getting better on the theory - impersonation - delegation - iis -
> > > > IUSR - windows authentication --- but I am still in the paint by number mode
> > > > here.
> > > >
> > > > I was ready to plunge back into the 608 pages of secnet.pdf - Building
> > > > Secure ASP.NET Applications..well, I am plunging back into it as I write..
> > > >
> > > > but if someone can help....I would be very grateful. (shouldn't it be
> > > > greatfull?) i would be full of great...
> > > >
> > > > Appreciatively,
> > > >
> > > > Greg Hazzard
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
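
The install-time approach the quoted book excerpt recommends, as an added example that is not code from the thread or from the book: an installer class run once with administrator rights by InstallUtil.exe or an .msi pre-creates the event source, and the web application then only writes through it, never attempting to create it under the ASPNET or impersonated account. The source name "MyAspNetApp" and the helper class names are assumptions; it targets the .NET Framework System.Configuration.Install assembly.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security;

// Run once with admin rights (InstallUtil.exe or an .msi custom action),
// so the ASP.NET / impersonated account never needs registry write access.
[RunInstaller(true)]
public class EventSourceInstaller : Installer
{
    // Assumed source name for this example; use your own application's name.
    public const string Source = "MyAspNetApp";
    public const string LogName = "Application";

    public EventSourceInstaller()
    {
        EventLogInstaller logInstaller = new EventLogInstaller();
        logInstaller.Source = Source;
        logInstaller.Log = LogName;
        Installers.Add(logInstaller); // creates the Eventlog\Application\MyAspNetApp key
    }
}

// Runtime helper for the web application: writes through the existing source
// only and never calls CreateEventSource from the low-privileged process.
public static class AppEventLog
{
    public static bool TryWrite(string message, EventLogEntryType type, int eventId)
    {
        try
        {
            // SourceExists needs read access to the Eventlog key; without it
            // the call throws and we land in the catch below.
            if (!EventLog.SourceExists(EventSourceInstaller.Source))
            {
                return false; // source missing: re-run the installer, do not create it here
            }
            EventLog.WriteEntry(EventSourceInstaller.Source, message, type, eventId);
            return true;
        }
        catch (SecurityException)
        {
            return false; // account lacks registry permission; report through another channel
        }
    }
}
```

A false return from TryWrite is the signal that deployment, not the application's account rights, needs fixing.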
