Re: impersonate/delegate problem

From: Jerry (jerryy_at_solutionbuildersinc.com)
Date: 08/08/03


Date: Fri, 8 Aug 2003 08:08:52 -0400


Also, the machines involved are all Win2000 running Active Directory...
The client machine is Win2000Pro. The servers are all Win2000 servers.
-jerry

"Jerry" <jerryy@solutionbuildersinc.com> wrote in message
news:O3BwlNUXDHA.1640@TK2MSFTNGP10.phx.gbl...
> I've been trying to do what you suggest for #2 but that does not work..
> Simply setting the <impersonate="true"/> in the web.config and allowing for
> windows auth. does not work.
>
> Using computer A connect to website on computer B (web server) and try
> to see the status of a windows service on computer C on the same network
> can not be done by what you suggest as solution #2.
>
> Although from what I've read from MS doc.. you should be able to but not...
>
> Jerry
>
> "Aadil Abbas" <maa49@cornell.edu> wrote in message
> news:uX$4HpPXDHA.2328@TK2MSFTNGP12.phx.gbl...
> > There can be two things:
> > 1. You can create an assembly to programmatically impersonate the part of
> > your application's code that is accessing Network Resources. Make sure to
> > encrypt the assembly, so that it cannot be disassembled easily. You can
> > distribute this assembly to the development team.
> >
> > 2. If your application clients are domain users and already have access to
> > Network Resources, then you can access the Network Resources using their
> > impersonated thread, which would just require <impersonate = "true"/>. This
> > way you can control access to the Network by changing privileges on Active
> > Directory (A fine-grained control).
> >
> > Thanks
> > Aadil
> >
> > 1. If your ASPNET application is being accessed on an intranet, and you have
> > all its users already added in Active Directory, then you can grant access
> > to these users on the network resources through Active Directory and they
> > should be able to access the Network Resources depending on their rights.
> > The impersonated thread in ASP.NET itself inherits all user rights, because
> > it's running as the user, however if you spawn a process from this thread
> > using Process.Start(), then this new process won't inherit the user's
> > security context and would instead run as ASPNET or Network Service user.
> >
> > 2. You can alternatively make an assembly if you want to access Network
> > Resources
> >
> > "Jerry" <jerryy@solutionbuildersinc.com> wrote in message
> > news:ePdAEzOXDHA.2424@TK2MSFTNGP12.phx.gbl...
> > > Ok.. so I've read and seen a lot of messages and MSDN docs concerning the
> > > above issue.. how do I get it to work?
> > > I want to impersonate the current user accessing my website...
> > > so I turn on the site directory security to NOT allow anonymous but turn ON
> > > integrated windows authentication.
> > > Then I change the web.config to allow impersonate = "true".
> > >
> > > So far so good.. this setting will allow me to run the request process from
> > > the user to the webserver under the current user's identity...
> > >
> > > Now that same process needs to access some network resources..specifically
> > > see if some windows services are running on network servers... so I need to
> > > "delegate" the current user's identity to the ASPNET...
> > >
> > > but I thought the impersonate="true" would do that but I guess it doesn't..
> > > It looks like the impersonate is only for the process b/w the client and
> > > webserver.
> > >
> > > seeing how we are running Win2000 servers and desktops.. and using Active
> > > Directory..
> > > what more do I need to get delegate to work?
> > >
> > > I want to be able to use the user's identity for the delegate..
> > >
> > > I've tried setting a valid username and password in the webconfig but I
> > > don't want to use that.. since it opens up the
> > > id/pwd to everyone in the development group..
> > >
> > > Do I have to turn on the property for the webserver to support delegate in
> > > the AD?
> > >
> > >
> > > Thanks,
> > > Jerry
> > >
> > >
> > >
> >
> >
>
>
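
Added example, not part of the original thread or any poster's code: a C# diagnostic that can be called from a page running with <identity impersonate="true"/> to show why the hop from the web server (computer B) to computer C fails. It reports the impersonated token's level and then attempts the remote service query; only a Delegation-level token, which requires Kerberos and a web server trusted for delegation in Active Directory, carries the user's identity off the web server. Assumptions: the names DoubleHopCheck and Describe, the default machine "." and service "Spooler" are hypothetical, and WindowsIdentity.ImpersonationLevel requires .NET Framework 2.0 or later.

```csharp
using System;
using System.ComponentModel;
using System.Security.Principal;
using System.ServiceProcess;

// Added diagnostic; DoubleHopCheck and Describe are hypothetical names.
public static class DoubleHopCheck
{
    // machine/service: the remote server (computer C) and a service on it.
    public static string Describe(string machine, string service)
    {
        // Under impersonation this is the browser user, not the worker account.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string report = String.Format("user={0} auth={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);

        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                report += " | token can be presented to " + machine;
                break;
            case TokenImpersonationLevel.None:
                report += " | not impersonating; network access uses the process account";
                break;
            default: // Anonymous, Identification, Impersonation: local use only
                report += " | token is local to the web server; no second hop";
                break;
        }

        try
        {
            using (ServiceController sc = new ServiceController(service, machine))
                report += " | " + service + " status: " + sc.Status;
        }
        catch (InvalidOperationException ex)
        {
            // ServiceController wraps the Win32 failure (5 = access denied).
            Win32Exception w = ex.InnerException as Win32Exception;
            report += " | query failed: "
                + (w != null ? "Win32 error " + w.NativeErrorCode : ex.Message);
        }
        return report;
    }

    public static void Main(string[] args)
    {
        // Constructed defaults: local machine and the Spooler service.
        Console.WriteLine(Describe(args.Length > 0 ? args[0] : ".",
                                   args.Length > 1 ? args[1] : "Spooler"));
    }
}
```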


