RE: Impersonation question regarding a microsoft article

From: Jim Cheshire [MSFT] (jamesche_at_online.microsoft.com)
Date: 12/23/03


Date: Tue, 23 Dec 2003 18:01:23 GMT

Brian,

That documentation is incorrect. The process account has to have full
control on that folder, but the impersonated account does not in the case
of first-time JIT compile.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
jamesche@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------
>From: "Brian Newtz" <anonymous@discussions.microsoft.com>
>Subject: Impersonation question regarding a microsoft article
>Date: Tue, 23 Dec 2003 08:17:43 -0800
>Message-ID: <09b201c3c970$4b509c00$a601280a@phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>
>Hello everyone!
>
>I recently read "ASP.NET Impersonation" from the .NET
>Framework Developer's Guide
>(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetimpersonation.asp)
>and it says the following:
>
>"Only application code is impersonated; compilation and
>configuration are read as the process token. The result
>of the compilation is put in the "Temporary ASP.NET
>files" directory. The account that is being impersonated
>needs to have read/write access to this directory."
>
>So, this is basically telling me that every authenticated
>user has to have access to my 'Temporary ASP.NET files'
>directory in order to view the pages??? I've verified
>that this is definitely not the case, as my 'Temporary
>ASP.NET files' directory has only the following security
>permissions (my computer name is BNEWTZ):
>
>Administrators (BNEWTZ\Administrators)
>aspnet (aspnet@mycompanysdomain.local)
>CREATOR OWNER
>LOCAL SERVICE
>NETWORK SERVICE
>Power Users (BNEWTZ\Administrators)
>SYSTEM
>Users (BNEWTZ\Users)
>
>With these permissions (which are the default, except
>that I've added the domain aspnet account which I use in
>the processmodel section of machine.config) any domain
>user can get to the website just fine. So is the article
>incorrect in that statement?
>
>Thanks!
>-Brian
>
>
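
One way to check the point made in the reply above, that the process account rather than each impersonated user is the identity that needs Full Control on the "Temporary ASP.NET files" directory. This is an added example, not code from either poster; the function name, the EXAMPLE\ account names and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example. Function name, account names and sample ACEs are constructed.
$fs = [System.Security.AccessControl.FileSystemRights]

function Get-TempFolderAclReport {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,          # (Get-Acl $path).Access or sample data
        [Parameter(Mandatory)] [string]   $ProcessAccount  # identity the worker process runs as
    )
    foreach ($r in $Rules) {
        # Only Allow ACEs are reported; Deny ACEs and group membership are not evaluated.
        if ("$($r.AccessControlType)" -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. CREATOR OWNER) may carry generic rights not decoded here.
        $rights = [int]$r.FileSystemRights
        [pscustomobject]@{
            Identity    = "$($r.IdentityReference)"
            IsProcess   = "$($r.IdentityReference)" -eq $ProcessAccount
            FullControl = ($rights -band [int]$fs::FullControl) -eq [int]$fs::FullControl
            CanWrite    = ($rights -band [int]$fs::WriteData) -ne 0
        }
    }
}

# Constructed sample ACL. Against a real server, use instead:
#   $rules = (Get-Acl -LiteralPath $path).Access
# where $path is the "Temporary ASP.NET Files" folder of the installed framework version.
$rules = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\aspnet'
                       FileSystemRights  = $fs::FullControl
                       AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Users'
                       FileSystemRights  = $fs::ReadAndExecute
                       AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\webuser'
                       FileSystemRights  = $fs::Modify
                       AccessControlType = 'Allow' }
)

$report = @(Get-TempFolderAclReport -Rules $rules -ProcessAccount 'EXAMPLE\aspnet')

# The process account compiles pages, so it is the one that must hold Full Control.
if (-not ($report | Where-Object { $_.IsProcess -and $_.FullControl })) {
    Write-Warning 'Process account has no Full Control ACE on this folder.'
}
# Write access for any other identity is not needed for first-time JIT compilation.
$report | Where-Object { -not $_.IsProcess -and $_.CanWrite } |
    ForEach-Object { "Review write access granted to: $($_.Identity)" }
$report | Format-Table -AutoSize
```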
