Re: Framework v1.1 & LogonUser workaround

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/27/04


Date: Tue, 27 Jan 2004 00:10:59 -0600

In many ways, this is an OS issue. Win2K generally only lets the SYSTEM
account call LogonUser, as that is the only account by default with the
SE_TCB_NAME privilege (act as part of the OS), and that is a good thing. In
WinXP and 2003, LogonUser no longer requires SE_TCB_NAME, so many more
accounts may call it.

Framework 1.1 helps with this situation in that there is a nice overload on
the WindowsIdentity constructor that creates a new WindowsIdentity from
username/password, but it still doesn't defeat OS security rules.

The best thing you could do from a security perspective is move to 2K3
server so that you can call LogonUser without any real issues. On 2000, you
must run as SYSTEM (or give another account SE_TCB_NAME, essentially making
it SYSTEM if it wants to be) to do what you want. ASP.NET and IIS let you
do this, but it is better to avoid it.

The other thing to do would be to move away from Forms auth. so that you can
let IIS do the authentication for you, but that doesn't sound like what you
want.

I'm not sure if I helped, but hopefully this was useful.

Joe K.

"Bill Belliveau" <anonymous@discussions.microsoft.com> wrote in message
news:24E1DCFE-F4F1-479E-BC13-95B2507E376E@microsoft.com...
> Greetings.
> I am working on a project that can be configured to use Windows or Forms
> authentication. Occasionally the process may need to impersonate the
> calling user.
>
> Using Windows Authentication was fairly easy:
> -- ms code snippet --
> System.Security.Principal.WindowsImpersonationContext impersonationContext;
> impersonationContext =
>     ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
> ----
>
> To handle a forms logon:
> -- code snippet --
> // P/Invoke declaration and constants the call below depends on
> [DllImport("advapi32.dll", SetLastError=true)]
> static extern int LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
>     int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
> const int LOGON32_LOGON_INTERACTIVE = 2;
> const int LOGON32_PROVIDER_DEFAULT = 0;
>
> IntPtr token = IntPtr.Zero;
> if(LogonUser(txtUserName.Text, txtDomainName.Text, txtPassword.Text,
>     LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0)
> {
>     System.Security.Principal.WindowsImpersonationContext impersonationContext;
>     impersonationContext = System.Security.Principal.WindowsIdentity.Impersonate(token);
> }
>
> Of course LogonUser requires that the process have "Act as part of the
> operating system" permissions, which by default the ASPNET process does not.
> My confusion comes from reading Microsoft's patterns and practices,
> "Building Secure Microsoft ASP.NET Application". LogonUser is mentioned
> many times and usually has a warning block stating the above issue and that
> the .NET Framework v1.1 will work around the issue by having the IIS process
> perform the logon instead. That doesn't appear to be the case however. Can
> anyone confirm if a workaround was in fact implemented?
>
> Thanks,
> Bill
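As an added example (not code from either poster), here is the forms-logon path from the thread written so that the token and the impersonation are always released, a Windows 2000 privilege failure is reported as such instead of being silently skipped, and a network logon type is used, which unlike LOGON32_LOGON_INTERACTIVE does not need the "Log on locally" right and does not leave cached credentials behind. The helper class, delegate and method names are my own; the Win32 entry points and constant values are real.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not from the thread): runs a callback as the user whose
// credentials were supplied on the forms logon page, then reverts on all paths.
public class ImpersonationHelper
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, ref IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_NETWORK    = 3;    // no interactive session, no cached creds
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // Win2000: caller lacks SeTcbPrivilege

    public delegate void Callback();

    public static void RunAs(string user, string domain, string password, Callback work)
    {
        IntPtr token = IntPtr.Zero;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new Win32Exception(err,
                    "LogonUser needs 'Act as part of the operating system' on this OS; " +
                    "run as SYSTEM or move to Windows Server 2003.");
            throw new Win32Exception(err); // bad credentials, locked account, etc.
        }
        WindowsImpersonationContext ctx = null;
        try
        {
            // Impersonate on this thread only; the password is not retained anywhere.
            ctx = new WindowsIdentity(token).Impersonate();
            work();
        }
        finally
        {
            if (ctx != null) ctx.Undo(); // revert even if work() throws
            CloseHandle(token);          // LogonUser returned a handle we own
        }
    }
}
```

Undo() is called explicitly because the .NET 1.1 WindowsImpersonationContext does not implement IDisposable; on 2.0 and later a using block works as well.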
