To Be or To Impersonate, that is the Question

From: Gary Bagen (garbage400_at_hotmail.com)
Date: 03/05/04

    Date: 5 Mar 2004 09:21:54 -0800
    
    

    Alrighty, my continued foray into accessing network resources from the
    web server continues...

    When employees hit the intranet ASP.NET applications on our web
    servers (dev, test, prod), they may need access to network resources
    from those servers (like the network printer or another network
    share).

    We are not running Kerberos so that throws out IIS impersonation of
    the Windows user hitting the app. (<identity impersonate="true" /> in
    web.config).

    That leaves three options that I have found:
    1) In the web.config of each app: <identity impersonate="true"
    userName="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
     />

    2) In the machine.config of each server: <identity impersonate="true"
    userName="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
     />

    3) In the ProcessModel of machine.config using the registry pointers
    as above. If IIS 6, then the GUI Admin.

    Between option 2 & 3, which is the preferred method? The applications
    don't care, they'll get that user in either situation (unless they
    override identity in web.config).

    When I present these three options to the group I want to be able to
    tell them the pros and cons between 2 & 3 since they appear very
    similar on the surface. I think I understand that underneath option 2
    has the worker process impersonating an identity while option 3 has
    the inetinfo.exe being the identity.

    Thanks,
    Gar
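
An added example, not part of the original post: a small audit that reads a machine.config and an optional web.config and reports which of the three options above supplies the fixed identity, and whether any password is stored in cleartext instead of as a `registry:` pointer. The sample files, the account name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; the account name and password are made up.
MACHINE_CONFIG = r"""<configuration><system.web>
  <processModel userName="machine" password="AutoGenerate" />
  <identity impersonate="true"
    userName="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password" />
</system.web></configuration>"""
WEB_CONFIG = r"""<configuration><system.web>
  <identity impersonate="true" userName="EXAMPLE\svc_print" password="constructed-secret" />
</system.web></configuration>"""

def kind(value):
    """Classify a userName/password attribute value."""
    if not value:
        return "absent"
    if value.lower().startswith("registry:"):
        return "registry"      # pointer to a registry value, as in the post
    if value in ("machine", "SYSTEM", "AutoGenerate"):
        return "builtin"       # processModel defaults, no secret stored
    return "cleartext"

def read(xml_text, tag):
    """Summarise the first <tag> element in a config file, or return None."""
    node = next(ET.fromstring(xml_text).iter(tag), None)
    if node is None:
        return None
    return {"impersonate": node.get("impersonate", "false").lower() == "true",
            "userName": kind(node.get("userName")),
            "password": kind(node.get("password"))}

def audit(machine_xml, web_xml=None):
    """Return (which option supplies the identity, cleartext-password findings)."""
    findings, identity, source = [], None, None
    layers = [("machine.config", machine_xml)] + ([("web.config", web_xml)] if web_xml else [])
    for name, xml_text in layers:           # web.config is read last and overrides
        for tag in ("processModel", "identity"):
            entry = read(xml_text, tag)
            if entry and entry["password"] == "cleartext":
                findings.append(f"{name} <{tag}>: cleartext password")
            if tag == "identity" and entry:
                identity, source = entry, name
    if identity and identity["impersonate"]:
        if identity["userName"] == "absent":
            return "client", findings       # impersonates the authenticated caller
        return ("option 1" if source == "web.config" else "option 2"), findings
    return "option 3", findings             # requests run as the process account
```

With the constructed files, `audit(MACHINE_CONFIG)` reports option 2 with no findings, while `audit(MACHINE_CONFIG, WEB_CONFIG)` reports option 1 and flags the cleartext password in the application's web.config.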

