Re: To Be or To Impersonate, that is the Question
From: Paul Glavich [MVP - ASP.NET] (glav_at_aspalliance.com-NOSPAM)
Date: 03/13/04
- Next message: WJ: "Re: Writing to a network drive from ASPX, as another user, please guide me :-)"
- Previous message: Chris Moore: "RE: LogonUser Error -1314 on Window2000"
- In reply to: Gary Bagen: "Re: To Be or To Impersonate, that is the Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 13 Mar 2004 21:34:08 +1100
To be honest, I don't think there really is too much difference in either
option. Still, I would determine whether you are going to be able to use
IIS6 and if so, you can define a specific application pool, using a specific
user account for that application pool only. That way, you can simply turn
on impersonation and assume that identity, with the user credentials not
being stored in a plain text file anywhere.
Not much help I know, but if I had to choose out of the options 2 & 3 you
described, I'd probably go for 2, as it seems cleaner and I like to leave
the processModel for altering specific process settings (as opposed to
identity based settings). I don't particularly like either because it's such a
global change.
Also, you could always use DPAPI to encrypt/decrypt the identity
credentials, and read them in using your application to perform
impersonation that way. It's more work but it also only limits the effect of
impersonation to your application, not all applications.
HTH,
- Paul Glavich
Microsoft MVP - ASP.NET
"Gary Bagen" <garbage400@hotmail.com> wrote in message
news:8b702e36.0403090712.719d7bbc@posting.google.com...
> Our solution is pretty close to what you describe. The network user
> and credentials will be controlled by the Windows Admin team.
>
> We plan on staying out of web.config on the servers but it may need to
> have settings for the developer workstations.
>
> So the question on the servers comes down to changing machine.config.
> We can either change ProcessModel or the Identity element to have all
> applications impersonate the network user. Changing the impersonation
> would mean the ProcessModel would continue to run as its default
> setting. So the question is which is the best way?
>
>
>
>
> "Paul Glavich" <glav@aspalliance.com-NOSPAM> wrote in message
> news:<OGdfUdBBEHA.4028@TK2MSFTNGP10.phx.gbl>...
> > With option 1, obviously web.config is easier to access for a malicious
> > user than the machine.config (yes, you have the credentials encrypted, but it
> > is still easier to find this 'clue' than with the machine.config) as the
> > machine.config is locked down further using ACLs.
> >
> > The machine.config option affects ASP.NET globally though, so any other
> > ASP.NET applications on the machine would also be affected.
> >
> > What about setting up a defined network user, with only minimum
> > privileges (to the printer and network share), and storing these credentials in the
> > database, to use for you to programmatically impersonate. Just a
> > thought.
> >
> > --
> > - Paul Glavich
> >
> >
> > "Gary Bagen" <garbage400@hotmail.com> wrote in message
> > news:8b702e36.0403050921.ca7e364@posting.google.com...
> > > Alrighty, my continued foray into accessing network resources from the
> > > web server continues...
> > >
> > > When employees hit the intranet ASP.NET applications on our web
> > > servers (dev, test, prod), they may need access to network resources
> > > from those servers (like the network printer or another network
> > > share).
> > >
> > > We are not running Kerberos so that throws out IIS impersonation of
> > > the Windows user hitting the app. (<identity impersonate="true" /> in
> > > web.config).
> > >
> > > That leaves three options that I have found:
> > > 1) In the web.config of each app:
> > > <identity impersonate="true"
> > >   username="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
> > >   password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password" />
> > >
> > > 2) In the machine.config of each server:
> > > <identity impersonate="true"
> > >   username="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
> > >   password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password" />
> > >
> > > 3) In the ProcessModel of machine.config using the registry pointers
> > > as above. If IIS 6, then the GUI Admin.
> > >
> > > Between option 2 & 3, which is the preferred method? The applications
> > > don't care, they'll get that user in either situation (unless they
> > > override identity in web.config).
> > >
> > > When I present these three options to the group I want to be able to
> > > tell them the pros and cons between 2 & 3 since they appear very
> > > similar on the surface. I think I understand that underneath option 2
> > > has the worker process impersonating an identity while option 3 has
> > > the inetinfo.exe being the identity.
> > >
> > > Thanks,
> > > Gar
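The "DPAPI plus programmatic impersonation" route Paul suggests, as an added example that is not code from this thread or from either poster. It keeps the fixed network account's credentials out of web.config and machine.config entirely, and confines the impersonation to one call inside one application instead of every ASP.NET app on the box. Assumptions: .NET 2.0 or later (for System.Security.Cryptography.ProtectedData, in System.Security.dll), a blob file path that only the worker process identity can read, and an entropy string that is just a made-up label.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

public static class NetworkImpersonation
{
    // Outbound-only logon: the token keeps the worker process's local identity
    // but presents the supplied credentials to remote servers (shares, printers),
    // so the account needs no logon rights on the web server itself.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Not a secret: it only stops another machine-scope DPAPI caller on the same
    // server from decrypting this blob by accident. (Assumed value.)
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("intranet-share-access-v1");

    // One-time setup an administrator runs on each server: protect
    // "DOMAIN\user\0password" with the machine's DPAPI key. Only code running
    // on that machine can unprotect it; the file ACL limits who may read it.
    public static void ProtectCredential(string path, string domain, string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(domain + "\\" + user + "\0" + password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
            File.WriteAllBytes(path, blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    // Unprotect the blob and run `action` while impersonating the network account.
    // The token is closed and the plaintext buffer cleared whether or not `action` throws.
    public static void RunAs(string path, Action action)
    {
        byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy,
                                               DataProtectionScope.LocalMachine);
        IntPtr token = IntPtr.Zero;
        try
        {
            string text = Encoding.UTF8.GetString(plain);
            int nul = text.IndexOf('\0');
            string[] account = text.Substring(0, nul).Split('\\');
            string domain = account[0];
            string user = account[1];
            string password = text.Substring(nul + 1);

            if (!LogonUser(user, domain, password,
                           LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            {
                // Error 1314 (ERROR_PRIVILEGE_NOT_HELD) here on Windows 2000 means the
                // worker process lacks SeTcbPrivilege, which that OS requires for LogonUser.
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                action();   // e.g. File.Copy(@"\\fileserver\reports\q1.pdf", localPath)
            }               // Dispose() calls Undo(): back to the worker process identity
        }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token);
            Array.Clear(plain, 0, plain.Length);
            // The password string itself is immutable and lives until collected;
            // use SecureString with a SecureString-taking LogonUser wrapper if that matters.
        }
    }
}
```

From a page or handler you would wrap just the network access, for example `NetworkImpersonation.RunAs(@"C:\inetpub\secrets\share.cred", delegate { File.Copy(@"\\fileserver\reports\q1.pdf", localPath); });` (paths assumed). Because the logon type is NEW_CREDENTIALS, local file and registry access inside `action` still happens as the worker process, which is the least-privilege outcome Gary described wanting: the account only ever touches the printer and the share.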