Re: Total Confusion! - ACLs and Windows authentication with no impersonation

From: Raterus (raterus_at_spam.org)
Date: 07/19/04

    Date: Mon, 19 Jul 2004 17:26:05 -0400
    
    

    Here is how I think of this process.

    You have aspx pages... and you have the resources this page wants to get at. When anonymous authentication is disabled, yes, the page itself MUST have NTFS permissions set so the user can access the page. This is an IIS thing; you aren't even at ASP.NET yet at this step.

    After they have access to the page, if impersonation is disabled, this is when the aspnet user takes over the process, and access to other resources is granted based on that, not the original user.

    You should be able to do what you are after: in your ASP.NET pages, use HttpContext.Current.User to get at the user who requested the page.

    Hope this helps,
    --Michael

    "Pete Beech" <peter.beech@iname.com> wrote in message news:7b400a8c.0407191019.7f15ef1@posting.google.com...
    > Hi all,
    > apologies if this has come up before, but I've been searching the
    > whole day and found nothing...
    >
    > If I have authentication set to "windows", and identity
    > impersonation="false", do I need to grant access to the authenticated
    > windows user on the website and its resources (aspx files, etc)?
    >
    > The MSDN VS.NET documentation has the diagram in this link
    > (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetdataflow.asp)
    > - it looks like, if impersonation is set to false, it says it does
    > 'other security checks', but does not go through NTFS ACL security.
    > Other responses I've seen say that, if impersonation is false, then
    > you only need to grant access to the ASPNET user.
    >
    >
    > However, in the Building Secure ASP.NET application book, Chapter 8,
    > it states "Windows ACLs
    > Client Requested Resources. The ASP.NET FileAuthorizationModule
    > performs access checks for requested file types that are mapped to the
    > ASP.NET ISAPI. It uses the original caller's access token and ACL
    > attached to requested resources in order to perform access checks.
    > **** Impersonation is not required. ****"
    >
    > and later on, about Windows authentication,
    > "The access token of the authenticated caller (which may be the
    > Anonymous Internet user account if IIS is configured for Anonymous
    > authentication) is made available to the ASP.NET application. Note the
    > following:
    >
    > This allows the ASP.NET FileAuthorizationModule to perform access
    > checks against requested ASP.NET files using the original caller's
    > access token.
    > Important ASP.NET File authorization only performs access checks
    > against file types that are mapped to Aspnet_isapi.dll.
    > *** File authorization does not require impersonation. **** With
    > impersonation enabled any resource access performed by your
    > application uses the impersonated caller's identity. In this event,
    > ensure that the ACLs attached to resources contain an Access Control
    > Entry (ACE) that grants at least read access to the original caller's
    > identity."
    >
    >
    > When I actually try it out, it seems that I do need to have the user
    > granted access with an ACL on the resource, even with no
    > impersonation. But this seems to directly contradict the .NET
    > documentation.
    >
    > Does this really mean that, if I want to programmatically deny access
    > or use the authorization tag in the web.config, that I need to set
    > access to 'Everyone'? Can I really not just grant access to the ASPNET
    > account? Or am I just misunderstanding this completely?
    >
    > What I would like is to be able to just grant access to ASPNET, but
    > still obtain the Windows User identity to do my own custom
    > authorization. Is this possible?
    >
    > Hope someone can help me!,
    >
    > Cheers,
    > Pete
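
Added example, not part of the original thread: a Global.asax code-behind that does the custom authorization discussed above, deciding on HttpContext.Current.User while impersonation is off and the worker process runs as the ASPNET account. The class name `ReportPolicy`, the path rules and the `CONTOSO` group names are hypothetical; it assumes `<authentication mode="Windows" />` and `<identity impersonate="false" />` in web.config.

```csharp
// Added example. Assumes Windows authentication with impersonation disabled
// and anonymous access turned off in IIS. Names below are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public static class ReportPolicy
{
    // Hypothetical rules: path prefix -> Windows group allowed to request it.
    static readonly Dictionary<string, string> Rules =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "/reports/finance/", @"CONTOSO\Finance" },
            { "/reports/hr/", @"CONTOSO\HR" },
        };

    // Decide on the caller's principal, never on the process identity.
    public static bool IsAllowed(IPrincipal caller, string path)
    {
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            return false;                    // no authenticated caller: deny
        foreach (KeyValuePair<string, string> rule in Rules)
            if (path.StartsWith(rule.Key, StringComparison.OrdinalIgnoreCase))
                return caller.IsInRole(rule.Value);
        return false;                        // no rule for this path: deny by default
    }
}

public class Global : HttpApplication
{
    // Raised for every request mapped to ASP.NET, after authentication.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        IPrincipal caller = HttpContext.Current.User;        // user who requested the page
        string process = WindowsIdentity.GetCurrent().Name;  // worker account, e.g. MACHINE\ASPNET
        string path = Request.AppRelativeCurrentExecutionFilePath.TrimStart('~');
        if (!ReportPolicy.IsAllowed(caller, path))
        {
            // Record both identities: later file or database access in this
            // request would run as 'process', not as 'caller'.
            string name = caller == null ? "(none)" : caller.Identity.Name;
            System.Diagnostics.Trace.WriteLine(
                "denied " + name + " -> " + path + " (process " + process + ")");
            Response.StatusCode = 403;
            CompleteRequest();               // skip the page handler
        }
    }
}
```

Paths without a rule are denied, so every area the application serves needs an entry in `Rules`.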

