Re: LogonUser from ASP.NET

From: laimis (simulai_at_NOSPAMiit.edu)
Date: 01/26/05


Date: Wed, 26 Jan 2005 11:11:17 -0600

COM+ application is running under the privileged account so that the
LogonUser could be invoked.

I do call impersonate with the token received.

I was just wondering if the impersonation was done on one thread that COM+
is running under and the ASP.NET request handling thread was not affected by
the impersonation since I call impersonate in the COM+ component.

I tried returning the Identity object that was created using the token
obtained from the LogonUser and then calling Impersonate from ASP.NET app.
However I would get an error message saying that impersonation is not allowed and
that web.config should be modified or the security setting for the application
changed. What should I change in the config file to allow the ASP.NET app to
call Impersonate?

Laimis

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:esa6u7yAFHA.3376@TK2MSFTNGP12.phx.gbl...
> Also, after you call LogonUser, do you take the resulting token and
> impersonate it?
>
> Joe K.
>
> "Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
> news:05cdv0tr1hbhft9b56vh8eqp5j2d8c7aoe@4ax.com...
> > On Tue, 25 Jan 2005 10:37:39 -0600, "laimis" <simulai@NOSPAMiit.edu>
> > wrote:
> >
> > ¤ Hello everybody,
> > ¤
> > ¤ this is rather complicated, but intriguing problem that I have been
> > having.
> > ¤ What I want to do is: after user connects to my asp.net application, I
> > want
> > ¤ to elevate the thread's user from ASPNET to let's say administrator so
> > that
> > ¤ privileged operation could be performed. I don't want to change
> > account
> > ¤ under which ASP.NET runs. My idea is to impersonate in COM+ app that
> > runs
> > ¤ under privileged account.
> > ¤
> > ¤ Currently here is how I have it implemented.
> > ¤
> > ¤ 1. HttpModule intercepts the request for the application.
> > ¤ 2. Module calls COM+ app that runs with privileged account
> > ¤ 3. COM+ app calls LogonUser to obtain security handle which later is
> > used in
> > ¤ creating windows identity and impersonating the identity, thus
> > receiving
> > ¤ context.
> > ¤ 4. Context is returned to the module
> > ¤ 5. Module uses it to assign to the current context of the executing
> > thread
> > ¤
> > ¤ All of the steps work just fine. I call LogonUser, I can see in the
> > security
> > ¤ log the successful audit event. However, the context assigned doesn't
> > make a
> > ¤ difference to the running thread and the thread's user still returns
> > ASPNET.
> > ¤
> > ¤ Does anyone see a problem with my method?
> > ¤
> >
> > Not sure if I understand your configuration completely. Is the
> > privileged
> > operation being performed
> > by the COM+ application? From your description it appears that the COM+
> > application is already
> > running under a privileged account.
> >
> >
> > Paul ~~~ pclement@ameritech.net
> > Microsoft MVP (Visual Basic)
>
>
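The thread above turns on one point: WindowsIdentity.Impersonate changes the security token of the thread that calls it, not of the process or of any other thread. The following is an added C# example written for this page, not code posted by any participant. It assumes the token is acquired and impersonated inside the same process and on the same thread that performs the privileged work; a raw token handle obtained in a separate COM+ server process (its own dllhost.exe) is a process-local handle value and is not usable as-is in the ASP.NET worker process. The credentials are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;

// Added example: LogonUser -> WindowsIdentity -> Impersonate on the calling thread,
// then prove that a second thread is unaffected. Not code from the newsgroup thread.
public static class ImpersonationDemo
{
    // Network logon: no interactive session and no profile load, which is the
    // least-privileged logon type for "act as this user for a few calls".
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private static string otherThreadName;

    // Runs on a separate thread: impersonation is per-thread, so this still
    // reports the process account (ASPNET in the original poster's setup).
    private static void ReadIdentityOnOtherThread()
    {
        otherThreadName = WindowsIdentity.GetCurrent().Name;
    }

    public static void Main()
    {
        // Placeholder credentials (constructed for this example): replace with
        // an account you control; never hard-code real secrets in source.
        string user = "svc-placeholder";
        string domain = ".";
        string password = "<placeholder>";

        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surfaces the Win32 reason (bad credentials, missing privilege, ...)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // WindowsIdentity duplicates the handle, so the raw one is closed below.
            WindowsIdentity identity = new WindowsIdentity(token);
            WindowsImpersonationContext ctx = identity.Impersonate();
            try
            {
                // Same thread: the impersonated account.
                Console.WriteLine("calling thread: " + WindowsIdentity.GetCurrent().Name);

                // Different thread: still the process identity.
                Thread t = new Thread(new ThreadStart(ReadIdentityOnOtherThread));
                t.Start();
                t.Join();
                Console.WriteLine("other thread:   " + otherThreadName);
            }
            finally
            {
                // Always revert, even if the privileged work throws, so the
                // elevated token never leaks into later work on this thread.
                ctx.Undo();
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

The two printed names differ because the impersonation token is attached to the calling thread only; a context created in another process or on another thread cannot be "assigned" to a request thread after the fact. The Undo in the finally block is the part a reviewer would insist on: once the privileged operation is done, the thread must return to the process account before handling anything else.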