Re: LogonUser from ASP.NET
sgelfmann_at_yahoo.com
Date: 01/26/05
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: LogonUser from ASP.NET"
- Previous message: sgelfmann_at_yahoo.com: "Impersonation"
- In reply to: laimis: "Re: LogonUser from ASP.NET"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: LogonUser from ASP.NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 26 Jan 2005 13:01:44 -0800
There's an article that you might find helpful:
http://www.devx.com/SummitDays/Article/6666/0/page/1
In fact it mentions this on page 2:
"Since the worker process normally runs as ASPNET (with very few
privileges), this attempt to elevate privileges will fail."
laimis wrote:
> COM+ application is running under the privileged account so that the
> LogonUser could be invoked.
>
> I do call impersonate with the token received.
>
> I was just wondering if the impersonation was done on one thread that COM+
> is running under and the ASP.NET request handling thread was not affected by
> the impersonation since I call impersonate in the COM+ component.
>
> I tried returning the Identity object that was created using the token
> obtained from the LogonUser and then calling Impersonate from ASP.NET app.
> However I would get error message saying that impersonation not allowed and
> that web config should be modified or security setting for the application
> changed. What should I change in the config file to allow ASP.NET app to
> call Impersonate?
>
> Laimis
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:esa6u7yAFHA.3376@TK2MSFTNGP12.phx.gbl...
> > Also, after you call LogonUser, do you take the resulting token and
> > impersonate it?
> >
> > Joe K.
> >
> > "Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
> > news:05cdv0tr1hbhft9b56vh8eqp5j2d8c7aoe@4ax.com...
> > > On Tue, 25 Jan 2005 10:37:39 -0600, "laimis" <simulai@NOSPAMiit.edu>
> > > wrote:
> > >
> > > ¤ Hello everybody,
> > > ¤
> > > ¤ this is a rather complicated, but intriguing problem that I have been
> > > ¤ having. What I want to do is: after user connects to my asp.net
> > > ¤ application, I want to elevate the thread's user from ASPNET to let's
> > > ¤ say administrator so that privileged operation could be performed. I
> > > ¤ don't want to change account under which ASP.NET runs. My idea is to
> > > ¤ impersonate in COM+ app that runs under privileged account.
> > > ¤
> > > ¤ Currently here is how I have it implemented.
> > > ¤
> > > ¤ 1. HttpModule intercepts the request for the application.
> > > ¤ 2. Module calls COM+ app that runs with privileged account
> > > ¤ 3. COM+ app calls LogonUser to obtain security handle which later is
> > > ¤ used in creating windows identity and impersonating the identity,
> > > ¤ thus receiving context.
> > > ¤ 4. Context is returned to the module
> > > ¤ 5. Module uses it to assign to the current context of the executing
> > > ¤ thread
> > > ¤
> > > ¤ All of the steps work just fine. I call LogonUser, I can see in the
> > > ¤ security log the successful audit event. However, the context assigned
> > > ¤ doesn't make a difference to the running thread and the thread's user
> > > ¤ still returns ASPNET.
> > > ¤
> > > ¤ Does anyone see a problem with my method?
> > > ¤
> > >
> > > Not sure if I understand your configuration completely. Is the
> > > privileged operation being performed by the COM+ application? From your
> > > description it appears that the COM+ application is already running
> > > under a privileged account.
> > >
> > >
> > > Paul ~~~ pclement@ameritech.net
> > > Microsoft MVP (Visual Basic)
> >
> >
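The LogonUser/Impersonate sequence laimis describes, as an added example in C# for .NET Framework (not code from the thread): the token returned by LogonUser is impersonated on the thread that will perform the privileged work and reverted afterwards, which is why impersonating inside the COM+ component's own thread leaves the ASP.NET request thread running as ASPNET. The account name, domain and password are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread. Credentials below are placeholders;
// in practice use a dedicated service account with only the rights it needs.
static class ImpersonationDemo
{
    const int LOGON32_LOGON_NETWORK = 3;     // no interactive session needed
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs action on the *calling* thread under the given account and always
    // reverts. Impersonating on another thread or in another process (for
    // example inside an out-of-process COM+ server) does not change the
    // identity of the thread that eventually does the work.
    public static void RunAs(string user, string domain, string password, Action action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Impersonate duplicates the token; the original handle stays ours.
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token);
            try { action(); }
            finally { ctx.Undo(); }   // revert even if action throws
        }
        finally
        {
            CloseHandle(token);       // never leak the logon token
        }
    }

    static void Main()
    {
        Console.WriteLine("before: " + WindowsIdentity.GetCurrent().Name);
        RunAs("svc-placeholder", "DOMAIN-placeholder", "pw-placeholder", () =>
            Console.WriteLine("inside: " + WindowsIdentity.GetCurrent().Name));
        Console.WriteLine("after:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Each successful LogonUser call still produces the logon audit event laimis sees in the security log, so that event alone does not prove the request thread's identity changed; check WindowsIdentity.GetCurrent() on the thread doing the work.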