Re: LogonUser from ASP.NET
From: laimis (simulai_at_NOSPAMiit.edu)
Date: 01/27/05
- Previous message: donotspam: "Re: Image doesn't load and security on folder is the cause??"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: LogonUser from ASP.NET"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: LogonUser from ASP.NET"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: LogonUser from ASP.NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Jan 2005 09:41:26 -0600
Alright, that is what I was afraid of, that the impersonation call in COM+ will
affect only the process that COM+ runs under. That's ok, since I just need
COM+ to call LogonUser to get the token handle.
The exception that I get while trying to call Impersonate from the ASP.NET
app is the SecurityException. Is the call to Impersonate() on the identity
also a privileged operation that ASP.NET is not allowed to perform while
running under the machine account?
Thanks guys for the discussion and your suggestions and help,
Laimis
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:u8I0b8%23AFHA.3940@TK2MSFTNGP09.phx.gbl...
> What error did you get when you tried to impersonate? Was it a
> SecurityException or some other type of exception?
>
> If the COM+ component is running as a separate server process, then the
> impersonation will happen in the context of that process. It won't affect
> what's going on the ASP.NET process.
>
> Joe K.
>
> "laimis" <simulai@NOSPAMiit.edu> wrote in message
> news:eJ18Mo8AFHA.2156@TK2MSFTNGP10.phx.gbl...
> > COM+ application is running under the privileged account so that the
> > LogonUser could be invoked.
> >
> > I do call impersonate with the token received.
> >
> > I was just wondering if the impersonation was done on one thread that COM+
> > is running under and the ASP.NET request handling thread was not affected by
> > the impersonation since I call impersonate in the COM+ component.
> >
> > I tried returning the Identity object that was created using the token
> > obtained from the LogonUser and then calling Impersonate from ASP.NET app.
> > However I would get error message saying that impersonation not allowed and
> > that web config should be modified or security setting for the application
> > changed. What should I change in the config file to allow ASP.NET app to
> > call Impersonate?
> >
> > Laimis
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:esa6u7yAFHA.3376@TK2MSFTNGP12.phx.gbl...
> >> Also, after you call LogonUser, do you take the resulting token and
> >> impersonate it?
> >>
> >> Joe K.
> >>
> >> "Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
> >> news:05cdv0tr1hbhft9b56vh8eqp5j2d8c7aoe@4ax.com...
> >> > On Tue, 25 Jan 2005 10:37:39 -0600, "laimis" <simulai@NOSPAMiit.edu>
> >> > wrote:
> >> >
> >> > ¤ Hello everybody,
> >> > ¤
> >> > ¤ this is rather complicated, but intriguing problem that I have been having.
> >> > ¤ What I want to do is: after user connects to my asp.net application, I want
> >> > ¤ to elevate the thread's user from ASPNET to let's say administrator so that
> >> > ¤ privileged operation could be performed. I don't want to change account
> >> > ¤ under which ASP.NET runs. My idea is to impersonate in COM+ app that runs
> >> > ¤ under privileged account.
> >> > ¤
> >> > ¤ Currently here is how I have it implemented.
> >> > ¤
> >> > ¤ 1. HttpModule intercepts the request for the application.
> >> > ¤ 2. Module calls COM+ app that runs with privileged account
> >> > ¤ 3. COM+ app calls LogonUser to obtain security handle which later is used in
> >> > ¤ creating windows identity and impersonating the identity, thus receiving
> >> > ¤ context.
> >> > ¤ 4. Context is returned to the module
> >> > ¤ 5. Module uses it to assign to the current context of the executing thread
> >> > ¤
> >> > ¤ All of the steps work just fine. I call LogonUser, I can see in the security
> >> > ¤ log the successful audit event. However, the context assigned doesn't make a
> >> > ¤ difference to the running thread and the thread's user still returns ASPNET.
> >> > ¤
> >> > ¤ Does anyone see a problem with my method?
> >> > ¤
> >> > ¤
> >> >
> >> > Not sure if I understand your configuration completely. Is the privileged
> >> > operation being performed by the COM+ application? From your description
> >> > it appears that the COM+ application is already running under a
> >> > privileged account.
> >> >
> >> >
> >> > Paul ~~~ pclement@ameritech.net
> >> > Microsoft MVP (Visual Basic)
> >>
> >>
> >
> >
>
>