Re: LogonUser from ASP.NET
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/27/05
- Next message: Nick Palmer: "Security/Permission issue with OWC 11.0 on a Windows 2003 server"
- Previous message: Ryan Hanisco: "Re: Access Authentication"
- In reply to: laimis: "Re: LogonUser from ASP.NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Jan 2005 13:19:00 -0600
This is a Code Access Security issue then. Apparently, your web application
is running in partial trust and you don't have the SecurityPermission
with the SecurityPermissionFlag.ControlPrincipal flag. According to the docs,
creating a WindowsIdentity from a token or impersonating a token directly
requires this:
.NET Framework Security:
- SecurityPermission for ability to manipulate the principal object.
  Associated enumeration: SecurityPermissionFlag.ControlPrincipal.
What's in your <securityPolicy> node in web.config under system.web? Note
that this could be defined at the root website level or could be defined in
machine.config by the admin. I think SharePoint uses partial trust by
default, but plain ASP.NET does not.
Joe K.
"laimis" <simulai@NOSPAMiit.edu> wrote in message
news:eYHeqaIBFHA.3376@TK2MSFTNGP12.phx.gbl...
> Alright, that is what I was afraid of, that the impersonation call in COM+
> will affect only the process that COM+ runs under. That's ok, since I just
> need COM+ to call LogonUser to get the token handle.
>
> The exception that I get while trying to call Impersonate from the ASP.NET
> app is the SecurityException. Is the call to Impersonate() on the identity
> also a privileged operation that ASP.NET is not allowed to perform while
> running under the machine account?
>
> Thanks guys for the discussion and your suggestions and help,
>
> Laimis
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:u8I0b8%23AFHA.3940@TK2MSFTNGP09.phx.gbl...
>> What error did you get when you tried to impersonate? Was it a
>> SecurityException or some other type of exception?
>>
>> If the COM+ component is running as a separate server process, then the
>> impersonation will happen in the context of that process. It won't affect
>> what's going on in the ASP.NET process.
>>
>> Joe K.
>>
>> "laimis" <simulai@NOSPAMiit.edu> wrote in message
>> news:eJ18Mo8AFHA.2156@TK2MSFTNGP10.phx.gbl...
>> > The COM+ application is running under the privileged account so that
>> > LogonUser could be invoked.
>> >
>> > I do call impersonate with the token received.
>> >
>> > I was just wondering if the impersonation was done on one thread that
>> > COM+ is running under and the ASP.NET request handling thread was not
>> > affected by the impersonation since I call impersonate in the COM+
>> > component.
>> >
>> > I tried returning the Identity object that was created using the token
>> > obtained from the LogonUser and then calling Impersonate from the ASP.NET
>> > app. However I would get an error message saying that impersonation is not
>> > allowed and that web config should be modified or the security setting for
>> > the application changed. What should I change in the config file to allow
>> > the ASP.NET app to call Impersonate?
>> >
>> > Laimis
>> >
>> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
>> > in message news:esa6u7yAFHA.3376@TK2MSFTNGP12.phx.gbl...
>> >> Also, after you call LogonUser, do you take the resulting token and
>> >> impersonate it?
>> >>
>> >> Joe K.
>> >>
>> >> "Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
>> >> news:05cdv0tr1hbhft9b56vh8eqp5j2d8c7aoe@4ax.com...
>> >> > On Tue, 25 Jan 2005 10:37:39 -0600, "laimis" <simulai@NOSPAMiit.edu>
>> >> > wrote:
>> >> >
>> >> > ¤ Hello everybody,
>> >> > ¤
>> >> > ¤ this is a rather complicated, but intriguing problem that I have been
>> >> > ¤ having. What I want to do is: after a user connects to my asp.net
>> >> > ¤ application, I want to elevate the thread's user from ASPNET to let's
>> >> > ¤ say administrator so that a privileged operation could be performed. I
>> >> > ¤ don't want to change the account under which ASP.NET runs. My idea is
>> >> > ¤ to impersonate in a COM+ app that runs under a privileged account.
>> >> > ¤
>> >> > ¤ Currently here is how I have it implemented.
>> >> > ¤
>> >> > ¤ 1. HttpModule intercepts the request for the application.
>> >> > ¤ 2. Module calls COM+ app that runs with privileged account
>> >> > ¤ 3. COM+ app calls LogonUser to obtain security handle which later is
>> >> > ¤ used in creating windows identity and impersonating the identity, thus
>> >> > ¤ receiving context.
>> >> > ¤ 4. Context is returned to the module
>> >> > ¤ 5. Module uses it to assign to the current context of the executing
>> >> > ¤ thread
>> >> > ¤
>> >> > ¤ All of the steps work just fine. I call LogonUser, I can see in the
>> >> > ¤ security log the successful audit event. However, the context assigned
>> >> > ¤ doesn't make a difference to the running thread and the thread's user
>> >> > ¤ still returns ASPNET.
>> >> > ¤
>> >> > ¤ Does anyone see a problem with my method?
>> >> > ¤
>> >> >
>> >> > Not sure if I understand your configuration completely. Is the
>> >> > privileged operation being performed by the COM+ application? From your
>> >> > description it appears that the COM+ application is already running
>> >> > under a privileged account.
>> >> >
>> >> >
>> >> > Paul ~~~ pclement@ameritech.net
>> >> > Microsoft MVP (Visual Basic)
>> >>
>> >>
>> >
>> >
>>
>>
>
>
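As an added example (not code from any of the posters in this thread), here is the pattern the discussion describes, written in C# against the .NET 1.x API of the time: it checks for the ControlPrincipal permission Joe names before touching the token, calls LogonUser through P/Invoke, impersonates on the calling thread, and reverts and closes the handle whatever happens. The user, domain and password arguments are placeholders supplied by the caller; the class and method names are this example's own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;

// Added example, not code from any poster in this thread.
// Shows the three things the discussion turns on: whether the AppDomain
// grants ControlPrincipal, the LogonUser -> WindowsIdentity -> Impersonate
// sequence, and reverting plus closing the token when the work is done.
public class ImpersonationHelper
{
    // Work to run while impersonating; returns a result for the caller.
    public delegate string ImpersonatedWork();

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private const int LOGON32_LOGON_NETWORK = 3;   // impersonation-level token, no interactive session
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // True when the current AppDomain has been granted ControlPrincipal.
    // In partial trust (for example ASP.NET Medium trust) this returns false,
    // and both new WindowsIdentity(token) and Impersonate() throw
    // SecurityException, which is the error the thread is about.
    public static bool CanControlPrincipal()
    {
        SecurityPermission perm =
            new SecurityPermission(SecurityPermissionFlag.ControlPrincipal);
        return SecurityManager.IsGranted(perm);
    }

    // Logs the user on, runs `work` on the calling thread as that user, and
    // always reverts. Impersonation is per thread, so nothing done here
    // changes the identity of any other thread or process.
    public static string RunAs(string user, string domain, string password,
                               ImpersonatedWork work)
    {
        if (!CanControlPrincipal())
            throw new SecurityException(
                "ControlPrincipal is not granted to this AppDomain; " +
                "check <trust level=...> in web.config or machine.config.");

        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Failed logons appear as audit failures in the Security log,
            // next to the successful audit events the poster saw.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            WindowsImpersonationContext ctx = identity.Impersonate();
            try
            {
                // WindowsIdentity.GetCurrent().Name now reports `user`
                // on this thread only.
                return work();
            }
            finally
            {
                ctx.Undo();   // revert this thread to the process account
            }
        }
        finally
        {
            CloseHandle(token);   // the token is a kernel handle; release it
        }
    }
}
```

On the config question raised in the thread: under system.web, `<trust level="Full"/>` grants ControlPrincipal, while Medium or lower does not, and an administrator can pin the level in machine.config with `<location allowOverride="false">`, in which case the application's web.config setting is ignored. Because the thread is the unit of impersonation, a COM+ server process that impersonates inside its own process cannot change the identity of the ASP.NET worker thread; the process that needs to run as the user is the one that must call Impersonate, which is why the ASP.NET application itself needs the permission.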