Re: ASP.NET Fixed Identity Impersonation

From: J-T (Ray5531_at_microsoft.com)
Date: 07/19/05

    Date: Mon, 18 Jul 2005 20:51:32 -0700
    
    

    >>but I'm learning. :)
    That's very good. So am I.

    >>so our LAN team added the account to the local security policy.

    Exactly what I was going to say: sometimes developers grant some
    permissions to an account and they don't let each other know. Everything is
    fine, but when it goes to production it is another story. I personally have
    found 40% of ASP.NET problems have something to do with security issues of
    the worker process, and I think the root of all this evil is NTLM and not
    having the ability to flow the identity across the boundaries. I would
    appreciate it if you could let me know of the outcome at
    bahrez_AT_nospam_yahoo.com. I'm so interested to see what the problem was.

    Thanks a million for your valuable time.

    J-T

    "ADavis" <ADavis@discussions.microsoft.com> wrote in message
    news:9338CAB9-0537-448D-937A-4362453919DF@microsoft.com...
    > That's okay, I'm glad I can help. It's working in our development
    > environment, and it's passing the account information to the remote SQL
    > Server box. Our LAN team called MS and they think the problem is the
    > production webserver machine account (which is a domain account as well)
    > didn't have the ability to impersonate, so our LAN team added the account
    > to the local security policy. We have to schedule a downtime to cycle IIS
    > to see if it works, I will keep you posted. From what I've read, the
    > client sends its token to IIS, which in turn passes it to the ASP.NET
    > engine, this is where the impersonation takes place, so instead of using
    > the machine account to authenticate to the SQL Server we're telling it to
    > use the Windows account created for the web application. My problem is, it
    > isn't even getting that far. We are getting an access denied to the web
    > folder. Like I said earlier, it's working in our development environment,
    > weird stuff, but I'm learning. :)
    >
    > "J-T" wrote:
    >
    >> ADavis,
    >>
    >> Have you ever tested this in this scenario (because we are sharing exactly
    >> the same thing)? When you use impersonation using a fixed identity, is the
    >> worker process identity (ASPNET in IIS 5.x and the identity of the
    >> application pool in IIS 6.0) taken into account at all or not? I think when
    >> impersonating, the worker process account is forced to be your impersonated
    >> user. What do you think? My focus is cross-machine, from webserver to
    >> database server.
    >>
    >> Actually you wanted to get an answer for your problem and you got trapped by
    >> somebody else's questions. Sorry about that.
    >>
    >> Thanks
    >> "ADavis" <ADavis@discussions.microsoft.com> wrote in message
    >> news:BECB4ACF-5BD8-475E-B3E5-4FD05051F0DF@microsoft.com...
    >> > Yes, we only give exec permission to our stored procedures to the
    >> > domain account specifically created for the web application.
    >> >
    >> > "J-T" wrote:
    >> >
    >> >> If you are using a Trusted connection, it means that you don't specify
    >> >> username and password in your connection string, then on the SQL Server
    >> >> side you give the appropriate permissions to that domain account, right?
    >> >> Thanks
    >> >>
    >> >> "ADavis" <ADavis@discussions.microsoft.com> wrote in message
    >> >> news:02DE37C7-7928-47D1-9D29-B65B07D11EA4@microsoft.com...
    >> >> > 1) Yes
    >> >> > 2) We are using a domain account
    >> >> > 3) Trusted connection.
    >> >> >
    >> >> > "J-T" wrote:
    >> >> >
    >> >> >> ADavis,
    >> >> >>
    >> >> >> We are doing the same thing, can I ask you a couple of questions?
    >> >> >>
    >> >> >> 1) Are you using NTLM for each website?
    >> >> >> 2) When you impersonate under a fixed account, is it a domain
    >> >> >> account or a local account of the webserver?
    >> >> >>
    >> >> >> 3) What does your connection string to the database look like? I mean,
    >> >> >> is it using a Trusted Connection or a SQL Server account?
    >> >> >>
    >> >> >>
    >> >> >> Thanks a lot
    >> >> >>
    >> >> >> "ADavis" <ADavis@discussions.microsoft.com> wrote in message
    >> >> >> news:334A6387-584C-41DE-8D32-EDB11B4F5422@microsoft.com...
    >> >> >> > Also, I just wanted to add that the machine.config file is
    >> >> >> > configured to use impersonation as well on both servers (this is
    >> >> >> > from our development server):
    >> >> >> >
    >> >> >> > <identity impersonate="true" userName="domain\servername_ASPNET"
    >> >> >> > password="*******!"/>
    >> >> >> >
    >> >> >> > "ADavis" wrote:
    >> >> >> >
    >> >> >> >> We have a development web server (Windows 2000 Server) and a
    >> >> >> >> production web server (Windows 2000 Server); both are running IIS
    >> >> >> >> 5.0 and have the .NET Framework 1.1. We have ASP.NET fixed identity
    >> >> >> >> impersonation running on the development server and it's fine. We
    >> >> >> >> moved the website to the production server and we're getting the
    >> >> >> >> following error:
    >> >> >> >>
    >> >> >> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
    >> >> >> >> start monitoring file changes.
    >> >> >> >>
    >> >> >> >> Did a search in Google and found this article:
    >> >> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317955
    >> >> >> >>
    >> >> >> >> We followed Method 1 - didn't work.
    >> >> >> >>
    >> >> >> >> We are reluctant to follow Method 2 because the individual web site
    >> >> >> >> folders are set to inherit permission from the parent.
    >> >> >> >>
    >> >> >> >> Any help will be appreciated.
    >> >> >> >>
    >> >> >> >> Sincerely,
    >> >> >> >>
    >> >> >> >> ADavis
    >> >> >>
    >> >> >>
    >> >> >>
    >> >>
    >> >>
    >> >>
    >>
    >>
    >>
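
The question raised in this thread (which account is in effect on the request thread, in the worker process, and at SQL Server when fixed identity impersonation is combined with a trusted connection) can be checked directly on a server where pages still load. The following is an added example, not code from the thread; the class name `IdentityProbe` and the server and database names in the connection string are placeholders.

```csharp
// Added diagnostic example (not from the thread), written for .NET Framework 1.1.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;

public class IdentityProbe
{
    // Placeholder connection string: trusted connection, no SQL login or password.
    private const string ConnStr =
        "Server=SQL_SERVER_PLACEHOLDER;Database=DB_PLACEHOLDER;Integrated Security=SSPI;";

    public static string Report(HttpContext ctx)
    {
        StringBuilder sb = new StringBuilder();

        // Identity IIS authenticated for this request (empty when anonymous).
        string caller = (ctx.User == null) ? "(none)" : ctx.User.Identity.Name;
        sb.Append("Authenticated user: ").Append(caller).Append("\n");

        // Token on the current thread. With <identity impersonate="true"
        // userName="..." password="..."/> this is the fixed account.
        sb.Append("Thread identity:    ")
          .Append(WindowsIdentity.GetCurrent().Name).Append("\n");

        // Temporarily revert to the process token to see the worker process account.
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            sb.Append("Process identity:   ")
              .Append(WindowsIdentity.GetCurrent().Name).Append("\n");
        }
        finally
        {
            reverted.Undo(); // restore the impersonated token
        }

        // Ask SQL Server which Windows login it sees on the trusted connection.
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            {
                conn.Open();
                SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
                sb.Append("SQL Server login:   ").Append(cmd.ExecuteScalar()).Append("\n");
            }
        }
        catch (SqlException ex)
        {
            sb.Append("SQL connection failed: ").Append(ex.Message).Append("\n");
        }
        return sb.ToString();
    }
}
```

Call it from a test page with `Response.Write(Server.HtmlEncode(IdentityProbe.Report(Context)))` and compare the output between the development and production servers.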

