Re: Thread identity

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/07/05

Date: Thu, 6 Oct 2005 17:06:44 -0500


    Agreed. I was just trying to explain the available approaches. The COM+
    method is definitely the way to go. However, he may not want to deal with
    that. As long as the risks are known (which I did not explain in any good
    detail :)).

    Joe K.

    "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    wrote in message news:42565460feb538c798e19ee8f701@news.microsoft.com...
    > Hello Joe,
    >
    > please - don't use impersonation for that -
    > both approaches using impersonation will get you in trouble -
    >
    > a) WP runs as admin
    > when an attacker can take over the application - he is admin
    >
    > b) WP runs as ASPNET - you impersonate admin
    > you need to use LogonUser for that - where do you want to store the admin
    > pwd - what happens with password change policy a.s.o...
    >
    > write a local COM+ server (even remoting would be ok :) that has the
    > necessary privileges - factor out the code - and call into it from your
    > ASP.NET app
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> You can impersonate an administrator for the duration of the call, or
    >> you can run the worker process as the administrator and undo the
    >> impersonation during the call. You can also put the admin code in a
    >> COM+ application that runs under a different identity.
    >>
    >> The WindowsImpersonationContext starts and stops impersonation. The
    >> only other thing is getting the logon token for the administrator to
    >> use to impersonate. The MSDN docs on WindowsImpersonationContext have
    >> a good sample on that though. Then the problem is securely storing
    >> the credentials...
    >>
    >> Joe K.
    >>
    >> "Raster Space" <raster2000@hotmail.com> wrote in message
    >> news:di3v0t$pdn$1@phys-news1.kolumbus.fi...
    >>
    >>> I have managed Web Application running on ASPNET user rights. How can
    >>> I execute certain (not all) methods with administrator privileges?
    >>> Any ideas?
    >>>
    >
    >
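
Dominick's recommendation above (factor the privileged code into a local COM+ server and call into it from ASP.NET), as an added C# example that is not code from this thread; it assumes the application name "PrivilegedOpsHost", the role "AspNetCallers", the service name "SampleSvc", and that the assembly is strong-named and registered with regsvcs, with the ASPNET account added to that role and the application identity set in Component Services.

```csharp
using System;
using System.EnterpriseServices;
using System.ServiceProcess;

// COM+ registration metadata for the host application (all names are assumptions).
[assembly: ApplicationName("PrivilegedOpsHost")]
[assembly: ApplicationActivation(ActivationOption.Server)]  // own dllhost.exe, own identity
[assembly: ApplicationAccessControl(true, AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent)]
[assembly: SecurityRole("AspNetCallers", Description = "Accounts allowed to call into this host")]

namespace PrivilegedOps
{
    // Narrow contract: the web app can restart one allow-listed service, nothing more.
    [ComponentAccessControl(true)]
    public class ServiceControl : ServicedComponent
    {
        // Constructed allow-list; the caller never gets to name an arbitrary service.
        private static readonly string[] AllowedServices = { "SampleSvc" };

        public void RestartService(string serviceName)
        {
            // COM+ enforces the role from its configuration; this re-checks it in code.
            if (!ContextUtil.IsSecurityEnabled || !ContextUtil.IsCallerInRole("AspNetCallers"))
                throw new UnauthorizedAccessException("Caller is not in role AspNetCallers.");
            if (Array.IndexOf(AllowedServices, serviceName) < 0)
                throw new ArgumentException("Service is not on the allow-list.", "serviceName");

            // Runs under the COM+ application identity, not under ASPNET and not via LogonUser.
            using (var sc = new ServiceController(serviceName))
            {
                sc.Stop();
                sc.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(30));
                sc.Start();
                sc.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(30));
            }
        }
    }

    // Caller side, inside the ASP.NET app still running as ASPNET: no admin password stored anywhere.
    public static class Caller
    {
        public static void RestartSampleService()
        {
            var svc = new ServiceControl();
            try { svc.RestartService("SampleSvc"); }
            finally { ServicedComponent.DisposeObject(svc); }
        }
    }
}
```

If the web application is compromised, the attacker holds only the ability to call RestartService against the allow-list, not the credentials or token of an administrator.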

