Re: Thread identity
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Thu, 6 Oct 2005 17:06:44 -0500
Agreed. I was just trying to explain the available approaches. The COM+
method is definitely the way to go. However, he may not want to deal with
that. As long as the risks are known (which I did not explain in any good
"Dominick Baier [DevelopMentor]" <email@example.com>
wrote in message news:firstname.lastname@example.org...
> Hello Joe,
> please - don't use impersonation for that -
> both approaches using impersonation will get you in trouble -
> a) WP runs as admin
> when an attacker can take over the application - he is admin
> b) WP runs as ASPNET - you impersonate admin
> you need to use LogonUser for that - where do you want to store the admin
> pwd - what happens with password change policy a.s.o...
> write a local COM+ server (even remoting would be ok :) that has the
> necessary privileges - factor out the code - and call into it from your
> ASP.NET app
> Dominick Baier - DevelopMentor
>> You can impersonate an administrator for the duration of the call, or
>> you can run the worker process as the administrator and undo the
>> impersonation during the call. You can also put the admin code in a
>> COM+ application that runs under a different identity.
>> The WindowsImpersonationContext starts and stops impersonation. The
>> only other thing is getting the logon token for the administrator to
>> use to impersonate. The MSDN docs on WindowsImpersonationContext have
>> a good sample on that though. Then the problem is securely storing
>> the credentials...
>> Joe K.
>> "Raster Space" <email@example.com> wrote in message
>>> I have a managed Web Application running on ASPNET user rights. How can
>>> I execute certain (not all) methods with administrator privileges?
>>> Any ideas?
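
The COM+ server approach recommended in the thread, shown as an added example that is not code from any of the posters. The application name `AdminTasks`, the role `WebCallers`, the `IServiceControl` interface and the allow-listed service names are assumptions made for illustration.

```csharp
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.ServiceProcess;

// Server activation: the component runs in its own dllhost.exe under the
// identity set for the COM+ application in Component Services, so the
// ASP.NET worker process never holds the administrator's password or token.
[assembly: ApplicationName("AdminTasks")]                  // hypothetical name
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]

namespace AdminTasks
{
    // Narrow interface: one privileged operation, not a general "run as admin".
    public interface IServiceControl
    {
        void Restart(string serviceName);
    }

    [ComponentAccessControl(true)]
    [SecurityRole("WebCallers")]   // hypothetical role; members are set in Component Services
    [ClassInterface(ClassInterfaceType.None)]
    public sealed class ServiceControl : ServicedComponent, IServiceControl
    {
        // Constructed allow list: the caller cannot name arbitrary services.
        private static readonly string[] Allowed = { "Spooler", "MyAppQueue" };

        public void Restart(string serviceName)
        {
            // Fail closed if COM+ role checks were switched off in the catalog.
            if (!ContextUtil.IsSecurityEnabled || !ContextUtil.IsCallerInRole("WebCallers"))
                throw new UnauthorizedAccessException("Caller is not in WebCallers.");

            if (Array.IndexOf(Allowed, serviceName) < 0)
                throw new ArgumentException("Service is not on the allow list.", "serviceName");

            using (ServiceController sc = new ServiceController(serviceName))
            {
                sc.Stop();
                sc.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(30));
                sc.Start();
            }
        }
    }
}
```

The assembly has to be strong-named and registered (for example with `regsvcs.exe`) before the ASP.NET application can call `IServiceControl`. The privileged account is then assigned to the COM+ application in Component Services instead of being stored by the web application.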