Re: About ASP.Net Impersonation



I don't think the OP was specific about why he needed to access the remote
resource with the logged-on user's credentials.

I always forget that you prefer to impersonate only when necessary by
creating a WindowsImpersonationContext from Context.User.Identity. It is a
better solution for sure in terms of tightening up the security.

Don't you have a blog posting referencing this technique and expanding on it
more?

It seemed like his first order of business though was to get Kerberos
delegation working.

Joe K.

"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be6316a9d28c7cfbb79309862@xxxxxxxxxxxxxxxxxxxxx
> Hello Joe,
>
> First of all - why do you set impersonate to true - in the original
> question I cannot see that this is a requirement??
>
> :) just my usual rant about auto impersonation
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> In order to delegate a user's security context that was authenticated
>> with integrated Windows auth, you need to properly configure Kerberos
>> delegation.
>>
>> The best thing you can do for yourself is get yourself Keith Brown's
>> book (The .NET Developer's Guide to Windows Security) and read about
>> it. You can also read it online.
>> http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook.HomePage
>>
>> There are also some good articles on the MS website that you can
>> search for.
>>
>> Joe K.
>>
>> "Andrew" <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:9DDEEDF4-0872-443A-9FAC-950FB58BCA22@xxxxxxxxxxxxxxxx
>>
>>> Hello, friends,
>>>
>>> Our asp.net app needs to access other servers from our IIS servers.
>>> In web.config, we set:
>>>
>>> <identity impersonate="true"/>
>>>
>>> However, this works on some IIS servers, and does not work on the
>>> rest of IIS servers. We have to explicitly set:
>>>
>>> <identity impersonate="true" userName="IISGroup\userName"
>>> password="password" />
>>>
>>> to make it work again.
>>>
>>> Why? Any ideas? We don't want to have userName/password in
>>> web.config...
>>>
>>> Thanks a lot.
>>>
>
>
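
Added example, not code from any poster in this thread: the "impersonate only when necessary" approach mentioned above, with `<identity impersonate="false"/>` and Windows authentication in web.config, so the caller's identity is assumed only around the one remote call. The handler name, helper name and UNC path are hypothetical, and reaching a remote server with the caller's token still requires the Kerberos delegation setup discussed in the thread.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class ScopedImpersonation
{
    // Runs 'action' under the authenticated caller's Windows identity and
    // reverts to the worker process identity afterwards, even if it throws.
    public static T RunAsCaller<T>(HttpContext context, Func<T> action)
    {
        // With Windows authentication, Context.User.Identity is a WindowsIdentity.
        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            // Fail closed: never fall through and run the action as the process account.
            throw new UnauthorizedAccessException(
                "No authenticated Windows identity on this request.");
        }

        // Disposing the context calls Undo(), which restores the process identity.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return action();
        }
    }
}

// Hypothetical handler: everything except the file read runs as the
// application pool identity, not as the user.
public class ReportHandler : IHttpHandler
{
    // Hypothetical UNC path, used only for illustration.
    private const string RemoteFile = @"\\fileserver.example\reports\summary.txt";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string text = ScopedImpersonation.RunAsCaller(
            context, () => File.ReadAllText(RemoteFile));

        context.Response.ContentType = "text/plain";
        context.Response.Write(text);
    }
}
```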

