Re: Multiple Users with impersonation using one account



Hi,

ok .-

the client identity is in Context.User

WindowsIdentity.GetCurrent() gives you the account the process is running under - this account is used for resource access when no impersonation is enabled.

Any reason why you are running as SYSTEM?? This is generally not recommended because this is a very high privileged account - this is also not the default for ASP.NET under Windows 2000 - I guess you made changes to the processModel element in machine.config.

To be able to access resources on remote machines, you have several options:

a) configure your worker process to run under a specific account, this could be a domain account or a local account, with a mirrored counterpart on the remote machine - this will affect all applications on the server
b) you can set impersonation in web.config for a fixed identity using <identity impersonate="true" userName="xx" password="xx" /> - this will only affect the current application
c) you can impersonate programmatically by using LogonUser / WindowsIdentity.Impersonate


config vs. code

I would

a) lower the privileges of ASP.NET to the default (which is the ASPNET account) - if possible
b) use programmatic impersonation when needed


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I am using Windows Server 2000, not sure which SP.

The following line displays NT AUTHORITY\SYSTEM

Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent.Name)

Which I am assuming is the current user.  Yes, I do know what happens
when I assume!

Thanks,
Jeff
--
Sent via .NET Newsgroups
http://www.dotnetnewsgroups.com

