Re: Impersonation in ASP.NET 2.0 (works from XP, not 2003)



In 2.0 - and I am pretty sure that it is absolutely the same in 1.1 - the <identity> element with explicit credentials causes the ISAPI to call LogonUser - but LogonUser requires a password - so I am not sure why this should work without supplying a password.

It would be a much better alternative to use app pools in IIS6. And they run under NETWORK service by default.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

We have a C# webapp which we recently upgraded from .NET 1.1 to .NET 2.0.
We need to access remote fileshares from our app, so we enabled impersonation in the web.config file by doing:
<identity impersonate="true" userName="NT AUTHORITY\NetworkService"/>
While redundant on Windows 2003 since ASP.NET actually runs as NetworkService already, it is required on Windows XP for the app to function properly.

Since updating to .NET 2.0, having this line in the config file gives an error when loading the webapp from a Windows 2003 web server:
"Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Access is denied.'"
This works fine under Windows XP, and worked fine under both XP and Windows 2003 in .NET 1.1.

What changed that broke this in .NET 2.0 and Windows 2003?

Thanks!
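The two configurations discussed in this thread side by side, as an added illustration that is not from either poster: the posted <identity> setting with a fixed account and no password, and the app-pool approach Dominick suggests. It assumes the IIS 6 application pool identity is left at its default (Network Service) and that the file share ACL grants that machine account access.

```xml
<!-- web.config fragments (added example, not from the original posts) -->

<!-- 1. As posted: a fixed userName with no password.
     An explicit userName makes ASP.NET call LogonUser for that account,
     and LogonUser needs a password, which is why this produces
     "Could not create Windows user token ... Access is denied" on 2003. -->
<system.web>
  <identity impersonate="true" userName="NT AUTHORITY\NetworkService"/>
</system.web>

<!-- 2. IIS 6 alternative: no fixed-account impersonation at all.
     The worker process already runs as the application pool identity
     (Network Service by default), so the remote share is accessed as
     the machine account without any credentials stored in web.config. -->
<system.web>
  <identity impersonate="false"/>
</system.web>
```

If a fixed account is genuinely required, both userName and password must be supplied, and the section should then be encrypted (for example with `aspnet_regiis -pe "system.web/identity" -app "/YourApp"`, where "/YourApp" is a placeholder) rather than left in clear text.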





