Re: impersonation for file & DB access



I would be happy to elaborate - this whole thing has me nervous that we will
end up with a bigger security exposure than necessary.

We are creating a reporting portal. It's an extension of
http://www.windwardreports.com where no programmer is required. So they go in
and upload a report template and define datasources. Datasources are xml
files (or urls) and/or sql databases.

If the company using the portal has all users as domain users, then windows
authentication works great - except for sql databases other than Sql Server.
Other databases don't have SSPI login so we must have a username/password.

If the company is not on a domain, or will have people accessing the portal
that are not domain users, then we are stuck with forms authentication. I can
see this happening: 1) Big company, small group using it - they can't get our
4 required groups added to the domain; 2) Small company, not on a domain
server; 3) Some of the users are not domain users.

I don't want to have us handling access rights to files and databases for
two big reasons. First, if we screw it up, we've let people in and we're
responsible for the security breach. Second, a company has already put in the
effort to set access rights for users to files and databases. It's additional
work for them to duplicate it in our system.

So I want to impersonate, then open a data file or sql database connection.
And in the case of a database other than Sql Server, use the client user's
uname/pw in the connection string.

We are giving the users the option of either having us store their uname/pw in
our database, or having us prompt them the first time and store it in memory,
prompting again if the session expires.

What do you think?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



"Joe Kaplan (MVP - ADSI)" wrote:

The thing I'm confused about is that if the backend of your app requires
Windows authentication features, why use anything but Windows
authentication? It seems to me like you end up at cross purposes if you are
trying to use SQL membership and roles if you still need Windows security
features to drive important parts of your app.

Can you elaborate on this?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"David Thielen" <thielen@xxxxxxxxxxxxx> wrote in message
news:5A8C8D58-6257-4072-985B-3441AF65F6C3@xxxxxxxxxxxxxxxx
Hi;

Thank you and I would NEVER store the uname/password in our database. As it
is I'm very very nervous that I prompt them for it and have it in memory long
enough to create a WindowsIdentity.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



"Dominick Baier [DevelopMentor]" wrote:

With Windows auth you have the option to impersonate for the whole length
of the request with <identity impersonate="true" />.

Or you grab Context.User.Identity and call Impersonate() to impersonate
temporarily.

With forms auth you can use the uname and pwd to call Win32 LogonUser. This
implies that you have to store the password for the user (bad) or that you
create a WindowsIdentity and cache it.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi;

I thought I asked this before - but I can't find it. So apologies if I did.

I need to access both files (opening/reading) and databases (connect
using SSPI) impersonating the client user. There are two modes for this:

1) Windows authentication - we use the credentials from the client to
impersonate. How do I do this?

2) AspNetSqlMembershipProvider - I prompt them for their Windows
username & password and use that to impersonate them. Once I have the
username/password, how do I set up the impersonation?
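The two paths Dominick describes above (temporarily impersonating the request's WindowsIdentity under Windows auth, and under forms auth exchanging the uname/pw for a token via Win32 LogonUser so that only the WindowsIdentity is cached, never the password), as an added C# example that is not code from this thread. It assumes ASP.NET on .NET Framework; the class and method names, and the file path and connection string the caller passes in, are my own assumptions.

```csharp
using System;
using System.Data.SqlClient;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Added example (not from the thread). Assumes ASP.NET on .NET Framework; names are assumed.
public static class ImpersonatedAccess
{
    // Windows auth: the request already carries a WindowsIdentity. Impersonate only
    // around the file access; leaving the using block calls Undo() and reverts.
    public static string ReadFileAsCaller(string path)
    {
        var id = HttpContext.Current.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows identity required.");
        using (WindowsImpersonationContext ctx = id.Impersonate())
        {
            return File.ReadAllText(path);   // file ACLs now apply to the client user
        }
    }
    // Forms auth: exchange uname/pw for a token once and cache the WindowsIdentity, never the password.
    // Logon type 8 = LOGON32_LOGON_NETWORK_CLEARTEXT (token can still do SSPI to a remote SQL Server);
    // provider 0 = LOGON32_PROVIDER_DEFAULT.
    public static WindowsIdentity LogonForImpersonation(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, 8, 0, out token))
            throw new UnauthorizedAccessException("LogonUser failed, error " + Marshal.GetLastWin32Error());
        try { return new WindowsIdentity(token); }   // the constructor duplicates the token,
        finally { CloseHandle(token); }               // so the original handle is closed here
    }
    // Run a query as the cached identity; connString carries "Integrated Security=SSPI"
    // so the database authenticates the client user, not the worker process account.
    public static object QueryAs(WindowsIdentity id, string connString, string sql)
    {
        using (id.Impersonate())
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar();
        }
    }
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password, int logonType, int provider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
}
```

The password string should go out of scope right after LogonForImpersonation returns, and the cached WindowsIdentity should live no longer than the session, which is the "create a WindowsIdentity and cache it" option rather than storing the password.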
