Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 21 Apr 2007 08:32:15 +0000 (UTC)

or maybe (though i haven't tried that) - you could impersonate a domain account using a token created with the NEW_CREDENTIAL option.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

you cannot impersonate a domain account on a non-domain machine.

What would work is to have mirrored accounts on both sides. This means
that on the server and the internal machine/domain there are two
matching account with the same uname/password.

Either the worker process runs as such an account - or this account is
impersonated before doing internal component access.

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

It sounds to me like he just wants a way to call the component period
and needs to impersonate any domain account. Whether or not it is
the client's credential and he is delegating seems to be not as
important.

I'm saying that I don't think you can impersonate a domain account on
a non-domain machine, but I'm not totaly positive, so I'm asking you.
:)

Joe K.

Follow-Ups:
- Re: ASP.NET Impersonation in a Windows 2003 non domain member serv
  - From: Joe Kaplan

References:
- Re: ASP.NET Impersonation in a Windows 2003 non domain member serv
  - From: Dominick Baier

Prev by Date: Re: ASP.NET Impersonation in a Windows 2003 non domain member serv
Next by Date: Re: ASP.NET Impersonation in a Windows 2003 non domain member serv
Previous by thread: Re: ASP.NET Impersonation in a Windows 2003 non domain member serv
Next by thread: Re: ASP.NET Impersonation in a Windows 2003 non domain member serv
Index(es):
- Date
- Thread

Relevant Pages

Re: Domain could not be contacted problem
... > can either make the process run under a domain account, ... > To impersonate a domain account, you generally do this by enabling ... > impersonating the authenticated user in IIS. ...
(microsoft.public.dotnet.framework.aspnet.webservices)
Re: Domain could not be contacted problem
... > can either make the process run under a domain account, ... > To impersonate a domain account, you generally do this by enabling ... > impersonating the authenticated user in IIS. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Sql Reporting Serviced - > ASP.NET ACCESS DENIED!
... The account you are logging in to when on the server doesn't have the ... do you have <Impersonate> set to True? ... > Exception Details: System.UnauthorizedAccessException: Access to the path ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: How to use WindowsPrincipal properly??
... > If you want to check if the user is in the local computers security group ... > used by the general public you have to use Basic Authentication of course. ... You can logon a set account ... > WindowsIndentity which is then used to Impersonate. ...
(microsoft.public.dotnet.framework.aspnet.security)
RE: Impersonate
... saving a Excel document in ASP.NET webapplication, ... Regarding on the problem you mentioned, I think the account is the first ... You should either impersonate through the web.config setting or use code. ... Microsoft MSDN Online Support Lead ...
(microsoft.public.dotnet.framework.aspnet.security)