Re: Service Account replaced by IUSR ??



Joe Kaplan wrote:
It looks like the IIS anonymous user is being impersonated for some reason here. That should be the only reason why that user would get used at all. Can you see any reason how that might have happened? Is anonymous enabled in the application at all?

Out of curiosity, why are you enabling for delegation if you don't plan to delegate? Based on what I read below, it sounds like you just want to use the fixed process account for accessing remote resources, so delegation should not matter. As such, you should also be able to avoid impersonation as well, since you would generally only impersonate if you need to delegate or access local resources with the security context of the authenticated user.

Joe K.

Hi Joe,
(First off, I'm a *big* fan of your book about AD!)
Well, to get to the matter at hand, I'm quite sure that anonymous access is disabled. In fact, I did a check with System.Security.Principal.WindowsIdentity.GetCurrent(), and sure enough the application runs under the service account.
The only thing that is a bit different is that I'm running the application with a different port number (192.168.1.2:8080), but that should not affect the security, should it?
As far as the "trust account for delegation" option is concerned, I thought you had to enable this, based on this text fragment in the article I referred to:
"By using impersonation, ASP.NET applications can execute code or access resources with the identity of the authenticated user or a fixed Windows identity. Standard impersonate-level impersonation tokens that are usually created when you enable impersonation allow you to access local resources only. To be able to access remote network resources, you require a delegate-level token. To generate a delegate-level token when you impersonate, you need to use Kerberos authentication and your process account needs to be marked as trusted for delegation in Active Directory. "

But now that I read it again, I see your point. Anyway, it doesn't work either with or without this option checked, so I'll uncheck it. I like clean settings.

Erwin
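As an added example (not code from Erwin's or Joe's posts), the following ASP.NET diagnostic handler extends the WindowsIdentity.GetCurrent() check from the reply above: it reports the worker process identity, whether the current thread is impersonating, and the token IIS built for the caller together with its authentication type and impersonation level, which is what determines whether the delegate-level token described in the quoted article fragment is actually present. Assumptions: ASP.NET 2.0 or later (Request.LogonUserIdentity does not exist in 1.x), IIS with Integrated Windows authentication on the site, and the handler/file name IdentityProbe, which is hypothetical.

```csharp
<%@ WebHandler Language="C#" Class="IdentityProbe" %>
// Added diagnostic example, not code from the original thread.
// Save as IdentityProbe.ashx (hypothetical name) inside the application and
// request it in a browser with Integrated Windows authentication enabled.
// Assumes ASP.NET 2.0 or later (Request.LogonUserIdentity is not in 1.x).
using System;
using System.Security.Principal;
using System.Web;

public class IdentityProbe : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";

        // GetCurrent(false) returns the worker process identity even while the
        // thread is impersonating: the "fixed process account" Joe refers to.
        WindowsIdentity process = WindowsIdentity.GetCurrent(false);

        // GetCurrent(true) is null unless this thread is impersonating, e.g.
        // via <identity impersonate="true"/> in web.config.
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);

        // The token IIS created for the caller. If this names IUSR_<machine>,
        // IIS answered the request with anonymous authentication, whatever the
        // application's own identity settings say.
        WindowsIdentity logon = ctx.Request.LogonUserIdentity;

        Describe(ctx, "Worker process identity", process);
        Describe(ctx, "Impersonated identity on this thread", impersonated);
        Describe(ctx, "IIS logon identity (Request.LogonUserIdentity)", logon);

        // What ASP.NET itself considers the user to be (HttpContext.User).
        ctx.Response.Write("HttpContext.User: "
            + (ctx.User != null ? ctx.User.Identity.Name : "(none)") + "\r\n");
        ctx.Response.Write("Request.IsAuthenticated: " + ctx.Request.IsAuthenticated + "\r\n");
        ctx.Response.Write("AUTH_TYPE: " + ctx.Request.ServerVariables["AUTH_TYPE"] + "\r\n");

        // Per the quoted article, only a delegate-level token lets the app reach
        // remote resources as the caller (Kerberos plus "trusted for delegation"
        // on the process account); an impersonate-level token covers local
        // resources only.
        if (logon != null && logon.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            ctx.Response.Write("Verdict: caller token is delegate-level; remote access as the caller is possible.\r\n");
        else
            ctx.Response.Write("Verdict: no delegate-level token; remote resources must be reached as the process account.\r\n");
    }

    // Prints the identity's name, authentication package and token level.
    // IsAnonymous is true only for NT AUTHORITY\ANONYMOUS LOGON; the IIS
    // anonymous user is a real account and shows up by its IUSR_ name.
    private static void Describe(HttpContext ctx, string label, WindowsIdentity id)
    {
        if (id == null)
        {
            ctx.Response.Write(label + ": (not impersonating)\r\n");
            return;
        }
        ctx.Response.Write(label + ": " + id.Name + "\r\n");
        ctx.Response.Write("    AuthenticationType=" + id.AuthenticationType
            + "  ImpersonationLevel=" + id.ImpersonationLevel
            + "  IsAnonymous=" + id.IsAnonymous + "\r\n");
    }
}
```

Request the handler once from a domain-joined browser and once with a client that sends no credentials. An IUSR_ name in the IIS logon identity while the worker process identity is still the service account points at anonymous access being accepted on the virtual directory rather than at the application's identity settings, which is the distinction Joe is asking about; an ImpersonationLevel other than Delegation, or an AuthenticationType of NTLM rather than Kerberos, shows why a remote hop under the caller's identity would fail even with "trust for delegation" checked.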