RE: SetPrincipalPolicy in ASP.NET



Hi Richlm,

From your description, you're wantting to build a trusted sub-system for
your ASP.NET application and wonder what's the proper way to configure
ASP.NET security settings, correct?

Based on my experience, the "AppDomain.CurrentDomain.SetPrincipalPolicy" is
seldom used in ASP.NET application. ASP.NET application has its own
security settings:

** the authentication (in IIS and ASP.NET side)

** the impersonate

the authentication will control whether the IIS will forward security
credential of client to ASP.NET and whether ASP.NET will populate it in
current Thread's principal. The impersonate will control whether the
ASP.NET will change the current worker thread's security account(either the
one you set in web.config or the account forwarded from IIS/CLIENT).

For your scenario, a typical trusted sub-system mainly require a powerful
process account. That means you can change the process account to a custom
account which will have sufficient permission to access any resource your
application requires. And you'll no longer need to do impersonate(to run
thread under client authenticated account or account set in web.config).

Here are some reference about ASP.NET security settings:

#Authentication in ASP.NET: .NET Security Guidance
http://msdn2.microsoft.com/en-us/library/ms978378.aspx

#Impersonation with ASP.NET 2.0
http://www.c-sharpcorner.com/UploadFile/manishkdwivedi/impersonation10092007
065217AM/impersonation.aspx

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998351.aspx

#Configuring Process Identity for ASP.NET (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1
34d11d5-7676-4f59-936b-a59e7bca8515.mspx?mfr=true

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "richlm" <niels_flensted@xxxxxxxxxxxxxxxxx>
Subject: SetPrincipalPolicy in ASP.NET
Date: Wed, 12 Mar 2008 13:12:11 +0100

Just curious really, I want to use a trusted subsystem approach in ASP.NET.
There are various ways to achieve it in config, e.g. impersonating the
anonymous user, but I observed that the following works too:

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal
).

This results in Thread.CurrentPrincipal being set to the process identity
i.e. IIS worker process account.
Is this acceptable practice or could it cause problems in a web app?

(I had always associated the method with Winforms apps).




.



Relevant Pages

  • RE: "ASP.NET Machine Account" problem
    ... Since your ASP.NET application's work process account is "MACHINE\ASPNET", ... remote resource, I think you can consider configure your ASP.NET ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: "ASP.NET Machine Account" problem
    ... Since your ASP.NET application's work process account is "MACHINE\ASPNET", ... remote resource, I think you can consider configure your ASP.NET ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Really no answer?
    ... the logon error message I get is "Your account is ... and juicing a few security settings ... Since it isn't limited to merely the 500 builtin account, ... has Traversal Bypass and Local Logon rights, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Local Account & Password Policy Options Greyed out for Admins?
    ... > to have set the security settings back to what they should be. ... > settings for the password and account lockout policies are greyed out, ... I didn't run a the "net user" command on her account till ... > password and account never expire. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Log on as a service
    ... System and Network Service and if present Local Service ... or that some account or group has ... Security) ... e.g. Local Security Settings -> ...
    (microsoft.public.windowsxp.security_admin)