Re: IIS 7 and WindowsIdentity



Hi Peter,

With Windows authentication, either the Windows user must belong to a
privileged Windows group such as ORA_DBA on the Oracle server or external
authentication must be enabled. External authentication is not recommended,
because it is less secure than access through group membership.

Do the users whom you want to impersonate belong to a Windows group
such as ORA_DBA?

For ASP.NET, we have to use <identity impersonate="true" /> to impersonate
the current logon user to process something rather than to use the default
NETWORK SERVICE account. I think the problem comes down to how the Oracle
database knows the Windows account is in the security user list. Just as
we need to add the Windows account to the Security/Logins list in
Microsoft SQL Server Management Studio, I think the Oracle database also
needs your impersonated account to be added to its user list. You also
said that the impersonation works on your local machine but not on the IIS
server, so I think it is a configuration problem on the Oracle database.
(Sorry, I'm not quite familiar with Oracle.)

Oracle database security problems are outside the support boundaries of
this managed newsgroup. So I also think we can find more help about how to
implement Windows Authentication for Oracle from oracle.com. But I will
still try my best to provide some useful clues to resolve your issue. Here
I found some useful links from third-party websites.

Securing a .NET Application on the Oracle Database
http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_masteringdotnet.html

--------------------
| From: "Peter Larsen [CPH]" <PeterLarsen@xxxxxxxxxxxxxxxx>
| Subject: Re: IIS 7 and WindowsIdentity
| Date: Wed, 28 Jul 2010 14:12:40 +0200
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
|
| Hi Jerry,
|
| I can't get it to work.
|
| I use the following sample to test with:
|
| string cs = ConfigurationManager.AppSettings["main.connectionstring"];
| Oracle.DataAccess.Client.OracleConnection oc = new OracleConnection(cs);
| string sql = "select * from table_name t";
| using (OracleCommand com = new OracleCommand(sql, oc))
| {
|     oc.Open();
|     OracleDataReader odr = com.ExecuteReader();
| }
|
| The web.config contains "identity impersonate = true" and user id=/; in the
| connection string.
|
| On my own machine, this works just fine, but it fails on the IIS with the
| error "Oracle.DataAccess.Client.OracleException: ORA-1017".
|
| I log the text from the line below and check that the logoff/logon events
| exist in the Security Log (on the server).
|
| string text = string.Format(
|     "windowsidentity:{0}:{1}, currentthread:{2}:{3}",
|     System.Security.Principal.WindowsIdentity.GetCurrent().Name,
|     System.Security.Principal.WindowsIdentity.GetCurrent().IsAuthenticated,
|     System.Threading.Thread.CurrentPrincipal.Identity.Name,
|     System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated);
|
| It all seems OK, but it doesn't work.
| What am I doing wrong here?
|
| Thank you.
|
| BR
| Peter
|
|
|
| "Jerry Weng" <v-jewen@xxxxxxxxxxxxx> wrote in message
| news:wj4dn$fLLHA.2348@xxxxxxxxxxxxxxxxxxxxxxxxx
| > Hello Peter Larsen,
| > Thank you for posting.
| > From your post, my understanding on this issue is: login to the database
| > with the current user which authenticated in your web system. If I'm off
| > base, please feel free to let me know.
| >
| > We need to impersonate the user to meet the requirement.
| >
| > So the connectionString needs to be like this:
| > <add key="Main.ConnectionString" value="data source=DATABASE;User Id=/;"/>
| >
| > And we need to add <identity impersonate="true"> to the web.config.
| >
| > <system.web>
| >   <identity impersonate="true"/>
| > </system.web>
| >
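
The identity logging in the quoted message, extended to record which token the thread presents at the moment of the Oracle logon. This is an added example, not code from the thread; it assumes .NET Framework, ODP.NET (Oracle.DataAccess), and the "User Id=/" connection string and `<identity impersonate="true"/>` setting discussed above. `ImpersonationDiagnostics` and its method names are hypothetical.

```csharp
// Added example (not from the thread). Assumes .NET Framework and ODP.NET.
using System;
using System.Configuration;
using System.Security.Principal;
using Oracle.DataAccess.Client;

public static class ImpersonationDiagnostics   // hypothetical helper name
{
    // Describe the token the current (impersonating) thread will present.
    public static string DescribeCurrentIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // Impersonation: token is usable on this machine only.
            // Delegation: token may also be presented to a remote server.
            return string.Format(
                "thread={0}, authenticated={1}, authType={2}, level={3}",
                id.Name, id.IsAuthenticated, id.AuthenticationType,
                id.ImpersonationLevel);
        }
    }

    // Worker-process account, read with impersonation temporarily reverted.
    public static string DescribeProcessIdentity()
    {
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name;
        }
    }

    // Attempt the OS-authenticated logon and return one log line.
    public static string TryOracleLogon()
    {
        string cs = ConfigurationManager.AppSettings["main.connectionstring"];
        string who = DescribeCurrentIdentity()
                     + ", process=" + DescribeProcessIdentity();
        try
        {
            using (OracleConnection oc = new OracleConnection(cs))
            {
                oc.Open();
                return "logon ok: " + who;
            }
        }
        catch (OracleException ex)
        {
            // ORA-1017: Oracle rejected the identity it was presented.
            return string.Format("ORA-{0} for {1}", ex.Number, who);
        }
    }
}
```

Logging the result of `TryOracleLogon()` on both the local machine and the IIS server gives two lines that can be compared field by field, alongside the logon events in the server's Security Log.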