Re: Queries in regards Intranet Security.

From: Shel Blauman [MSFT] (sheldonb@online.microsoft.com)
Date: 02/07/03


From: "Shel Blauman [MSFT]" <sheldonb@online.microsoft.com>
Date: Fri, 7 Feb 2003 08:27:58 -0800


microsoft.public.dotnet.framework.aspnet.security might be a better
newsgroup for this question.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Ricky" <ricks_in@yahoo.com> wrote in message
news:051701c2ce8e$a0b3c8d0$a101280a@phx.gbl...
> Hi - I am going through MS provided security document and
> reading the part "Intranet Security: ASP.NET to SQL
> Server".
>
> It recommends the following config:
>
> For Authentication:
>
> 1. Use Integrated Windows Auth at IIS.
> 2. Use Windows Auth at ASP.NET (With Impersonation = False)
>
> For Authorization:
>
> 1. Use NTFS Permissions at IIS.
> 2. File Auth (.NET Roles ) at ASP.NET.
>
> Also it says, ASP.NET FileAuthorizationModule provides ACL
> checks against the original caller for ASP.NET file types
> that are mapped to IIS to the aspnet_isapi.dll.
>
> -------------------------
> My Question 1 - What does the above statement mean? Is this
> check made by ASP.NET by itself? If yes, when does it
> occur?
>
> My Question 2 - Is this check made only for web site files
> which are mapped in IIS or for resources accessed by those
> files too?
>
> My Question 3 - What NTFS permissions does IIS make here
> and on what files and resources?
> -------------------------
>
> There is also a question in document:
>
> Question - Why can't I enable impersonation for the web
> application and secure resources accessed by the web
> application using ACL's configured against the original
> caller?
>
> Answer - If you enable impersonation, the impersonated
> security context will not have network credentials
> (assuming delegation is not enabled and you are using
> integrated windows authentication)
>
> --------------------------
> My Question 4 - Why will the impersonated security context
> not have network credentials?
> --------------------------
>
>
>

