Re: ASP.NET Process Identity???
From: Roberto López (roblop_at_telecable.es)
Date: 08/02/03
- Previous message: Hamid: "My web site not working with domain in my intranet"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: ASP.NET Process Identity???"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: ASP.NET Process Identity???"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: ASP.NET Process Identity???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 2 Aug 2003 21:59:48 +0200
In the application I do not need/want to create user accounts in SQL Server.
To control the security I have created a custom security system. Only
domain trusted users can access the application and I have created some
roles. It's a little more complicated because the security in some cases
depends on the data that is being accessed. E.g. I have a table in SQL
Server called "Projects". There is a field in the table called
"UsersAssigned"; it contains a list of Active Directory users that can work
with the project. To assign these permissions I use a class to obtain a list
of users of Active Directory that are members of a specific group. With this
approach the application runs OK and it's secure (I hope). The only
way to access restricted data is to log in as a trusted domain user.
Tell me your comments about this system. Thanks.
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
wrote in message news:u8OENSJWDHA.384@TK2MSFTNGP12.phx.gbl...
> Under Windows 2000, a thread needs to have the "Act As Part of the Operating
> System" privilege to call LogonUser, and generally only SYSTEM has this
> privilege. Thus you need to run as SYSTEM (or an equally powerful account)
> to call LogonUser.
>
> There are other ways you can connect to a remote network resource as the
> user logging in to the web application though. Kerberos delegation allows
> this for example. It requires Kerberos authentication and requires that the
> accounts in AD be enabled for delegation (the users and the machine), but IF
> you have that working, you can simply enable impersonation in your web
> config and should get successful Windows authentication to the SQL server.
> Using that, you can switch back to the normal ASPNET machine account for the
> ASP.NET processModel.
>
> Supposedly if you use Basic authentication you can get this to work without
> Kerberos or delegation.
>
> However, there are a bunch of reasons why you might not want to be
> connecting to SQL as the current logged on user. Doing that defeats the
> ability to use connection pooling, which could seriously hurt your
> scalability. It is more common to use a single account in SQL with the
> appropriate permissions and manage role-based security through your code (in
> the business objects for example).
>
> Do you absolutely need to connect to SQL as the current user?
>
> Joe K.
>
> "Roberto López" <rlopez@eurosistemas.net> wrote in message
> news:%23VYz7OBWDHA.548@tk2msftngp13.phx.gbl...
> > I have added "SYSTEM" to machine.config because if I do not do this my app
> > doesn't run properly; I have read something about this having something
> > to do with SQL Server but I don't know what.
> > In my IIS I have only Windows Security activated; anonymous users are not
> > allowed.
> > To impersonate a user I used this code:
> > Imports System.Security.Principal
> >
> > Public Class Personificacion
> >
> >     ' Logon type and provider passed to LogonUser
> >     Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
> >     Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
> >     ' SecurityImpersonation level passed to DuplicateToken
> >     Private Const SECURITY_IMPERSONATION As Integer = 2
> >
> >     ' Credentials of the account to impersonate
> >     Private _Usuario As String
> >     Private _Dominio As String
> >     Private _Password As String
> >
> >     Private ImpersonationContext As WindowsImpersonationContext
> >
> >     Public Sub New(ByVal Usuario As String, ByVal Dominio As String, _
> >                    ByVal Password As String)
> >         _Usuario = Usuario
> >         _Dominio = Dominio
> >         _Password = Password
> >     End Sub
> >
> >     '*************************************************************
> >     ' On Windows 2000 the calling process needs the "Act as part of the
> >     ' operating system" privilege for this call to succeed
> >     Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, _
> >         ByVal lpszDomain As String, _
> >         ByVal lpszPassword As String, _
> >         ByVal dwLogonType As Integer, _
> >         ByVal dwLogonProvider As Integer, _
> >         ByRef phToken As IntPtr) As Integer
> >
> >     '*************************************************************
> >     Declare Auto Function DuplicateToken Lib "advapi32.dll" (ByVal ExistingTokenHandle As IntPtr, _
> >         ByVal ImpersonationLevel As Integer, _
> >         ByRef DuplicateTokenHandle As IntPtr) As Integer
> >
> >     ' Releases the token handles returned by the two calls above
> >     Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Integer
> >
> >     '*************************************************************
> >     Public Function Personificar() As Boolean
> >         Dim tempWindowsIdentity As WindowsIdentity
> >         Dim Token As IntPtr = IntPtr.Zero
> >         Dim TokenDuplicado As IntPtr = IntPtr.Zero
> >         Personificar = False
> >
> >         ' Both API calls return nonzero on success
> >         If LogonUser(_Usuario, _Dominio, _Password, LOGON32_LOGON_INTERACTIVE, _
> >                      LOGON32_PROVIDER_DEFAULT, Token) <> 0 Then
> >             ' The primary token must be duplicated into an impersonation token
> >             If DuplicateToken(Token, SECURITY_IMPERSONATION, TokenDuplicado) <> 0 Then
> >                 tempWindowsIdentity = New WindowsIdentity(TokenDuplicado)
> >                 ImpersonationContext = tempWindowsIdentity.Impersonate()
> >                 Personificar = Not (ImpersonationContext Is Nothing)
> >             End If
> >         End If
> >
> >         ' The thread now holds its own reference to the token, so close ours
> >         If Not TokenDuplicado.Equals(IntPtr.Zero) Then CloseHandle(TokenDuplicado)
> >         If Not Token.Equals(IntPtr.Zero) Then CloseHandle(Token)
> >     End Function
> >
> >     '****************************************************************
> >     Public Sub DesPersonificar()
> >         If Not ImpersonationContext Is Nothing Then
> >             ImpersonationContext.Undo()
> >             ImpersonationContext = Nothing
> >         End If
> >     End Sub
> >
> > End Class
> >
> >
> > There is a good article in MSDN that reviews in depth the process of
> > impersonation in ASP.NET.
> > I don't have the URL, sorry.
> >
> >
> > "Chris Jackson" <chrisj@mvps.org> wrote in message
> > news:eZTP3v5VDHA.2100@TK2MSFTNGP11.phx.gbl...
> > > > In my machine.config file I have written "SYSTEM" as the user for
> > > > ASP.NET (in the process model section). For security reasons
> > > > the directories where users upload and download files are protected
> > > > with NTFS permissions that allow access only for Administrators.
> > >
> > > This is a very bad idea. You don't want your ASP.NET code to run with
> > > system privileges. That is why they created the low-privilege ASPNET
> > > account - to get out of the mindset of giving every service unmitigated
> > > permissions. I would switch back to the ASPNET account. Your ASP.NET
> > > process should be running with just enough permissions to do what it has
> > > to do, and no more.
> > >
> > > > I planned to use a function to impersonate an administrator user when
> > > > I upload and download files, but I found that it is not necessary
> > > > and I don't know why.
> > >
> > > What code are you using for this? If it is being handled by IIS rather
> > > than ASP.NET, then you'll want to follow the credentials path of the IIS
> > > process to see if it would be authorized to do so.
> > >
> > > --
> > > Chris Jackson
> > > Software Engineer
> > > Microsoft MVP - Windows XP
> > > Windows XP Associate Expert
> > > --
> > >
> > >
> >
> >
>
>
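As an added illustration of Joe's suggestion (not part of any post in this thread): the machine.config processModel entry with the SYSTEM identity the original poster describes, next to the setting that returns the worker process to the low-privilege ASPNET account, and the web.config entries that make each request impersonate the authenticated Windows user so that identity (given Kerberos delegation) reaches SQL Server. The server name, database name and connection-string key are constructed sample values.

```xml
<!-- machine.config, inside <system.web>: identity of the ASP.NET worker process -->

<!-- Weak: the whole worker process runs as LocalSystem -->
<processModel enable="true" userName="SYSTEM" password="AutoGenerate" />

<!-- Corrected: run as the low-privilege ASPNET account -->
<processModel enable="true" userName="machine" password="AutoGenerate" />

<!-- web.config of the application -->
<configuration>
  <system.web>
    <!-- IIS is set to Windows authentication with anonymous access disabled -->
    <authentication mode="Windows" />
    <!-- Reject anonymous callers so every request carries a Windows identity -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- The request thread impersonates the caller; with the user and machine
         accounts enabled for delegation in AD, that identity is what SQL Server sees -->
    <identity impersonate="true" />
  </system.web>
  <appSettings>
    <!-- Integrated security: no SQL logins, the impersonated user is used
         (constructed sample values) -->
    <add key="ConnectionString"
         value="Data Source=SQLSERVER01;Initial Catalog=Projects;Integrated Security=SSPI;" />
  </appSettings>
</configuration>
```

With this setup each distinct caller gets its own connection pool, which is the scalability cost Joe describes; the alternative he mentions, a single SQL account plus role checks in the business objects, keeps one shared pool.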