RE: Newbie security frustration

From: Bernie (anonymous_at_discussions.microsoft.com)
Date: 04/23/04 

Date: Fri, 23 Apr 2004 08:11:02 -0700

Thanks, that is part of my frustration. I'm not sure what account is used during impersonation, vs non-impersonation. The differences between how .net works with impersonation and non .net uses it are obviously important, but I can't seem to find any clear information on the subject.

I've tried a series of different things. My final attempt was to swing the door wide open to everything by:
I enabled impersonation in machine.config
I entered a Administrator account and password into the IIS anynonmous username and password (for testing purposes only)
I continue to get the same error message although this account should have free run of the system. So I suspect that .net must be using a different account to attempt to read and write the files to the ".../Temporary ASP.NET Files" folder, but that is the million dollar question, what account?
     
     ----- "Shawn Farkas" wrote: -----
     
     Are you using impersonation? If you are, does the impersonated user have access to the path below? You might also be able to find more help
     on the microsoft.public.dotnet.aspnet.security newsgroup
     
     -Shawn
     http://blogs.msdn.com/shawnfa
     
     --
     
     This posting is provided "AS IS" with no warranties, and confers no rights.
     Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they
     originated.
     --------------------
>Thread-Topic: Newbie security frustration
>thread-index: AcQovbgNgil7T+r3TN+LcZSJ9EU/UA==
>X-WN-Post: microsoft.public.dotnet.security
>From: =?Utf-8?B?QmVybmll?= <anonymous@discussions.microsoft.com>>Subject: Newbie security frustration
>Date: Thu, 22 Apr 2004 16:01:17 -0700
>Lines: 14
>Message-ID: <658E5812-226A-45FB-9810-E040C6FF7BB7@microsoft.com>>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.dotnet.security
>Path: cpmsftngxa10.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:5825
>NNTP-Posting-Host: tk2msftcmty1.phx.gbl 10.40.1.180
>X-Tomcat-NG: microsoft.public.dotnet.security
>>I'm familiar with IIS (not an expert) and write ASP coding a bunch. I understand anonymous usernames and the basics behind IIS 6.0
     impersonation, but, I'm now trying to get an .net app to run on a Windows 2k3 server. It appears that it is much more complicated than it used to be.
     So here we go...
     
     
     
     I've added the files that make up the app to the IIS 6.0 wesite. I attempt to run it from a browser and get an error that I see many others getting:
     
     Error Msg:
     
     *********************
     
     Exception Details: System.UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
     ASP.NET Files\ilearn\ef80c615\45266ffc\hash.web" is denied.
     
     **********************
     
     
     
     Based on what I've read, this has to do with the configuration in the machine.config file, specifically the impersonate= and settings in the <process
     model> key. But I'm stuck there and can't disect what is going on with my coinfig in order to fix it. In other words, how do I figure out exactly what
     account the system is using? I've tried to use the ASPNET account and even added that to the administrators group but that doesn't work (I
     removed it now). Blah, blah, blah.
     
     
     
     It appears that .Net is trying to make copies of the files. Why? If it is going to try to do this by default, why aren't the default security settings ready
     to go? Additionally, I'm having a very difficulty time finding a resouce that spells out the concepts behind what is going on, and how to fix it. Can
     anyone point me in the right direction?
     
     
     
     Thanks
     
     B
>

Relevant Pages

  • RE: Newbie security frustration
    ... > I enabled impersonation in machine.config ... > I entered a Administrator account and password into the IIS anynonmous username and password ... Blah, blah, blah. ... Additionally, I'm having a very difficulty time finding a resouce that spells out the concepts behind what is going on, and how to fix it. ...
    (microsoft.public.dotnet.security)
  • Re: SetPassword access denied
    ... safely invoke SetPassword etc..... ... impersonation or using the process token without impersonation) is NOT ... account that is used for performing remote activities in the directory. ... Co-author of "The .NET Developer's Guide to Directory Services ...
    (microsoft.public.windows.server.active_directory)
  • Re: VS.NET 2005 and the "allowDefinition=MachineToApplication" error
    ... Your description of impersonation is great. ... If you want to use the default configured account, eliminate that entry, or configure it as: ... The easiest way to assign correct permissions to all required directories is to run: ... I re-started IIS and tried to access my ASPX page again -- same ...
    (microsoft.public.dotnet.framework.aspnet)
  • [Full-disclosure] Maybe nothing so shady; depends on the motive.
    ... There may be no impersonation going on. ... attempted use of a disabled account would produce messages about "account foo login fail" ... SecureWorks was still reading email addressed to David Maynor. ...
    (Full-Disclosure)
  • Re: SetPassword access denied
    ... That said, I think one thing worth pointing out is that in both cases here, your code is supplying credentials to the DirectoryEntry constructor. ... the identity of the current thread (established either via impersonation or using the process token without impersonation) is NOT the account that is used for performing remote activities in the directory. ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ...
    (microsoft.public.windows.server.active_directory)