impersonation or auditing issue ???

From: Dominick Baier (dotnet_at_leastprivilege.com)
Date: 12/27/04


To: microsoft.public.dotnet.security
Date: Mon, 27 Dec 2004 13:08:23 -0800

ASP.NET (under IIS 6) uses the app pool identity account for access to Windows objects (e.g. files) - I assume you do something like

 FileStream fs = new FileStream("specific file in some folder", FileMode.Open);

In this case _every_ file system access is under the security context of 'UserB' - in your "access denied" test it is UserB that is denied access - not UserC or UserA.

 

 ---
 Dominick Baier - DevelopMentor
 http://www.leastprivilege.com

   nntp://news.microsoft.com/microsoft.public.dotnet.security/<709A0B81-03D2-4FB4-9463-2DF6123B8648@microsoft.com>

 Hi,
 
 I have a simple/test ASP.Net web app. On clicking a button on the page, it
 does the following:
 access a specific file in some folder. (there is no impersonation being
 done here)
 
 The security on the above folder/file is configured such that only some
 users are allowed access to it. The virtual directory hosting the
 application in IIS is configured to use Windows Integrated Authentication
 only (anonymous access is unchecked). The user to be used for anonymous
 access is set to 'UserA'. The identity in the application pool to which this
 app belongs is set to 'UserB'
 
 When I access the application with a user (say UserC) who is disallowed
 access to the file and then press the button on the application's page to
 actually access the file, I do get an error saying "access is denied ..."
 which is what is expected here (fine).
 
 However the security audit log shows that "UserC failed to access the file"
 when I would have expected it to be either 'UserB' or 'UserA'. Note that I am
 not doing impersonation while accessing the file.
 
 Can someone tell me what I am missing here:
 - Does Windows Integrated Authentication also do impersonation under the
 covers? OR
 - Is it the audit system that is getting confused about the identity that is
 trying to access the file?
 
 thx
 Jay
 
 [microsoft.public.dotnet.security]
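An added diagnostic page (not written by either poster) that makes the point of the reply observable for Jay's scenario: the button handler opens the file once under the worker thread's default token and once under the authenticated caller's token, and reports which account each attempt ran as, so the name in the corresponding audit entry can be matched to the code path that produced it. It assumes a Windows-authenticated ASP.NET page with a Label control named lblResult and a hypothetical file path.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Diagnostic for the thread's question: which Windows identity actually
// opens the file, and therefore which account the security audit log names.
public partial class AuditProbe : Page
{
    // Hypothetical path; substitute the file whose ACL you are testing.
    private const string ProtectedFile = @"C:\SomeFolder\protected.txt";

    protected void btnOpen_Click(object sender, EventArgs e)
    {
        // 1. Default path: no explicit impersonation. The thread token is the
        //    app pool identity (UserB) unless <identity impersonate="true"/>
        //    is set in web.config, in which case it is the caller (UserC).
        string asDefault = WindowsIdentity.GetCurrent().Name + ": " + TryOpen(ProtectedFile);

        // 2. Explicit path: run the same open under the caller's token. With
        //    Windows Integrated Authentication the principal is a WindowsIdentity.
        string asCaller = "n/a (caller is not a Windows identity)";
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller != null)
        {
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                // Any audit entry generated here names the caller, not the pool account.
                asCaller = WindowsIdentity.GetCurrent().Name + ": " + TryOpen(ProtectedFile);
            }
        }

        lblResult.Text = "Default token -> " + asDefault + "<br/>Impersonated -> " + asCaller;
    }

    // Opens the file read-only and returns a short outcome string; an
    // UnauthorizedAccessException here is the "access is denied" the poster saw.
    private static string TryOpen(string path)
    {
        try
        {
            using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read))
            {
                return "ok (" + fs.Length + " bytes)";
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            return "access denied: " + ex.Message;
        }
    }
}
```

Comparing the two reported names with the account in the audit event tells you whether the failed open came from the default token or from an impersonated call.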

