RE: impersonation or auditing issue ???

From: Jayant Sane (JayantSane_at_discussions.microsoft.com)
Date: 12/27/04

  • Next message: Dominick Baier: "RE: impersonation or auditing issue ???"
    Date: Mon, 27 Dec 2004 13:37:03 -0800
    
    

    I too would think that way. But then the security audit log shows 'UserC'
    being denied access to the file, which is throwing me off.

    thx
    Jay

    "Dominick Baier" wrote:

    > ASP.NET (under IIS 6) uses the app pool identity account for access to Windows objects (e.g. files) - I assume you do something like
    >
    > FileStream fs = new FileStream("specific file in some folder");
    >
    > in this case _every_ file system access is under the security context of 'UserB' - in your "access denied" test - UserB is access denied - not UserC or UserA
    >
    >
    >
    > ---
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > nntp://news.microsoft.com/microsoft.public.dotnet.security/<709A0B81-03D2-4FB4-9463-2DF6123B8648@microsoft.com>
    >
    > Hi,
    >
    > I have a simple/test ASP.Net web app. On clicking a button on the page, it
    > does the following:
    > access a specific file in some folder. (there is no impersonation being
    > done here)
    >
    > The security on the above folder/file is configured such that only some
    > users are allowed access to it. The virtual directory hosting the
    > application in IIS is configured to use Windows Integrated Authentication
    > only (anonymous access is unchecked). The user to be used for anonymous
    > access is set to 'UserA'. The identity in the application pool to which this
    > app belongs is set to 'UserB'
    >
    > When I access the application with a user (say UserC) who is disallowed
    > access to the file and then press the button on the application's page to
    > actually access the file, I do get an error saying "access is denied ..."
    > which is what is expected here (fine).
    >
    > However the security audit log shows that "UserC failed to access the file"
    > when I would have expected it to be either 'UserB' or 'UserA'. Note that I am
    > not doing impersonation while accessing the file.
    >
    > Can someone tell me what I am missing here:
    > - Does Windows Integrated Authentication also do impersonation under the
    > covers? OR
    > - it is the audit system that is getting confused about the identity that is
    > trying to access the file?
    >
    > thx
    > Jay
    >
    > [microsoft.public.dotnet.security]
    >
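
An added diagnostic example, not part of the original thread: a minimal ASP.NET handler that reports the authenticated user, the account the request thread presents to the file system, and the worker-process account, so they can be compared with the account named in the security audit log. The handler name `WhoAmIHandler` is hypothetical; the code assumes .NET Framework 2.0 or later and that the handler is registered in the application (for example through an .ashx file).

```csharp
// Added example (not from the thread). WhoAmIHandler is a hypothetical name.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Identity that IIS/ASP.NET authenticated for this request.
        IIdentity user = (context.User != null) ? context.User.Identity : null;
        string authenticated = (user != null && user.IsAuthenticated)
            ? user.Name : "(anonymous)";

        // Token the thread presents on file access: the impersonation token
        // if the thread is impersonating, otherwise the process token.
        string effective = WindowsIdentity.GetCurrent().Name;

        // GetCurrent(true) returns null unless the thread is impersonating.
        bool impersonating = (WindowsIdentity.GetCurrent(true) != null);

        // Temporarily revert to the process token to read the worker-process
        // (application pool) account, then restore the previous token.
        string process;
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            process = WindowsIdentity.GetCurrent().Name;
        }
        finally
        {
            reverted.Undo();
        }

        context.Response.ContentType = "text/plain";
        context.Response.Write("Authenticated user    : " + authenticated + "\r\n");
        context.Response.Write("Effective thread token: " + effective + "\r\n");
        context.Response.Write("Worker process account: " + process + "\r\n");
        context.Response.Write("Thread impersonating  : " + impersonating + "\r\n");
    }
}
```

The account on the "Effective thread token" line is the one a file-access audit entry will name for code running on that request thread.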

