RE: impersonation or auditing issue ???
From: Dominick Baier (dotnet_at_leastprivilege.com)
Date: 12/27/04
To: microsoft.public.dotnet.security Date: Mon, 27 Dec 2004 14:37:02 -0800
Check your web.config - maybe some hidden <identity impersonate="true" />?
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
nntp://news.microsoft.com/microsoft.public.dotnet.security/
I too would think that way. But then the security audit log shows 'UserC'
being denied access to the file, which is throwing me off.
thx
Jay
"Dominick Baier" wrote:
> ASP.NET (under IIS 6) uses the app pool identity account for access to Windows objects (e.g. files) - I assume you do something like
>
> FileStream fs = new FileStream("specific file in some folder", FileMode.Open);
>
> in this case _every_ file system access is under the security context of 'UserB' - in your "access denied" test, UserB is the one denied access - not UserC or UserA
>
> ---
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> nntp://news.microsoft.com/microsoft.public.dotnet.security/
>
> <709A0B81-03D2-4FB4-9463-2DF6123B8648@microsoft.com>
>
> Hi,
>
> I have a simple/test ASP.Net web app. On clicking a button on the page, it
> does the following:
> access a specific file in some folder. (there is no impersonation being
> done here)
>
> The security on the above folder/file is configured such that only some
> users are allowed access to it. The virtual directory hosting the
> application in IIS is configured to use Windows Integrated Authentication
> only (anonymous access is unchecked). The user to be used for anonymous
> access is set to 'UserA'. The identity in the application pool to which this
> app belongs is set to 'UserB'
>
> When I access the application with a user (say UserC) who is disallowed
> access to the file and then press the button on the application's page to
> actually access the file, I do get an error saying "access is denied ..."
> which is what is expected here (fine).
>
> However the security audit log shows that "UserC failed to access the file"
> when I would have expected it to be either 'UserB' or 'UserA'. Note that I am
> not doing impersonation while accessing the file.
>
> Can someone tell me what I am missing here:
> - Does Windows Integrated Authentication also do impersonation under the
> covers? OR
> - Is it the audit system that is getting confused about the identity that is
> trying to access the file?
>
> thx
> Jay
>
> [microsoft.public.dotnet.security]
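An added diagnostic (not code from the thread) that makes Dominick's distinction visible from inside the page: the user IIS authenticated versus the Windows token actually on the worker thread, which is the account the NTFS ACL check and the security audit log name. It assumes an ASP.NET 1.1/2.0 Web Form on IIS 6 with Windows Integrated Authentication; the file path, class and handler names are placeholders.

```csharp
// Added diagnostic example, not code from the thread. The path stands in for the
// "specific file in some folder" of the question; handler and class names are assumed.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public class FileAccessDiagnostic : Page
{
    private const string TargetFile = @"C:\SomeFolder\SpecificFile.txt"; // placeholder

    protected void AccessFileButton_Click(object sender, EventArgs e)
    {
        // The user IIS authenticated (UserC in the thread). Without impersonation
        // this is only a principal object attached to the request.
        string requestUser = Context.User.Identity.Name;

        // The Windows token actually on this worker thread. The NTFS ACL check and
        // the security audit entry both name THIS account, not Context.User.
        string threadUser = WindowsIdentity.GetCurrent().Name;

        // If the two match, impersonation is in effect: either <identity impersonate="true" />
        // in web.config (the hidden setting to look for) or an explicit
        // WindowsIdentity.Impersonate() call somewhere on the code path.
        bool impersonating = String.Compare(requestUser, threadUser, true) == 0;

        Response.Write("Authenticated request user: " + Server.HtmlEncode(requestUser) + "<br/>");
        Response.Write("Thread (file access) identity: " + Server.HtmlEncode(threadUser) + "<br/>");
        Response.Write(impersonating
            ? "Impersonation is active - audit entries will name the request user.<br/>"
            : "No impersonation - audit entries will name the app pool account.<br/>");

        try
        {
            using (FileStream fs = new FileStream(TargetFile, FileMode.Open, FileAccess.Read))
            {
                Response.Write("Opened " + TargetFile + " (" + fs.Length + " bytes) as "
                    + Server.HtmlEncode(threadUser));
            }
        }
        catch (UnauthorizedAccessException)
        {
            // The "access is denied" case from the question: the failed-access audit
            // event on the file names threadUser, whichever account that turns out to be.
            Response.Write("Access denied for " + Server.HtmlEncode(threadUser) + " on " + TargetFile);
        }
    }
}
```

If the page reports the thread identity as UserC while web.config shows no `<identity>` element, look for an explicit `Impersonate()` call or an inherited web.config higher in the site.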