Re: declarative security and impersonation

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 04/28/05


Date: Thu, 28 Apr 2005 09:22:09 -0700

Hello lloyd,

aah - the unsupported ones :)

well - it's been quite a while since i looked at this -

can't you retrieve the client principal through some property - you have
to set it on CurrentPrincipal on the current thread -

as i said - get the client principal somehow on that property - all PrincipalPermission
is doing is calling - Thread.CurrentPrincipal.IsInRole()...

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I'm using the Microsoft.Samples.Runtime.Remoting.Security library,
> this is a console application hosting remoted objects. The calling
> application is also a console app where i change its user with
> LogonUser before remoting (really just so i can test). FWIW i guess
> the Microsoft.Samples.. etc doesn't have much effect because I also
> have this same behavior when i set up the remoting with just a simple
> tcpchannel programmatically. I don't think the thread / impersonation
> behavior you mention is happening here, the impersonation happens
> after the thread is created. thanks for the reply btw.
>
> Lloyd Christopher
> SLOW30
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:315684632502849780322224@news.microsoft.com...
>
>> Hello lloyd,
>>
>> What kind of application is that? asp.net / desktop / nt service? How
>> are you starting the new thread?
>>
>> Generally, all that [PrincipalPermission] does is calling IsInRole on
>> Thread.CurrentPrincipal - regardless of impersonation or whatever -
>> another point to note is - if you impersonate and AFTER that start a
>> new thread - the impersonation token will not get copied to the new
>> thread and you end up with Process Identity again....
>>
>> If you give me more info we should be able to troubleshoot that
>> problem
>>
>> HTH
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I'm trying to use declarative security on an impersonated thread but
>>> i'm getting "System.Security.SecurityException: Request for
>>> principal permission failed". Here is the code, haven't had any luck
>>> finding anything on google so far.
>>>
>>> Dim currentIdentity As WindowsIdentity = _
>>>     DirectCast(Thread.CurrentPrincipal.Identity, WindowsIdentity)
>>> Dim windowsImpersonationContext As WindowsImpersonationContext = _
>>>     currentIdentity.Impersonate
>>> Console.WriteLine(String.Format("1 thread {0:S}, user1 {1:S}, user2 {2:S}", _
>>>     AppDomain.GetCurrentThreadId.ToString, _
>>>     Thread.CurrentPrincipal.Identity.Name, _
>>>     WindowsIdentity.GetCurrent.Name))
>>> If Thread.CurrentPrincipal.IsInRole("LLOYDATLARGE\GRS") Then
>>>     TestInternal()
>>> End If
>>>
>>> the WriteLine statement outputs the correct impersonated username for
>>> both, but when it calls TestInternal (obviously indicating that i
>>> do have that group), i get the exception. here is TestInternal.
>>>
>>> <System.Security.Permissions.PrincipalPermission(Permissions.SecurityAction.Demand, _
>>>     Role:="LLOYDLATLARGE\GRS")> _
>>> Public Sub TestInternal()
>>>     Console.WriteLine("testing.")
>>> End Sub
>>>
>>> same if i replace the call to TestInternal() with
>>>
>>> Dim ppPrincPermis As New _
>>>     System.Security.Permissions.PrincipalPermission(Nothing, "LLOYDATLARGE\grs")
>>> ppPrincPermis.Demand
>>>
>>> any ideas? probably something dumb and i've just been staring at
>>> this too long.. thanks
>>>
>>> Lloyd Christopher
>>> SLOW30
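
Added example (not part of the original thread and not code from either poster): a console program for the Windows .NET Framework showing that a PrincipalPermission demand is decided by Thread.CurrentPrincipal.IsInRole() and not by the thread's Windows token. The names "EXAMPLE\Operators" and "EXAMPLE\client" are constructed, and the GenericPrincipal stands in for whatever client principal the remoting channel would supply.

```vbnet
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

Module PrincipalDemandDemo
    ' Constructed role name, used only for this example.
    Private Const DemoRole As String = "EXAMPLE\Operators"

    ' True if a demand for the role passes against Thread.CurrentPrincipal.
    Function DemandSucceeds(ByVal role As String) As Boolean
        Try
            Dim perm As New PrincipalPermission(Nothing, role)
            perm.Demand()
            Return True
        Catch ex As SecurityException
            Return False
        End Try
    End Function

    ' Prints the managed principal, the Windows token and the demand result.
    Sub Report(ByVal label As String, ByVal role As String)
        Console.WriteLine("{0}: principal='{1}', token='{2}', demand({3})={4}", _
            label, Thread.CurrentPrincipal.Identity.Name, _
            WindowsIdentity.GetCurrent().Name, role, DemandSucceeds(role))
    End Sub

    Sub Main()
        ' 1. Console app default: an unauthenticated GenericPrincipal with no
        '    roles, so the demand fails whatever token the thread runs under.
        Report("default", DemoRole)

        ' 2. Stand-in for the client principal: once it is placed on the
        '    thread the demand passes, although the Windows token is unchanged.
        Thread.CurrentPrincipal = New GenericPrincipal( _
            New GenericIdentity("EXAMPLE\client"), New String() {DemoRole})
        Report("client principal set", DemoRole)

        ' 3. To make demands follow the Windows token (the impersonated one
        '    while impersonating), wrap that token in a WindowsPrincipal.
        Thread.CurrentPrincipal = New WindowsPrincipal(WindowsIdentity.GetCurrent())
        Report("windows principal set", "BUILTIN\Users")
    End Sub
End Module
```

The role string passed to the demand is handed to IsInRole() as written, so it must match the principal's role or group name exactly.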


