Re: Impersonation through HttpModule
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/26/05
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: sslstream and certificates"
- Previous message: Nicole Calinoiu: "Re: Appl. Security Problems"
- In reply to: otto: "Re: Impersonation through HttpModule"
- Next in thread: Dominick Baier [DevelopMentor]: "Re: Impersonation through HttpModule"
- Reply: Dominick Baier [DevelopMentor]: "Re: Impersonation through HttpModule"
- Reply: otto: "Re: Impersonation through HttpModule"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 May 2005 09:42:43 -0500
Programmatic impersonation on IIS5 is painful because normal accounts can't
call the LogonUser API on Win2K. This restriction is removed in XP and 2K3.
On IIS6, I would recommend you do this without using impersonation,
especially programmatic. It is much easier to set up a single AppPool for
each application that runs under the specified domain account (and disable
impersonation in web.config). The other option would be to use explicit
impersonation in web.config, supplying a username and password there.
On IIS 5 this is harder. There are no AppPools, so there is no good way to
have a process account for each app as there is only one process. You can't
use programmatic impersonation (or explicit impersonation of a specific user
via web.config) with the default settings because you won't have rights to
call LogonUser.
The first thing you will need to do is figure out how you will get the
necessary permissions to call LogonUser in the first place. One way might
be to give the ASPNET account the "Act as part of the operating system"
privilege in local security policy, but that also seriously compromises the
security of the web server (although possible not as much as simplying
running it as SYSTEM).
Joe K.
"otto" <otto@discussions.microsoft.com> wrote in message
news:074DE94A-0BB6-4C3F-85DC-240DEC6D7CA8@microsoft.com...
> Hi, Dominick:
>
> both of them. What´s the difference? I have few experience with IIS 6.0
>
>
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> Hello otto,
>>
>> on which platform (IIS5 or 6)
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>
>> > Hi, all:
>> > I have a question about security in ASP.NET applications. We´ve to
>> > develop
>> > several applications. All of them with Windows integrated security in
>> > IIS.
>> > Each application must run under one domain account (each application
>> > has its
>> > own account), so we´ve to use impersonation. How can I do this with
>> > HttpModule´s?
>> > Thanks a lot.
>> >
>>
>>
>>
>>
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: sslstream and certificates"
- Previous message: Nicole Calinoiu: "Re: Appl. Security Problems"
- In reply to: otto: "Re: Impersonation through HttpModule"
- Next in thread: Dominick Baier [DevelopMentor]: "Re: Impersonation through HttpModule"
- Reply: Dominick Baier [DevelopMentor]: "Re: Impersonation through HttpModule"
- Reply: otto: "Re: Impersonation through HttpModule"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
