Re: Impersonation through HttpModule
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 05/26/05
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: sslstream and certificates"
- Previous message: Dominick Baier [DevelopMentor]: "Re: sslstream and certificates"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Impersonation through HttpModule"
- Next in thread: otto: "Re: Impersonation through HttpModule"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 May 2005 09:56:58 -0700
Hello Joe,
Yes!
I recommend moving away from IIS5 and using app pools. Use impersonation only
if you have to.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Programmatic impersonation on IIS5 is painful because normal accounts
> can't call the LogonUser API on Win2K. This restriction is removed in
> XP and 2K3.
>
> On IIS6, I would recommend you do this without using impersonation,
> especially programmatic. It is much easier to set up a single AppPool
> for each application that runs under the specified domain account (and
> disable impersonation in web.config). The other option would be to
> use explicit impersonation in web.config, supplying a username and
> password there.
>
> On IIS 5 this is harder. There are no AppPools, so there is no good
> way to have a process account for each app as there is only one
> process. You can't use programmatic impersonation (or explicit
> impersonation of a specific user via web.config) with the default
> settings because you won't have rights to call LogonUser.
>
> The first thing you will need to do is figure out how you will get the
> necessary permissions to call LogonUser in the first place. One way
> might be to give the ASPNET account the "Act as part of the operating
> system" privilege in local security policy, but that also seriously
> compromises the security of the web server (although possibly not as
> much as simply running it as SYSTEM).
>
> Joe K.
> "otto" <otto@discussions.microsoft.com> wrote in message
> news:074DE94A-0BB6-4C3F-85DC-240DEC6D7CA8@microsoft.com...
>> Hi, Dominick:
>>
>> Both of them. What's the difference? I have little experience with IIS
>> 6.0
>>
>> "Dominick Baier [DevelopMentor]" wrote:
>>
>>> Hello otto,
>>>
>>> On which platform (IIS5 or 6)?
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Hi, all:
>>>> I have a question about security in ASP.NET applications. We have to
>>>> develop several applications, all of them with Windows integrated
>>>> security in IIS.
>>>> Each application must run under one domain account (each application
>>>> has its own account), so we have to use impersonation. How can I do
>>>> this with HttpModules?
>>>> Thanks a lot.
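
The two web.config settings named in Joe Kaplan's quoted reply for IIS 6, written out as an added example that is not part of the original thread. The account name EXAMPLE\svc-app1 and the password value are constructed placeholders.

```xml
<!-- Added example: two alternative web.config fragments (use one, not both). -->

<!-- Option 1 (IIS 6, the approach recommended in the reply): no impersonation.
     The application runs as its AppPool identity. That domain account is
     set on the application pool in IIS Manager, not in this file, and on
     IIS 6 it must be a member of the local IIS_WPG group. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="false" />
  </system.web>
</configuration>

<!-- Option 2: explicit impersonation of one fixed account.
     The credentials sit in web.config in clear text, so anyone who can
     read the file can read them. On IIS 5 / Win2K the default process
     account lacks the rights to call LogonUser, so this setting fails
     there, as the reply explains. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true"
              userName="EXAMPLE\svc-app1"
              password="PLACEHOLDER-NOT-A-REAL-PASSWORD" />
  </system.web>
</configuration>
```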