Re: Impersonation through HttpModule
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 05/27/05
Date: Fri, 27 May 2005 04:09:12 -0700
Hello otto,
You can use the <identity impersonate="true" /> element in web.config.
As I said - when you are impersonating you are in a wacky state... try to
keep it to a minimum.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Hi, Joe:
> Is there another way to make impersonation instead of using LogonUser?
> Using IPrincipal objects or Thread objects, HttpContext...
> Thanks for your help.
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Programmatic impersonation on IIS5 is painful because normal accounts
>> can't call the LogonUser API on Win2K. This restriction is removed
>> in XP and 2K3.
>>
>> On IIS6, I would recommend you do this without using impersonation,
>> especially programmatic. It is much easier to set up a single
>> AppPool for each application that runs under the specified domain
>> account (and disable impersonation in web.config). The other option
>> would be to use explicit impersonation in web.config, supplying a
>> username and password there.
>>
>> On IIS 5 this is harder. There are no AppPools, so there is no good
>> way to have a process account for each app as there is only one
>> process. You can't use programmatic impersonation (or explicit
>> impersonation of a specific user via web.config) with the default
>> settings because you won't have rights to call LogonUser.
>>
>> The first thing you will need to do is figure out how you will get
>> the necessary permissions to call LogonUser in the first place. One
>> way might be to give the ASPNET account the "Act as part of the
>> operating system" privilege in local security policy, but that also
>> seriously compromises the security of the web server (although
>> possibly not as much as simply running it as SYSTEM).
>>
>> Joe K.
>> "otto" <otto@discussions.microsoft.com> wrote in message
>> news:074DE94A-0BB6-4C3F-85DC-240DEC6D7CA8@microsoft.com...
>>> Hi, Dominick:
>>>
>>> Both of them. What's the difference? I have little experience with
>>> IIS 6.0
>>>
>>> "Dominick Baier [DevelopMentor]" wrote:
>>>
>>>> Hello otto,
>>>>
>>>> on which platform (IIS5 or 6)
>>>>
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> Hi, all:
>>>>> I have a question about security in ASP.NET applications. We've to
>>>>> develop several applications. All of them with Windows integrated
>>>>> security in IIS. Each application must run under one domain account
>>>>> (each application has its own account), so we've to use
>>>>> impersonation. How can I do this with HttpModules?
>>>>> Thanks a lot.
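An added example, not code from any poster in this thread: one way to act on the advice to keep impersonation to a minimum is to leave impersonation off in web.config and impersonate the authenticated caller only around the single call that needs it, without LogonUser. The names ScopedImpersonation and RunAsClient are hypothetical; the sketch assumes .NET Framework, Windows integrated authentication in IIS, and that it is the calling client (not a fixed per-application account) being impersonated.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (added example): confines impersonation of the
// authenticated Windows caller to one delegate call.
// Assumes <identity impersonate="false" /> in web.config, so the rest of
// the request runs under the worker process / AppPool identity.
public static class ScopedImpersonation
{
    public static T RunAsClient<T>(HttpContext context, Func<T> work)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (work == null) throw new ArgumentNullException("work");

        // With Windows authentication, User.Identity is a WindowsIdentity
        // wrapping the token IIS obtained for the caller.
        WindowsIdentity client = context.User == null
            ? null
            : context.User.Identity as WindowsIdentity;

        // An anonymous request also yields a WindowsIdentity, but it is
        // not authenticated; refuse rather than impersonate it.
        if (client == null || !client.IsAuthenticated)
        {
            throw new InvalidOperationException(
                "Request has no authenticated Windows identity.");
        }

        WindowsImpersonationContext impersonation = client.Impersonate();
        try
        {
            // Only this call runs with the caller's token on the thread.
            return work();
        }
        finally
        {
            // Revert to the process identity even if work() throws, so the
            // impersonated token never leaks into later code on this thread.
            impersonation.Undo();
        }
    }
}
```

Code that starts new threads or queues work inside the delegate should not assume the impersonated token follows it.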