Re: Impersonation through HttpModule

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/27/05


Date: Fri, 27 May 2005 09:56:47 -0500

You might also consider using SSPI directly to create a token for a user,
but that is more complex and might not do what you want. Another
alternative for Win2K would be to place all of your code that needs a
special identity in a separate component that you set up under COM+ to run
as a special identity.

Joe K.

"otto" <otto@discussions.microsoft.com> wrote in message
news:C418EF05-A35D-4FC3-A79D-44F960A296AC@microsoft.com...
> Hi, Joe:
> Is there another way to make impersonation instead using LogonUser? Using
> IPrincipal objects or Thread objects, HttpContext...
> Thanks for your help.
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Programmatic impersonation on IIS5 is painful because normal accounts
>> can't call the LogonUser API on Win2K. This restriction is removed in XP
>> and 2K3.
>>
>> On IIS6, I would recommend you do this without using impersonation,
>> especially programmatic. It is much easier to set up a single AppPool for
>> each application that runs under the specified domain account (and disable
>> impersonation in web.config). The other option would be to use explicit
>> impersonation in web.config, supplying a username and password there.
>>
>> On IIS 5 this is harder. There are no AppPools, so there is no good way to
>> have a process account for each app as there is only one process. You
>> can't use programmatic impersonation (or explicit impersonation of a
>> specific user via web.config) with the default settings because you won't
>> have rights to call LogonUser.
>>
>> The first thing you will need to do is figure out how you will get the
>> necessary permissions to call LogonUser in the first place. One way might
>> be to give the ASPNET account the "Act as part of the operating system"
>> privilege in local security policy, but that also seriously compromises
>> the security of the web server (although possibly not as much as simply
>> running it as SYSTEM).
>>
>> Joe K.
>> "otto" <otto@discussions.microsoft.com> wrote in message
>> news:074DE94A-0BB6-4C3F-85DC-240DEC6D7CA8@microsoft.com...
>> > Hi, Dominick:
>> >
>> > both of them. What's the difference? I have little experience with IIS 6.0
>> >
>> >
>> >
>> > "Dominick Baier [DevelopMentor]" wrote:
>> >
>> >> Hello otto,
>> >>
>> >> on which platform (IIS5 or 6)
>> >>
>> >> ---------------------------------------
>> >> Dominick Baier - DevelopMentor
>> >> http://www.leastprivilege.com
>> >>
>> >> > Hi, all:
>> >> > I have a question about security in ASP.NET applications. We have to
>> >> > develop several applications, all of them with Windows integrated
>> >> > security in IIS. Each application must run under one domain account
>> >> > (each application has its own account), so we have to use
>> >> > impersonation. How can I do this with HttpModules?
>> >> > Thanks a lot.
>> >> >
>> >>
>> >>
>> >>
>> >>
>>
>>
>>
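The IIS 6 setup Joe recommends (one AppPool per application running as its own domain account, impersonation turned off in web.config) and the explicit-impersonation alternative he mentions, written out as a web.config fragment. This is an added example, not a configuration posted in the thread; the account name CONTOSO\svc-app1 and the password value are placeholders.

```xml
<!-- web.config for one ASP.NET 1.x application on IIS 6 (added example, not from the thread).
     The application is assigned its own AppPool in IIS Manager, and that pool's
     identity is set to the dedicated domain account (CONTOSO\svc-app1 is a placeholder).
     With impersonation off, all page and module code runs as the AppPool identity,
     so no LogonUser call and no extra privilege grant to the worker process is needed. -->
<configuration>
  <system.web>
    <!-- Windows integrated authentication: IIS authenticates the caller and the
         application can still read User.Identity.Name, but it does not run as
         that caller. -->
    <authentication mode="Windows" />

    <!-- Recommended on IIS 6: run as the AppPool identity, not as the caller. -->
    <identity impersonate="false" />

    <!-- Alternative from the thread: explicit impersonation of one fixed account.
         On IIS 5 this only works if the worker process is allowed to call
         LogonUser, and the credentials sit in web.config in plaintext, so the
         file's NTFS ACL is the only thing protecting them. Kept commented out. -->
    <!--
    <identity impersonate="true" userName="CONTOSO\svc-app1" password="placeholder-password" />
    -->
  </system.web>
</configuration>
```

Creating the AppPool and setting its identity is done in IIS Manager (or with the IIS admin scripts), not in web.config; the domain account only needs membership in the local IIS_WPG group to run a worker process, which is the least-privilege option of the three discussed. If the explicit-impersonation form is used instead, Microsoft's aspnet_setreg.exe utility can move the userName and password values out of web.config into an ACL-protected registry key that the identity element then references with its registry: syntax, which avoids leaving the password readable in the file.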


