.Net Remoting and Stored Usernames and Passwords - Is this a Bug?!
- From: cindy.fisher@xxxxxxxxxxxxxxxxxx
- Date: 6 Apr 2006 15:01:26 -0700
I'm hoping that this is a bug (that WILL BE FIXED) and not intended
behavior by Microsoft.
Apparently, entries in "stored usernames and passwords" (which is
enabled by default when you install the OS) override the user's
security credentials when a .Net Remoting call is made to a machine
that has an entry in the list. This is a HUGE security breach and a
potential nightmare for software developers using .Net Remoting.
I came across this while I was testing an application I wrote using .Net
Remoting 2.0. I kept getting access denied in the remoting call on my
client (Windows Server 2003) and when I traced it I saw that I was
coming into the server as a different user than the one logged onto my
client machine. I spent a couple of days trying to figure out how this
could be and then I learned about "stored usernames and passwords". It
was using security credentials that were stored and the password had
expired. This is impersonation without the software intending to
impersonate!
Example: A user of your software attempts to perform a task on your
application that does Remoting. In the past they have made a remote
connection to the machine that hosts the remoting server. The
credentials they used to make the remote connection are no longer valid
(account was deleted, password changed, etc.). The task fails, the
functionality doesn't work, and unless they find out about stored
usernames and passwords (and delete\disable it), it will never work.
Microsoft, this is a serious security violation. Additionally, nowhere
could I find this little tidbit documented in any of your .Net Remoting
documentation. So I ask you, is this a bug? And I beg you, please fix
it!!!
Cindy
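The symptom described in the post (the server sees a different identity than the one logged on to the client) is easiest to confirm from both ends. The following is an added example, not code from the post or from Microsoft: a remoted object that reports and logs the identity each call arrives as, and a client that states its credentials explicitly on the channel sink and compares the server's answer with the local Windows identity. It assumes the object is hosted in IIS with Windows authentication so the HTTP channel populates Thread.CurrentPrincipal; the server URL is a placeholder.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Security.Principal;
using System.Threading;

// Server-side object: returns the identity the remoting call actually arrived as.
// Assumption: hosted in IIS with Windows authentication, so the HTTP channel
// sets Thread.CurrentPrincipal for each incoming call.
public class WhoAmIService : MarshalByRefObject
{
    public string GetCallerIdentity()
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        string name = (caller != null && caller.Identity != null)
            ? caller.Identity.Name
            : "<no principal>";
        // Log the caller on the server so an unexpected identity shows up in
        // the server log instead of only as "access denied" on the client.
        Console.WriteLine("Remoting call from: " + name);
        return name;
    }
}

public static class Client
{
    // Hypothetical endpoint; replace with the real server URL.
    const string ServerUrl = "http://remotinghost.example/WhoAmIService.rem";

    public static string CheckIdentity()
    {
        // Register a client HTTP channel (ensureSecurity=false keeps the example
        // to the identity question; enable it when the channel supports it).
        ChannelServices.RegisterChannel(new HttpClientChannel(), false);

        WhoAmIService proxy = (WhoAmIService)Activator.GetObject(
            typeof(WhoAmIService), ServerUrl);

        // State the intended credentials explicitly on the channel sink:
        // the interactive user's own token, not whatever the channel would
        // otherwise pick up.
        IDictionary sinkProps = ChannelServices.GetChannelSinkProperties(proxy);
        sinkProps["credentials"] = CredentialCache.DefaultCredentials;

        string expected = WindowsIdentity.GetCurrent().Name;
        string actual = proxy.GetCallerIdentity();

        if (!string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase))
        {
            // Mismatch: the server authenticated the call as someone other than
            // the logged-on user, which is the behavior the post describes.
            Console.WriteLine(
                "WARNING: local user {0} reached the server as {1}. " +
                "Check the client's Stored User Names and Passwords entry for this host.",
                expected, actual);
        }
        return actual;
    }
}
```

Running the client on the affected machine makes the substitution visible in one line instead of a multi-day trace, and the server-side log gives the operator the same fact from the other side. On Windows Server 2003 and later the client's stored entries can be listed with `cmdkey /list` and a stale entry for the host removed with `cmdkey /delete:<target>`, which is the cleanup step the post arrives at.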