Re: help on caller credentials !! :-(



hello dominick,

here are a few tests I have made. I hate things when I do not 100% understand
what is going on.

I am running my client application under user BOB on a Windows 2000 machine.
Then my server component is hosted in a Windows service running on a Vista
machine. So far so good.

First test, BOB does not exist at all on the Vista machine:
Running my client will generate an InvalidCredential exception (sounds logical).

Then I create the BOB account on my Vista machine and run the same test.
At this phase BOB has been identified and I can log credential info from the
server side and I get:
Authentication Type=NTLM
isAuthenticated = True
Name : VISTA-PC\BOB

So first of all, I am able to read the client credential from my remote object
whatever my service is running under: LocalService, Local System, or Network
System.

So what is the difference at this stage of running my Service as Network
Service??

The impersonation level you are talking about in the previous post, do I have
to set it from my server side or client side?

Also I have read that setting "Delegation" or delegate is of use only under
Windows 2000 and the preferred mode should be "Impersonate". Did I get the right info?

Extract from the online help:
------>
Anonymous:
The client is anonymous to the server. The server process can impersonate
the client, but the impersonation token does not contain any information
about the client.

Default:
Uses the default impersonation level for the specified authentication
service. In COM+, this setting is provided by the DefaultImpersonationLevel
property in the LocalComputer collection.

Delegate:
The most powerful impersonation level. When this level is selected, the
server (whether local or remote) can impersonate the client's security
context while acting on behalf of the client.

Identify:
The system default level. The server can obtain the client's
identity, and the server can impersonate the client to do ACL checks.

Impersonate:
The server can impersonate the client's security context while acting on
behalf of the client. The server can access local resources as the client.
<-----


thanks for clarifying my mind
regards
serge



"Dominick Baier" wrote:

several things..

a) as Joe pointed out - switch to Network Service
b) you get the client identity from Thread.CurrentPrincipal
c) if you want to delegate the token to a backend service you need an impersonationLevel="Delegation"
d) you additionally need impersonate="true" in your config file, if you
want to use the auto impersonation feature


very much like the sample you downloaded ;)


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Dear all,

I start to lose my hair. Hope someone could help me to recover..:-)
I have built a remote object hosted in a Windows Service running as
LocalService.
I then have a client application which calls that remote object and, based
on the caller credential, I should authorise it or not to access the
back end database.
The situation is as follows:
My client is running as BOB. BOB is calling the remote object for data
storage. What I try to do is retrieving the caller credential from my remote
object in order to authenticate for further processing. The problem is that when
I check the Windows identity on my server side, it returns the context under
which my service is running and not my caller's context.
My server config file is as follows:

<channels>
  <!--<channel ref="tcp" port="8090" useDefaultCredentials="False">-->
  <channel ref="tcp" port="8090" secure="True"
           impersonationLevel="Impersonate" protectionLevel="EncryptAndSign">
    <serverProviders>
      <formatter ref="binary" typeFilterLevel="Full"/>
    </serverProviders>
  </channel>
</channels>
Note that I am using .NET 2.0

Thanks again for your help (I am fighting for a full week now on this,
grrr :-()
regards
serge
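The identity check Dominick describes (step b) and the auto-impersonation behaviour (step d), as an added example for a .NET 2.0 remoting server; this is not code from either poster. The SecureStore class, the StoreUsers group name and the config attribute names named in the comments (secure, impersonate and protectionLevel on the server channel, tokenImpersonationLevel on the client channel) are assumptions based on the documented TcpChannel configuration properties.

```csharp
// Server-side remote object for a .NET 2.0 TCP channel hosted in a Windows
// service. Assumed .config: server channel secure="true" impersonate="true"
// protectionLevel="EncryptAndSign"; client channel secure="true"
// tokenImpersonationLevel="Impersonation" (the client, not the server, decides
// how far the server may use its token).
using System;
using System.Runtime.Remoting;
using System.Security.Principal;
using System.Threading;

public class SecureStore : MarshalByRefObject
{
    // Hypothetical local group that is allowed to write to the store.
    private const string AllowedGroup = "VISTA-PC\\StoreUsers";

    // Returns "caller|threadIdentity|impersonationLevel" so the difference between
    // the channel-supplied principal and the thread's Windows token is visible.
    public string WhoAmI()
    {
        // The secure channel sets Thread.CurrentPrincipal to the authenticated
        // caller (a WindowsPrincipal, e.g. VISTA-PC\BOB) for this call only.
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Anonymous callers are rejected.");

        // Without impersonate="true" this is the service account (LocalService,
        // NetworkService, ...); with it, the thread runs under the caller's token.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        return caller.Identity.Name + "|" + thread.Name + "|" + thread.ImpersonationLevel;
    }

    public void Store(string payload)
    {
        // Authorise on the caller's principal, never on the service's own identity.
        WindowsPrincipal caller = Thread.CurrentPrincipal as WindowsPrincipal;
        if (caller == null || !caller.IsInRole(AllowedGroup))
            throw new UnauthorizedAccessException("Caller is not a member of " + AllowedGroup);
        // A back end on another machine is reached as the caller only when the client
        // granted Delegation and the service account is trusted for delegation;
        // Impersonation level covers local resources only.
        Console.WriteLine("{0} stored {1} chars", caller.Identity.Name, payload.Length);
    }
}

public static class Host
{
    public static void Main()
    {
        // Load <system.runtime.remoting> from the service's .config; the second
        // argument (ensureSecurity) refuses to start an unsecured channel.
        RemotingConfiguration.Configure(AppDomain.CurrentDomain.SetupInformation.ConfigurationFile, true);
        RemotingConfiguration.RegisterWellKnownServiceType(typeof(SecureStore), "SecureStore.rem", WellKnownObjectMode.SingleCall);
        Console.ReadLine();
    }
}
```

Calling WhoAmI() from BOB's client with and without impersonate="true" on the server channel shows the same caller name in the first field but the service account versus VISTA-PC\BOB in the second, which is the behaviour the original post was seeing.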





