Re: help on caller credentials !! :-(
- From: calderara <calderara@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 15 May 2007 22:36:01 -0700
Hello again.
not easy for me to explain in english but lets try again.
Yes you are right by saying that I have an other stage where I will pas
credential to a back end database.
What I am trying to explain and do is to apply proper security to my remote
object in order that in works as a kind of gate keeper. The idea is that if
the client has not the rights to log into sql database or access tables then
I should refuse the acces and return an error. This is all what I am trying
to do.
The whole stuff will not belongs to a domain but a simple workgroup. Only
the back end SQL server maybe.
In fact I simply try to flow the client user until the database level.
Hosting my remote object in IIS would be much more simple but thi is not my
goal.
I have seen one way to do it was to identify the user from my remote object
host and then pass client credential as parmeter's for a store procedure that
will make the checks.
Thnaks for coments
regards
serge
"Dominick Baier" wrote:
Am i right that you want to do a 2nd hop? meaning bob will call the middle.
tier - and the middle tier will call a back end service using Bob's credentials??
If yes - then you need a domain environment - for delegation the Kerberos
authentication protocol is required - and you get that only by installing
Active Directory.
maybe this answers all of your questions...
otherwise you have to tell us exactly what you are trying to do...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
hello dominick,
here are few test I have made. I hate things when I am not 100%
undersatnd what is going on.
I am runing my client application under user BOB on an Windows 2000
machine Then my server component is hosted in a windows service
runnning on Vista machine. So far so good.
First test BOB is nnot existing at all under vista machine: Running my
client will generate an InvaluidCredential Exception (sounds logic)
Then I create BOB account on my Vista machine and run the same test.
At this phase BOB has been identified and I can log credentila info
from
server side and I get :
Authentication Type=NTLM
isAuthenticated = True
Name : VISTA-PC\BOB
So first of all, I am able to read client credential from my remote
object whaterver my service is running under LocalService, Local
System, or Network System
So what are the difference at this stage of runing my Service as
Network Service ??
The impersonation level your are talking about in previous post, do I
have to set it from my server side or client side ?
Also I have read that setting "Delegation" or delegate is useonly
under windows 2000 and prefer mode should be "Impersonate" . Did I get
right info ?
Extratc form help on line:
------>
Anonymous:
The client is anonymous to the server. The server process can
impersonate
the client, but the impersonation token does not contain any
information
about the client.
Default:
Uses the default impersonation level for the specified authentication
service. In COM+, this setting is provided by the
DefaultImpersonationLevel
property in the LocalComputer collection.
Delegate:
The most powerful impersonation level. When this level is selected,
the
server (whether local or remote) can impersonate the client's security
context while acting on behalf of the client
Identify The system default level. The server can obtain the client's
identity, and the server can impersonate the client to do ACL checks.
Impersonate:
The server can impersonate the client's security context while acting
on
behalf of the client. The server can access local resources as the
client.
<-----
thanks to clarify my mind
regards
serge
"Dominick Baier" wrote:
several things..
a) as Joe pointed out - switch to Network Service
b) you get the client identity from Thread.CurrentPrincipal
c) if you want to delegate the token to a backend service you need an
impersonationLevel="Delegation"
d) you additionally need impersonate="true" in your config file, you
you
wanto to use the auto impersonation feature
very much like the sample you downloaded ;)
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Dear all,
I start to loose my hairs. Hoep someone could help me to
recover..:-)
I have build a remote object hosted in a Windows Service runing as
LocalService.
I have then a claient application which calling that remote object
and
based
on the caller credential I shouzld authorise hit or not to access to
back end
database.
The situation is as follow :
My client is running as BOB. BOB is calling the remote object for
data
storage. What I try to do is retriveing the caller credential from
my
remote
object in order to athauticated for further process. The problem is
that when
I check the wndows identity on my server side, it return the context
on which
my service is running and not my caller's context.
MY server config file is as follow :
<channels>
<!--<channel ref="tcp" port="8090"
useDefaultCredentials="False">-->
<channel ref="tcp" port="8090" secure="True"
impersonationLevel="Impersonate" protectionLevel="EncryptAndSign">
<serverProviders>
<formatter ref="binary" typeFilterLevel="Full"/>
</serverProviders>
</channel>
</channels>
Note that I am using .NEt 2.0
Thnaks again for your help ( I am fighting for a full week now on
this
grrr
:-()
regards
serge
- References:
- Re: help on caller credentials !! :-(
- From: Dominick Baier
- Re: help on caller credentials !! :-(
- From: calderara
- Re: help on caller credentials !! :-(
- From: Dominick Baier
- Re: help on caller credentials !! :-(
- Prev by Date: Re: Setting directory NTFS directory permissions (W2k3 Server)
- Next by Date: Similar Security Options in VB.Net 2005 like in ASP.Net 2.0 ?
- Previous by thread: Re: help on caller credentials !! :-(
- Next by thread: Re: help on caller credentials !! :-(
- Index(es):
Relevant Pages
|
