Re: impersonating a user
From: daveg (davegrr@hotmail.com)
Date: 07/01/02
- Next message: Sagar Haval: "Re: Securing files in web site - ( Security, file protection)"
- Previous message: Andrew Cole: "How do I create online Certificate requests"
- In reply to: Scott Stahlman [MS]: "RE: impersonating a user"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: davegrr@hotmail.com (daveg) Date: 30 Jun 2002 21:00:27 -0700
Thanks for your post Scott.
I think I muddled my question a little.
Running the site as a pre-configured user is not what I want to do.
In effect, what I am after is the same outcome as if I was using
Integrated Windows authentication, with impersonation on, but through
a custom login form.
I don't mind denying users without NT accounts; I can redirect them to
another site with less functionality.
I saw the CreateProcessAsUser documentation, and I don't think that's
useful to me at the moment, either.
Any further ideas?
Thanks again
daveg
scotstah@Onlinemicrosoft.com (Scott Stahlman [MS]) wrote in message news:<$d4d#k3HCHA.1600@cpmsftngxa08>...
> In response to your question: Impersonating the user seems only to last
> for the duration of the
> thread or page access, whereas I would like to permanently have the
> process run as the user, while still allowing anonymous access.
>
> This can be done, security is a concern and testing is required. Threads
> have to be authenticated in order to have access to the CPU. Their
> authentication is what determines the context of the thread. In Static
> applications, IIS will read the HTTP, and when anonymous is selected IIS
> will, as you know, impersonate the IUSR_ account before attempting to
> access the file. After the request is handled IIS reverts back to the
> Local System account (which is the default account for Services that are
> running).
>
> You can set up your application to run in another context than IIS. If you
> make a directory into an application (by clicking on CREATE on the Dir Tab)
> and move it into High Security protection you will notice in the Component
> Services Snap-In that you can choose the identity in which to run the
> application (go to its properties). You can also choose the identity for
> the Out Of Process Pooled likewise.
>
> There is also a Windows API called CreateProcessAsUser which can be called
> for CGI and VB applications.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q285879
>
> So it can be done, however, you can create other unexpected problems. A
> great resource is the book Running Microsoft Internet Information Server 4.0
> cowritten by my colleague Leonid Braginski. On page 433 he discusses
> impersonation and authentication (no code samples) very clearly. The book
> was published by Microsoft Press. It's really enjoyable reading too I
> might add!
>
> JUNE 12th: A new Security patch is available for IIS 4.0 and 5.0. This
> patch is not a cumulative patch.
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-028.asp
>
> Thanks,
> Scott
> IIS Support
>
>
> This posting is provided AS IS with no warranties, and confers no rights.