Re: Troubles with security hell
From: Thomas Deml [MS] (thomad@online.microsoft.com)
Date: 10/06/02
- Next message: Thomas Deml [MS]: "Re: Integrated NT Authentication for IIS with per seat CALs"
- Previous message: Thomas Deml [MS]: "Re: .exe file download through web server"
- In reply to: Phil: "Troubles with security hell"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Thomas Deml [MS]" <thomad@online.microsoft.com> Date: Sun, 6 Oct 2002 02:20:33 -0700
This is the expected behavior.
If this were allowed, a malicious IIS admin could do a lot of bad stuff
on a user's behalf. Impersonated users don't have outbound credentials. The
impersonation token is only valid on the local machine and not on the
network.
What you can do:
1) NOT RECOMMENDED: use basic auth and it will work. Basic auth transfers
the credentials to the IIS box and IIS does a local logon (=outbound
credentials). Problem is that username/password go over the wire in clear
text.
2) BETTER: Use a trusted account and connect to AD with this account by
using OpenDSObject instead of GetObject. Problem is that your ASP page will
have the username and password of this trusted user.
Now it gets a bit more complicated:
3) Install a little COM object that exposes a method that calls RevertToSelf.
This reverts the ASP thread to its process identity. If you run your
site/vdir under low isolation this call will revert to LocalSystem.
LocalSystem acts as the machine account (machinename$) on the network
(typically somewhat trusted in AD).
4) MOST SECURE: Run your IIS site/vdir in high isolation. The base identity
will be IWAM by default. You can change the base identity of IIS to whatever
you want: Start - Administrative Tools - Component Services. In Component
Services: Computers - My Computer - COM+ Applications. Here you will find
your new high-isolated application. Run this application as a trusted
identity that is allowed to access the user information.
You find the ATL code on how to revert back to the process identity below if
you are interested.
Hope this helps.
--
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.
// IISRevertToSelf.cpp : Implementation of CIISRevertToSelf
#include "stdafx.h"
#include "IISRevertToSelf.h"

// CIISRevertToSelf
//
// Drops the caller's impersonation token so the calling ASP thread runs as
// the process identity again (LocalSystem in low isolation; IWAM or the
// configured COM+ identity in high isolation).
STDMETHODIMP CIISRevertToSelf::RevertToSelf(void)
{
    // The scope operator selects the Win32 API, not this method,
    // so the call does not recurse.
    if (!::RevertToSelf())
        return HRESULT_FROM_WIN32(GetLastError());
    return S_OK;
}
"Phil" <Filipe.MAtos@haerter.de> wrote in message
news:1090601c26ad9$71dad710$3bef2ecf@TKMSFTNGXA10...
> I'm trying to write a small ASP application that tells me
> my full name :-)
> It seems to me that I'm running into AD security issues,
> could you please help me?
>
> Here is an excerpt of the code:
>
> ----
> <%
> sFullUser = trim(Request.ServerVariables ("LOGON_USER"))
> sUser = Mid(sFullUser, iPos + 1)
>
> Set objUser = GetObject("WinNT://" & sDomain & "/" & sUser
> & ",user")
> %>
>
> ...
> ...
>
> <%= "<b>" & objUser.FullName & "</b><br>" %>
>
> ---
>
> If executed locally (http://localhost) it works as expected,
> but if called from a remote client (within the same Windows
> domain) I get the error:
>
> ----
> Active Directory (0x80070005)
> Allgemeiner "Zugriff verweigert"-Fehler
> ----
>
> The Security methods for the web site in question are:
> - No Anonymous access
> - Integrated Windows authentication
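Option 2 from the reply above, written out as an added example (not code from the original post or from Microsoft): the page splits LOGON_USER itself (the iPos/sDomain values elided in the quoted excerpt), then binds the user object through IADsOpenDSObject::OpenDSObject with a trusted account instead of the caller's impersonation token. The service account name and password are assumed placeholders; keeping them in the page is the drawback the reply points out for this option.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not part of the original post.
' Under Integrated Windows authentication LOGON_USER arrives as DOMAIN\user.
Const ADS_SECURE_AUTHENTICATION = 1

' Assumed, hypothetical service account that may read user objects.
Const SVC_USER = "EXAMPLEDOM\svc_aspreader"
Const SVC_PASS = "<password placeholder>"

Function LookupFullName(sLogonUser)
    Dim iPos, sDomain, sUser, objNS, objUser
    iPos = InStr(sLogonUser, "\")
    If iPos = 0 Then
        LookupFullName = ""   ' no domain part: nothing to bind to
        Exit Function
    End If
    sDomain = Left(sLogonUser, iPos - 1)
    sUser   = Mid(sLogonUser, iPos + 1)

    ' GetObject("WinNT:") binds the provider root; OpenDSObject then binds
    ' the user object with the trusted account's credentials rather than the
    ' caller's impersonation token, which carries no network credentials.
    Set objNS = GetObject("WinNT:")
    On Error Resume Next
    Set objUser = objNS.OpenDSObject("WinNT://" & sDomain & "/" & sUser & ",user", _
                                     SVC_USER, SVC_PASS, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        ' e.g. 0x80070005 (access denied) or an unknown user
        LookupFullName = ""
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    LookupFullName = objUser.FullName
End Function

Dim sFullName
sFullName = LookupFullName(Trim(Request.ServerVariables("LOGON_USER")))
If sFullName = "" Then
    Response.Write "<b>Could not resolve full name.</b><br>"
Else
    Response.Write "<b>" & Server.HTMLEncode(sFullName) & "</b><br>"
End If
%>
```

The bind succeeds from a remote client because the trusted account, not the impersonated user, authenticates to the directory; the user's own token is still only used by IIS for the local logon.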