Forms Authentication and Impersonation

From: Mike (mikeschall@hotmail.com)
Date: 11/15/02


From: "Mike" <mikeschall@hotmail.com>
Date: Fri, 15 Nov 2002 05:52:33 -0800


I am trying to use impersonation for part of my site. I
have files that I don't want to be able to be downloaded
directly. Only authenticated users should be able to
download them.

My current direction is to have an aspx file that will
pick the bytes off the disk and binary write them down to
the client. The anonymous user will not have rights to the
directory with the files. I would like the aspx page to
impersonate another user to get the file.

The major problem is that the directory with the files
will be a virtual directory stored on another machine.

The steps I have taken so for is to change my
machine.config to use the system account. I wasn't able to
use impersonation without this. Is the correct? I would
like to leave the machine config alone if possible.

I can get access to the files if I set the <identity>
section of the web.config to impersonate and give a domain
username and password. This works, but fails my goal
because now the files are available to the anonymous user
again.

Any ideas would be great. Thanks for your time.
Mike



Relevant Pages

  • Re: Win32 security limitations: why?
    ... Impersonation allows a process to run with the credentials ... the Iwam account, for support of the anonymous users. ... this allows the anonymous user to have a process with a higher security ... Microsoft MVP (Windows Security) ...
    (microsoft.public.security)
  • Re: Forms Authentication and Impersonation
    ... > I am trying to use impersonation for part of my site. ... > download them. ... The anonymous user will not have rights to the ... as long as you don't use the system account and set ...
    (microsoft.public.inetserver.iis.security)
  • Re: Win32 security limitations: why?
    ... Impersonation allows a process to run with the credentials ... > the Iwam account, for support of the anonymous users. ... > this allows the anonymous user to have a process with a higher security ...
    (microsoft.public.security)