Re: Forms Authentication and Impersonation

From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Fri, 15 Nov 2002 09:10:50 -0500


"Mike" <mikeschall@hotmail.com> wrote in message
news:1b3d01c28cae$3f8d2cd0$8df82ecf@TK2MSFTNGXA02...
> I am trying to use impersonation for part of my site. I
> have files that I don't want to be able to be downloaded
> directly. Only authenticated users should be able to
> download them.
>
> My current direction is to have an aspx file that will
> pick the bytes off the disk and binary write them down to
> the client. The anonymous user will not have rights to the
> directory with the files. I would like the aspx page to
> impersonate another user to get the file.

I'm kind of fuzzy on the details, but I'm having a hard time understanding
how this is better than removing anonymous access from the folder and using
basic or windows integrated authentication. To me it doesn't seem to matter
whether the user can see the files on the web server or can see a copy of
the files on the local hard drive.

> The major problem is that the directory with the files
> will be a virtual directory stored on another machine.

Shouldn't be a problem, as long as you don't use the system account and set
up an identical user ID and password on both machines with the necessary
permissions.

> The steps I have taken so far is to change my
> machine.config to use the system account. I wasn't able to
> use impersonation without this. Is this correct? I would
> like to leave the machine config alone if possible.

Well, I'm not sure what you mean by machine.config, but the system account
isn't going to have access to other machines, unless you mean that the IIS
www service is running as system, in which case this shouldn't be a problem.

> I can get access to the files if I set the <identity>
> section of the web.config to impersonate and give a domain
> username and password. This works, but fails my goal
> because now the files are available to the anonymous user
> again.

Is there a reason not to remove anonymous access from the folder and use
basic or windows integrated authentication?

Check out www.iisfaq.com; it's a pretty good resource as well. Maybe also
www.microsoft.com/support.
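To make the exposure concrete, here is an added web.config example that is not part of the original post. The first fragment is the fixed-credential <identity> setting Mike describes, which lets anonymous requests reach the files through the aspx handler; the second adds the anonymous-rejection Karl recommends. The account name DOMAIN\filereader and the password are placeholders.

```xml
<!-- ===== Fragment 1: impersonation alone (the configuration that failed the goal) ===== -->
<configuration>
  <system.web>
    <!-- Every request, authenticated or not, now runs as this fixed account, so the
         aspx page that streams files out of the protected folder serves them to
         anyone who asks. Anonymous access is still enabled, so nothing stops them. -->
    <identity impersonate="true"
              userName="DOMAIN\filereader"
              password="PLACEHOLDER-PASSWORD" />
  </system.web>
</configuration>

<!-- ===== Fragment 2: reject anonymous users before the handler runs ===== -->
<configuration>
  <system.web>
    <!-- Let IIS/Windows identify the caller (basic or integrated authentication). -->
    <authentication mode="Windows" />

    <!-- "?" is the anonymous user. Denying it forces authentication for every
         ASP.NET request in this application; without this line the impersonated
         account below would again act on behalf of unauthenticated callers. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- A fixed, non-SYSTEM account that exists with the same name and password on
         both the web server and the machine holding the virtual directory, with
         read rights on the file folder only. SYSTEM has no network identity and
         cannot reach the remote share. -->
    <identity impersonate="true"
              userName="DOMAIN\filereader"
              password="PLACEHOLDER-PASSWORD" />
  </system.web>
</configuration>
```

The <authorization> element only governs requests ASP.NET handles, so anonymous access should also be removed on the folder in IIS, as the reply suggests, or non-aspx requests for the same files will bypass this check.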