Impersonation testing

I am trying to build some testing tools for Kerberos and Kerberos delegation. Where I am headed currently is a simple webpage that calls a webservice. The webservice's only job in life is to return the identity of the calling user. While this is simplistic in nature it can be a good start. Ideally I would like much more information but I need to start somewhere. Long term I would like to the method of authentication used, and anything else that would help me understand how authentication is working between the page and the web service.

So I am putting code into the webpage that impersonates the user opening it for the call to the web service. Then the webservice simply returns the name of the person that called it. Does this make sense? Better Ideas? Am I re-inventing the wheel of something already out there? I have seen so many different opinions as to the best way to do this so any opinions are appreciated.

Anyone have good samples?

This sounds like a good approach to me. I've done similar things for testing purposes.

There isn't enough code to make it worthwhile to show any samples. Make sure you use DefaultCredentials on your web services proxy and return Context.User.Identity.Name from the web service.

The rest is all configuration stuff.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Chris Geier" <chris.geier at gmail.com> wrote in message news:E7C1BD2A-7BA9-4644-AD33-0A078C85846C@microsoft.com...
> Greetings and Thanks for reading.
>
> I am trying to build some testing tools for Kerberos and Kerberos delegation. Where I am headed currently is a simple webpage that calls a webservice. The webservice's only job in life is to return the identity of the calling user. While this is simplistic in nature it can be a good start. Ideally I would like much more information but I need to start somewhere. Long term I would like to the method of authentication used, and anything else that would help me understand how authentication is working between the page and the web service.
>
> So I am putting code into the webpage that impersonates the user opening it for the call to the web service. Then the webservice simply returns the name of the person that called it. Does this make sense? Better Ideas? Am I re-inventing the wheel of something already out there? I have seen so many different opinions as to the best way to do this so any opinions are appreciated.
>
> Anyone have good samples?

Also return WindowsIdentity.GetCurrent().Name, which is the currently effective security context in your service - if you are impersonating this should be the same as Context.User. Otherwise this would show the process identity.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> This sounds like a good approach to me. I've done similar things for testing purposes.
>
> There isn't enough code to make it worthwhile to show any samples. Make sure you use DefaultCredentials on your web services proxy and return Context.User.Identity.Name from the web service.
>
> The rest is all configuration stuff.
>
> Joe K.
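The setup the replies above describe, written out as an added example that is not code from any poster in the thread: an ASMX method that reports both Context.User and WindowsIdentity.GetCurrent() along with the authentication type and impersonation level, and a page-side helper that calls through a proxy with DefaultCredentials while impersonating the page's user. The names WhoAmI, Describe, DelegationProbe and CallAsCaller and the urn:example:whoami namespace are assumptions made for the example; the proxy is assumed to be the usual generated SoapHttpClientProtocol subclass, called as DelegationProbe.CallAsCaller(User, proxy, proxy.Describe).

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// Service side: report who called and which token the code is running under.
[WebService(Namespace = "urn:example:whoami")] // constructed namespace
public class WhoAmI : WebService
{
    [WebMethod]
    public string Describe()
    {
        IIdentity caller = Context.User.Identity;                 // identity ASP.NET authenticated
        WindowsIdentity effective = WindowsIdentity.GetCurrent(); // token this thread runs under
        return string.Format(
            "caller={0}; authenticated={1}; authType={2}; effective={3}; level={4}; same={5}",
            caller.Name,
            caller.IsAuthenticated,
            caller.AuthenticationType,    // for example Negotiate or NTLM
            effective.Name,               // process identity unless the service impersonates
            effective.ImpersonationLevel, // None, Impersonation, Delegation, ...
            string.Equals(caller.Name, effective.Name, StringComparison.OrdinalIgnoreCase));
    }
}

// Page side: make the web service call under the identity of the user who opened the page.
public static class DelegationProbe
{
    public static string CallAsCaller(IPrincipal pageUser, SoapHttpClientProtocol proxy,
                                      Func<string> call)
    {
        WindowsIdentity id = pageUser.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
            throw new InvalidOperationException(
                "Page request has no authenticated Windows identity.");

        // DefaultCredentials means the credentials of the current security context,
        // which is the impersonated user for the duration of the using block.
        proxy.Credentials = CredentialCache.DefaultCredentials;
        using (id.Impersonate()) // reverted on Dispose, even if the call throws
        {
            return call();
        }
    }
}
```

Comparing the caller and effective fields in the returned string shows whether the service itself is impersonating, and the level field shows whether the effective token is at Impersonation or Delegation level.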