Impersonation through HttpModule

otto wrote:
Hi, all:
I have a question about security in ASP.NET applications. We have to develop several applications, all of them with Windows integrated security in IIS. Each application must run under one domain account (each application has its own account), so we have to use impersonation. How can I do this with HttpModules? Thanks a lot.

Dominick Baier (DevelopMentor) wrote:
Hello otto,
On which platform (IIS5 or 6)?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

otto wrote:
Hi, Dominick:
Both of them. What's the difference? I have little experience with IIS 6.0.

Joe Kaplan (MVP - ADSI) wrote:
Programmatic impersonation on IIS5 is painful because normal accounts can't call the LogonUser API on Win2K. This restriction is removed in XP and 2K3.

On IIS6, I would recommend you do this without using impersonation, especially programmatic. It is much easier to set up a single AppPool for each application that runs under the specified domain account (and disable impersonation in web.config). The other option would be to use explicit impersonation in web.config, supplying a username and password there.

On IIS 5 this is harder. There are no AppPools, so there is no good way to have a process account for each app as there is only one process. You can't use programmatic impersonation (or explicit impersonation of a specific user via web.config) with the default settings because you won't have rights to call LogonUser.

The first thing you will need to do is figure out how you will get the necessary permissions to call LogonUser in the first place. One way might be to give the ASPNET account the "Act as part of the operating system" privilege in local security policy, but that also seriously compromises the security of the web server (although possibly not as much as simply running it as SYSTEM).

Joe K.
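For readers who still need the programmatic route Joe describes, here is an added example of it as an IHttpModule; this is illustrative code written for this page, not code from the thread or from either poster. It obtains a token for a fixed per-application domain account with LogonUser, impersonates it for the duration of the request, and reverts in EndRequest so the pooled worker thread never leaks the identity into the next request. Assumptions: .NET Framework 2.0 or later (ConfigurationManager), three appSettings keys (ImpersonationDomain, ImpersonationUser, ImpersonationPassword) invented for the example, and a web.config <httpModules> registration for the type. It also surfaces the Win2K problem from Joe's post: without "Act as part of the operating system", LogonUser fails with ERROR_PRIVILEGE_NOT_HELD (1314), and the module reports that rather than a bare Win32 error.

```csharp
// Added example, not from the thread: per-request impersonation of a fixed
// domain account from an HttpModule. Each application carries its own
// credentials in its own web.config, so one module serves every application.
// appSettings key names below are assumptions made for this example.
using System;
using System.ComponentModel;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

public class FixedIdentityModule : IHttpModule
{
    // Logon type 8 yields a token that can also reach remote resources (network
    // cleartext); type 3 (NETWORK) would be local-only.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;   // Win2K: caller lacks SeTcbPrivilege
    const string CtxKey = "FixedIdentityModule.Ctx";
    const string TokenKey = "FixedIdentityModule.Token";

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;   // EndRequest fires even when the request faulted
    }

    public void Dispose() { }

    static string Setting(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("appSettings/" + key + " is missing");
        return value;
    }

    static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Plaintext credentials in config are a liability: on ASP.NET 2.0+ encrypt
        // the section with protected configuration (aspnet_regiis -pe).
        string domain = Setting("ImpersonationDomain");
        string user = Setting("ImpersonationUser");
        string password = Setting("ImpersonationPassword");

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new InvalidOperationException(
                    "LogonUser requires SeTcbPrivilege on this OS (Windows 2000); " +
                    "prefer a per-application AppPool identity on IIS 6 instead.");
            throw new Win32Exception(err);
        }

        // Swap the thread's security context for this request only.
        WindowsImpersonationContext wic = new WindowsIdentity(token).Impersonate();
        ctx.Items[CtxKey] = wic;
        ctx.Items[TokenKey] = token;
    }

    static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsImpersonationContext wic = ctx.Items[CtxKey] as WindowsImpersonationContext;
        if (wic != null)
        {
            wic.Undo();          // back to the process (AppPool / ASPNET) identity
            wic.Dispose();
            ctx.Items.Remove(CtxKey);
        }
        if (ctx.Items[TokenKey] is IntPtr)
        {
            CloseHandle((IntPtr)ctx.Items[TokenKey]);   // release the logon token handle
            ctx.Items.Remove(TokenKey);
        }
    }
}
```

Register it per application with an <add name="FixedIdentity" type="FixedIdentityModule" /> entry under <httpModules> in that application's web.config. Two caveats a practitioner should weigh before choosing this over an AppPool identity: the impersonated token is bound to the worker thread, so code that hops threads (async handlers, thread-pool work) runs as the process account again unless it re-impersonates, whereas the runtime-managed <identity> impersonation is reapplied for you; and swapping Thread.CurrentPrincipal or HttpContext.User to a different IPrincipal changes only .NET role checks, not the Windows token, so it cannot substitute for LogonUser here.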
Dominick Baier (DevelopMentor) wrote:
Hello Joe,
Yes! I recommend moving away from IIS5 and using app pools. Use impersonation only if you have to.
otto wrote:
Hi, Joe:
Is there another way to do impersonation instead of using LogonUser? Using IPrincipal objects or Thread objects, HttpContext... Thanks for your help.
Dominick Baier (DevelopMentor) wrote:
Hello otto,
You can use the <identity impersonate="true" /> element in web.config. As I said, when you are impersonating you are in a wacky state... try to keep it to a minimum.
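To make the choices in this thread concrete, here is an added web.config fragment (written for this page, not posted by anyone in the thread) showing the three ways the <identity> element can be set, with the two not in use commented out. Note what each one actually does: impersonate="true" with no credentials impersonates whoever IIS authenticated (with Windows integrated auth, the calling user; with anonymous access, the IUSR account), not a fixed service account; only the form with userName/password pins the identity, and that form calls LogonUser under the covers, so Joe's Win2K privilege caveat applies to it too. The account name CORP\svc-app1, the password placeholder and the registry path are made up for the example.

```xml
<!-- Added example, not from the thread. Exactly one <identity> element applies
     per application; pick the one that matches how the app is hosted. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- (a) Recommended on IIS 6: no impersonation at all. The worker process
         already runs as this application's own AppPool account, so all code
         executes as that domain account with no token juggling. -->
    <identity impersonate="false" />

    <!-- (b) Explicit impersonation of a fixed account: every request runs as
         CORP\svc-app1 regardless of who called. Never leave the password in
         clear here. ASP.NET 1.1: store it with aspnet_setreg and reference
           userName="registry:HKLM\SOFTWARE\MyApp\identity\ASPNET_SETREG,userName"
           password="registry:HKLM\SOFTWARE\MyApp\identity\ASPNET_SETREG,password"
         ASP.NET 2.0+: encrypt the section with
           aspnet_regiis -pe "system.web/identity" -app "/MyApp"
    <identity impersonate="true" userName="CORP\svc-app1" password="placeholder" />
    -->

    <!-- (c) Impersonate the IIS-authenticated caller. This is the setting
         Dominick names; it does NOT run the app as one fixed domain account,
         and with anonymous access the impersonated user is IUSR_<machine>.
    <identity impersonate="true" />
    -->
  </system.web>
</configuration>
```

With (a), the per-application account is set on the AppPool in IIS Manager (Application Pools, Identity tab, "Configurable"), and the account must be a member of IIS_WPG on that server; no credentials need to appear in web.config at all.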
Joe Kaplan (MVP - ADSI) wrote:
You might also consider using SSPI directly to create a token for a user, but that is more complex and might not do what you want. Another alternative for Win2K would be to place all of your code that needs a special identity in a separate component that you set up under COM+ to run as a special identity.

Joe K.