help on caller credentials !!

"calderara" <calder***@discussions.microsoft.com> wrote in message news:551CC5DF-DF28-403E-A30C-A55CD8A2C520@microsoft.com:

Dear all,

I start to lose my hair. Hope someone could help me to recover.. :-)
I have built a remote object hosted in a Windows Service running as LocalService. I then have a client application which is calling that remote object, and based on the caller credential I should authorise it or not to access the back end database.

The situation is as follows:
My client is running as BOB. BOB is calling the remote object for data storage. What I try to do is retrieving the caller credential from my remote object in order to authenticate it for further processing. The problem is that when I check the Windows identity on my server side, it returns the context in which my service is running and not my caller's context.

My server config file is as follows:

    <channels>
      <!--<channel ref="tcp" port="8090" useDefaultCredentials="False">-->
      <channel ref="tcp" port="8090" secure="True" impersonationLevel="Impersonate" protectionLevel="EncryptAndSign">
        <serverProviders>
          <formatter ref="binary" typeFilterLevel="Full"/>
        </serverProviders>
      </channel>
    </channels>

Note that I am using .NET 2.0.

Thanks again for your help (I am fighting for a full week now on this, grrr :-()
regards
serge


"Joe Kaplan" wrote:

You shouldn't run as local service. You should run as Network Service instead, as that will allow the service to access the network and participate in domain-based authentication.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


"calderara" <calder***@discussions.microsoft.com> wrote in message news:8DA93168-6DA7-40E1-A6E7-1C1AF2AD223A@microsoft.com:

By setting Network Service instead of Local, will I definitely be able to receive BOB under my Identity object? hmmmm
Looks so simple, I will give it a try..

thanks
serge


"Joe Kaplan" wrote:

I'm not certain that will solve all of your issues, but I'm pretty sure that is a necessary step. In order to get Kerberos-based authentication, you'll likely need to do more than that, but I'm not sure. I'm also not sure if you need Kerberos or if NTLM will suffice.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


"Dominick Baier" wrote:

several things..

a) as Joe pointed out - switch to Network Service
b) you get the client identity from Thread.CurrentPrincipal
c) if you want to delegate the token to a backend service you need an impersonationLevel="Delegation"
d) you additionally need impersonate="true" in your config file, if you want to use the auto impersonation feature

very much like the sample you downloaded ;)

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)


"calderara" wrote:

hi dominick,

thanks for those points, I will give it a try. By the way, concerning the sample I downloaded, did you see my last message about the exception I get? Could not make it run :-(

regards
serge
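Added example, not code from the thread: a hypothetical remote object showing Dominick's point b), reading the caller from Thread.CurrentPrincipal rather than WindowsIdentity.GetCurrent(), and refusing unauthenticated calls instead of silently proceeding under the service account. The class name and the group name are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical remote object; example code, not from the thread. Assumes the
// server channel is registered with secure="True", so the remoting runtime sets
// Thread.CurrentPrincipal to the caller (BOB) for the duration of the call;
// with impersonate="true" (point d) the thread token also becomes the caller's.
public class DataStore : MarshalByRefObject
{
    // Group the caller must belong to; a constructed example value.
    private const string RequiredGroup = @"BUILTIN\Users";

    // Shows the two identities the thread confuses: GetCurrent() is the token
    // of the executing thread (the service account unless impersonating);
    // Thread.CurrentPrincipal is the authenticated remoting caller.
    public string DescribeContexts()
    {
        string threadToken = WindowsIdentity.GetCurrent().Name;
        IIdentity caller = Thread.CurrentPrincipal == null
            ? null : Thread.CurrentPrincipal.Identity;
        return "thread token=" + threadToken +
               "; remoting caller=" + (caller == null ? "<none>" : caller.Name);
    }

    public string Store(string payload)
    {
        WindowsIdentity caller = GetAuthenticatedCaller();

        // Authorise by group membership, not by comparing account names.
        if (!new WindowsPrincipal(caller).IsInRole(RequiredGroup))
            throw new SecurityException(caller.Name + " may not store data.");

        // Backend access here runs under the service account. To reach the
        // database as BOB instead, wrap the call in caller.Impersonate() and
        // give the client channel impersonationLevel="Delegation" (point c).
        return "stored " + payload.Length + " bytes for " + caller.Name;
    }

    // Returns the caller's authenticated Windows identity; rejects missing or
    // anonymous principals rather than falling back to the service's identity.
    internal static WindowsIdentity GetAuthenticatedCaller()
    {
        WindowsIdentity identity = Thread.CurrentPrincipal == null
            ? null : Thread.CurrentPrincipal.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            throw new SecurityException("Call was not authenticated; check secure=\"True\".");
        return identity;
    }
}
```

Calling DescribeContexts() from the client is a quick way to confirm whether the channel is actually authenticating the caller before adding any authorisation logic.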