Access network resources from ASP.NET - ASP.NET Security

  1. #1

    Access network resources from ASP.NET

    Hi!

    After extensive research of this topic, I'm still not sure what the
    "official" way to do it is.

    Task:

    1. User submits some request to the ASP.NET application and the app should
    write the result to a network share.
    2. Integrated Authentication must be used.
    3. No open passwords are allowed to be specified in any config files.
    4. Can't assign a special domain user as Local Administrator.

    Problem:

    With default setup, it is not possible due to security reasons.

    Related topics:
    - impersonation
    - machine.config - processModel.userName
    - IUSR_MACHINE user
    - delegation

    Here is where I'm stuck: I'd like to use impersonation like this:
    <identity impersonate="true" userName="Bob" password="pwd" />

    but this topic explains that it's not possible:
    [url]http://groups.google.com/groups?q=impersonate+Logon+failure:+unknown+user+name+or+bad+password.++group:microsoft.public.dotnet.*&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.dotnet.*&selm=uzT4T%23%23wCHA.2680%40TK2MSFTNGP09&rnum=1[/url]

    Any ideas?

    Dima Semenskyy.


  2. #2

    RE: Access network resources from ASP.NET

    Dima,

    What you are doing is possible. What Mitch is talking about in his post is
    delegation of credentials. Essentially, this means that if you are
    browsing the site and using your credentials sent by the browser, those
    same credentials cannot be used to access another resource on a machine
    remote to the Web server. In that scenario, the Web server is delegating
    your credentials, and such is prevented when using NTLM authentication. If
    all of the boxes are using Windows 2000 or later, you can use Kerberos and
    delegation to get around that.

    However, what you really want to do is impersonate this user just to run a
    certain section of code and to write to the network resource. In that
    case, code-level impersonation using PInvoke to call LogonUser is the
    perfect solution.

    Here is an article that explains how to do that:
    306158 INFO: Implementing Impersonation in an ASP.NET Application
    [url]http://support.microsoft.com/?id=306158[/url]

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET
    [email]jamescheonline.microsoft.com[/email]

    This post is provided as-is with no warranties and confers no rights.

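    The two things Jim's reply separates, code-level impersonation through
    LogonUser for the share write and a check for the NTLM double-hop limit,
    as an added example written for this page. It is not code from the thread
    or from KB 306158. It assumes ASP.NET on Windows Server 2003 or later (on
    Windows 2000 the worker process needs the "Act as part of the operating
    system" privilege to call LogonUser, which is the kind of broad grant the
    question wants to avoid), a hypothetical service account
    CONTOSO\svc-sharewriter that has only Modify permission on the hypothetical
    share \\fileserver\drop, and credentials the caller has already loaded from
    an encrypted store (DPAPI, or the aspnet_setreg tool on ASP.NET 1.x) rather
    than from a cleartext web.config.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example for this thread, not the KB article's code. Account, share
// and method names are assumptions chosen for illustration.
public static class ShareWriter
{
    // Win32 declarations for the P/Invoke approach KB 306158 describes.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider,
        out IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr hToken, int impersonationLevel,
        out IntPtr hNewToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SECURITY_IMPERSONATION = 2;

    // Writes 'content' to a UNC path as the given domain account. The
    // password must come from an encrypted store; never from a cleartext
    // web.config (constraint 3 in the original post).
    public static void WriteAsAccount(string domain, string user,
        string password, string uncPath, string content)
    {
        IntPtr primary = IntPtr.Zero;
        IntPtr impersonation = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            // Interactive logon validates the password immediately, so a
            // wrong one surfaces as Win32 error 1326 (ERROR_LOGON_FAILURE,
            // the "unknown user name or bad password" from the original
            // post) instead of as a confusing access-denied on the share.
            // It requires the account to hold "Allow log on locally" on
            // the web server. LOGON32_LOGON_NEW_CREDENTIALS (9) with
            // LOGON32_PROVIDER_WINNT50 (3) avoids that right but defers
            // password checking to the first network access.
            if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out primary))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // LogonUser returns a primary token; impersonation needs an
            // impersonation-level copy.
            if (!DuplicateToken(primary, SECURITY_IMPERSONATION, out impersonation))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // From here until Undo(), this thread's SMB session to the file
            // server authenticates as domain\user, not as the worker process
            // identity (ASPNET / NETWORK SERVICE).
            ctx = new WindowsIdentity(impersonation).Impersonate();
            File.WriteAllText(uncPath, content);
        }
        finally
        {
            // Undo in finally: a thread that keeps the service account's
            // token after an exception would serve the next request with
            // the wrong identity.
            if (ctx != null) ctx.Undo();
            if (impersonation != IntPtr.Zero) CloseHandle(impersonation);
            if (primary != IntPtr.Zero) CloseHandle(primary);
        }
    }

    // Diagnostic for the double hop Jim describes: if the request arrived
    // over NTLM, the browser user's token cannot be forwarded to the file
    // server, whatever the share ACLs say. Only Kerberos with delegation
    // (web server account trusted for delegation, SPNs registered) yields a
    // delegation-level token. ImpersonationLevel needs .NET 2.0 or later.
    public static string DescribeCallerToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        bool canHop = id.AuthenticationType == "Kerberos"
                      && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        return id.Name + " (" + id.AuthenticationType + ", "
               + id.ImpersonationLevel + "): second hop "
               + (canHop ? "possible" : "NOT possible");
    }
}
```

    A page handler would call
    `ShareWriter.WriteAsAccount("CONTOSO", "svc-sharewriter", pwd, @"\\fileserver\drop\result.txt", result)`
    with `pwd` decrypted just before the call and discarded afterwards. Keep
    the service account out of Administrators (constraint 4): the only rights
    it needs are write access on the target folder and, for the interactive
    logon type shown, "Allow log on locally" on the web server. If the
    requirement is instead that the share sees the *browser user's* identity,
    `DescribeCallerToken()` should report Kerberos at Delegation level; if it
    reports NTLM, the second hop will fail no matter how the code is written.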

  3. #3

    Re: Access network resources from ASP.NET

    THANK YOU JIM!!!

    I looked for it (306158 INFO) for a long long time ... I love you!

    Alessandro


  4. #4

    Re: Access network resources from ASP.NET

    Alessandro,

    Thanks for the sentiment. Glad to have resolved your issue. :)

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET
    [email]jamescheonline.microsoft.com[/email]

    This post is provided as-is with no warranties and confers no rights.

