Dima Semensky #1
Access network resources from ASP.NET
Hi!
After extensive research of this topic, I'm still not sure what the
"official" way to do it is.
Task:
1. User submits some request to ASP.NET application and the app should
write the result to a network share.
2. Integrated Authentication must be used
3. No open passwords are allowed to be specified in any config files
4. Can't assign special domain user as Local Administrator
Problem:
With default setup, it is not possible due to security reasons.
Related topics:
- impersonation
- machine.config - processModel.userName
- IUSR_MACHINE user
- delegation
Here is where I'm stuck: I'd like to use impersonation like this:
<identity impersonate="true" userName="Bob" password="pwd" />
but this topic explains that it's not possible:
[url]http://groups.google.com/groups?q=impersonate+Logon+failure:+unknown+user+name+or+bad+password.++group:microsoft.public.dotnet.*&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.dotnet.*&selm=uzT4T%23%23wCHA.2680%40TK2MSFTNGP09&rnum=1[/url]
Any ideas?
Dima Semenskyy.
Dima Semensky Guest
-
Jim Cheshire [MSFT] #2
RE: Access network resources from ASP.NET
Dima,
What you are doing is possible. What Mitch is talking about in his post is
delegation of credentials. Essentially, this means that if you are
browsing the site and using your credentials sent by the browser, those
same credentials cannot be used to access another resource on a machine
remote to the Web server. In that scenario, the Web server is delegating
your credentials, and such is prevented when using NTLM authentication. If
all of the boxes are using Windows 2000 or later, you can use Kerberos and
delegation to get around that.
However, what you really want to do is impersonate this user just to run a
certain section of code and to write to the network resource. In that
case, code-level impersonation using PInvoke to call LogonUser is the
perfect solution.
Here is an article that explains how to do that:
306158 INFO: Implementing Impersonation in an ASP.NET Application
[url]http://support.microsoft.com/?id=306158[/url]
Jim Cheshire [MSFT]
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]
This post is provided as-is with no warranties and confers no rights.
--------------------
>From: "Dima Semensky" <dsemen@bellsouth.net>
>Subject: Access network resources from ASP.NET
>Date: Thu, 23 Oct 2003 10:55:28 -0400
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Jim Cheshire [MSFT] Guest
-
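The code-level impersonation described in the reply above, as an added example that is not taken from the thread or from KB 306158: the thread switches identity only around the single write to the share and reverts afterwards. `ShareWriter`, `WriteAs` and its parameters are hypothetical names; the example assumes .NET Framework 2.0 or later and leaves the source of the password (a protected store rather than a config file) to the caller.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: scoped impersonation around one write to a UNC path.
public static class ShareWriter
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // All arguments come from the caller (assumption): the password is read
    // from a protected store at call time, never from web.config.
    // On Windows 2000 the worker process needs SE_TCB_NAME to call LogonUser.
    public static void WriteAs(string user, string domain, string password,
                               string uncPath, string contents)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                // Only this block runs as the impersonated account.
                File.WriteAllText(uncPath, contents);
            } // Dispose() reverts the thread to the worker-process identity.
        }
        finally
        {
            // WindowsIdentity duplicated the handle; release the original.
            CloseHandle(token);
        }
    }
}
```

Grant the impersonated account write access to the target folder only, so a fault inside the impersonated block cannot reach anything else on the share.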
AlKa #3
Re: Access network resources from ASP.NET
THANK YOU JIM!!!
I looked for it (306158 INFO) for a long long time ... I love you!
Alessandro
AlKa Guest
-
Jim Cheshire [MSFT] #4
Re: Access network resources from ASP.NET
Alessandro,
Thanks for the sentiment. Glad to have resolved your issue. :)
Jim Cheshire [MSFT]
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]
This post is provided as-is with no warranties and confers no rights.
--------------------
>From: "AlKa" <me@office>
>Subject: Re: Access network resources from ASP.NET
>Date: Sun, 9 Nov 2003 00:29:10 +0100
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Jim Cheshire [MSFT] Guest

