Alan Chen #1
ASP.NET security and RSA SecurID
Hi,
I have a dll that wraps RSA SecurID package. It works great if I call
the api from a Console app. But SD_Check() always failed (Access
denied even if I passed in correct user id and passcode) every time
when I call the api from a web service or a web app. I suspect that
web.config or IIS need to be modified but don't know how.
Any suggestions? Thanks.
Alan Chen Guest
-
Joe Kaplan (MVP - ADSI) #2
Re: ASP.NET security and RSA SecurID
What if you change the processModel or App Pool ID to a more privileged
account such as an administrator or SYSTEM? It could be that it is trying
to access a file or registry key that requires a more privileged account
than what ASP.NET is running under.
Regmon or Filemon from SysInternals is often very helpful at tracking this
kind of thing down. Running the console app under a regular user account
might be good too.
I'd love to see your code if you'd be interested in sharing. I've got ACE
servers out the wazoo here!
HTH,
Joe K.
"Alan Chen" <liqiang_chen@hotmail.com> wrote in message
news:4cdf263f.0409151519.560a0af7@posting.google.com...
> Hi,
> I have a dll that wraps RSA SecurID package. It works great if I call
> the api from a Console app. But SD_Check() always failed (Access
> denied even if I passed in correct user id and passcode) every time
> when I call the api from a web service or a web app. I suspect that
> web.config or IIS need to be modified but don't know how.
> Any suggestions? Thanks.
Joe Kaplan (MVP - ADSI) Guest
-
Alan Chen #3
Re: ASP.NET security and RSA SecurID
Joe,
Thanks for your reply.
You are right, and it is a nice tool you suggested. I used Regmon and found the
difference as follows:
10:07:52 AM aspnet_wp.exe:1104 OpenKey HKLM\SOFTWARE\SDTI\ACECLIENT ACCDENIED
9:59:47 AM ConsoleApplicat:3696 OpenKey HKLM\SOFTWARE\SDTI\ACECLIENT SUCCESS
The first item is from the web app and the second is from the console app.
For a quick experiment, I just gave the ASPNET user Admin privilege
temporarily and the web app passed the check!
I will probably use impersonation to get a more elegant solution.
For your reference, I got most of the code from here:
http://groups.google.com/groups?q=sd_check&hl=en&lr=&ie=UTF-8&selm=%235yFTrV7DHA.1428%40TK2MSFTNGP12.phx.gbl&rnum=1
I made it a DLL and referenced it in both the console and web apps. The test I
used is very simple:
    private void Button1_Click(object sender, System.EventArgs e)
    {
        // Read the user ID and passcode from the form.
        string userName = TextBox1.Text;
        string passcode = TextBox2.Text;
        // Call the wrapper DLL and show the returned status code.
        int status = Authentication.VerifySecurID(userName, passcode);
        TextBox3.Text = status.ToString();
    }
Alan Chen Guest
-
Dominick Baier #4
Re: ASP.NET security and RSA SecurID
just give the ASPNET account read/write access to the registry key - avoid impersonation whenever possible...
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<u9zGYiBnEHA.2372@TK2MSFTNGP10.phx.gbl>
Dominick Baier Guest
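
The suggestion in reply #4, sketched as an added example (not code from any poster in this thread): grant the worker-process account access to the one key Regmon reported as ACCDENIED, rather than leaving it in Administrators. The function name, the `MACHINE\ASPNET` account form and the `ReadKey, WriteKey` mask (taken from "read/write" in the reply) are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: least-privilege ACL on the key from the Regmon trace.
function Grant-AceClientKeyAccess {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Key shown as ACCDENIED for aspnet_wp.exe in the thread.
        [string]$KeyPath = 'HKLM:\SOFTWARE\SDTI\ACECLIENT',
        # Assumption: the local ASPNET worker-process account.
        [string]$Account = "$env:COMPUTERNAME\ASPNET",
        # Assumption: "read/write" from the reply; narrow to ReadKey if a
        # Regmon trace of a successful login shows no writes to the key.
        [System.Security.AccessControl.RegistryRights]$Rights = 'ReadKey, WriteKey'
    )

    $acl = Get-Acl -Path $KeyPath

    # Idempotent: do nothing if an allow entry already covers these rights.
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $Rights) -eq $Rights
    }
    if ($existing) { return $acl }

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($KeyPath, "Grant $Rights to $Account")) {
        Set-Acl -Path $KeyPath -AclObject $acl
    }
    Get-Acl -Path $KeyPath
}

# Show what the account ends up with on the key.
(Grant-AceClientKeyAccess).Access |
    Where-Object { $_.IdentityReference.Value -like '*\ASPNET' } |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited

# The quick experiment in post #3 put ASPNET in Administrators; this should
# return nothing once that membership is removed (needs PowerShell 5.1+).
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like '*\ASPNET' }
```

Calling the function with `-WhatIf` prints the intended change without writing the ACL.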




