impersonate/delegate problem

Jerry · Jerry

Ok.. so I've read and seen lot of messages and MSDN docs concerning the
above issue.. how do I get it to work?
I want to impersonate the current user accessing my website...
so I turn on the site directory security to NOT allow anonymous but turn ON
integrated windows authentication.
Then I change the web.config to allow impersonate = "true".

So far so good.. this setting will allow me to run the request process from
the user to the webserver under the current users identity...

Now that same process needs to access some network resources..specifically
see if some windows services are running on network servers... so I need to
"delegate" the current users identity to the ASPNET...

but I thought the impersonate="true" would do that but I guess it doesn't..
It looks like the impersonate is only for the process b/w the client and
webserver.

seeing how we are running Win2000 servers and desktops.. and using Active
Directory..
what more do I need to get delegate to work?

I want to be able to use the user's identity for the delegate..

I've tried setting a valid username and password in the webconfig but I
don't want to use that.. since it opens up the
id/pwd to everyone in the development group..

Do I have to turn on the property for the webserver to support delegate in
the AD?

Thanks,
Jerry

Jerry · Jerry

Also, the machines involved are all Win2000 running Active Directory...
The client machine is Win2000Pro. The servers are all Win2000 servers.
-jerry

"Jerry" <jerryy@solutionbuildersinc.com> wrote in message
news:O3BwlNUXDHA.1640@TK2MSFTNGP10.phx.gbl...

> I've been trying to do what you suggest for #2 but that does not work..
> Simply setting the <impersonate="true"/> in the web.config and allowing

for

> windows auth. does not work.
>
> Using computer A connect to website on computer B (web server) and try
> to see the status of a windows service on computer C on the same network
> can not be done by what you suggest as solution #2.
>
> Although from what I've read from MS doc.. you should be able to but

not...

>
> Jerry
>
> "Aadil Abbas" <maa49@cornell.edu> wrote in message
> news:uX$4HpPXDHA.2328@TK2MSFTNGP12.phx.gbl...

> > There can be two things:
> > 1. You can create an assembly to programmatically impersonate the part

of

> > your application's code that is accessing Network Resources. Make sure

to

> > encrypt the assembly, so that it cannot be disassembled easily. You can
> > distribute this assembly to the development team.
> >
> > 2. If your application clients are domain users and already have access

to

> > Network Resources, then you can access the Network Resources using their
> > impersonated thread, which would just require <impersonate = "true"/>.

> This

> > way you can control access to the Network by changing privileges on

Active

> > Directory (A fine-grained control).
> >
> > Thanks
> > Aadil
> >
> > 1. If your ASPNET application is being accessed on an intranet, and you

> have

> > all its users already added in Active Directory, then you can grant

access

> > to these users on the network resources through Active Directory and

they

> > should be able to access the Network Resources depending on their

rights.

> > The impersonated thread in ASP.NET itself inherits all user rights,

> because

> > its running as the user, however if you spawn a process from this thread
> > using Process.Start(), then this new process won't inherit the user's
> > security context and would instead run as ASPNET or Network Service

user.

> >
> > 2. You can alternatively, make an assmebly If you wan't to access

Network

> > Resources
> >
> > "Jerry" <jerryy@solutionbuildersinc.com> wrote in message
> > news:ePdAEzOXDHA.2424@TK2MSFTNGP12.phx.gbl...

> > > Ok.. so I've read and seen lot of messages and MSDN docs concerning

the

> > > above issue.. how do I get it to work?
> > > I want to impersonate the current user accessing my website...
> > > so I turn on the site directory security to NOT allow anonymous but

turn

> > ON

> > > integrated windows authentication.
> > > Then I change the web.config to allow impersonate = "true".
> > >
> > > So far so good.. this setting will allow me to run the request process

> > from

> > > the user to the webserver under the current users identity...
> > >
> > > Now that same process needs to access some network

> resources..specifically

> > > see if some windows services are running on network servers... so I

> need

> > to

> > > "delegate" the current users identity to the ASPNET...
> > >
> > > but I thought the impersonate="true" would do that but I guess it

> > doesn't..

> > > It looks like the impersonate is only for the process b/w the client

and

> > > webserver.
> > >
> > > seeing how we are running Win2000 servers and desktops.. and using

> Active

> > > Directory..
> > > what more do I need to get delegate to work?
> > >
> > > I want to be able to use the user's identity for the delegate..
> > >
> > > I've tried setting a valid username and password in the webconfig but

I

> > > don't want to use that.. since it opens up the
> > > id/pwd to everyone in the development group..
> > >
> > > Do I have to turn on the property for the webserver to support

delegate

> in

> > > the AD?
> > >
> > >
> > > Thanks,
> > > Jerry
> > >
> > >
> > >

> >
> >

>
>

Steffen Krause · Steffen Krause

Is the "trust this computer for delegation" checkbox checked for all
servers?

Regards,
Steffen

On Fri, 8 Aug 2003 08:08:52 -0400, "Jerry"
<jerryy@solutionbuildersinc.com> wrote:

>Also, the machines involved are all Win2000 running Active Directory...
>The client machine is Win2000Pro. The servers are all Win2000 servers.
>-jerry

Jerry · Jerry

NO, they are not.. in fact that is my question..
In AD, does "trust this computer to delegate" must be checked to have
delegation work across
the network?

-jerry

"Steffen Krause" <skrause@vertex.de> wrote in message
news:jg87jvo5njjdpfl9pd6h2obo5e4v4dj2ke@4ax.com...

> Is the "trust this computer for delegation" checkbox checked for all
> servers?
>
> Regards,
> Steffen
>
> On Fri, 8 Aug 2003 08:08:52 -0400, "Jerry"
> <jerryy@solutionbuildersinc.com> wrote:
>

> >Also, the machines involved are all Win2000 running Active Directory...
> >The client machine is Win2000Pro. The servers are all Win2000 servers.
> >-jerry

>
>

Steffen Krause · Steffen Krause

Yes. This is one of the (many) requirements.

Regards,
Steffen

On Fri, 8 Aug 2003 09:53:02 -0400, "Jerry"
<jerryy@solutionbuildersinc.com> wrote:

>NO, they are not.. in fact that is my question..
>In AD, does "trust this computer to delegate" must be checked to have
>delegation work across
>the network?
>
>-jerry
>
>
>"Steffen Krause" <skrause@vertex.de> wrote in message
>news:jg87jvo5njjdpfl9pd6h2obo5e4v4dj2ke@4ax.com.. .

>> Is the "trust this computer for delegation" checkbox checked for all
>> servers?
>>
>> Regards,
>> Steffen
>>
>> On Fri, 8 Aug 2003 08:08:52 -0400, "Jerry"
>> <jerryy@solutionbuildersinc.com> wrote:
>>

>> >Also, the machines involved are all Win2000 running Active Directory...
>> >The client machine is Win2000Pro. The servers are all Win2000 servers.
>> >-jerry

>>
>>

>

Rich · Rich

Not sure if you found the answer to this question, but
that's exactly what we had to do(enable delegation on the
webserver from within AD users and computers) to pass the
original callers identity to our remote resource. Our
network folks are looking into the cons of allowing this
on our production network. They don't want to create a
possible security risk. I'm trying to find out more info
about the potential risks of turning this on.

>-----Original Message-----
>Ok.. so I've read and seen lot of messages and MSDN docs

concerning the

>above issue.. how do I get it to work?
>I want to impersonate the current user accessing my

website...

>so I turn on the site directory security to NOT allow

anonymous but turn ON

>integrated windows authentication.
>Then I change the web.config to allow impersonate

= "true".

>
>So far so good.. this setting will allow me to run the

request process from

>the user to the webserver under the current users

identity...

>
>Now that same process needs to access some network

resources..specifically

>see if some windows services are running on network

servers... so I need to

>"delegate" the current users identity to the ASPNET...
>
>but I thought the impersonate="true" would do that but I

guess it doesn't..

>It looks like the impersonate is only for the process b/w

the client and

>webserver.
>
>seeing how we are running Win2000 servers and desktops..

and using Active

>Directory..
>what more do I need to get delegate to work?
>
>I want to be able to use the user's identity for the

delegate..

>
>I've tried setting a valid username and password in the

webconfig but I

>don't want to use that.. since it opens up the
>id/pwd to everyone in the development group..
>
>Do I have to turn on the property for the webserver to

support delegate in

>the AD?
>
>
>Thanks,
>Jerry
>
>
>
>.
>

Jerry · Jerry

Thanks Rich..

I did get it to work once that was turned on..
Without that feature, you don't have delegation so I'm not sure if you have
a choice...

"Rich" <reedr@saccounty.net> wrote in message
news:0d2201c365e1$710cd820$a001280a@phx.gbl...

> Not sure if you found the answer to this question, but
> that's exactly what we had to do(enable delegation on the
> webserver from within AD users and computers) to pass the
> original callers identity to our remote resource. Our
> network folks are looking into the cons of allowing this
> on our production network. They don't want to create a
> possible security risk. I'm trying to find out more info
> about the potential risks of turning this on.
>

> >-----Original Message-----
> >Ok.. so I've read and seen lot of messages and MSDN docs

> concerning the

> >above issue.. how do I get it to work?
> >I want to impersonate the current user accessing my

> website...

> >so I turn on the site directory security to NOT allow

> anonymous but turn ON

> >integrated windows authentication.
> >Then I change the web.config to allow impersonate

> = "true".

> >
> >So far so good.. this setting will allow me to run the

> request process from

> >the user to the webserver under the current users

> identity...

> >
> >Now that same process needs to access some network

> resources..specifically

> >see if some windows services are running on network

> servers... so I need to

> >"delegate" the current users identity to the ASPNET...
> >
> >but I thought the impersonate="true" would do that but I

> guess it doesn't..

> >It looks like the impersonate is only for the process b/w

> the client and

> >webserver.
> >
> >seeing how we are running Win2000 servers and desktops..

> and using Active

> >Directory..
> >what more do I need to get delegate to work?
> >
> >I want to be able to use the user's identity for the

> delegate..

> >
> >I've tried setting a valid username and password in the

> webconfig but I

> >don't want to use that.. since it opens up the
> >id/pwd to everyone in the development group..
> >
> >Do I have to turn on the property for the webserver to

> support delegate in

> >the AD?
> >
> >
> >Thanks,
> >Jerry
> >
> >
> >
> >.
> >

impersonate/delegate problem

Thread Tools

Display

impersonate/delegate problem

Similar Questions and Discussions

OneWay and Impersonate problem

impersonate problem

ASP.NET Webservice Impersonate problem

DirectoryEntry Impersonate or WindowsIdentity Impersonate?

Problem with refresh after delegate event fires. c# and asp.net.

Re: impersonate/delegate problem

Re: impersonate/delegate problem

Re: impersonate/delegate problem

Re: impersonate/delegate problem

impersonate/delegate problem

Re: impersonate/delegate problem

Posting Permissions