
impersonate/delegate problem - ASP.NET Security


  1. #1

    impersonate/delegate problem

    Ok.. so I've read and seen a lot of messages and MSDN docs concerning the
    above issue.. how do I get it to work?
    I want to impersonate the current user accessing my website...
    so I turn on the site directory security to NOT allow anonymous but turn ON
    integrated windows authentication.
    Then I change the web.config to allow impersonate = "true".

    So far so good.. this setting will allow me to run the request process from
    the user to the webserver under the current user's identity...

    Now that same process needs to access some network resources..specifically
    see if some windows services are running on network servers... so I need to
    "delegate" the current users identity to the ASPNET...

    but I thought the impersonate="true" would do that but I guess it doesn't..
    It looks like the impersonate is only for the process b/w the client and
    webserver.

    seeing how we are running Win2000 servers and desktops.. and using Active
    Directory..
    what more do I need to get delegate to work?

    I want to be able to use the user's identity for the delegate..

    I've tried setting a valid username and password in the webconfig but I
    don't want to use that.. since it opens up the
    id/pwd to everyone in the development group..

    Do I have to turn on the property for the webserver to support delegate in
    the AD?


    Thanks,
    Jerry



    Jerry Guest

  2. #2

    Re: impersonate/delegate problem

    Also, the machines involved are all Win2000 running Active Directory...
    The client machine is Win2000Pro. The servers are all Win2000 servers.
    -jerry


    "Jerry" <jerryysolutionbuildersinc.com> wrote in message
    news:O3BwlNUXDHA.1640TK2MSFTNGP10.phx.gbl...
    > I've been trying to do what you suggest for #2 but that does not work..
    > Simply setting the <impersonate="true"/> in the web.config and allowing for
    > windows auth. does not work.
    >
    > Using computer A connect to website on computer B (web server) and try
    > to see the status of a windows service on computer C on the same network
    > can not be done by what you suggest as solution #2.
    >
    > Although from what I've read from MS doc.. you should be able to but not...
    >
    > Jerry
    >
    > "Aadil Abbas" <maa49cornell.edu> wrote in message
    > news:uX$4HpPXDHA.2328TK2MSFTNGP12.phx.gbl...
    > > There can be two things:
    > > 1. You can create an assembly to programmatically impersonate the part of
    > > your application's code that is accessing Network Resources. Make sure to
    > > encrypt the assembly, so that it cannot be disassembled easily. You can
    > > distribute this assembly to the development team.
    > >
    > > 2. If your application clients are domain users and already have access to
    > > Network Resources, then you can access the Network Resources using their
    > > impersonated thread, which would just require <impersonate = "true"/>. This
    > > way you can control access to the Network by changing privileges on Active
    > > Directory (A fine-grained control).
    > >
    > > Thanks
    > > Aadil
    > >
    > > 1. If your ASPNET application is being accessed on an intranet, and you have
    > > all its users already added in Active Directory, then you can grant access
    > > to these users on the network resources through Active Directory and they
    > > should be able to access the Network Resources depending on their rights.
    > > The impersonated thread in ASP.NET itself inherits all user rights, because
    > > it's running as the user, however if you spawn a process from this thread
    > > using Process.Start(), then this new process won't inherit the user's
    > > security context and would instead run as ASPNET or Network Service user.
    > >
    > > 2. You can alternatively, make an assembly If you want to access Network
    > > Resources

    Jerry Guest

  3. #3

    Re: impersonate/delegate problem

    Is the "trust this computer for delegation" checkbox checked for all
    servers?

    Regards,
    Steffen

    On Fri, 8 Aug 2003 08:08:52 -0400, "Jerry"
    <jerryysolutionbuildersinc.com> wrote:
    >Also, the machines involved are all Win2000 running Active Directory...
    >The client machine is Win2000Pro. The servers are all Win2000 servers.
    >-jerry

    Steffen Krause Guest

  4. #4

    Re: impersonate/delegate problem

    NO, they are not.. in fact that is my question..
    In AD, must "trust this computer to delegate" be checked to have
    delegation work across the network?

    -jerry


    "Steffen Krause" <skrausevertex.de> wrote in message
    news:jg87jvo5njjdpfl9pd6h2obo5e4v4dj2ke4ax.com...
    > Is the "trust this computer for delegation" checkbox checked for all
    > servers?
    >
    > Regards,
    > Steffen
    >
    > On Fri, 8 Aug 2003 08:08:52 -0400, "Jerry"
    > <jerryysolutionbuildersinc.com> wrote:
    >
    > >Also, the machines involved are all Win2000 running Active Directory...
    > >The client machine is Win2000Pro. The servers are all Win2000 servers.
    > >-jerry
    >
    >

    Jerry Guest

  5. #5

    Re: impersonate/delegate problem

    Yes. This is one of the (many) requirements.

    Regards,
    Steffen


    On Fri, 8 Aug 2003 09:53:02 -0400, "Jerry"
    <jerryysolutionbuildersinc.com> wrote:
    >NO, they are not.. in fact that is my question..
    >In AD, does "trust this computer to delegate" must be checked to have
    >delegation work across
    >the network?
    >
    >-jerry
    >
    >
    >"Steffen Krause" <skrausevertex.de> wrote in message
    >news:jg87jvo5njjdpfl9pd6h2obo5e4v4dj2ke4ax.com.. .
    >> Is the "trust this computer for delegation" checkbox checked for all
    >> servers?
    >>
    >> Regards,
    >> Steffen
    >>
    >> On Fri, 8 Aug 2003 08:08:52 -0400, "Jerry"
    >> <jerryysolutionbuildersinc.com> wrote:
    >>
    >> >Also, the machines involved are all Win2000 running Active Directory...
    >> >The client machine is Win2000Pro. The servers are all Win2000 servers.
    >> >-jerry
    >>
    >>
    >
    Steffen Krause Guest

  6. #6

    impersonate/delegate problem

    Not sure if you found the answer to this question, but
    that's exactly what we had to do (enable delegation on the
    webserver from within AD users and computers) to pass the
    original caller's identity to our remote resource. Our
    network folks are looking into the cons of allowing this
    on our production network. They don't want to create a
    possible security risk. I'm trying to find out more info
    about the potential risks of turning this on.
    Rich Guest
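
Added example (not part of any poster's message): the "trust this computer for delegation" checkbox discussed in posts #3 to #6 sets the TRUSTED_FOR_DELEGATION bit (0x80000) in the computer account's userAccountControl attribute, so a host with it set can forward the identity of any user who authenticates to it unless that user is marked "sensitive and cannot be delegated". The sketch below inventories that exposure from an account export; the account names and the `is_privileged` marking are constructed assumptions.

```python
# Added example: audit the effect of "Trust this computer for delegation".
# Flag values are the documented Active Directory userAccountControl bits.
TRUSTED_FOR_DELEGATION = 0x80000   # set by the delegation checkbox
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account

# Constructed sample export: (name, userAccountControl, is_privileged).
# is_privileged is hypothetical: the auditor's own marking of admin accounts.
SAMPLE_ACCOUNTS = [
    ("WEBSRV-B$", 0x1000 | 0x80000, False),  # web server, checkbox ticked
    ("APPSRV-C$", "4096", False),            # back-end server, not trusted
    ("DC01$", 0x2000 | 0x80000, False),      # DC, trusted by default
    ("admin.alice", 0x200, True),            # privileged user, delegable
    ("admin.bob", 0x200 | 0x100000, True),   # privileged user, marked sensitive
    ("jerry", 0x200, False),                 # ordinary user
]

def parse_uac(value):
    """Accept userAccountControl as an int or a decimal/hex string."""
    return value if isinstance(value, int) else int(str(value).strip(), 0)

def audit_delegation(accounts):
    """Return (non-DC hosts trusted for delegation, privileged accounts
    that are not protected by the NOT_DELEGATED flag)."""
    trusted_hosts, exposed_admins = [], []
    for name, raw_uac, privileged in accounts:
        uac = parse_uac(raw_uac)
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            trusted_hosts.append(name)
        if privileged and not uac & NOT_DELEGATED:
            exposed_admins.append(name)
    return trusted_hosts, exposed_admins

def report(accounts):
    """Build the audit summary as a list of text lines."""
    hosts, admins = audit_delegation(accounts)
    lines = ["trusted for delegation (non-DC): " + (", ".join(hosts) or "none")]
    if hosts and admins:
        lines.append("privileged accounts these hosts could act as: "
                     + ", ".join(admins))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACCOUNTS)))
```
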

  7. #7

    Re: impersonate/delegate problem

    Thanks Rich..

    I did get it to work once that was turned on..
    Without that feature, you don't have delegation so I'm not sure if you have
    a choice...


    "Rich" <reedrsaccounty.net> wrote in message
    news:0d2201c365e1$710cd820$a001280aphx.gbl...
    > Not sure if you found the answer to this question, but
    > that's exactly what we had to do(enable delegation on the
    > webserver from within AD users and computers) to pass the
    > original callers identity to our remote resource. Our
    > network folks are looking into the cons of allowing this
    > on our production network. They don't want to create a
    > possible security risk. I'm trying to find out more info
    > about the potential risks of turning this on.

    Jerry Guest
