szhang #1
Impersonation problem.
When I enable impersonation in web.config and show User identity in .aspx
page, it is the user IIS authenticates. But when I try to access Sql server,
I get an access denied error message. It looks like asp.net does not
impersonate it at sql server side. I can impersonate a specific user in
web.config without problem. Is this a bug or by design? I need to give users
permissions based on their Windows login and I have a lot of users, but they
are not going to access these web pages at the same time.
szhang Guest
-
Brock Allen #2
Re: Impersonation problem.
It sounds like you have the "network hop" authentication issue. If you're
authenticating from machine A to machine B (without passing a password across
the network, so think SSPI), then machine B tries to use those same credentials
to go to machine C, then it will fail unless you've configured your user
in AD to have the password stored with reversible encryption. Most security
experts think that's ridiculous as that's not secure. Thus you need to design
your app around this inherent problem.
-Brock
DevelopMentor
http://staff.develop.com/ballen
> When I enable impersonation in web.config and show User identity in
> .aspx page, it is the user IIS authenticates. But when I try to access
> Sql server, I get an access denied error message. It looks like
> asp.net does not impersonate it at sql server side. I can impersonate
> a specific user in web.config without problem. Is this a bug or by
> design? I need to give users permissions based on their Windows login
> and I have a lot of users, but they are not going to access these web
> pages at the same time.
>
Brock Allen Guest
-
Joe Kaplan (MVP - ADSI) #3
Re: Impersonation problem.
Agreed.
The canonical solution to the double hop problem is to implement Kerberos
delegation. There are many references on this newsgroup and on Microsoft's
sites that you can search for.
Joe K.
"Brock Allen" <ballen@NOSPAMdevelop.com> wrote in message
news:294593632476972024608624@msnews.microsoft.com ...
> It sounds like you have the "network hop" authentication issue. If you're
> authenticating from machine A to machine B (without passing a password
> across the network, so think SSPI), then machine B tries to use those same
> credentials to go to machine C, then it will fail unless you've configured
> your user in AD to have the password stored with reversible encryption.
> Most security experts think that's ridiculous as that's not secure. Thus
> you need to design your app around this inherent problem.
>
> -Brock
> DevelopMentor
> http://staff.develop.com/ballen
>
>
>> When I enable impersonation in web.config and show User identity in
>> .aspx page, it is the user IIS authenticates. But when I try to access
>> Sql server, I get an access denied error message. It looks like
>> asp.net does not impersonate it at sql server side. I can impersonate
>> a specific user in web.config without problem. Is this a bug or by
>> design? I need to give users permissions based on their Windows login
>> and I have a lot of users, but they are not going to access these web
>> pages at the same time.
>>
>
>
Joe Kaplan (MVP - ADSI) Guest
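A diagnostic for the "network hop" failure Brock Allen describes and the delegation fix Joe Kaplan names, added here as an example and not code posted by anyone in the thread. `DoubleHopCheck`, `Classify` and `Describe` are hypothetical names; the caller is assumed to pass the request's authentication type (for example `Page.User.Identity.AuthenticationType`).

```csharp
using System;
using System.Security.Principal;

// Added diagnostic (not from the thread). DoubleHopCheck is a hypothetical name.
public static class DoubleHopCheck
{
    // authType: how IIS authenticated the request, as supplied by the caller
    // level:    impersonation level of the token the thread is running under
    public static string Classify(string authType, TokenImpersonationLevel level)
    {
        if (level == TokenImpersonationLevel.Delegation)
            return "OK: delegation token, can be forwarded to machine C";
        if (level == TokenImpersonationLevel.None)
            return "NOT IMPERSONATING: machine C sees the worker process account";
        if (level != TokenImpersonationLevel.Impersonation)
            return "BLOCKED: identification/anonymous token cannot act as the user";

        // Impersonation level: whether a second hop works depends on whether
        // machine B ever held the user's password.
        bool integrated =
            string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(authType, "Negotiate", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(authType, "Kerberos", StringComparison.OrdinalIgnoreCase);
        return integrated
            ? "DOUBLE HOP: token is valid on machine B only; machine C gets no user credentials"
            : "NOT INTEGRATED AUTH: if machine B logged the account on with a password "
              + "(Basic, fixed identity in web.config), one more hop is possible";
    }

    // Call from a page while <identity impersonate="true" /> is active.
    public static string Describe(string authType)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name + " | " + authType + " | " + id.ImpersonationLevel
                 + " | " + Classify(authType, id.ImpersonationLevel);
        }
    }
}
```

Writing the `Describe` result to the page next to the SQL Server error shows whether the failing request is running under an integrated-authentication token at impersonation level, which is the case the replies above describe.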
-
Paul Clement #4
Re: Impersonation problem.
On Tue, 29 Mar 2005 07:29:08 -0800, szhang <szhang@discussions.microsoft.com> wrote:
¤ When I enable impersonation in web.config and show User identity in .aspx
¤ page, it is the user IIS authenticates. But when I try to access Sql server,
¤ I get an access denied error message. It looks like asp.net does not
¤ impersonate it at sql server side. I can impersonate a specific user in
¤ web.config without problem. Is this a bug or by design? I need to give users
¤ permissions based on their Windows login and I have a lot of users, but they
¤ are not going to access these web pages at the same time.
Is your SQL Server set up for integrated security and is it specified in your connection string?
Paul
~~~~
Microsoft MVP (Visual Basic)
Paul Clement Guest
-
szhang #5
Re: Impersonation problem.
Thanks for your replies.
Here is my real problem. Our existing asp pages use windows authentication
and have no problem accessing sql server. All stored procedures use
is_member() function to determine user's permission. It will be too much to
rewrite all those stored procedures. Most users are computer illiterate and
all applications are on intranet, so security is not a big issue. The new web
server is on W2k3. The old one is on W2k and the PDC is still on a NT box.
What is the easiest way to get around this problem?
"Joe Kaplan (MVP - ADSI)" wrote:
> Agreed.
>
> The canonical solution to the double hop problem is to implement Kerberos
> delegation. There are many references on this newsgroup and on Microsoft's
> sites that you can search for.
>
> Joe K.
>
> "Brock Allen" <ballen@NOSPAMdevelop.com> wrote in message
> news:294593632476972024608624@msnews.microsoft.com ...
> > It sounds like you have the "network hop" authentication issue. If you're
> > authenticating from machine A to machine B (without passing a password
> > across the network, so think SSPI), then machine B tries to use those same
> > credentials to go to machine C, then it will fail unless you've configured
> > your user in AD to have the password stored with reversible encryption.
> > Most security experts think that's ridiculous as that's not secure. Thus
> > you need to design your app around this inherent problem.
> >
> > -Brock
> > DevelopMentor
> > http://staff.develop.com/ballen
> >
> >
> >> When I enable impersonation in web.config and show User identity in
> >> .aspx page, it is the user IIS authenticates. But when I try to access
> >> Sql server, I get an access denied error message. It looks like
> >> asp.net does not impersonate it at sql server side. I can impersonate
> >> a specific user in web.config without problem. Is this a bug or by
> >> design? I need to give users permissions based on their Windows login
> >> and I have a lot of users, but they are not going to access these web
> >> pages at the same time.
> >>
> >
> >
>
>
szhang Guest
-
Joe Kaplan (MVP - ADSI) #6
Re: Impersonation problem.
Ah, if you are using an NT4 domain controller, then Kerberos delegation is
right out as that requires AD.
Just out of curiosity, in the instance where access to SQL works, is SQL
server on the same box as the web server?
Joe K.
"szhang" <szhang@discussions.microsoft.com> wrote in message
news:58DEBED9-2793-46A8-818D-8CCE94EFB0A9@microsoft.com...
> Thanks for your replies.
>
> Here is my real problem. Our existing asp pages use windows authentication
> and have no problem accessing sql server. All stored procedures use
> is_member() function to determine user's permission. It will be too much
> to
> rewrite all those stored procedures. Most users are computer illiterate
> and
> all applications are on intranet, so security is not a big issue. The new
> web
> server is on W2k3. The old one is on W2k and the PDC is still on a NT box.
> What is the easiest way to get around this problem?
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>> Agreed.
>>
>> The canonical solution to the double hop problem is to implement Kerberos
>> delegation. There are many references on this newsgroup and on
>> Microsoft's
>> sites that you can search for.
>>
>> Joe K.
>>
>> "Brock Allen" <ballen@NOSPAMdevelop.com> wrote in message
>> news:294593632476972024608624@msnews.microsoft.com ...
>> > It sounds like you have the "network hop" authentication issue. If
>> > you're
>> > authenticating from machine A to machine B (without passing a password
>> > across the network, so think SSPI), then machine B tries to use those
>> > same
>> > credentials to go to machine C, then it will fail unless you've
>> > configured
>> > your user in AD to have the password stored with reversible encryption.
>> > Most security experts think that's ridiculous as that's not secure.
>> > Thus
>> > you need to design your app around this inherent problem.
>> >
>> > -Brock
>> > DevelopMentor
>> > http://staff.develop.com/ballen
>> >
>> >
>> >
>> >> When I enable impersonation in web.config and show User identity in
>> >> .aspx page, it is the user IIS authenticates. But when I try to access
>> >> Sql server, I get an access denied error message. It looks like
>> >> asp.net does not impersonate it at sql server side. I can impersonate
>> >> a specific user in web.config without problem. Is this a bug or by
>> >> design? I need to give users permissions based on their Windows login
>> >> and I have a lot of users, but they are not going to access these web
>> >> pages at the same time.
>> >>
>> >
>> >
>> >
>>
>>
Joe Kaplan (MVP - ADSI) Guest




