-
kh #1
Intranet security
Hi. I'm designing an intranet application in a heterogeneous MS environment (XP, W2K Server, SQL Server 2K). The perfect security scenario for me is described in the Patterns & Practices guide entitled "Building Secure ASP.NET Applications". In the "Intranet Security" chapter [1] the text describes the "ASP.NET to SQL Server" architecture and recommends that impersonation be switched off and the machine.config file be amended to supply a known password for the ASPNET account. We use Windows authentication throughout.
However, the application is one of several on the machine so editing machine.config is not an option. It is an essential requirement for me to be able to determine the user's identity when making changes to the database for audit purposes. How should I proceed?
Many thanks
kh
[1] [url]http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch05.asp[/url]
kh Guest
-
Joe Kaplan (MVP - ADSI) #2
Re: Intranet security
The easiest thing to do would be to switch to Win2K3 server. With that, you
can easily set up an App Pool identity that is a domain account that can be
used to connect to SQL Server. Then, you would just make sure that only
apps that need to use that identity use that App Pool.
This is harder to deal with in Win2K. The other supported way to do this is
to have your ASP.NET application impersonate a known domain identity so that
it will be used to connect to SQL, but unfortunately Win2K requires SYSTEM
level permissions to impersonate a specific user (this is because the
LogonUser API requires the "Act as part of the operating system" privilege on
Win2K to be called), so you'd need to change your ASP.NET processModel from
Machine to System to get that, which is a big security risk.
Another option is to do all of your SQL access through a COM+ component that
you configure with a known domain identity.
The other easy option is to give up on SSPI access to SQL and use a SQL
login. Then, be careful with your connection string.
HTH,
Joe K.
"kh" <kh@discussions.microsoft.com> wrote in message
news:23E85C78-D1E3-4F69-B926-465C9C778E0D@microsoft.com...
> Hi. I'm designing an intranet application in a heterogeneous MS
> environment (XP, W2K Server, SQL Server 2K). The perfect security scenario
> for me is described in the Patterns & Practices guide entitled "Building
> Secure ASP.NET Applications". In the "Intranet Security" chapter [1] the
> text describes the "ASP.NET to SQL Server" architecture and recommends that
> impersonation be switched off and the machine.config file be amended to
> supply a known password for the ASPNET account. We use Windows
> authentication throughout.
>
> However, the application is one of several on the machine so editing
> machine.config is not an option. It is an essential requirement for me to be
> able to determine the user's identity when making changes to the database
> for audit purposes. How should I proceed?
>
> Many thanks
>
> kh
>
> [1] [url]http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch05.asp[/url]
Joe Kaplan (MVP - ADSI) Guest
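The trusted-subsystem shape Joe outlines, worked as an added example (not code from the thread or from the MSDN guide kh cites): the ASP.NET process connects to SQL Server as one known identity with impersonation off, and the authenticated user's name is passed to the database explicitly so the audit trail still records who made the change. The appSettings key, the stored procedure name and its parameters are hypothetical.

```vbnet
' Added example (not from the thread): trusted-subsystem access to SQL Server.
' ASP.NET connects as one fixed process identity; the audited user is passed
' explicitly. Hypothetical: appSettings key "PurchaseOrderDb" and stored
' procedure dbo.usp_UpdatePurchaseOrder(@POId, @Status, @ChangedBy).
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web

Public Class PurchaseOrderData

    ' Take the caller's account from the authenticated request context, never
    ' from a form field or query string, which the browser could tamper with.
    Public Shared Function AuditIdentity(ByVal context As HttpContext) As String
        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated _
           OrElse Not (TypeOf context.User.Identity Is WindowsIdentity) Then
            Throw New UnauthorizedAccessException("Windows-authenticated caller required.")
        End If
        Return context.User.Identity.Name  ' e.g. DOMAIN\jsmith
    End Function

    Public Shared Sub UpdateStatus(ByVal context As HttpContext, _
                                   ByVal poId As Integer, ByVal status As String)
        ' With Integrated Security the process account (ASPNET, or the app-pool
        ' account on Win2K3) authenticates via SSPI, so no password sits in code.
        ' If a SQL login is used instead, keep the string in a protected config
        ' file, never in page source.
        Dim connString As String = ConfigurationSettings.AppSettings("PurchaseOrderDb")
        Dim changedBy As String = AuditIdentity(context)

        Dim conn As New SqlConnection(connString)
        Dim cmd As New SqlCommand("dbo.usp_UpdatePurchaseOrder", conn)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.Add("@POId", SqlDbType.Int).Value = poId
        cmd.Parameters.Add("@Status", SqlDbType.NVarChar, 20).Value = status
        ' The procedure writes @ChangedBy to its audit row; grant the service
        ' account EXECUTE on the procedure only, not direct access to the tables.
        cmd.Parameters.Add("@ChangedBy", SqlDbType.NVarChar, 128).Value = changedBy
        Try
            conn.Open()
            cmd.ExecuteNonQuery()
        Finally
            conn.Close()
        End Try
    End Sub
End Class
```

Because the user name comes from the server-side request context and the service account can only execute the procedure, the recorded identity cannot be forged by the browser and the fixed process identity never needs a password in machine.config.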
-
Richard #3
Intranet Security
I'm building an Intranet Web app to track our company's purchase orders. I
would like to have the employees use the app without being prompted for a
user name and pw, hoping to catch their identities from their Windows account.
Since it's an Intranet app, I'm using Windows authentication, and denying
anonymous access.
Here are the web.config settings for authentication and authorization:
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
        <deny users="?" /> <!-- Deny anonymous (unauthenticated) users -->
    </authorization>
In my Page_load event, I am able to get the user's identity once he logs in
to the app, and then I pass that identity to a SQL Server db to retrieve
other info about the employee.
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) _
            Handles MyBase.Load
        If Not Page.IsPostBack Then
            Dim wp As WindowsPrincipal
            If Page.User.Identity.IsAuthenticated AndAlso _
               TypeOf User.Identity Is WindowsIdentity Then
                Try
                    wp = DirectCast(Page.User, WindowsPrincipal)
                    Session("FullDomainName") = wp.Identity.Name
                    'Check for valid employee in SQL Server db.
                    If IsValidEmployee(Session("FullDomainName"), _
                                       Session("ConnectStringSQL")) Then
                        'Welcome the user.
                        lblUser.Text = "Welcome " & Session("FirstName") & " " & _
                                       Session("LastName") & "!"
                    End If
                Catch ex As Exception
                    lblError.Text = ex.Message
                    imbCreatePO.Visible = False
                    imbTrackPO.Visible = False
                    imbApprovePO.Visible = False
                End Try
            End If
        End If
    End Sub
What am I missing that is causing the app to display the prompt for a user
name and password? Shouldn't it recognize that the employee is already logged
in to Windows?
Richard Guest
-
Patrick Olurotimi Ige #4
Re: Intranet Security
Richard, when are you getting the PROMPT??
Are you redirecting them to another page in another domain or something..
Please elaborate.. or have you solved it..
Patrick
Patrick Olurotimi Ige Guest
-
Richard #5
Re: Intranet Security
Hi Patrick, I'm getting the prompt immediately before the page displays. I'm
not redirecting.
"Patrick Olurotimi Ige" wrote:
> Richard, when are you getting the PROMPT??
> Are you redirecting them to another page in another domain or something..
> Please elaborate.. or have you solved it..
> Patrick
Richard Guest