Intranet security - ASP.NET Security

  1. #1

    Default Intranet security

    Hi. I'm designing an intranet application in a heterogeneous MS environment (XP, W2K Server, SQL Server 2K). The perfect security scenario for me is described in the Patterns & Practices guide entitled "Building Secure ASP.NET Applications". In the "Intranet Security" chapter [1] the text describes the "ASP.NET to SQL Server" architecture and recommends that impersonation be switched off and the machine.config file be amended to supply a known password for the ASPNET account. We use windows authentication throughout.

    However, the application is one of several on the machine so editing machine.config is not an option. It is an essential requirement for me to be able to determine the user's identity when making changes to the database for audit purposes. How should I proceed?

    Many thanks

    kh

    [1] http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch05.asp
    kh Guest

  2. #2

    Default Re: Intranet security

    The easiest thing to do would be to switch to Win2K3 server. With that, you
    can easily set up an App Pool identity that is a domain account that can be
    used to connect to SQL Server. Then, you would just make sure that only
    apps that need to use that identity use that App Pool.

    This is harder to deal with in Win2K. The other supported way to do this is
    to have your ASP.NET application impersonate a known domain identity so that
    will be used to connect to SQL, but unfortunately, Win2K requires SYSTEM
    level permissions to impersonate a specific user (this is because the
    LogonUser API requires Act as part of the operating system privileges on
    Win2K to be called), so you'd need to change your ASP.NET processModel from
    Machine to System to get that, which is a big security risk.

    Another option is to do all of your SQL access through a COM+ component that
    you configure with a known domain identity.

    The other easy option is to give up on SSPI access to SQL and use a SQL
    login. Then, be careful with your connection string.

    HTH,

    Joe K.

    "kh" <khdiscussions.microsoft.com> wrote in message
    news:23E85C78-D1E3-4F69-B926-465C9C778E0Dmicrosoft.com...
    > Hi. I'm designing an intranet application in a heterogeneous MS
    environment (XP, W2K Server, SQL Server 2K). The perfect security scenario
    for me is described in the Patterns & Practices guide entitled "Building
    Secure ASP.NET Applications". In the "Intranet Security" chapter [1] the
    text describes the "ASP.NET to SQL Server" architecture and recommends that
    impersonation be switched off and the machine.config file be amended to
    supply a known password for the ASPNET account. We use windows
    authentication throughout.
    >
    > However, the application is one of several on the machine so editing
    machine.config is not an option. It is an essential requirement for me to be
    able to determine the user's identity when making changes to the database
    for audit purposes. How should I proceed?
    >
    > Many thanks
    >
    > kh
    >
    > [1] http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch05.asp

    Joe Kaplan (MVP - ADSI) Guest
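    kh's requirement (knowing which Windows user made a change, for auditing) and Joe's advice (connect to SQL Server as one fixed identity rather than impersonating each caller) are both met by the trusted-subsystem pattern from the Patterns & Practices guide cited above: the connection is opened with the ASP.NET process or App Pool identity over Integrated Security, and the original caller's account name is written into the audit row as a query parameter. The following VB.NET class is an added example, not code from the thread; the audit table dbo.PurchaseOrderAudit, its columns, and the appSettings key ConnectStringSQL are assumptions.

```vbnet
' Added example (not from the thread): trusted-subsystem data access.
' The connection runs as the ASP.NET process / App Pool identity via
' Integrated Security, so <identity impersonate="true"> is not needed;
' the caller's Windows account is recorded as a parameter instead.
' Table and column names, and the appSettings key, are assumed.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web

Public Class PurchaseOrderAudit

    ' Returns the caller's Windows account (DOMAIN\user), or Nothing when the
    ' request was not Windows-authenticated. An audit row must never be
    ' written for an anonymous caller, so callers check for Nothing.
    Public Shared Function GetCallerName(ByVal context As HttpContext) As String
        Dim identity As IIdentity = context.User.Identity
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then
            Return Nothing
        End If
        ' Only a WindowsIdentity carries a name IIS actually verified.
        If Not TypeOf identity Is WindowsIdentity Then
            Return Nothing
        End If
        Return identity.Name
    End Function

    ' Records one purchase-order change. The connection string (assumed to live
    ' in appSettings as "ConnectStringSQL") uses Integrated Security, so SQL
    ' Server sees the process identity; the user's name travels as a parameter.
    ' Parameters also keep the account name out of the SQL text.
    Public Shared Sub RecordChange(ByVal context As HttpContext, _
                                   ByVal poNumber As Integer, _
                                   ByVal action As String)
        Dim caller As String = GetCallerName(context)
        If caller Is Nothing Then
            Throw New UnauthorizedAccessException( _
                "Audit requires a Windows-authenticated caller.")
        End If

        Dim connectString As String = _
            System.Configuration.ConfigurationSettings.AppSettings("ConnectStringSQL")

        Dim conn As New SqlConnection(connectString)
        Dim cmd As New SqlCommand( _
            "INSERT INTO dbo.PurchaseOrderAudit (PONumber, Action, ChangedBy, ChangedAt) " & _
            "VALUES (@PONumber, @Action, @ChangedBy, GETUTCDATE())", conn)
        cmd.Parameters.Add("@PONumber", SqlDbType.Int).Value = poNumber
        cmd.Parameters.Add("@Action", SqlDbType.NVarChar, 50).Value = action
        cmd.Parameters.Add("@ChangedBy", SqlDbType.NVarChar, 256).Value = caller

        Try
            conn.Open()
            cmd.ExecuteNonQuery()
        Finally
            ' Always return the connection to the pool, even on error.
            conn.Close()
        End Try
    End Sub

End Class
```

    Because SQL Server only ever sees the one process identity, that login can be granted just the rights the application needs, and the audit column records who the caller was without the per-user impersonation (and the W2K "Act as part of the operating system" problem) Joe describes.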

  3. #3

    Default Intranet Security

    I'm building an Intranet Web app to track our company's purchase orders. I
    would like to have the employees use the app without being prompted for a
    user name and pw, hoping to catch their identities from their Windows account.

    Since it's an Intranet app, I'm using Windows authentication, and denying
    anonymous access.
    Here are the web.config settings for authentication and authorization:
    <authentication mode="Windows" />
    <identity impersonate="true"/>
    <authorization>
        <deny users="?" /> <!-- Deny anonymous (unauthenticated) users -->
    </authorization>

    In my Page_load event, I am able to get the user's identity once he logs in
    to the app, and then I pass that identity to a SQL Server db to retrieve
    other info about the employee.

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load

        If Not Page.IsPostBack Then
            Dim wp As WindowsPrincipal
            'Only proceed when IIS has authenticated the caller with a Windows account.
            If Page.User.Identity.IsAuthenticated AndAlso TypeOf User.Identity Is WindowsIdentity Then

                Try
                    wp = DirectCast(Page.User, WindowsPrincipal)
                    Session("FullDomainName") = wp.Identity.Name

                    'Check for valid employee in SQL Server db.
                    If IsValidEmployee(Session("FullDomainName"), Session("ConnectStringSQL")) Then
                        'Welcome the user.
                        lblUser.Text = "Welcome " & Session("FirstName") & " " & Session("LastName") & "!"
                    End If

                Catch ex As Exception
                    lblError.Text = ex.Message
                    imbCreatePO.Visible = False
                    imbTrackPO.Visible = False
                    imbApprovePO.Visible = False
                End Try

            End If
        End If
    End Sub

    What am I missing that is causing the app to display the prompt for a user
    name and password? Shouldn't it recognize that the employee is already logged
    in to Windows?


    Richard Guest

  4. #4

    Default Re: Intranet Security

    Richard when are u getting the PROMPT??
    Are u redirecting them to another page in another domain or something..
    Pls elaborate..or have u solved it..
    Patrick



    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
    Patrick Olurotimi Ige Guest

  5. #5

    Default Re: Intranet Security

    Hi Patrick, I'm getting the prompt immediately before the page displays. I'm
    not redirecting.

    "Patrick Olurotimi Ige" wrote:
    > Richard when are u getting the PROMPT??
    > Are u redirecting them to another page in another domain or something..
    > Pls elaborate..or have u solved it..
    > Patrick
    >
    >
    >
    > *** Sent via Developersdex http://www.developersdex.com ***
    > Don't just participate in USENET...get rewarded for it!
    >
    Richard Guest
