-
John Boghossian #1
Security problems when running code from different machine
Hi there,
On my development machine I have a virtual root which requires integrated
security and doesn't allow anonymous access, and in my web.config I have
<identity impersonate="true" />.
In here I have a small web app that requests an OU list from AD and presents
it in a grid.
When I run it from my development machine by requesting
http://machine/vroot/page.aspx it works, but when I run it from another
machine's IE and open the page by entering http://machine/vroot/page.aspx
the result is empty.
There is NO runtime error going on, because I have debugged the code and
directorysearcher.findall just returns an empty result.
Any ideas?
John Boghossian Guest
-
John Boghossian #2
Re: Security problems when running code from different machine
Actually I have come a bit closer to the problem, but I am not sure what
solution I should implement.
As you indicated, there is a problem with authority for the remote client to
run the code. When I tested, the remote user was logged on with the same
account as I use to run it locally. When debugging the code I found that
when the request came from the user requesting the page via localhost its
System.Security.Principal.WindowsIdentity.AuthenticationType is Negotiate,
and when the code is run from a remote client the AuthenticationType is
NTLM.
So as a temporary solution I switch user in code by calling LogonUser in
"advapi32.dll".
I have attached the file clsad.txt which contains the code in question. In
the function createdatatable you will see the call to findall and the
temporary user switching.
"Lewis Wang [MSFT]" <v-lwang@online.microsoft.com> wrote in message
news:DLQ1DtraDHA.1608@cpmsftngxa06.phx.gbl...
> Hi John,
>
> The webmethod "directorysearcher.findall" may not be able to be accessed
> from a remote machine. Please open the webservice using IE from another
> machine, and click the "findall" method. Does the webservice give you any
> information like: "The test form is only available for requests from the
> local machine"? Please let me know if I misunderstood your concern, thanks.
>
> To resolve this problem, you may add the following lines in web.config:
>
> <configuration>
>   ...
>   <system.web>
>     ...
>     <webServices>
>       <protocols>
>         <add name="HttpSoap"/>
>         <add name="HttpPost"/>
>         <add name="HttpGet"/>
>         <add name="Documentation"/>
>       </protocols>
>     </webServices>
>   </system.web>
> </configuration>
>
> The following is an article for your reference.
> Configuration Options for XML Web Services Created Using ASP.NET
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconconfigurationoptionsforaspnetwebservices.asp
>
> Hope this helps.
>
> Best regards,
> Lewis
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | From: "John Boghossian" <john.boghossian@investorab.com>
> | Subject: Security problems when running code from different machine
> | Date: Fri, 22 Aug 2003 14:26:08 +0200
> | Lines: 19
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> | Message-ID: <ulnUPiKaDHA.2572@TK2MSFTNGP12.phx.gbl>
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | NNTP-Posting-Host: 212.209.235.35
> | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> | Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security: 6397
> | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
John Boghossian Guest
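The LogonUser workaround John describes in the post above, written out as an added example (this is not the clsad.txt attachment, which is not on the page): a helper that logs on an explicit account through advapi32 LogonUser, impersonates it around one unit of work, and always reverts and closes the token handle. The domain, account and password are whatever the caller passes in; the class name and the `Work` delegate are assumptions. Two things the post leaves implicit matter in practice: the logon type (LOGON32_LOGON_NEW_CREDENTIALS keeps the worker process's own local identity and uses the supplied credentials only for outbound network authentication such as the LDAP bind, and needs no "Log on locally" right on the web server), and the password has to be read from protected configuration rather than written into source. The trade-off of this approach is that every request then reads AD as the one fixed account, so AD no longer applies per-user authorization to the browser user.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the clsad.txt attachment from the thread.
// Works on .NET Framework 1.1 and later; logon type 9 needs Windows 2000 or later.
public sealed class LogonUserImpersonator
{
    // LOGON32_LOGON_NEW_CREDENTIALS (9): keeps the worker process's local identity
    // but presents the supplied credentials for outbound network authentication
    // (the LDAP bind to the domain controller included). Unlike
    // LOGON32_LOGON_INTERACTIVE (2) it does not require the account to hold the
    // "Log on locally" right on the web server.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // The unit of work to run under the other account (a named delegate type,
    // because System.Action does not exist on .NET 1.1).
    public delegate object Work();

    public static object RunAs(string domain, string user, string password, Work work)
    {
        IntPtr token = IntPtr.Zero;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
        {
            // Surface the real Win32 reason (account locked, bad parameters, ...)
            // instead of silently continuing as the original caller.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate();
            try
            {
                return work();
            }
            finally
            {
                // Revert even if work() throws; otherwise the worker thread keeps
                // running as the service account for whatever request comes next.
                ctx.Undo();
            }
        }
        finally
        {
            // WindowsIdentity duplicates the token; the caller still owns this handle.
            CloseHandle(token);
        }
    }

    // Usage from the page's createdatatable (C# 2.0 anonymous delegate syntax; on
    // .NET 1.1 pass a named method). Account and config key are illustrative:
    //
    // string pwd = ConfigurationSettings.AppSettings["ouReaderPassword"];
    // SearchResultCollection rs = (SearchResultCollection)LogonUserImpersonator.RunAs(
    //     "CORP", "svc-ouread", pwd, delegate { return searcher.FindAll(); });
}
```

One caveat on this logon type: a NEW_CREDENTIALS logon does not verify the password against the domain when LogonUser is called, so a wrong password does not fail here but on the first network call made under the impersonation, which is worth remembering when the symptom is again an empty result rather than an exception.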
-
Lewis Wang [MSFT] #3
Re: Security problems when running code from different machine
Hi John,
Thanks for your posting. I am checking this issue, and will get back to you
with my findings.
Best regards,
Lewis
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "John Boghossian" <john.boghossian@investorab.com>
| References: <ulnUPiKaDHA.2572@TK2MSFTNGP12.phx.gbl>
<DLQ1DtraDHA.1608@cpmsftngxa06.phx.gbl>
| Subject: Re: Security problems when running code from different machine
| Date: Fri, 29 Aug 2003 08:34:04 +0200
| Lines: 275
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <O#dKNefbDHA.3360@tk2msftngp13.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: 212.209.235.35
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security: 6464
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
Lewis Wang [MSFT] Guest
-
Lewis Wang [MSFT] #4
Re: Security problems when running code from different machine
Hi John,
I am very sorry for the late reply.
The Active Directory (AD) relies on the security mechanism of the Windows
2000 server. To access most information in the AD, you must provide
credentials to the Windows 2000 server when requesting the AD information.
The credentials you provide must be in a primary token, which just means
that the IIS server has a password (not just a hash of the password) to
pass to the AD.
Double-Hop Issue
The double-hop issue is when the ASPX page tries to use resources that are
located on a server that is different from the IIS server. In our case, the
first "hop" is from the web browser client to the IIS ASPX page; the second
hop is to the AD. The AD requires a primary token. Therefore, the IIS
server must know the password for the client to pass a primary token to the
AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS
account credentials are used. This account is not a domain account and has
very limited access to the AD.
The double-hop using a secondary token occurs, for example, when the
browser client is authenticated to the IIS ASPX page by using NTLM
authentication. In this example, the IIS server has a hashed version of the
password as a result of using NTLM. If IIS turns around and passes the
credentials to the AD, IIS is passing a hashed password. The AD cannot
verify the password and, instead, authenticates by using the
NTAUTHORITY\ANONYMOUS LOGON.
On the other hand, if your browser client is authenticated to the IIS ASPX
page by using Basic authentication, the IIS server has the client password
and can make a primary token to pass to the AD. The AD can verify the
password and does authenticate as the domain user.
For more information, you may check the following links.
329986 HOW TO: Use the System.DirectoryServices Namespace in ASP.NET
http://support.microsoft.com/?id=329986
323459 INFO: Using System.DirectoryServices in ASP.NET
http://support.microsoft.com/?id=323459
Hope this helps.
Best regards,
Lewis
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "John Boghossian" <john.boghossian@investorab.com>
| References: <ulnUPiKaDHA.2572@TK2MSFTNGP12.phx.gbl>
<DLQ1DtraDHA.1608@cpmsftngxa06.phx.gbl>
<O#dKNefbDHA.3360@tk2msftngp13.phx.gbl>
<N55znihbDHA.2164@cpmsftngxa06.phx.gbl>
| Subject: Re: Security problems when running code from different machine
| Date: Mon, 1 Sep 2003 10:18:08 +0200
| Lines: 161
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <OdN9YGGcDHA.2688@TK2MSFTNGP11.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: 212.209.235.35
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security: 6479
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Looking forward to see if you find any solution for this.
|
| Regards
| Johnny
Lewis Wang [MSFT] Guest
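An added example (not code from the thread or from the KB articles Lewis cites) that puts the double-hop explanation above into something you can run in the page, assuming .NET Framework 2.0 or later for WindowsIdentity.ImpersonationLevel and a reference to System.DirectoryServices.dll. The first two methods report which token the request is actually executing under: a remote browser authenticating with NTLM shows up as an Impersonation-level token, and only a Delegation-level token can be presented to a second server such as the domain controller, which is the check to make before blaming the LDAP query. The third method runs the OU search with explicit service-account credentials handed to DirectoryEntry, so the LDAP bind no longer depends on the browser's token at all and no P/Invoke is needed. The LDAP path, account and password are parameters the caller supplies; the class and method names are mine.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not code from the thread. .NET Framework 2.0 or later.
public sealed class OuLister
{
    // Diagnostic for the symptom in the thread: which token is this request using?
    // With <identity impersonate="true" /> this is the browser user's token.
    public static string DescribeCurrentToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return String.Format("{0} authenticated via {1}, token level {2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // An Impersonation-level token (the NTLM case) is good for local resources only;
    // a second hop to the domain controller needs a Delegation-level token, which
    // Kerberos provides when the web server is trusted for delegation.
    public static bool CurrentTokenCanReachAnotherServer()
    {
        return WindowsIdentity.GetCurrent().ImpersonationLevel
               == TokenImpersonationLevel.Delegation;
    }

    // Run the OU search as an explicit, low-privilege, read-only service account.
    // Passing credentials to DirectoryEntry makes the bind independent of the
    // caller's token. Secure = SSPI (Negotiate) bind with those credentials;
    // Sealing encrypts the LDAP traffic. AuthenticationTypes.None would be a
    // simple bind that sends the password in clear, so it is not used here.
    public static string[] ListOrganizationalUnits(string ldapPath, string user, string password)
    {
        using (DirectoryEntry root = new DirectoryEntry(ldapPath, user, password,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(objectCategory=organizationalUnit)";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");
            // Without paging the DC silently truncates at its MaxPageSize
            // (1000 by default): another way to get a short result with no exception.
            searcher.PageSize = 500;

            // SearchResultCollection holds unmanaged resources; dispose it.
            using (SearchResultCollection results = searcher.FindAll())
            {
                string[] ous = new string[results.Count];
                for (int i = 0; i < results.Count; i++)
                {
                    ous[i] = (string)results[i].Properties["distinguishedName"][0];
                }
                return ous;
            }
        }
    }

    // Illustrative call from the page; path, account and config key are assumptions:
    //
    // string[] ous = OuLister.ListOrganizationalUnits("LDAP://DC=corp,DC=example",
    //     "CORP\\svc-ouread", ConfigurationManager.AppSettings["ouReaderPassword"]);
}
```

Behaviour worth knowing when reading the result: with explicit credentials a wrong password throws a COMException on the first use of the entry rather than returning nothing, whereas the anonymous fallback Lewis describes is exactly what produces a silent empty result. Two caveats on the alternatives he lists: Basic authentication does give IIS the password and hence a primary token, but the browser sends that password base64-encoded on every request, so it is only acceptable over HTTPS; and if the application needs AD to see the real browser user rather than a shared service account, the fix is Kerberos (Negotiate from the remote client, which requires a service principal name for the IIS host) with the web server trusted for delegation to the directory, which yields the Delegation-level token the check above looks for.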


