
.NET Forum / ASP.NET / Security / July 2004


Impersonation in asp.net

Samuel Shum - 14 Jul 2004 05:27 GMT
Hello, I have a problem with impersonation in ASP.NET: I've developed some
components which can create user accounts on the web server. The asp files
residing on the server will call these components to do the job BUT the
"aspnet" (asp.net worker process account) doesn't have enough privilege to
do so... (as the components are called in the context of this "low
privilege" account). I understand that .Net framework has something called
"impersonation" which can run the worker process in the context of some
"higher" account (in this case, accounts under administrators group). The
problem seems to be solved with this approach but now the problem is that
the "impersonated" account, which is the "admin" account's name and
password, is stored in "cleartext" in the web.config file which poses a
serious security issue... A solution solving this is to store the username
and password in the registry and encrypt them... however, the debugger
returns an error that the "password" entry cannot be read from the registry...
even though I did give the permission "read" to the worker process... so how can
this be resolved? Or is this the right way to do this kind of job?

Thanks in advance.

Samuel
Mark Duregon - 14 Jul 2004 06:33 GMT
Use the DPAPI or one of the .NET encryption methods to encrypt the information in the web.config file.  Information on this topic is in the Building Secure ASP.NET practices paper http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true


> Hello, I have a problem on the impersonation in asp.net: I've developed some
> components which can create user accounts on the web server. The asp files
[quoted text clipped - 16 lines]
>
> Samuel
Samuel Shum - 14 Jul 2004 07:53 GMT
Thanks Mark for the information, sorry if my query misled you. I'd done the
encryption part: the username and password are encrypted and stored in the
registry with the tool "aspnet_setreg"
(http://support.microsoft.com/default.aspx?scid=kb;en-us;329290) and those
can be retrieved by stating the following entry in the web.config file:

   <identity impersonate="true"
       userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
       password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />

I follow the procedures exactly but the browser returns the following error:
***
Configuration Error
Description: An error occurred during the processing of a configuration file
required to service this request. Please review the specific error details
below and modify your configuration file appropriately.

Parser Error Message: Error reading the password from the registry.

Source Error:

Line 83:     <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
Line 84:
Line 85:     <identity impersonate="true" userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName" password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
Line 86:     </system.web>

Source File: c:\inetpub\wwwroot\Encryption\web.config    Line: 85

--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573
***

  I'd given the "aspnet" account the permission to read the entries, just
don't know what the error exactly means.

Samuel
Stephen Shirley, MCSD .NET - 27 Jul 2004 21:45 GMT
Possible Solution:  I have wrestled with this one also.  I finally got
it to work by giving the MachineName(change this)\ASPNET account
permissions to read the registry key ASPNET_SETREG directly, not the
Identity key.  Note, every time you run aspnet_setreg it will drop and
recreate the key, so you will have to add the permissions every time
you run it.  Hope this helps.

Stephen Shirley,
MCSD .NET

> Thanks Mark for the information, sorry if my query mislead you. I'd done the
> encryption part: the username and password are encrypted and stored in the
[quoted text clipped - 41 lines]
>
> Samuel
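
The permission fix described in the last reply, as an added example that is not part of the original thread: a PowerShell sketch that grants the worker account read access on the ASPNET_SETREG key itself and can be re-run after every aspnet_setreg run. The function name is hypothetical, the key path is the one from the thread's web.config, and it assumes an elevated PowerShell session on the web server with the default local ASPNET worker account.

```powershell
# Added example: Grant-SetRegRead is a hypothetical helper, not a Microsoft tool.
# Key path taken from the thread's web.config; account assumed to be the local ASPNET user.
function Grant-SetRegRead {
    param(
        [string]$KeyPath = 'HKLM:\Software\DummyApplication\Identity\ASPNET_SETREG',
        [string]$Account = "$env:COMPUTERNAME\ASPNET"
    )

    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl     = Get-Acl -Path $KeyPath

    # Is there already an explicit Allow entry with read rights for the account?
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    }

    if (-not $existing) {
        # Read-only, on this key only: no write rights and no inheritance flags.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Account,
            $readKey,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $KeyPath -AclObject $acl
    }

    # Return the resulting ACL so every identity able to read the stored,
    # encrypted credentials can be reviewed.
    (Get-Acl -Path $KeyPath).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# aspnet_setreg drops and recreates the key, so call this after each run of the tool.
Grant-SetRegRead | Format-Table -AutoSize
```

The returned table doubles as an audit: any identity listed with read rights beyond the worker account and administrators can reach the encrypted credential blob.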

©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.