.NET Forum / ASP.NET / Security / December 2005
Multiple Users with impersonation using one account

Jeff - 27 Dec 2005 20:27 GMT
Hi All,

I have several intranet applications that use impersonate=true and
anonymous turned off to allow me to check for certain network users to
use the application.  Works great.

However, some applications use resources such as the file system for
writing temporary files, or for opening files on other network servers.
I don't want to maintain all of the security for each user on each
resource.  Is there a way to specify "when opening this file, don't use
the credentials of who is logged in, use mydomain\joeuser instead?

Thanks,
Jeff
Dominick Baier [DevelopMentor] - 27 Dec 2005 20:40 GMT
Hi,

you don't need impersonation to check for user identity - Context.User.Identity.Name
is populated with the client's name

is there any other need for impersonation??

you can revert back to process identity by calling WindowsIdentity.Impersonate(IntPtr.Zero)
or use LogonUser to get a token for a different user that you can impersonate.
But this also requires the password.

Windows Server 2003 also offers Protocol Transition which allows you to get
a token without knowledge of the password.

But you should sort out first if impersonation is a requirement.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Jeff - 27 Dec 2005 21:06 GMT
Dominick,

Thanks for your great reply.  I removed the <identity impersonate='True'
/> and used your suggestion of Context.User.Identity.Name.  Works great.
I notice that the application is now acting as the user: NT
AUTHORITY\SYSTEM.

How can I give this user access to files on a different server?

Thanks!
Jeff

--
Sent via .NET Newsgroups
http://www.dotnetnewsgroups.com
Dominick Baier [DevelopMentor] - 27 Dec 2005 21:47 GMT
Hi,

what operating system are you using?

how did you figure out under which account the application is running - by
calling WindowsIdentity.GetCurrent().Name ?

Jeff - 27 Dec 2005 21:57 GMT
I am using Windows Server 2000, not sure which SP.  

The following line displays NT AUTHORITY\SYSTEM

Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent.Name)

Which I am assuming is the current user.  Yes, I do know what happens
when I assume!

Thanks,
Jeff

Dominick Baier [DevelopMentor] - 27 Dec 2005 22:23 GMT
Hi,

ok -

the client identity is in Context.User

WindowsIdentity.GetCurrent() gives you the account the process is running
under - this account is used for resource access when no impersonation is
enabled.

Any reason why you are running as SYSTEM?? This is generally not recommended
because this is a very highly privileged account - this is also not the default
for ASP.NET under Windows 2000 -

I guess you made changes to the processModel element in machine.config.

To be able to access resources on remote machines, you have several options:

a) configure your worker process to run under a specific account, this could
be a domain account or a local account, with a mirrored counterpart on the
remote machine
   this will affect all applications on the server
b) you can set impersonation in web.config for a fixed identity using <identity
impersonate="true" username="xx" password="xx" /> - this will only affect
the current application
c) you can impersonate programmatically by using LogonUser / WindowsIdentity.Impersonate

config vs. code

i would

a) lower the privileges of ASP.NET to the default (which is the ASPNET account)
- if possible
b) use programmatic impersonation when needed

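The two pieces Dominick names, put together as an added example (this is not code from the thread or from DevelopMentor): LogonUser plus WindowsIdentity.Impersonate for option (c) in the post above, scoped to the one file operation that needs the fixed account, and WindowsIdentity.Impersonate(IntPtr.Zero) from his first reply for dropping back to the process identity while <identity impersonate="true" /> is on. The client check still uses Context.User, as he suggested. The domain, the joeuser account, the ReportUsers group, the \\fileserver path and the appSettings key are assumptions for illustration, not anything from the thread.

```csharp
// Added example, not code from the thread: programmatic impersonation of a
// fixed domain account (Dominick's option c) limited to one file operation.
// Assumed names: MYDOMAIN\joeuser, group MYDOMAIN\ReportUsers, the
// \\fileserver share and the appSettings key "ReportAccountPassword".
using System;
using System.ComponentModel;
using System.Configuration;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Runs the calling thread as a fixed Windows account between construction
// and Dispose; use it in a using block so Undo() always happens.
public sealed class FixedIdentityScope : IDisposable
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // INTERACTIVE (2) gives a primary token usable for local and remote
    // access; the account then needs the "Log on locally" right on the web
    // server. NETWORK_CLEARTEXT (8) is the alternative when only remote
    // shares need the fixed account; plain NETWORK (3) cannot reach them.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    private IntPtr _token = IntPtr.Zero;
    private WindowsImpersonationContext _ctx;

    public FixedIdentityScope(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out _token))
        {
            // Typical failures: wrong password, missing logon right, or (on
            // Windows 2000 only) the worker process lacks SeTcbPrivilege.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            _ctx = new WindowsIdentity(_token).Impersonate();
        }
        catch
        {
            CloseHandle(_token);
            _token = IntPtr.Zero;
            throw;
        }
    }

    // Dominick's first tip: with <identity impersonate="true"/> on, this drops
    // back to the worker-process account until Undo() is called on the result.
    public static WindowsImpersonationContext RevertToProcess()
    {
        return WindowsIdentity.Impersonate(IntPtr.Zero);
    }

    public void Dispose()
    {
        if (_ctx != null) { _ctx.Undo(); _ctx = null; }   // restore previous identity
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}

public partial class ReportPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Authorization uses the browser client; no impersonation needed here.
        if (!Context.User.IsInRole(@"MYDOMAIN\ReportUsers"))
        {
            Response.StatusCode = 403;
            Response.End();
        }

        // Keep the secret out of the page. On ASP.NET 2.0 the section can be
        // encrypted in place: aspnet_regiis -pe "appSettings" -app "/YourApp"
        string password = ConfigurationManager.AppSettings["ReportAccountPassword"];

        string remote = @"\\fileserver\reports\template.xls";
        string local = Server.MapPath("~/App_Data/" +
            Context.User.Identity.Name.Replace('\\', '_') + ".xls");

        // Only this block runs as joeuser; before and after it the thread is
        // back to whatever identity ASP.NET gave the request.
        using (new FixedIdentityScope("MYDOMAIN", "joeuser", password))
        {
            File.Copy(remote, local, true);
        }

        Response.Write(HttpUtility.HtmlEncode("Copied for " + Context.User.Identity.Name));
    }
}
```

Whichever of (b) or (c) is used, the fixed account's password ends up in a configuration file on the web server: keep that file out of source control, restrict its NTFS permissions to the worker-process account, and on ASP.NET 2.0 encrypt the section that holds it with aspnet_regiis -pe. Scoping the impersonation to one using block, as above, also keeps the fixed account's rights from leaking into the rest of the request, and the same helper works unchanged if the worker process is later lowered from SYSTEM to the ASPNET account, except that on Windows 2000 LogonUser then requires the caller to hold SeTcbPrivilege.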
Dominick Baier [DevelopMentor] - 27 Dec 2005 23:06 GMT
Oh - I forgot another option - upgrade to Windows 2003 - IIS6 gives you multiple
worker processes which can all have distinct identities -

that's the feature you really need.

Jeff - 28 Dec 2005 17:03 GMT
Dominick,

That was great thanks.  I added the userName password section to the
identity tag, switched to using the Context to find the user and now I
can set permissions once.  Perfect!

I would love to upgrade to 2003, but that is out of my hands.

Thanks again Dominick!!

Jeff


©2008 Advenet LLC