.NET Forum / .NET Framework / Security / October 2005


Security issue with win integrated authentication

Eric - 20 Oct 2005 08:10 GMT
I set up an intranet application based on Windows integrated
authentication.

Windows integrated authentication is checked in IIS
and anonymous access is unchecked.

I have used impersonation in my web.config file:
<configuration>
  <system.web>
    <!-- run each request under the authenticated caller's Windows token -->
    <identity impersonate="true" />
    <authorization>
      <allow roles="mydomain\group_a" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

User A belongs to group_a but not to group_b.

group_b is a group that I have added to SQL Server in order to set
permissions on data.

I'm using a trusted connection to the SQL database through a
web service.

When I try to access the application in my browser with user A, as A
is a member of group_a, his access to the page is granted, but he can
also access data in the database although he doesn't belong to group_b,
which is configured in SQL Server to access data. This user A doesn't belong to
any other group and has no login in SQL either.

Why does this user have access to data although he neither has a login
nor belongs to any group that has access to SQL Server?

If we are using impersonation=true without any username and login
specified, it's normally the authenticated user's token that is used to
check access to SQL Server, or did I misunderstand the mechanism?

If someone could tell me what I did wrong, I would be very grateful.

Thanks in advance for any help.

Eric
Nicole Calinoiu - 21 Oct 2005 12:28 GMT
I'm not sure that I've understood your application architecture correctly.
Could you please confirm which of the following is in use:

(1)    browser -> web app -> web service -> SQL Server

OR

(2)    browser -> web app -> SQL Server

If it's #1, are both the web app and web service configured to use
impersonation?  If not, which is the one that is using impersonation?

>I setup a intranet application based on windows integrated
> authentication .
[quoted text clipped - 35 lines]
>
> Eric
Eric - 21 Oct 2005 18:48 GMT
Hi Nicole,

It's #1 and both web app and web service are using impersonation.

Nicole Calinoiu wrote:

> I'm not sure that I've understood your application architecture correctly.
> Could you please confirm which of the following is in use:
[quoted text clipped - 47 lines]
> >
> > Eric
Nicole Calinoiu - 24 Oct 2005 15:32 GMT
Your central problem is almost certainly a credentials double-hop issue,
with the caller credentials from either the web app and/or the web service
not being usable downstream at either the web service and/or the database.
If you're unfamiliar with the double-hop problem, you might want to take a
look at http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/ for
an introduction to the double hop issue and how to deal with it.  For a more
in-depth treatment of your various options for addressing the flow of caller
identity across the tiers of your web application, see
http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp.

If you've already tried to address the double-hop problem by configuring
delegation, have you verified the user context in the web service and
database in order to confirm that it is flowing through as expected?

> Hi Nicole,
>
> It's #1 and both web app and web service are using impersonation.
>
> Nicole Calinoiu wrote:
>
> > I'm not sure that I've understood your application architecture correctly.
> > Could you please confirm which of the following is in use:
[quoted text clipped - 47 lines]
> > >
> > > Eric
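As an added illustration of the check Nicole asks for (this code is not part of the thread and is neither Eric's nor Nicole's), the following C# records the Windows identity at each hop and asks SQL Server which login it actually sees. It assumes a .NET 2.0 web app and web service (WindowsIdentity.ImpersonationLevel is a .NET 2.0 property), a constructed connection string, and the group name mydomain\group_b taken from Eric's post; the HopIdentityCheck class and its method names are hypothetical.

```csharp
// Added diagnostic for the double-hop question above; not code from the thread.
using System;
using System.Data.SqlClient;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Services.Protocols;

public static class HopIdentityCheck   // hypothetical helper
{
    // Call once from the web app page and once inside the web service method,
    // then compare the two log lines: both should name user A if the caller's
    // identity flowed across the hop.
    public static string DescribeCurrentIdentity(string hop)
    {
        WindowsIdentity threadToken = WindowsIdentity.GetCurrent();

        string authenticatedCaller = "(no HttpContext)";
        if (HttpContext.Current != null && HttpContext.Current.User != null)
            authenticatedCaller = HttpContext.Current.User.Identity.Name;

        // ImpersonationLevel tells you whether this token can make another hop:
        // Impersonation = usable only on this machine, Delegation = may be
        // forwarded to a further server (requires Kerberos delegation setup).
        return String.Format("[{0}] thread token={1} level={2} authenticated caller={3}",
            hop, threadToken.Name, threadToken.ImpersonationLevel, authenticatedCaller);
    }

    // The web app must explicitly hand its current (impersonated) context to the
    // web service proxy; a proxy with no Credentials set sends no Windows credentials.
    public static void ForwardCallerCredentials(SoapHttpClientProtocol proxy)
    {
        proxy.Credentials = CredentialCache.DefaultCredentials;
    }

    // Ask SQL Server which login it authenticated and whether that login is a
    // member of group_b. The connection string is a constructed placeholder.
    public static string DescribeSqlLogin(string connectionString)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            conn.Open();
            // SUSER_SNAME(): login name of the connection; IS_MEMBER: 1 = member,
            // 0 = not a member, NULL = the group is not a valid group/login here.
            cmd.CommandText = @"SELECT SUSER_SNAME(), IS_MEMBER(N'mydomain\group_b')";
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                reader.Read();
                string login = reader.GetString(0);
                string membership = reader.IsDBNull(1)
                    ? "NULL (group_b is not a recognised login/group)"
                    : reader.GetInt32(1).ToString();
                return String.Format("SQL login={0} member of group_b={1}", login, membership);
            }
        }
    }
}

// Example usage inside the web service method (constructed connection string):
//   log.Write(HopIdentityCheck.DescribeCurrentIdentity("web service"));
//   log.Write(HopIdentityCheck.DescribeSqlLogin(
//       "Data Source=SQLHOST-PLACEHOLDER;Initial Catalog=DB-PLACEHOLDER;Integrated Security=SSPI"));
```

How to read the output: if the web service line names the worker process account or NT AUTHORITY\ANONYMOUS LOGON rather than user A, the caller's credentials did not survive the first hop. If SQL Server reports a login that is not user A (for example a machine or service account), then the data access is being authorized for that account and user A's lack of group_b membership is never evaluated, which is the symptom Eric describes.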
