.NET Forum / .NET Framework / Security / February 2006

Remote file access while impersonating with NTLM

Doug V - 23 Feb 2006 16:28 GMT
I have a client app that remotely connects to a service app via .NET Remoting
using NTLM (custom sinks that do SSPI for .NET 1.1).  The service reads some
files while impersonating the client.  Works great if the file is on the same
computer as the service.  A customer wants to move files to a remote computer,
but the read fails since NTLM cannot delegate.  The read appears to be done as
anonymous.  Is there any way to configure Windows (W2K, W2K3, or XP) to allow
the read to be done under the identity of the service instead of anonymous?
I'm looking for something my customer can do without any code changes from
me.  Everything is in a domain and the service runs as a domain user account.

Doug Van Vreede

Joe Kaplan (MVP - ADSI) - 23 Feb 2006 18:36 GMT
If you don't impersonate the client, then the file should be read with the
service account's network credentials.  If you do impersonate and you need
to delegate, then you need Kerberos delegation.

Joe K.

>I have a client app that remotely connects to a service app via .NET
>Remoting
[quoted text clipped - 11 lines]
> me.  Everything is in a domain and the service runs as a domain user
> account.
Narendra - 24 Feb 2006 12:20 GMT
As specified, "Everything is in a domain and the service runs as a domain user
account". A good point is to use delegation. It is also good practice.

> If you don't impersonate the client, then the file should be read with the
> service account's network credentials.  If you do impersonate and you need
[quoted text clipped - 17 lines]
> > me.  Everything is in a domain and the service runs as a domain user
> > account.
Doug V - 24 Feb 2006 14:16 GMT
I'm not actually asking for delegation of the client's credentials.  I'm
asking if it is possible to somehow adjust Windows security, without changing
code, and force the credentials of the service (not the client) to be used to
validate the file read.  I thought we had done this in testing, but can't
reproduce it now (maybe it was a dream?).  This is an existing installation
that the customer wants to modify.  Kerberos will be implemented in a future
release.

Doug Van Vreede

> As specified "Everything is in a domain and the service runs as a domain user
> account". Good point is to use delegation. Also it is a good practise.
[quoted text clipped - 4 lines]
> >
> > Joe K.
Joe Kaplan (MVP - ADSI) - 24 Feb 2006 14:51 GMT
Basically, the code should use the client's credentials if you are
impersonating them and the service's credentials if not.  I'm not aware of
any configuration change that will allow you to use the service's
credentials if you are impersonating.  I think that would require a code
change.

Someone else might have some other ideas though.

Joe K.

> I'm not actually asking for delegation of the client's credentials.  I'm
> asking if it is possible to somehow adjust Windows security, without
[quoted text clipped - 7 lines]
> future
> release.
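As an added illustration of the code change Joe describes (this is not code from the thread, from Doug's product, or from any library), the service can drop the client's impersonation for the duration of the remote read and then restore it. The thread explains why this is needed: the client's NTLM token is a network-logon token, so a UNC read made while impersonating reaches the file server as anonymous, whereas the service account's own credentials can be used for that hop. Reading the remote file as the client would instead require Kerberos delegation, which this example does not attempt. It assumes a .NET 1.1 or 2.0 service in which the SSPI sink has already produced a WindowsIdentity for the client; the class name RemoteFileReader, the method names, and any share path passed in are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Hypothetical service-side helper, added for illustration only.
public class RemoteFileReader
{
    // Reads a file while temporarily running as the service account.
    // Precondition: the calling thread is impersonating the remoting client
    // (the NTLM token produced by the SSPI sink). Such a token cannot be used
    // for a second network hop, so a UNC read made under it reaches the file
    // server as anonymous. Reverting to the process token for the duration of
    // the read makes the file server see the service account instead.
    public static string ReadAsServiceAccount(string uncPath)
    {
        string clientName = WindowsIdentity.GetCurrent().Name;

        // Impersonate(IntPtr.Zero) impersonates the process token, i.e. reverts
        // to self. The returned context puts the client impersonation back on Undo().
        WindowsImpersonationContext revertToSelf = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            string serviceName = WindowsIdentity.GetCurrent().Name;
            if (serviceName == clientName)
            {
                // Nothing changed: the thread was not impersonating at all, so the
                // read already uses the service's network credentials.
                Console.WriteLine("Not impersonating; reading as {0}", serviceName);
            }
            else
            {
                Console.WriteLine("Reverted from {0} to {1} for the remote read",
                                  clientName, serviceName);
            }

            using (StreamReader reader = new StreamReader(uncPath))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            // Restore the client's impersonation so the rest of the request
            // continues to run as the client.
            revertToSelf.Undo();
        }
    }

    // Example call site inside the remoting-exposed service method.
    // 'client' is the WindowsIdentity established by the SSPI sink (assumed).
    public static string HandleRequest(WindowsIdentity client, string uncPath)
    {
        // Impersonate the client for local work, as the existing service does.
        WindowsImpersonationContext asClient = client.Impersonate();
        try
        {
            // ... local file access here runs as the client ...

            // The remote read is the one place the service identity is required.
            return ReadAsServiceAccount(uncPath);
        }
        finally
        {
            asClient.Undo();
        }
    }
}
```

Scoping the revert to the single remote read keeps the rest of the request under the client's identity, so local ACL checks still apply to the caller; only the file on the remote share is opened with the service account's permissions, which is the behaviour Doug is asking for. The names printed before and after the revert are a quick way for a test team to confirm which identity actually performed the read.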
Dominick Baier [DevelopMentor] - 24 Feb 2006 23:37 GMT
If you are impersonating, you are impersonating - you had to write code to
do that - and you have to remove code to stop it - but maybe I am wrong....

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I'm not actually asking for delegation of the client's credentials.
> I'm asking if it is possible to somehow adjust Windows security,
[quoted text clipped - 14 lines]
>>>
>>> Joe K.
Doug V - 27 Feb 2006 14:01 GMT
That's what I thought too, but my test team claims (without any evidence of
course) that they saw it work the way I am trying to describe.

Doug Van Vreede

> if you are impersonating, you are impersonating - you had to write code to
> do that - and you have to remove code to stop it - but maybe i am wrong....
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com

©2008 Advenet LLC   Privacy Policy - Terms of Use