UsernameToken & LogonAsUser

Dominick Baier - 16 Sep 2004 08:42 GMT
what's in Context.User ??



---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

  nntp://news.microsoft.com/microsoft.public.dotnet.framework.webservices.enhancements/<uyQqG#zmEHA.3812@TK2MSFTNGP10.phx.gbl>

I've read in a number of articles that if you use a UsernameToken with a
plain text password in WSE2, the token will be validated against the Windows
accounts visible to the server and LogonAsUser() called for that user.

Now, it seems to work. My policy is set to mandate a usertoken and the
account is definitely being validated (it gives an exception if I put in a
bad user or password), but there's no sign of the LogonAsUser, since
Environment.UserName called from the webmethod just gives me ASPNET, so it's
not impersonating the user defined in the token correctly.

Is there some other piece of setup I'm missing here? Are the articles
claiming that LogonAsUser is called all wrong? Do I need to do my own
impersonation here? Anyone got any examples?

Clearly, when this is fixed, my next step is to encrypt the user token. Any
good example policy files to do this would be most welcome.

Any good documentation suggestions would also be appreciated, as the bits and
pieces I have googled for so far are very scrappy.

Thanks,

Tim



[microsoft.public.dotnet.framework.webservices.enhancements]
Tim Haynes - 16 Sep 2004 09:23 GMT
Context.User.Identity.Name comes back with an empty string.
WindowsIdentity.GetCurrent().Name gives: machinename\ASPNET.

Any help?

Tim

> what's in Context.User ??
>
>  ---
>  Dominick Baier - DevelopMentor
>  http://www.leastprivilege.com


>  I've read in a number of articles that if you use a UsernameToken with a
>  plain text password in WSE2, the token will be validated against the Windows
[quoted text clipped - 21 lines]
>
>  [microsoft.public.dotnet.framework.webservices.enhancements]
Tim Haynes - 17 Sep 2004 00:26 GMT
Saw another post about granting ASPNET the "act as part of operating system"
priv.  Tried that - no change.

Tim

> Context.User.Identity.Name comes back with an empty string.
> WindowsIdentity.GetCurrent().Name gives: machinename\ASPNET.
[quoted text clipped - 8 lines]
> >  Dominick Baier - DevelopMentor
> >  http://www.leastprivilege.com


> >  I've read in a number of articles that if you use a UsernameToken with a
> >  plain text password in WSE2, the token will be validated against the
[quoted text clipped - 26 lines]
> >
> >  [microsoft.public.dotnet.framework.webservices.enhancements]
Hervey Wilson [MSFT] - 25 Sep 2004 18:57 GMT
Tim, when you use a plaintext password with a UsernameToken (something you
should only do over a secure connection), WSE2 will perform a LogonUser call
to verify the user account. However, this call does NOT impersonate the
user, it simply verifies the user's identity. If you want to subsequently
impersonate the user then you must do this using the UsernameToken.Principal
property, see the .NET Framework documentation for details of the IPrincipal
interface.

Signature

This posting is provided "AS IS", with no warranties, and confers no rights.

> Saw another post about granting ASPNET the "act as part of operating
> system"
[quoted text clipped - 52 lines]
>> >
>> >  [microsoft.public.dotnet.framework.webservices.enhancements]
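The explicit impersonation step described in the reply above, as an added example that is not code from the thread or from Microsoft. The service and method names are hypothetical, and it assumes the default WSE2 token manager attached a Windows-backed principal to the token after its LogonUser check.

```csharp
using System;
using System.Security.Principal;
using System.Web.Services;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security.Tokens;

// Hypothetical service and method names; the WSE2 and .NET types are real.
public class WhoAmIService : WebService
{
    [WebMethod]
    public string WhoAmI()
    {
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null)
            throw new InvalidOperationException("Not a WSE SOAP request.");

        // Find the UsernameToken that WSE2 has already validated.
        UsernameToken userToken = null;
        foreach (SecurityToken token in ctx.Security.Tokens)
        {
            userToken = token as UsernameToken;
            if (userToken != null) break;
        }
        if (userToken == null || userToken.Principal == null)
            throw new UnauthorizedAccessException("No validated UsernameToken.");

        // Assumption: the principal wraps a WindowsIdentity. A custom token
        // manager may supply a different identity type, so fail closed.
        WindowsIdentity id = userToken.Principal.Identity as WindowsIdentity;
        if (id == null)
            throw new UnauthorizedAccessException("Token is not backed by a Windows logon.");

        WindowsImpersonationContext impersonation = id.Impersonate();
        try
        {
            // Inside this block the thread runs as the token's user, not ASPNET.
            return WindowsIdentity.GetCurrent().Name;
        }
        finally
        {
            // Always revert so the pooled thread does not keep the caller's identity.
            impersonation.Undo();
        }
    }
}
```

Keep the impersonated block as small as the work that needs the caller's identity, and revert in `finally` so an exception cannot leave the worker thread running as that user.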
