.NET Forum / ASP.NET / Web Services / March 2005


Impersonation

Viorel Ghilas - 24 Feb 2005 16:00 GMT
Hi all

   I have a web server that shares common services, and in web.config I set
<identity impersonate="true" />, and in IIS I set a specific user account that
will be used. The main problem is that when IIS starts the application and
executes the methods from Global.asax.cs it uses the ASPNET account, not mine;
after that it switches to the impersonated account. But in my situation I use WSE2,
where I need to check the password in UsernameTokenManager, and for that I need to
connect to the DB, but I use an SSPI connection (with the user from impersonation) and that
fails. How do I solve this problem? I need a trusted connection that uses my user
from IIS. I need only one user everywhere; how do I do that in
UsernameTokenManager.AuthenticateToken(UsernameToken token) so that it uses the
impersonated account?

With best regards,
Viorel
Martin Kulov - 25 Feb 2005 00:27 GMT
Hi Viorel,

These are completely different things. Authentication to IIS and
impersonation in WSE are separate from each other, and you must keep them
apart. When you connect to IIS to access a specific web service
you most likely use anonymous authentication, because your web service
must be callable from different sources. However, if your case requires Windows
authentication, the client must authenticate to IIS and present valid
credentials. These credentials are separate from the ones that you pass to WSE
in the next step. Suppose that you authenticate to IIS and you call the web
service. The web service will run under the preconfigured account for the ASP.NET
service, which is ASPNET on Windows XP or NETWORK SERVICE on Windows 2003.
This account can be set up in the machine.config file in the <processModel> tag.
So finally you send a packet containing your WSE credentials for accessing
the web service protected by WSE. WSE will then check whether the provided
username and password exist on the local machine or domain and will either
accept or reject your request.

So what you need to do is configure the ASP.NET service to run under an
account that has access to your SQL Server (preferably a domain account). On
Windows 2003 this is handled very nicely by creating a separate application
pool, i.e. there is no need to change the .config file. Then you need to send a WSE
UsernameToken with a specific username and password. AFAIK there is no way to
use the impersonated account in WSE. This account will be used to authenticate
your call in WSE, and then WSE will be running as the domain account that
you specified in the previous step, so it will be able to connect to the
SQL database. The only drawback is that you have to send a plain-text password
to the WSE service. You can either use SecureConversation with a server
certificate or use William's solution [1] to encrypt the token
without having to create an X509 server certificate.

[1]
http://www.codeattest.com/blogs/martin/2005/01/stacey-finds-missing-piece-in-wse.html

Martin Kulov
http://www.codeattest.com/blogs/martin

MCAD Charter Member
MCSD.NET Early Achiever
MCSD

Viorel Ghilas - 25 Feb 2005 07:07 GMT
Hi Martin

   I know the difference between the IIS and WSE authentication mechanisms. I have
made some systems that use the impersonation mechanism, and that is great (I create
only one user account and set it directly in IIS, not in machine.config;
it's secure, nobody can see the password, and there is no need for an encryption mechanism,
all is based on Windows security). I hear a lot about WSE and I am trying to use
it. From the client I send the user name and a hash; on the server I need to check
the password in a class derived from UsernameTokenManager, and for this I need to
access the DB, so I thought that I could use impersonation for a trusted SSPI
connection, but it fails, and I use a connection string with the same user name
and password in encrypted form, but that's not so cool, because I use a trusted
connection everywhere in all applications. The problem is that ASPNET
impersonates my account later :(, but why? The request comes to IIS and then
to ASPNET, and if the config has <identity impersonate="true" />, the framework must
run the whole process as this account, why not?

William Stacey [MVP] - 26 Feb 2005 15:43 GMT
Not exactly sure what your issue is from the text. You might review why
you need impersonation; you may not. Once you get a UsernameToken or
SecurityContextToken (holding a UT), you can then just use Code Access
Security and verify roles for any secure method. You may be able to factor your
methods in such a way that you don't need to mess with Windows
impersonation, unless you actually need to be userX for some file operation,
etc. I also wonder why folks always talk about using a separate account DB.
Why not just use AD or SAM for your account DB and leverage all the user/group
tools?

William Stacey, MVP
http://mvp.support.microsoft.com

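The flow Martin describes (IIS authentication, then the ASP.NET process account, then WSE's own UsernameToken check) and William's suggestion to verify roles per method instead of impersonating a Windows account are both illustrated by the C# sketch below. It is an added example, not code from this thread, from WSE, or from either poster. It assumes WSE 2.0 (Microsoft.Web.Services2), a SQL Server reachable over a trusted connection from the ASP.NET process account (or the application pool identity on Windows 2003), and a hypothetical table dbo.ServiceUsers(UserName, Password, Roles); the class names, the "Writer" role and the connection string are my own assumptions.

```csharp
// Added example (not from the thread): a WSE 2.0 custom UsernameTokenManager
// that verifies the UsernameToken against SQL Server, plus a web method that
// checks a role from the same record instead of relying on Windows impersonation.
// Assumes a hypothetical table dbo.ServiceUsers(UserName, Password, Roles).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security.Tokens;

public class ServiceUser
{
    public string Password;   // what WSE compares the token against
    public string[] Roles;    // stored as "Reader,Writer", split on ','
}

public class UserStore
{
    // Integrated Security=SSPI: SQL Server sees the Windows identity of the
    // worker process at the moment the connection opens. Inside the token
    // manager that is the ASP.NET process / application-pool account, not the
    // <identity impersonate="true"/> account, so grant DB access to that account.
    const string ConnectionString =
        "Server=.;Database=Services;Integrated Security=SSPI";   // assumption

    public static ServiceUser Find(string userName)
    {
        using (SqlConnection cn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Password, Roles FROM dbo.ServiceUsers WHERE UserName = @u", cn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            cn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                ServiceUser u = new ServiceUser();
                u.Password = r.GetString(0);
                u.Roles = r.GetString(1).Split(',');
                return u;
            }
        }
    }
}

public class DbUsernameTokenManager : UsernameTokenManager
{
    protected override string AuthenticateToken(UsernameToken token)
    {
        // Diagnostic for the "why" in the thread: this is the identity that
        // opens the SSPI connection from here, whatever <identity> says.
        System.Diagnostics.Trace.WriteLine(
            "AuthenticateToken runs as " + WindowsIdentity.GetCurrent().Name);

        ServiceUser u = UserStore.Find(token.Username);
        if (u == null)
            // Same fault text for unknown user and wrong password: no enumeration.
            throw new SoapException("Authentication failed",
                                    SoapException.ClientFaultCode);

        // WSE compares this value with the token: directly for SendPlainText,
        // or by recomputing the digest for SendHashed. Either way the server
        // must hold the cleartext password, so protect that column as such.
        return u.Password;
    }
}

public class OrdersService : WebService
{
    [WebMethod]
    public string PlaceOrder(string orderXml)
    {
        // Only tokens that WSE has already verified reach this collection.
        UsernameToken caller = null;
        foreach (SecurityToken t in RequestSoapContext.Current.Security.Tokens)
            if (t is UsernameToken) { caller = (UsernameToken)t; break; }
        if (caller == null)
            throw new SoapException("UsernameToken required",
                                    SoapException.ClientFaultCode);

        // Per-method role check (William's point): no Windows impersonation
        // unless the method itself must act as that Windows user.
        if (Array.IndexOf(UserStore.Find(caller.Username).Roles, "Writer") < 0)
            throw new SoapException("Not authorized",
                                    SoapException.ClientFaultCode);

        return "accepted";
    }
}
```

To wire the manager in, register it in web.config under `<microsoft.web.services2><security>` with a `<securityTokenManager type="DbUsernameTokenManager, YourAssembly" qname="wsse:UsernameToken" .../>` element that declares the `wsse` prefix for the WS-Security 1.0 namespace. Two caveats a practitioner should keep in mind: the Trace line will show the process account, which is the thread's whole point, so that account (not the impersonated one) needs the SQL login; and even with the client sending a hashed token, AuthenticateToken must return the cleartext password for WSE to recompute the digest, so the Password column carries the same sensitivity as the plain-text password Martin warns about.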
Viorel Ghilas - 04 Mar 2005 10:25 GMT
Hi

The reason was to use one account for the whole system, as you could read in the
first message. The problem appears when I need to override the method
AuthenticateToken and access the DB to request some credentials; my DB
connection uses a trusted connection, but impersonation is enabled only after this
step. My question was why, and how to solve the problem?
1. One solution was to use an encrypted connection string, but my application architecture was
   based on the impersonation mechanism.
2. To change the ASPNET account in machine.config to my account, but this method
   requires the password in plain text, which is not secure.

If I don't find the answer I will use the first method, but again it's a
bad idea :(

