ASP.NET process impersonation on IIS6

 
 
Lauren Buchholz
Guest
Posts: n/a
 
      10-06-2003
Hi, I have an application that was originally designed under IIS5.1 and
ASP.NET that used a setting in the machine.config that would allow my
worker process to run under a different account. I know that the new worker
process isolation mode changes how this works, but I have been unable to get
my application to run as the account I would like while keeping IIS in
native mode. Anyone know how to do this?

More specifically, we need a .NET app to connect to a PKI based SSL web
service. The way we had it working in the past is that we would create a
limited security account, install the proper certificates in that account,
and then run the worker process as that account. Is there a better way to
do this now in Windows 2003?


 
 
 
 
 
Ram Sunkara [msft]
Guest
Posts: n/a
 
      10-07-2003
If IIS is running in worker process isolation mode (IIS6 native mode in
Windows .NET Server 2003), the "processModel" account specified in the
machine.config file is ignored.

If you want to run your web application on a specific account, just simply
change the application pool identity to the account you wanted to run your
web application under. And make sure this account is a member of the local
IIS_WPG group.



You may want to review your application architecture if this is an internet
facing box as there are lots of security issues involved in running the
application pool on a privileged account.
 
 
 
 
Lauren
Guest
Posts: n/a
 
      10-07-2003
Thanks, I will give that a shot today. When I was playing
around I tried all of this, minus the step of adding the
account to the IIS_WPG on the machine, and was getting some
strange errors.

Regards
 
Lauren Buchholz
Guest
Posts: n/a
 
      10-07-2003
Is there a better way to have my asp.net account store the certificate that
it needs to access the web service I am trying to use? My original solution
although functional doesn't seem like it is optimal. I have tried using the
certificates MMC plugin to import the certificate, but the only service I
can see is the web server process itself, which I don't believe is the
correct service to store the personal certificate. Is the only way to have
ASP.NET contact a site via a personal certificate to use an impersonated
account, or is there a more secure way to do this?
 
Ram Sunkara [msft]
Guest
Posts: n/a
 
      10-09-2003
Well, the easiest way would be to import the certificate into the user store
under which you wanted to run your web application. From your web
application, before calling the web service, do a RevertToSelf to impersonate
the ASP.NET thread security context (in this case the user context you wanted
ASP.NET to run under).

When your call is completed, make sure the thread impersonates back the
current user.



Calling RevertToSelf involves InteropServices.



Ram-
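
The sequence described in the reply above, as an added C# example (not code from the thread): revert the request thread to the application pool identity, read the client certificate from that account's personal store, call the service, then restore the caller's impersonation. It assumes .NET Framework 2.0 or later and that the pool account's profile is loaded so its CurrentUser store is readable; the class name `PoolIdentityCall`, the `url` and the `thumbprint` parameter are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class PoolIdentityCall   // hypothetical helper name
{
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool RevertToSelf();

    // url and thumbprint are supplied by the caller (placeholders, not from the thread).
    public static string Get(string url, string thumbprint)
    {
        // Identity the request thread is impersonating; null if it is not impersonating.
        WindowsIdentity caller = WindowsIdentity.GetCurrent(true);
        if (!RevertToSelf())
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // The thread now carries the process (application pool) token, so
            // CurrentUser resolves to that account's personal certificate store.
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                X509Certificate2Collection hits = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, false);
                if (hits.Count == 0)
                    throw new InvalidOperationException("Client certificate not found in store.");
                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                req.ClientCertificates.Add(hits[0]);
                using (WebResponse resp = req.GetResponse())
                using (StreamReader body = new StreamReader(resp.GetResponseStream()))
                    return body.ReadToEnd();
            }
            finally { store.Close(); }
        }
        finally
        {
            // Put the caller's token back even on failure; Impersonate() throws if
            // it cannot, rather than letting the request continue silently.
            if (caller != null) caller.Impersonate();
        }
    }
}
```

Keeping the reverted section this narrow limits how much code runs with the pool account's rights, and the pool account needs read access to the certificate's private key for the TLS handshake to succeed.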