Access network resources from ASP.NET

 
 
Dima Semensky
      10-23-2003
Hi!

After extensive research of this topic, I'm still not sure what is
the "official" way to do it.

Task:

1. User submits some request to ASP.NET application and the app should
write the result to a network share.
2. Integrated Authentication must be used
3. No open passwords are allowed to be specified in any config files
4. Can't assign special domain user as Local Administrator

Problem:

With default setup, it is not possible due to security reasons.

Related topics:
- impersonation
- machine.config - processModel.userName
- IUSR_MACHINE user
- delegation

Here is where I'm stuck: I'd like to use impersonation like this:
<identity impersonate="true" userName="Bob" password="pwd" />

but this topic explains that it's not possible:
http://groups.google.com/groups?q=im...FTNGP09&rnum=1

Any ideas?

Dima Semenskyy.


 
Jim Cheshire [MSFT]
      10-23-2003
Dima,

What you are doing is possible. What Mitch is talking about in his post is
delegation of credentials. Essentially, this means that if you are
browsing the site and using your credentials sent by the browser, those
same credentials cannot be used to access another resource on a machine
remote to the Web server. In that scenario, the Web server is delegating
your credentials, and such is prevented when using NTLM authentication. If
all of the boxes are using Windows 2000 or later, you can use Kerberos and
delegation to get around that.

However, what you really want to do is impersonate this user just to run a
certain section of code and to write to the network resource. In that
case, code-level impersonation using PInvoke to call LogonUser is the
perfect solution.

Here is an article that explains how to do that:
306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(E-Mail Removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
>From: "Dima Semensky" <(E-Mail Removed)>
>Subject: Access network resources from ASP.NET
>Date: Thu, 23 Oct 2003 10:55:28 -0400
>Lines: 34
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <O#(E-Mail Removed)>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>NNTP-Posting-Host: 208.18.161.2
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7296
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
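
The code-level impersonation Jim describes, as an added example that is not code from the thread or from KB 306158: the thread impersonates only around the write to the share and always reverts. The class and parameter names are hypothetical, the choice of the network-only logon type is this example's own, and the password is assumed to arrive from a protected store at run time rather than from a config file.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread or from KB 306158.
// Targets .NET Framework on Windows; ShareWriter is a hypothetical name.
public static class ShareWriter
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // credentials apply to outbound network access only
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider used with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // uncPath, domain and user are caller-supplied (hypothetical) values.
    // Assumption: the caller fetched the password from a protected store,
    // so nothing readable sits in web.config or machine.config.
    public static void WriteResult(string uncPath, string text,
                                   string domain, string user, string password)
    {
        IntPtr token = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                           LOGON32_PROVIDER_WINNT50, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            ctx = WindowsIdentity.Impersonate(token); // thread now uses the share account remotely
            File.WriteAllText(uncPath, text);         // keep the impersonated region this small
        }
        finally
        {
            if (ctx != null) ctx.Undo();              // always revert, even when the write throws
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

With this logon type LogonUser does not validate the password itself, so a wrong credential surfaces as an access error at the file write rather than at logon.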


 
AlKa
      11-08-2003
THANK YOU JIM!!!

I looked for it (306158 INFO) for a long long time ... I love you!

Alessandro

Jim Cheshire [MSFT]
      11-10-2003
Alessandro,

Thanks for the sentiment. Glad to have resolved your issue.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(E-Mail Removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
>From: "AlKa" <me@office>
>References: <O#(E-Mail Removed)> <(E-Mail Removed)>
>Subject: Re: Access network resources from ASP.NET
>Date: Sun, 9 Nov 2003 00:29:10 +0100
>Lines: 99
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <#SdS#(E-Mail Removed)>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>NNTP-Posting-Host: host106-159.pool217222.interbusiness.it 217.222.159.106
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7476
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security