Impersonation and integrated security (+sql server reporting servi

 
 
Phil Aldis
      08-15-2004
Hi,

I'm having a little difficulty getting my head round windows integrated
security/impersonation and I'd appreciate a little help with the problem I'm
trying to solve (or an indication that what I'm trying to do is too hard to
be worth it!)

To give you the background: I'm developing a web portal application which
has a fairly limited number of users. We're using SQL Server reporting
services. A number of the reports need to be bound to groups of users; also,
some of the reports need to know the logged-in user to use directly in the
SQL queries. This can, of course, all be done using Windows Integrated
Authentication. Also, another piece of info, I can't justify the cost of the
Enterprise version of SQL Server and so cannot use a reporting services
custom security extension (eg Form based authentication). Also, I'm serving
up my reports using the reportviewer custom control, which loads reports into
an IFrame, so effectively creates its own http requests.

I have no problems creating accounts on the server for every user. What I
don't like, however, is the integrated security popup box. It's quite ugly
and from a user experience point of view really doesn't fit in with their
expectations of a web application, where they would expect a more forms based
view. I thought that I might be able to do something in the background
whereby they could login through a form and I could manually do the logging
in, and from then on (until timeout) this user would be regarded by the
webapp and report server as the credentials supplied.

Okay, so I used the demo in msdn:
ms-help://MS.MSDNQTR.2004JUL.1033/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic1.htm

and webapp'ed it. This works and I was hoping that if I didn't undo the
impersonation at the end, that all future http requests from this client
would be regarded as the impersonated user, which would obviously enable
someone to login and then when they view reports they would be that user. I
kinda knew that wasn't going to work and it feels like I might still be able
to do this by doing something with the security token.

Is what I'm trying to do mad? Am I going to have to implement my own
HttpHandler and impersonate the user I think someone is, at each request? It
would be great if there are any tutorials out there. Obviously if it's too
difficult, or will introduce huge security weaknesses in the system then it's
just not worth it. As I said, all I'm trying to do here is remove the popup
login box!

Thanks in advance for your help,

Phil Aldis

 
Ken Schaefer
      08-16-2004
Internet Explorer can be configured to automatically send the user's
credentials to the website if the site is in the local Intranet zone...then
you wouldn't see the pop-up login dialogue box (unless the currently logged
in user does not have sufficient privileges)

Would that help?

Cheers
Ken

Phil Aldis
      08-16-2004
Thanks for your response Ken.

The problem is that people are coming through the internet. Also, the IT
skill level of some of the people using the site is fairly low and I'm
slightly concerned that the popup is going to be fairly confusing. Also
having to fill in the domain is a bit confusing. As I said, it's really not
100% crucial and if it were, it's looking like the only way I can do it, is
to buy an Enterprise license and implement my own security extension for
reporting services that gives me lots more freedom.

One thing that does concern me: am I right in thinking that if I'm using
windows security, I'm preventing any non-IE browsers from using the site? Is
there any way round this?

Thanks,

Phil

Raterus
      08-16-2004
You are correct, integrated windows authentication is only supported when the client uses IE. Though if you still needed to use windows accounts, basic authentication is supported by almost all browsers, and digest authentication is supported by some of them.

--Michael
