ASP.NET Fixed Identity Impersonation

 
 
ADavis
07-18-2005
We have a development web server (Windows 2000 Server) and a production web
server (Windows 2000 Server); both are running IIS 5.0 and have the .NET
Framework 1.1. We have ASP.NET fixed identity impersonation running on the
development server and it's fine. We moved the website to the production
server and we're getting the following error:

Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to start
monitoring file changes.

Did a search in Google and found this article:
http://support.microsoft.com/default...;en-us;Q317955

We followed Method 1 - didn't work.

We are reluctant to follow Method 2 because the individual web site folders
are set to inherit permission from the parent.

Any help will be appreciated.

Sincerely,

ADavis
 
ADavis
07-18-2005
Also, I just wanted to add that the machine.config file is configured to use
impersonation as well on both servers (this is from our development server):

<identity impersonate="true" userName="domain\servername_ASPNET"
password="*******!"/>

"ADavis" wrote:

> We have a development web server (Windows 2000 Server) and a production web
> server (Windows 2000 Server) both are running IIS 5.0 and have the .NET
> Framework 1.1. We have asp.net fixed identity impersonation running on the
> development server and it's fine. We moved the website to the production
> server and we're getting the following error:
>
> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to start
> monitoring file changes.
>
> did a search in Google and found this article:
> http://support.microsoft.com/default...;en-us;Q317955
>
> We followed Method 1 - didn't work.
>
> We are reluctant to follow Method 2 because the individual web site folders
> are set to inherit permission from the parent.
>
> Any help will be appreciated.
>
> Sincerely,
>
> ADavis

 
Dominick Baier [DevelopMentor]
07-18-2005
Hello ADavis,

Out of curiosity - why do you use fixed identity via config??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Also, I just wanted to add that the machine.config file is configured
> to use impersonation as well on both servers (this is from our
> development server):
>
> <identity impersonate="true" userName="domain\servername_ASPNET"
> password="*******!"/>
>
> "ADavis" wrote:
>
>> We have a development web server (Windows 2000 Server) and a
>> production web server (Windows 2000 Server) both are running IIS 5.0
>> and have the .NET Framework 1.1. We have asp.net fixed identity
>> impersonation running on the development server and it's fine. We
>> moved the website to the production server and we're getting the
>> following error:
>>
>> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
>> start monitoring file changes.
>>
>> did a search in Google and found this article:
>> http://support.microsoft.com/default...;en-us;Q317955
>>
>> We followed Method 1 - didn't work.
>>
>> We are reluctant to follow Method 2 because the individual web site
>> folders are set to inherit permission from the parent.
>>
>> Any help will be appreciated.
>>
>> Sincerely,
>>
>> ADavis
>>




 
ADavis
07-18-2005
We have multiple websites (all with their own databases) running on the same
web server, since we were using the machine account to connect to the
database (impersonation off in the webconfig file) we felt it might be a
security risk if the machine account were to become compromised.

I read several articles on fixed identity impersonation and encrypting the
credentials in the registry and it seemed like the solution. We could still
take advantage of connection pooling, but not have the account information in
plain text in our webconfig file (connection string).

"Dominick Baier [DevelopMentor]" wrote:

> Hello ADavis,
>
> out of curiosity - why do you use fixed identity via config??
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Also, I just wanted to add that the machine.config file is configured
> > to use impersonation as well on both servers (this is from our
> > development server):
> >
> > <identity impersonate="true" userName="domain\servername_ASPNET"
> > password="*******!"/>
> >
> > "ADavis" wrote:
> >
> >> We have a development web server (Windows 2000 Server) and a
> >> production web server (Windows 2000 Server) both are running IIS 5.0
> >> and have the .NET Framework 1.1. We have asp.net fixed identity
> >> impersonation running on the development server and it's fine. We
> >> moved the website to the production server and we're getting the
> >> following error:
> >>
> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
> >> start monitoring file changes.
> >>
> >> did a search in Google and found this article:
> >> http://support.microsoft.com/default...;en-us;Q317955
> >>
> >> We followed Method 1 - didn't work.
> >>
> >> We are reluctant to follow Method 2 because the individual web site
> >> folders are set to inherit permission from the parent.
> >>
> >> Any help will be appreciated.
> >>
> >> Sincerely,
> >>
> >> ADavis
> >>

>
>
>
>
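
The registry-backed form of fixed identity impersonation described in the post above, shown next to the plain-text form and a trusted-connection string (an added example, not configuration posted by anyone in this thread). The registry key `SOFTWARE\MyWorkOrderApp\identity`, the account `DOMAIN\placeholder_account`, the server `DBSERVER01` and the database `WorkOrders` are placeholder names chosen for illustration.

```xml
<!-- Added example; all names below are placeholders, not values from the thread. -->
<!-- Per-application web.config for one site (ASP.NET 1.1). -->
<configuration>
  <appSettings>
    <!-- Trusted connection: no user name or password in the string.
         SQL Server sees the impersonated domain account, so only that
         account needs EXEC on this site's stored procedures. Every request
         runs as the same account, so connections still share one pool. -->
    <add key="ConnectionString"
         value="Data Source=DBSERVER01;Initial Catalog=WorkOrders;Integrated Security=SSPI" />
  </appSettings>
  <system.web>
    <!-- Weak form: the password is readable by anyone who can read the file.
    <identity impersonate="true"
              userName="DOMAIN\placeholder_account"
              password="plain-text-password" />
    -->

    <!-- Registry form: the values are written in encrypted form by
         aspnet_setreg.exe, for example
           aspnet_setreg.exe -k:SOFTWARE\MyWorkOrderApp\identity
                             -u:"DOMAIN\placeholder_account" -p:"password"
         The tool creates the ASPNET_SETREG subkey referenced below, and the
         ASP.NET worker process account needs Read access to that key. -->
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MyWorkOrderApp\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MyWorkOrderApp\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

Placing the `<identity>` element in each site's own web.config with a separate account per site, rather than once in machine.config, keeps a compromise of one site's account from reaching the other sites' databases.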

 
J-T
07-18-2005
ADavis,

We are doing the same thing, can I ask you a couple of questions?

1) Are you using NTLM for each website?
2) When you impersonated under a fixed account, is it a domain account or a
local account of the webserver?

3) What does your connection string to the database look like? I mean, is it using
Trusted Connection or a SQL Server account?


Thanks a lot

"ADavis" wrote:
> Also, I just wanted to add that the machine.config file is configured to
> use
> impersonation as well on both servers (this is from our development
> server):
>
> <identity impersonate="true" userName="domain\servername_ASPNET"
> password="*******!"/>
>
> "ADavis" wrote:
>
>> We have a development web server (Windows 2000 Server) and a production
>> web
>> server (Windows 2000 Server) both are running IIS 5.0 and have the .NET
>> Framework 1.1. We have asp.net fixed identity impersonation running on
>> the
>> development server and it's fine. We moved the website to the
>> production
>> server and we're getting the following error:
>>
>> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
>> start
>> monitoring file changes.
>>
>> did a search in Google and found this article:
>> http://support.microsoft.com/default...;en-us;Q317955
>>
>> We followed Method 1 - didn't work.
>>
>> We are reluctant to follow Method 2 because the individual web site
>> folders
>> are set to inherit permission from the parent.
>>
>> Any help will be appreciated.
>>
>> Sincerely,
>>
>> ADavis



 
ADavis
07-18-2005
1) Yes
2) We are using a domain account
3) Trusted connection.

"J-T" wrote:

> ADavis,
>
> We are doing the same thing, can I ask you a couple of questions?
>
> 1)Are you using NTLM? for each website?
> 2) When you impersonated under a fixed account,Is it a domain account or a
> local account of the webserver?
>
> 3) How your connection string to the database looks like? I mean is it using
> Trusted Connection or Sql server account?
>
>
> Thanks a lot
>
> "ADavis" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Also, I just wanted to add that the machine.config file is configured to
> > use
> > impersonation as well on both servers (this is from our development
> > server):
> >
> > <identity impersonate="true" userName="domain\servername_ASPNET"
> > password="*******!"/>
> >
> > "ADavis" wrote:
> >
> >> We have a development web server (Windows 2000 Server) and a production
> >> web
> >> server (Windows 2000 Server) both are running IIS 5.0 and have the .NET
> >> Framework 1.1. We have asp.net fixed identity impersonation running on
> >> the
> >> development server and it's fine. We moved the website to the
> >> production
> >> server and we're getting the following error:
> >>
> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
> >> start
> >> monitoring file changes.
> >>
> >> did a search in Google and found this article:
> >> http://support.microsoft.com/default...;en-us;Q317955
> >>
> >> We followed Method 1 - didn't work.
> >>
> >> We are reluctant to follow Method 2 because the individual web site
> >> folders
> >> are set to inherit permission from the parent.
> >>
> >> Any help will be appreciated.
> >>
> >> Sincerely,
> >>
> >> ADavis

>
>
>

 
Dominick Baier [DevelopMentor]
07-18-2005
Hello ADavis,

Why don't you just use IIS6 and run every application in a distinct application
pool with a custom identity??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> We have multiple websites (all with their own databases) running on
> the same web server, since we were using the machine account to
> connect to the database (impersonation off in the webconfig file) we
> felt it might be a security risk if the machine account were to become
> compromised.
>
> I read several articles on fixed identity impersonation and encrypting
> the credentials in the registry and it seemed like the solution. We
> could still take advantage of connection pooling, but not have the
> account information in plain text in our webconfig file (connection
> string).
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> Hello ADavis,
>>
>> out of curiosity - why do you use fixed identity via config??
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Also, I just wanted to add that the machine.config file is
>>> configured to use impersonation as well on both servers (this is
>>> from our development server):
>>>
>>> <identity impersonate="true" userName="domain\servername_ASPNET"
>>> password="*******!"/>
>>>
>>> "ADavis" wrote:
>>>
>>>> We have a development web server (Windows 2000 Server) and a
>>>> production web server (Windows 2000 Server) both are running IIS
>>>> 5.0 and have the .NET Framework 1.1. We have asp.net fixed
>>>> identity impersonation running on the development server and it's
>>>> fine. We moved the website to the production server and we're
>>>> getting the following error:
>>>>
>>>> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed
>>>> to start monitoring file changes.
>>>>
>>>> did a search in Google and found this article:
>>>> http://support.microsoft.com/default...;en-us;Q317955
>>>> We followed Method 1 - didn't work.
>>>>
>>>> We are reluctant to follow Method 2 because the individual web site
>>>> folders are set to inherit permission from the parent.
>>>>
>>>> Any help will be appreciated.
>>>>
>>>> Sincerely,
>>>>
>>>> ADavis
>>>>




 
J-T
07-18-2005
If you are using a Trusted connection, it means that you don't specify
username and password in your connection string, then on the SQL Server side you
give the appropriate permissions to that domain account, right?
Thanks

"ADavis" wrote:
> 1) Yes
> 2) We are using a domain account
> 3) Trusted connection.
>
> "J-T" wrote:
>
>> ADavis,
>>
>> We are doing the same thing, can I ask you a couple of questions?
>>
>> 1)Are you using NTLM? for each website?
>> 2) When you impersonated under a fixed account,Is it a domain account or
>> a
>> local account of the webserver?
>>
>> 3) How your connection string to the database looks like? I mean is it
>> using
>> Trusted Connection or Sql server account?
>>
>>
>> Thanks a lot
>>
>> "ADavis" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > Also, I just wanted to add that the machine.config file is configured
>> > to
>> > use
>> > impersonation as well on both servers (this is from our development
>> > server):
>> >
>> > <identity impersonate="true" userName="domain\servername_ASPNET"
>> > password="*******!"/>
>> >
>> > "ADavis" wrote:
>> >
>> >> We have a development web server (Windows 2000 Server) and a
>> >> production
>> >> web
>> >> server (Windows 2000 Server) both are running IIS 5.0 and have the
>> >> .NET
>> >> Framework 1.1. We have asp.net fixed identity impersonation running
>> >> on
>> >> the
>> >> development server and it's fine. We moved the website to the
>> >> production
>> >> server and we're getting the following error:
>> >>
>> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
>> >> start
>> >> monitoring file changes.
>> >>
>> >> did a search in Google and found this article:
>> >> http://support.microsoft.com/default...;en-us;Q317955
>> >>
>> >> We followed Method 1 - didn't work.
>> >>
>> >> We are reluctant to follow Method 2 because the individual web site
>> >> folders
>> >> are set to inherit permission from the parent.
>> >>
>> >> Any help will be appreciated.
>> >>
>> >> Sincerely,
>> >>
>> >> ADavis

>>
>>
>>



 
ADavis
07-18-2005
Yes, we only give exec permission to our stored procedures to the domain
account specifically created for the web application.

"J-T" wrote:

> If you are using a Trusted connection, it means that you don't specify
> username and password in your connection string then in Sql server side you
> give the appropriate permissions to that domain account,right?
> Thanks
>
> "ADavis" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > 1) Yes
> > 2) We are using a domain account
> > 3) Trusted connection.
> >
> > "J-T" wrote:
> >
> >> ADavis,
> >>
> >> We are doing the same thing, can I ask you a couple of questions?
> >>
> >> 1)Are you using NTLM? for each website?
> >> 2) When you impersonated under a fixed account,Is it a domain account or
> >> a
> >> local account of the webserver?
> >>
> >> 3) How your connection string to the database looks like? I mean is it
> >> using
> >> Trusted Connection or Sql server account?
> >>
> >>
> >> Thanks a lot
> >>
> >> "ADavis" <(E-Mail Removed)> wrote in message
> >> news:(E-Mail Removed)...
> >> > Also, I just wanted to add that the machine.config file is configured
> >> > to
> >> > use
> >> > impersonation as well on both servers (this is from our development
> >> > server):
> >> >
> >> > <identity impersonate="true" userName="domain\servername_ASPNET"
> >> > password="*******!"/>
> >> >
> >> > "ADavis" wrote:
> >> >
> >> >> We have a development web server (Windows 2000 Server) and a
> >> >> production
> >> >> web
> >> >> server (Windows 2000 Server) both are running IIS 5.0 and have the
> >> >> .NET
> >> >> Framework 1.1. We have asp.net fixed identity impersonation running
> >> >> on
> >> >> the
> >> >> development server and it's fine. We moved the website to the
> >> >> production
> >> >> server and we're getting the following error:
> >> >>
> >> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
> >> >> start
> >> >> monitoring file changes.
> >> >>
> >> >> did a search in Google and found this article:
> >> >> http://support.microsoft.com/default...;en-us;Q317955
> >> >>
> >> >> We followed Method 1 - didn't work.
> >> >>
> >> >> We are reluctant to follow Method 2 because the individual web site
> >> >> folders
> >> >> are set to inherit permission from the parent.
> >> >>
> >> >> Any help will be appreciated.
> >> >>
> >> >> Sincerely,
> >> >>
> >> >> ADavis
> >>
> >>
> >>

>
>
>

 
J-T
07-18-2005
ADavis,

Have you ever tested this in this scenario (because we are sharing exactly
the same thing)? When you use impersonation using fixed identity, is the worker
process identity (ASPNET in IIS 5.x and identity of application pool in IIS
6.0) taken into account at all or not? I think when impersonating, the worker
process account is forced to be your impersonated user. What do you think?
My focus is cross-machine, from web server to database server.

Actually you wanted to get an answer for your problem and you got trapped by
somebody else's questions. Sorry about that.

Thanks
"ADavis" wrote:
> Yes, we only give exec permission to our stored procedures to the domain
> account specifically created for the web application.
>
> "J-T" wrote:
>
>> If you are using a Trusted connection, it means that you don't specify
>> username and password in your connection string then in Sql server side
>> you
>> give the appropriate permissions to that domain account,right?
>> Thanks
>>
>> "ADavis" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > 1) Yes
>> > 2) We are using a domain account
>> > 3) Trusted connection.
>> >
>> > "J-T" wrote:
>> >
>> >> ADavis,
>> >>
>> >> We are doing the same thing, can I ask you a couple of questions?
>> >>
>> >> 1)Are you using NTLM? for each website?
>> >> 2) When you impersonated under a fixed account,Is it a domain account
>> >> or
>> >> a
>> >> local account of the webserver?
>> >>
>> >> 3) How your connection string to the database looks like? I mean is it
>> >> using
>> >> Trusted Connection or Sql server account?
>> >>
>> >>
>> >> Thanks a lot
>> >>
>> >> "ADavis" <(E-Mail Removed)> wrote in message
>> >> news:(E-Mail Removed)...
>> >> > Also, I just wanted to add that the machine.config file is
>> >> > configured
>> >> > to
>> >> > use
>> >> > impersonation as well on both servers (this is from our development
>> >> > server):
>> >> >
>> >> > <identity impersonate="true" userName="domain\servername_ASPNET"
>> >> > password="*******!"/>
>> >> >
>> >> > "ADavis" wrote:
>> >> >
>> >> >> We have a development web server (Windows 2000 Server) and a
>> >> >> production
>> >> >> web
>> >> >> server (Windows 2000 Server) both are running IIS 5.0 and have the
>> >> >> .NET
>> >> >> Framework 1.1. We have asp.net fixed identity impersonation
>> >> >> running
>> >> >> on
>> >> >> the
>> >> >> development server and it's fine. We moved the website to the
>> >> >> production
>> >> >> server and we're getting the following error:
>> >> >>
>> >> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed
>> >> >> to
>> >> >> start
>> >> >> monitoring file changes.
>> >> >>
>> >> >> did a search in Google and found this article:
>> >> >> http://support.microsoft.com/default...;en-us;Q317955
>> >> >>
>> >> >> We followed Method 1 - didn't work.
>> >> >>
>> >> >> We are reluctant to follow Method 2 because the individual web site
>> >> >> folders
>> >> >> are set to inherit permission from the parent.
>> >> >>
>> >> >> Any help will be appreciated.
>> >> >>
>> >> >> Sincerely,
>> >> >>
>> >> >> ADavis
>> >>
>> >>
>> >>

>>
>>
>>



 