IIS/ASP.NET impersonation problem

 
 
Ram
      06-07-2006
I need to create custom performance counters for my ASP.NET application;
I am creating these counters in the Application_Start event.

To create these counters I used the following settings in IIS and the web.config file:

In IIS ---> Directory Security tab --->
1) Checked anonymous access and Integrated Windows authentication
2) Settings in web.config --->

<identity impersonate = "true" userName = "mycomputername\TestRam"
password = "<password>" />

<authorization>
<allow users="*" />
</authorization>

<authentication mode="Windows" />

With the above settings it works fine; TestRam is a local admin.

Now, per my requirement, I should not use a plain password in my web.config, so I
decided to do this through the IIS settings:

In IIS ---> Directory Security tab --->
1) Checked anonymous access and Integrated Windows authentication
2) In the anonymous section, I used the following account as my anonymous account:
mycomputername\TestRam
3) Settings in web.config --->

<identity impersonate = "true" />

<authorization>
<allow users="*" />
</authorization>

<authentication mode="Windows" />

If I run the application I get "Required registry access not allowed".

When I check the identity account through "Environment.UserName" I see the
above account, and also with "WindowsIdentity.GetCurrent().Name".

I even explicitly gave Full Control permissions to the above account on the
following registry keys:

1) HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\CURRENTVERSION\Perflib
2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as ControlSet002



Can anybody help me, as it is due to move to my technical center?


Regards
Ram



 
Reply With Quote
 
 
 
 
Joe Kaplan (MVP - ADSI)
      06-07-2006
This is a bad approach. You really ought to install things like event log
sources and perf counters during the initial deployment of your application.
Let an admin do that. Then, in your code, you just instantiate your perf
counters and write to them.

You can do this easily by creating some PerformanceCounterInstaller classes
in your assembly and having an admin run installutil.exe on your assembly.
This way, your app can run as a normally privileged user as well and you
won't need to worry about hiding credentials. It is a win/win across the
board.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
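A sketch of the approach described in the reply above, as an added example that is not part of the original posts: an installer class that an admin registers once with installutil.exe, and application code that only opens and writes to the already-registered counter. The category name `MyWebApp`, the counter name `Requests Served`, and the class names are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;

// Picked up when an admin runs "installutil.exe <assembly>" from an elevated console.
// Category and counter names below are hypothetical placeholders.
[RunInstaller(true)]
public class MyWebAppCounterInstaller : Installer
{
    public const string Category = "MyWebApp";
    public const string RequestsServed = "Requests Served";

    public MyWebAppCounterInstaller()
    {
        PerformanceCounterInstaller pci = new PerformanceCounterInstaller();
        pci.CategoryName = Category;
        pci.CategoryHelp = "Counters for the MyWebApp ASP.NET application";
        pci.Counters.Add(new CounterCreationData(
            RequestsServed,
            "Total requests served since the application started",
            PerformanceCounterType.NumberOfItems32));
        Installers.Add(pci);
    }
}

// Runtime side: runs under the normal low-privilege worker identity.
// It never creates the category, so it needs no admin rights and no impersonation.
public static class AppCounters
{
    private static readonly PerformanceCounter requests = Open();

    private static PerformanceCounter Open()
    {
        try
        {
            // readOnly = false: open the existing counter for writing.
            return new PerformanceCounter(
                MyWebAppCounterInstaller.Category,
                MyWebAppCounterInstaller.RequestsServed,
                false);
        }
        catch (InvalidOperationException) { return null; }   // category not installed yet
        catch (UnauthorizedAccessException) { return null; } // identity cannot open it
    }

    public static void RequestServed()
    {
        if (requests != null) requests.Increment();
    }
}
```

With the category registered at deployment time, the application can call `AppCounters.RequestServed()` from any request without the `userName`/`password` attributes on `<identity>` or a local-admin anonymous account.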
 
 
 
 
Ram
      06-08-2006
Thanks Joe

Yes, I will use installutil to install. In the meantime I found the reason why
it was not working before: I am creating the counters in the Application_Start event; at
this point impersonation has not yet been applied and it still uses the ASPNET
user, so I moved my logic to the Session_Start event.
It worked well.

Ram
 
Dominick Baier [DevelopMentor]
      06-08-2006
IMO this is still a bad approach - you run your app with elevated privs... what's
wrong with pre-registering that stuff from an admin console??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thanks Joe
>
> Yes, I will use installutill to install, in the mean i found the
> reason why
> it is not doing before, i am creating counters in application_start
> event,at
> this instance still impersonation has not yet applied, still it takes
> ASPNET
> user, so i moved my logic to session_start event.
> it worked well.
> Ram
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> This is a bad approach. You really ought to install things like
>> event log sources and perf counters during the initial deployment of
>> your application. Let an admin do that. Then, in your code, you just
>> instantiate your perf counters and write to them.
>>
>> You can do this easily by creating some PerformanceCounterInstaller
>> classes in your assembly and having an admin run installutil.exe on
>> your assembly. This way, your app can run as a normally privileged
>> user as well and you won't need to worry about hiding credentials.
>> It is a win/win across the board.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> "Ram" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> I need to create custome performance counters for my asp.net
>>> application, these counters am creating in application_start event.
>>>
>>> to create this counters i used following setting in IIS and
>>> web.config file
>>>
>>> in IIS ---> Directory security tab--->
>>> 1) checked anonymus access and integrated windows authentication
>>> 2) settings in web.config --->
>>> <identity impersonate = "true" userName = "mycomputername\TestRam"
>>> password = "<password>" />
>>>
>>> <authorization>
>>> <allow users="*" />
>>> </authorization>
>>> <authentication mode="Windows" />
>>>
>>> with the above settings its works fine, TestRam is local Admin
>>>
>>> Now with my requirement I should not use plain password in my
>>> web.config,
>>> i
>>> decided to use this thorugh IIS setting
>>> in IIS ---> Directory security tab--->
>>> 1) checked anonymus access and integrated windows authentication
>>> 2) In anonymus section, i used following account as my anonymus
>>> account
>>> mycomputername\TestRam
>>> 3) settings in web.config --->
>>> <identity impersonate = "true" />
>>>
>>> <authorization>
>>> <allow users="*" />
>>> </authorization>
>>> <authentication mode="Windows" />
>>>
>>> if i run the application i will get " Reqired registry access not
>>> allowed"
>>>
>>> when i check identity account through "Envirnoment.UserName" i will
>>> see
>>> the
>>> above account and even with "Windowsidentity.GetCurrent().name"
>>> Even I gave explicitly full control permissions to above account in
>>> following registrys
>>>
>>> 1)HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\C URRENTVERSION\Perf
>>> lib 2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as
>>> ControlSet002
>>>
>>> can anybody help me as it is due to move to my technical center
>>>
>>> Regards
>>> Ram



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Mozilla browser probelm - Pls help kimshapiro100@yahoo.com Firefox 3 03-09-2006 07:10 PM
wireless probelm =?Utf-8?B?YWFyb25zaW1v?= Wireless Networking 1 10-24-2005 09:35 PM
Linksys Probelm Jason Wireless Networking 1 11-24-2004 12:16 AM
PIX Probelm Greg Cisco 3 05-21-2004 02:16 PM
Cisco 1751 Point-to-point probelm. Tom Cisco 2 05-21-2004 01:37 PM



Advertisments