"ASP.NET Machine Account" problem

 
 
James Wong
08-23-2006
Hi,

I am using VB.Net 2005 to develop a web service program, and this program
will connect to a server in another domain.
Therefore, the "ASP.NET Machine Account" does not have permission to access
this server.

Can I use a user from the other domain instead of the "ASP.NET Machine Account"
for IIS with VB.Net 2005?
Otherwise, is there a good way to solve my problem?
Thanks!

James


 
Steven Cheng[MSFT]
08-23-2006
Hello James,

From your description, when your ASP.NET application (which is running under
the machine\ASPNET account) tries to access some remote protected resource,
you get a permission issue, correct?

Since your ASP.NET application's worker process account is "MACHINE\ASPNET",
I think your development machine is Windows XP or Windows 2000 with IIS5,
correct?

As for an ASP.NET application, by default all the code runs under the
worker process account. The default worker process account differs
depending on the OS/IIS version:

** On XP/2000 with IIS5, by default the ASP.NET process (aspnet_wp.exe) runs
under the "machine\ASPNET" account; this can be changed in the machine.config
file (under the framework directory:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG)

** On Windows 2003 Server with IIS6, ASP.NET uses IIS application pool mode,
and the worker process (w3wp.exe) runs under the "NT AUTHORITY\NETWORK
SERVICE" account.

Here is an MSDN article describing how to check the ASP.NET worker process
identity and how to configure it:


#Configuring ASP.NET Process Identity
http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx

So for your scenario, where your ASP.NET application will access some
protected remote resource, I think you can consider configuring your ASP.NET
application to use a different process account. This account should be
recognizable by the remote machine and have sufficient permission. It can
be:

** a domain account

** a duplicated local account which has a mapping account (with the same
username and password) on the remote machine

You can decide which one to use according to your detailed conditions. Also,
to make sure your custom account has sufficient permission to run the ASP.NET
application, you can follow the MSDN article below:

#How To: Create a Service Account for an ASP.NET 2.0 Application
https://msdn.microsoft.com/library/e...09.asp?frame=true


In addition, if there are only a small number of pages or pieces of code
which will access the remote secured resource and you do not want to change
the worker process account for the entire web application (in
machine.config), you can consider programmatically impersonating in your
application/page's code.

Here is a good article introducing impersonation in ASP.NET 2.0:

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en...3.asp?frame=true

You can have a look at the above options. If anything is unclear or you
need any other information, please feel free to let me know.


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
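
The programmatic impersonation option mentioned in the reply above, as an added example that is not part of the original thread or of the linked MSDN articles. It wraps one piece of remote-access code in a scoped impersonation using the Win32 `LogonUser` call and `WindowsIdentity.Impersonate`; the class name `RemoteAccess`, the `RunAs` helper and the choice of the new-credentials logon type are assumptions made for this illustration.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Hypothetical helper (not from the thread): runs one delegate under another account.
Public NotInheritable Class RemoteAccess
    ' Constants from winbase.h. With NEW_CREDENTIALS the thread keeps its local
    ' identity and the supplied account is used only for outbound network
    ' connections, so the credentials are checked by the remote server on first use.
    Private Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9
    Private Const LOGON32_PROVIDER_WINNT50 As Integer = 3

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, _
        ByVal logonProvider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    Public Delegate Sub RemoteWork()

    ' Call as: RemoteAccess.RunAs(user, domain, password, AddressOf ReadRemoteData)
    ' Read the password from a protected configuration section, not a literal.
    Public Shared Sub RunAs(ByVal user As String, ByVal domain As String, _
                            ByVal password As String, ByVal work As RemoteWork)
        Dim token As IntPtr = IntPtr.Zero
        Dim ctx As WindowsImpersonationContext = Nothing
        Try
            If Not LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, _
                             LOGON32_PROVIDER_WINNT50, token) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            ctx = WindowsIdentity.Impersonate(token)
            work.Invoke()
        Finally
            ' Always revert to the worker process identity and release the token,
            ' even if the remote call throws.
            If ctx IsNot Nothing Then ctx.Undo()
            If Not token.Equals(IntPtr.Zero) Then CloseHandle(token)
        End Try
    End Sub
End Class
```

On Windows 2000 the account that calls `LogonUser` needs the "Act as part of the operating system" privilege, which the default ASPNET account does not have; Windows XP and later do not require it.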

 
James Wong
08-28-2006
Hi, I will try it, thx~



 
Steven Cheng[MSFT]
08-28-2006
Thanks for your reply James,

Please feel free to let me know if there is any other information you
need.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

 