Access network resources from ASP.NET

Discussion in 'ASP .Net Security' started by Dima Semensky, Oct 23, 2003.

  1. Hi!

    after extensive research of this topic, I'm still not sure what the
    "official" way to do it is.

    Task:

    1. User submits some request to ASP.NET application and the app should
    write the result to a network share.
    2. Integrated Authentication must be used
    3. No open passwords are allowed to be specified in any config files
    4. Can't assign special domain user as Local Administrator

    Problem:

    With default setup, it is not possible due to security reasons.

    Related topics:
    - impersonation
    - machine.config - processModel.userName
    - IUSR_MACHINE user
    - delegation

    Here is where I'm stuck: I'd like to use impersonation like this:
    <identity impersonate="true" userName="Bob" password="pwd" />

    but this topic explains that it's not possible:
    http://groups.google.com/groups?q=i...t.*&selm=uzT4T##wCHA.2680@TK2MSFTNGP09&rnum=1

    Any ideas?

    Dima Semenskyy.
    Dima Semensky, Oct 23, 2003
    #1

  2. Dima,

    What you are doing is possible. What Mitch is talking about in his post is
    delegation of credentials. Essentially, this means that if you are
    browsing the site and using your credentials sent by the browser, those
    same credentials cannot be used to access another resource on a machine
    remote to the Web server. In that scenario, the Web server is delegating
    your credentials, and such is prevented when using NTLM authentication. If
    all of the boxes are using Windows 2000 or later, you can use Kerberos and
    delegation to get around that.

    However, what you really want to do is impersonate this user just to run a
    certain section of code and to write to the network resource. In that
    case, code-level impersonation using PInvoke to call LogonUser is the
    perfect solution.

    Here is an article that explains how to do that:
    306158 INFO: Implementing Impersonation in an ASP.NET Application
    http://support.microsoft.com/?id=306158

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    Jim Cheshire [MSFT], Oct 23, 2003
    #2
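    Scoped, code-level impersonation of the kind Jim describes above, written as an added example: it is not the sample from KB 306158 (which is not reproduced on this page) and not code from either poster. It assumes the .NET Framework WindowsIdentity.Impersonate API; the ShareWriter class, its parameter names and the choice of LOGON32_LOGON_NEW_CREDENTIALS are the example's own. That logon type applies the supplied credentials only to outbound network connections while the local identity stays that of the worker process, so the account needs no "log on locally" right on the web server. Where the password comes from is the original poster's third requirement and is not solved here; the example only shows that the credential is used for the duration of one write, and that the impersonation is reverted and both token handles are closed afterwards, even when the write throws.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added illustration, not the KB 306158 sample. The class name, method
// signature and logon-type choice are assumptions made for this example.
public static class ShareWriter
{
    // Supplied credentials are used for outbound network access only;
    // locally the thread keeps the worker-process identity.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;
    const int SECURITY_IMPERSONATION = 2;   // SECURITY_IMPERSONATION_LEVEL value

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int impersonationLevel,
                                      out IntPtr duplicate);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Writes content to a UNC path while impersonating the given account,
    // and reverts to the original identity before returning.
    public static void WriteToShare(string domain, string user, string password,
                                    string uncPath, string content)
    {
        IntPtr token = IntPtr.Zero;
        IntPtr dupToken = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            if (!LogonUser(user, domain, password,
                           LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50,
                           out token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

            // Impersonate() needs an impersonation-level token.
            if (!DuplicateToken(token, SECURITY_IMPERSONATION, out dupToken))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateToken failed");

            // Impersonation covers only the file write below.
            ctx = new WindowsIdentity(dupToken).Impersonate();
            File.WriteAllText(uncPath, content);
        }
        finally
        {
            // Revert first, then release the handles, whether or not the write succeeded.
            if (ctx != null) ctx.Undo();
            if (dupToken != IntPtr.Zero) CloseHandle(dupToken);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

    Keeping the impersonated region this small is what makes the approach acceptable on a shared web server: code outside the try block, including the request pipeline that runs after the method returns, never executes under the share account's credentials.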

  3. AlKa (Guest)

    THANK YOU JIM!!!

    I looked for it (306158 INFO) for a long long time ... I love you!

    Alessandro

    "Jim Cheshire [MSFT]" <> wrote in
    message news:...
    AlKa, Nov 8, 2003
    #3
  4. Alessandro,

    Thanks for the sentiment. Glad to have resolved your issue. :)

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    Jim Cheshire [MSFT], Nov 10, 2003
    #4
