anonymous access + impersonation

Discussion in 'ASP .Net Security' started by yonido@gmail.com, Jan 30, 2006.

  1. Guest

    Hello,

    I'm writing a web method which calls a COM+ method, which I need to
    call with the user that logged on to windows and invoked the WebMethod
    (impersonation).

    Simple impersonation works (impersonte=true in web.config) - however, i
    need that only a certain part of the code will run in this context. For
    other parts, i need different grant opions.

    So that where code-impersonation comes in (using
    HttpContext.Current.User.Indetity and calling Impersonate()).

    For example:

    [WebMethod]
    public void ConfusedMethod()
    {
    // This lines will need some powerful grants
    WriteSomethingToEventLog();
    OpenFileInSystemDirectory();

    // This lines should be run with the user
    DoImpersonation();
    CallComComponent();
    UndoImpersonation();
    }

    THE PROBLEM IS:
    i need the first lines to run with a differnet user. i dont want to use
    2 impersonations.
    i want all the other parts - which are not in the impersonation scope -
    to run with a user ill configure in IIS (NOT "network service"!)

    tried the following:
    1 - configure the webservice to run as anonymous access, with a certain
    user. but then Impersonate() doesnt work (exception - cant impersonate
    with an anonymous user).

    2 - configure the webservice as windows-integrated security. now i
    want to decide which user will run the "default lines". so the only way
    i see - is create an application pool with identity=MyDefaultUser.
    when doing this, i get an http 401 error (unauthorized) if i try to
    call the web service. the only user which works is if i call the
    webservice with MyDefaultUser.

    I DO set the credentials for the webservice (defaultCredentials) - so
    thats not the problem.

    whats the correct way to accomplish that?
    , Jan 30, 2006
    #1
    1. Advertising

  2. Hi,

    set the AppPool identity to whatever you want your app to run under (add
    this account to the IIS_WPG local group)
    You have to enable Windows integrated auth and disable anonymous access in
    IIS
    enable Windows authentication in ASP.NET <authentication mode="Windows" />
    the clients need read DACLS on the asmx files.

    this should do it.
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hello,
    >
    > I'm writing a web method which calls a COM+ method, which I need to
    > call with the user that logged on to windows and invoked the WebMethod
    > (impersonation).
    >
    > Simple impersonation works (impersonte=true in web.config) - however,
    > i need that only a certain part of the code will run in this context.
    > For other parts, i need different grant opions.
    >
    > So that where code-impersonation comes in (using
    > HttpContext.Current.User.Indetity and calling Impersonate()).
    > For example:
    >
    > [WebMethod]
    > public void ConfusedMethod()
    > {
    > // This lines will need some powerful grants
    > WriteSomethingToEventLog();
    > OpenFileInSystemDirectory();
    > // This lines should be run with the user
    > DoImpersonation();
    > CallComComponent();
    > UndoImpersonation();
    > }
    > THE PROBLEM IS:
    > i need the first lines to run with a differnet user. i dont want to
    > use
    > 2 impersonations.
    > i want all the other parts - which are not in the impersonation scope
    > -
    > to run with a user ill configure in IIS (NOT "network service"!)
    > tried the following:
    > 1 - configure the webservice to run as anonymous access, with a
    > certain
    > user. but then Impersonate() doesnt work (exception - cant impersonate
    > with an anonymous user).
    > 2 - configure the webservice as windows-integrated security. now i
    > want to decide which user will run the "default lines". so the only
    > way
    > i see - is create an application pool with identity=MyDefaultUser.
    > when doing this, i get an http 401 error (unauthorized) if i try to
    > call the web service. the only user which works is if i call the
    > webservice with MyDefaultUser.
    > I DO set the credentials for the webservice (defaultCredentials) - so
    > thats not the problem.
    >
    > whats the correct way to accomplish that?
    >
    Dominick Baier [DevelopMentor], Jan 30, 2006
    #2
    1. Advertising

  3. Guest

    hi & thanks for the quick reply.

    your suggestion is exactly the same as my #2 attempt to solve the
    problem (mentioned above).
    the situation now is exactly as you mentioned.
    the new info you've added is about DACLs. i dont exactly know what you
    meant, but i tried adding read permissions through windows file system
    (is that what you meant?) to the user & nada.

    btw - if i open myService.asmx from the local computer it works with no
    problem (because im logged as the same user that runs the apppool).
    if i open myService.asmx from a remote computer - i get prompted to
    enter user & pass, and nothing passes through, even if i enter the
    apppool user & its password.


    any ideas?
    , Jan 30, 2006
    #3
  4. Hi,

    give it a try and give the IUSR account read DACL on the asmx.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > hi & thanks for the quick reply.
    >
    > your suggestion is exactly the same as my #2 attempt to solve the
    > problem (mentioned above).
    > the situation now is exactly as you mentioned.
    > the new info you've added is about DACLs. i dont exactly know what you
    > meant, but i tried adding read permissions through windows file system
    > (is that what you meant?) to the user & nada.
    > btw - if i open myService.asmx from the local computer it works with
    > no
    > problem (because im logged as the same user that runs the apppool).
    > if i open myService.asmx from a remote computer - i get prompted to
    > enter user & pass, and nothing passes through, even if i enter the
    > apppool user & its password.
    > any ideas?
    >
    Dominick Baier [DevelopMentor], Jan 30, 2006
    #4
  5. Hello,
    If i understood your problem exactly, my advice u to impersonate your com+
    component not ASP.NET or IIS. To accomplish this u must register your com+
    component under a com+ application that is configured to run as a server
    application(or you can modify IIS application protection level). Impersonate
    this com+ application. Add read&execute rights for the physical dll for
    ASPNET user and give directory listing rights on that hard drive...

    This is the easiest way to do this. But it might has some security risks i
    am not sure.. Be careful on this scenario. "Anyone who can call your com+
    component will have impersonated user's rights and permissions.. "

    --
    HTH

    Thanks,
    Yunus Emre ALPÖZEN
    BSc, MCSD.NET
    Microsoft .NET & Security MVP

    <> wrote in message
    news:...
    > hi & thanks for the quick reply.
    >
    > your suggestion is exactly the same as my #2 attempt to solve the
    > problem (mentioned above).
    > the situation now is exactly as you mentioned.
    > the new info you've added is about DACLs. i dont exactly know what you
    > meant, but i tried adding read permissions through windows file system
    > (is that what you meant?) to the user & nada.
    >
    > btw - if i open myService.asmx from the local computer it works with no
    > problem (because im logged as the same user that runs the apppool).
    > if i open myService.asmx from a remote computer - i get prompted to
    > enter user & pass, and nothing passes through, even if i enter the
    > apppool user & its password.
    >
    >
    > any ideas?
    >
    Yunus Emre ALPÖZEN [MVP], Jan 30, 2006
    #5
  6. Guest

    Dominick: your suggestion didn't work.

    Yunus: I didnt understand your suggestion. What do you mean by
    "personationg the com+ component"? how can you do that?
    the com+ component IS a server component. If you can be more specific..

    remember -
    1. i need the com+ methods to run with the user who invoked my web
    service
    2. i need other methods in my webservice to run as MyUser.

    thanks.
    , Jan 31, 2006
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?amVzdGVy?=
    Replies:
    1
    Views:
    462
    Patrice
    Sep 23, 2004
  2. Reporter
    Replies:
    3
    Views:
    456
    Mike Schilling
    May 12, 2007
  3. sam

    ASP.NET Anonymous Impersonation

    sam, Aug 19, 2004, in forum: ASP .Net Security
    Replies:
    5
    Views:
    329
  4. anonymous access + impersonation

    , Jan 30, 2006, in forum: ASP .Net Web Services
    Replies:
    1
    Views:
    198
    Yunus Emre ALPÖZEN [MVP]
    Jan 30, 2006
  5. Replies:
    1
    Views:
    208
Loading...

Share This Page