anonymous access + impersonation

Discussion in 'ASP .Net Web Services' started by yonido@gmail.com, Jan 30, 2006.

  1. Guest

    Hello,

    I'm writing a web method which calls a COM+ method, which I need to
    call with the user that logged on to windows and invoked the WebMethod
    (impersonation).

    Simple impersonation works (impersonate=true in web.config) - however, I
    need only a certain part of the code to run in this context. For
    other parts, I need different grant options.

    So that's where code impersonation comes in (using
    HttpContext.Current.User.Identity and calling Impersonate()).

    For example:

    [WebMethod]
    public void ConfusedMethod()
    {
        // These lines need some powerful grants
        WriteSomethingToEventLog();
        OpenFileInSystemDirectory();

        // These lines should run as the user
        DoImpersonation();
        CallComComponent();
        UndoImpersonation();
    }

    THE PROBLEM IS:
    I need the first lines to run with a different user. I don't want to use
    2 impersonations.
    I want all the other parts - which are not in the impersonation scope -
    to run with a user I'll configure in IIS (NOT "network service"!)

    I tried the following:
    1 - Configure the web service to run with anonymous access, with a certain
    user. But then Impersonate() doesn't work (exception - can't impersonate
    with an anonymous user).

    2 - Configure the web service with Windows integrated security. Now I
    want to decide which user will run the "default lines". So the only way
    I see is to create an application pool with identity=MyDefaultUser.
    When doing this, I get an HTTP 401 error (unauthorized) if I try to
    call the web service. The only user which works is if I call the
    web service with MyDefaultUser.

    I DO set the credentials for the web service (defaultCredentials) - so
    that's not the problem.

    What's the correct way to accomplish that?
     
    , Jan 30, 2006
    #1
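The scoped impersonation described in the question, as an added example that is not part of the original post: the caller's token is applied only around the COM+ call and is always reverted, and the anonymous-access case is rejected explicitly. It assumes Windows authentication with `<identity impersonate="false"/>` in web.config and .NET Framework 3.5 or later (for `Action`); `ConfusedService`, `RunAsCaller` and the three stub methods are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

public class ConfusedService : WebService
{
    [WebMethod]
    public void ConfusedMethod()
    {
        // With impersonate="false" these run as the worker process identity.
        WriteSomethingToEventLog();
        OpenFileInSystemDirectory();

        // Only this call runs under the caller's Windows token.
        RunAsCaller(CallComComponent);
    }

    // Hypothetical helper: impersonate the authenticated caller for the
    // duration of 'work', then revert to the process identity.
    private static void RunAsCaller(Action work)
    {
        WindowsIdentity caller =
            HttpContext.Current.User.Identity as WindowsIdentity;

        // Under anonymous access (or a non-Windows authentication mode)
        // there is no caller token to impersonate, so fail closed here
        // instead of letting the COM+ call run as the wrong account.
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new InvalidOperationException(
                "No authenticated Windows identity to impersonate.");

        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            work();
        }
        finally
        {
            // Always revert, even if the COM+ call throws; otherwise the
            // thread keeps the caller's token for whatever runs next.
            ctx.Undo();
        }
    }

    // Stubs standing in for the methods named in the post.
    private static void WriteSomethingToEventLog() { }
    private static void OpenFileInSystemDirectory() { }
    private static void CallComComponent() { }
}
```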

  2. Hello,

    My advice to you is to impersonate your COM+ component, not ASP.NET or IIS. To
    accomplish this you must register your COM+ component under a COM+ application
    that is configured to run as a server application (or you can modify the IIS
    application protection level). Impersonate this COM+ application. Add read &
    execute rights on the physical DLL for the ASPNET user and give directory
    listing rights on that hard drive...

    This is the easiest way to do this. But it might have some security risks, I
    am not sure. Be careful in this scenario. "Anyone who can call your COM+
    component will have the impersonated user's rights and permissions."

    --
    HTH

    Thanks,
    Yunus Emre ALPÖZEN
    BSc, MCSD.NET
    Microsoft .NET & Security MVP

     
    Yunus Emre ALPÖZEN [MVP], Jan 30, 2006
    #2