anonymous access + impersonation

Discussion in 'ASP .Net Web Services' started by yonido@gmail.com, Jan 30, 2006.

  1. Guest

    Hello,

    I'm writing a web method which calls a COM+ method, which I need to
    call with the user that logged on to windows and invoked the WebMethod
    (impersonation).

    Simple impersonation works (impersonte=true in web.config) - however, i
    need that only a certain part of the code will run in this context. For
    other parts, i need different grant opions.

    So that where code-impersonation comes in (using
    HttpContext.Current.User.Indetity and calling Impersonate()).

    For example:

    [WebMethod]
    public void ConfusedMethod()
    {
    // This lines will need some powerful grants
    WriteSomethingToEventLog();
    OpenFileInSystemDirectory();

    // This lines should be run with the user
    DoImpersonation();
    CallComComponent();
    UndoImpersonation();
    }

    THE PROBLEM IS:
    i need the first lines to run with a differnet user. i dont want to use
    2 impersonations.
    i want all the other parts - which are not in the impersonation scope -
    to run with a user ill configure in IIS (NOT "network service"!)

    tried the following:
    1 - configure the webservice to run as anonymous access, with a certain
    user. but then Impersonate() doesnt work (exception - cant impersonate
    with an anonymous user).

    2 - configure the webservice as windows-integrated security. now i
    want to decide which user will run the "default lines". so the only way
    i see - is create an application pool with identity=MyDefaultUser.
    when doing this, i get an http 401 error (unauthorized) if i try to
    call the web service. the only user which works is if i call the
    webservice with MyDefaultUser.

    I DO set the credentials for the webservice (defaultCredentials) - so
    thats not the problem.

    whats the correct way to accomplish that?
     
    , Jan 30, 2006
    #1
    1. Advertising

  2. Hello,

    My advice u to impersonate your com+ component not ASP.NET or IIS. To
    accomplish this u must register your com+ component under a com+ application
    that is configured to run as a server application(or you can modify IIS
    application protection level). Impersonate this com+ application. Add read&
    execute rights for the physical dll for ASPNET user and give directory
    listing rights on that hard drive...

    This is the easiest way to do this. But it might has some security risks i
    am not sure.. Be careful on this scenario. "Anyone who can call your com+
    component will have impersonated user's rights and permissions.. "

    --
    HTH

    Thanks,
    Yunus Emre ALPÖZEN
    BSc, MCSD.NET
    Microsoft .NET & Security MVP

    <> wrote in message
    news:...
    > Hello,
    >
    > I'm writing a web method which calls a COM+ method, which I need to
    > call with the user that logged on to windows and invoked the WebMethod
    > (impersonation).
    >
    > Simple impersonation works (impersonte=true in web.config) - however, i
    > need that only a certain part of the code will run in this context. For
    > other parts, i need different grant opions.
    >
    > So that where code-impersonation comes in (using
    > HttpContext.Current.User.Indetity and calling Impersonate()).
    >
    > For example:
    >
    > [WebMethod]
    > public void ConfusedMethod()
    > {
    > // This lines will need some powerful grants
    > WriteSomethingToEventLog();
    > OpenFileInSystemDirectory();
    >
    > // This lines should be run with the user
    > DoImpersonation();
    > CallComComponent();
    > UndoImpersonation();
    > }
    >
    > THE PROBLEM IS:
    > i need the first lines to run with a differnet user. i dont want to use
    > 2 impersonations.
    > i want all the other parts - which are not in the impersonation scope -
    > to run with a user ill configure in IIS (NOT "network service"!)
    >
    > tried the following:
    > 1 - configure the webservice to run as anonymous access, with a certain
    > user. but then Impersonate() doesnt work (exception - cant impersonate
    > with an anonymous user).
    >
    > 2 - configure the webservice as windows-integrated security. now i
    > want to decide which user will run the "default lines". so the only way
    > i see - is create an application pool with identity=MyDefaultUser.
    > when doing this, i get an http 401 error (unauthorized) if i try to
    > call the web service. the only user which works is if i call the
    > webservice with MyDefaultUser.
    >
    > I DO set the credentials for the webservice (defaultCredentials) - so
    > thats not the problem.
    >
    > whats the correct way to accomplish that?
    >
     
    Yunus Emre ALPÖZEN [MVP], Jan 30, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?amVzdGVy?=
    Replies:
    1
    Views:
    473
    Patrice
    Sep 23, 2004
  2. Reporter
    Replies:
    3
    Views:
    477
    Mike Schilling
    May 12, 2007
  3. sam

    ASP.NET Anonymous Impersonation

    sam, Aug 19, 2004, in forum: ASP .Net Security
    Replies:
    5
    Views:
    342
  4. anonymous access + impersonation

    , Jan 30, 2006, in forum: ASP .Net Security
    Replies:
    5
    Views:
    237
  5. Replies:
    1
    Views:
    223
Loading...

Share This Page