asp.net, basic authentication, file access

Discussion in 'ASP .Net Security' started by jzink, Jan 2, 2004.

  1. jzink

    jzink Guest

    I have an asp.net application that is configured to
    use "basic authentication". The application needs to have
    access to delete a file in let's say directory
    d:\inetpub\wwwroot\myApp\reports. Do I need to grant
    access to the ASPNET account or to the accounts of the
    users who will be accessing the site ?

    I put the following line of code in
    Thread.CurrentPrincipal.Identity.Name.ToString() and it
    returns the id of the person logged in.



    thanks for your help
    jzink, Jan 2, 2004
    #1

  2. If you have turned impersonation on, the .net code will run under the
    identity of the users who will be accessing the site, else the .net code will
    run under the ASPNET account (this is the default) identity.

    HtH,
    Andrea

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Andrea D'Onofrio [MSFT], Jan 2, 2004
    #2

  3. jzink

    JZink Guest

    I don't believe I have impersonation turned on. Here is
    my machine.config entries:
    <identity impersonate="false" userName="" password=""/>

    <processModel
    enable="true"
    timeout="Infinite"
    idleTimeout="Infinite"
    shutdownTimeout="0:00:05"
    requestLimit="Infinite"
    requestQueueLimit="5000"
    restartQueueLimit="10"
    memoryLimit="60"
    webGarden="false"
    cpuMask="0xffffffff"
    userName="machine"
    password="AutoGenerate"
    logLevel="Errors"
    clientConnectedCheck="0:00:05"
    comAuthenticationLevel="Connect"
    comImpersonationLevel="Impersonate"
    responseDeadlockInterval="00:03:00"
    maxWorkerThreads="20"
    maxIoThreads="20"
    />

    However, if I place this code in an aspx page:
    Thread.CurrentPrincipal.Identity.Name.ToString()
    I see the id of the person being authenticated.


    JZink, Jan 2, 2004
    #3
  4. You will want to grant access to the ASPNET account for deleting the file.
    If you want only the authenticated user to have the ability to delete the
    file then you could simply set impersonation to true and set permissions
    for that logged on user. If you do this and you are still having problems,
    a good way to troubleshoot would be to use filemon while you repro any
    errors. You can download it from www.sysinternals.com. It will show you
    what user is accessing what files and whether the access was successful or
    not.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Holly
    Holly Mazerolle, Jan 6, 2004
    #4
  5. jzink

    jzink Guest

    I do not have impersonation set to true, yet when I put
    this code into my aspx page:
    Response.Write(Thread.CurrentPrincipal.Identity.Name.ToString())
    it will write out the name of the user who was
    authenticated not ASPNET. What am I missing ???

    jzink, Jan 6, 2004
    #5
  6. If you want to see the identity of the worker process, that is, the account
    that will be used to access your protected resource, you should use
    System.Security.Principal.WindowsIdentity.GetCurrent().Name.

    This will return, in your case, the ASPNET account if you turn off
    impersonation, or your logged on user account if you turn on impersonation.



    --
    Eng. Hernan de Lahitte - MSDE
    Lagash Systems S.A. - Buenos Aires, Argentina
    http://www.lagash.com



    Hernan de Lahitte, Jan 6, 2004
    #6
  7. jzink

    jzink Guest

    I changed the aspx code to print out
    System.Security.Principal.WindowsIdentity.GetCurrent().Name
    and now I see NT AUTHORITY\NETWORK SERVICE. Shouldn't I
    see ASPNET ???

    jzink, Jan 6, 2004
    #7
  8. This is the default AppPool Account for W2K3. This might be your case. The
    ASPNET account is the default for an XP box or lower.

    --
    Eng. Hernan de Lahitte - MSDE
    Lagash Systems S.A. - Buenos Aires, Argentina
    http://www.lagash.com



    Hernan de Lahitte, Jan 6, 2004
    #8
  9. jzink

    jzink Guest

    What do you mean by AppPool account, and how come I don't
    see NT AUTHORITY\NETWORK SERVICE as a user in computer
    management\users ??

    jzink, Jan 7, 2004
    #9
  10. With AppPool, I refer to the Application Pool that Windows 2003 has. To
    check this, go to the IIS Management Console snap-in and in the Application
    Pools folder, right click the DefaultAppPool node (this is the default
    Application Pool for all Web Sites). In the Properties/Identity tab option,
    you will see your selected Application Pool Identity. This should be the
    Network Service or in the canonical format, "NT AUTHORITY\NETWORK SERVICE".
    As you pointed out, you won't see this account with the Users manager. This
    is a predefined system account, like the System (TCB) account. The Network
    Service account is a low privilege account so if you change this account in
    the AppPool Identity option for another with more privileges, be careful
    with a possible "Elevation of Privilege Threat".

    --
    Eng. Hernan de Lahitte - MSDE
    Lagash Systems S.A. - Buenos Aires, Argentina
    http://www.lagash.com



    Hernan de Lahitte, Jan 7, 2004
    #10
  11. So in your case since you are on Win2003 and you are not using
    impersonation the NT Authority\Network Service account will be who is
    accessing the location you are attempting to delete files from. As I
    mentioned before you may want to consider impersonation so that you only
    give permission to a specific domain account.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Holly
    Holly Mazerolle, Jan 7, 2004
    #11
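
The distinction the replies above draw, as an added example that is not part of the thread or any poster's code: it reports the authenticated principal next to the Windows token that NTFS actually checks, and whether that token's user or groups hold a delete right on the directory. `IdentityProbe`, `CanDeleteIn` and `Describe` are hypothetical names, and the ACL check is a simplified approximation (it ignores ACE ordering, inherit-only flags, ownership and privileges).

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

public static class IdentityProbe   // hypothetical helper, not from the thread
{
    // True if some Allow ACE on 'dir' grants a delete right to the token's user
    // or one of its groups, and no matching Deny ACE removes it (simplified).
    public static bool CanDeleteIn(string dir, WindowsIdentity token)
    {
        const FileSystemRights needed =
            FileSystemRights.Delete | FileSystemRights.DeleteSubdirectoriesAndFiles;
        bool allowed = false;
        DirectorySecurity acl = new DirectoryInfo(dir).GetAccessControl();
        foreach (FileSystemAccessRule ace in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            bool applies = ace.IdentityReference.Equals(token.User)
                || (token.Groups != null && token.Groups.Contains(ace.IdentityReference));
            if (!applies || (ace.FileSystemRights & needed) == 0) continue;
            if (ace.AccessControlType == AccessControlType.Deny) return false;
            allowed = true;
        }
        return allowed;
    }

    public static string Describe(string dir)
    {
        // Who authenticated (the Basic auth user). This is a name for role checks
        // in code; Windows does not use it when opening or deleting files.
        string principal = Thread.CurrentPrincipal.Identity.Name;

        // The token Windows evaluates against the NTFS ACL for this thread:
        // the worker process account, or the user when impersonation is on.
        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        // Non-null only while the thread is impersonating.
        using (WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true))
        {
            return string.Format(
                "Authenticated principal: {0}\nToken used for file access: {1}\n" +
                "Impersonating: {2}\nDelete right on '{3}': {4}",
                principal == "" ? "(none)" : principal, token.Name,
                impersonated != null, dir, CanDeleteIn(dir, token));
        }
    }

    // Stand-alone run: IdentityProbe.exe <directory>
    public static void Main(string[] args)
    {
        Console.WriteLine(Describe(args.Length > 0 ? args[0] : "."));
    }
}
```

From an aspx page the same report can be written with `Response.Write(HttpUtility.HtmlEncode(IdentityProbe.Describe(Server.MapPath("reports"))))`. Reading the ACL can itself throw `UnauthorizedAccessException` if the token lacks permission to read the directory's security descriptor.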