ASP.NET Fixed Identity Impersonation

Discussion in 'ASP .Net Security' started by ADavis, Jul 18, 2005.

  1. ADavis

    ADavis Guest

    We have a development web server (Windows 2000 Server) and a production web
    server (Windows 2000 Server); both are running IIS 5.0 and have the .NET
    Framework 1.1. We have ASP.NET fixed identity impersonation running on the
    development server and it's fine. We moved the website to the production
    server and we're getting the following error:

    Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to start
    monitoring file changes.

    I did a search in Google and found this article:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317955

    We followed Method 1 - didn't work.

    We are reluctant to follow Method 2 because the individual web site folders
    are set to inherit permission from the parent.

    Any help will be appreciated.

    Sincerely,

    ADavis
     
    ADavis, Jul 18, 2005
    #1

  2. ADavis

    ADavis Guest

    Also, I just wanted to add that the machine.config file is configured to use
    impersonation as well on both servers (this is from our development server):

    <identity impersonate="true" userName="domain\servername_ASPNET"
    password="*******!"/>

     
    ADavis, Jul 18, 2005
    #2

  3. Hello ADavis,

    out of curiosity - why do you use fixed identity via config??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jul 18, 2005
    #3
  4. ADavis

    ADavis Guest

    We have multiple websites (all with their own databases) running on the same
    web server. Since we were using the machine account to connect to the
    database (impersonation off in the web.config file), we felt it might be a
    security risk if the machine account were to become compromised.

    I read several articles on fixed identity impersonation and encrypting the
    credentials in the registry, and it seemed like the solution. We could still
    take advantage of connection pooling, but not have the account information in
    plain text in our web.config file (connection string).

     
    ADavis, Jul 18, 2005
    #4
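    An added example (Python, not code from the thread) that audits the two
    config shapes discussed above: the literal <identity> element quoted in post
    #2 beside the form that references credentials aspnet_setreg.exe has
    encrypted into the registry (the .NET 1.1 "registry:" syntax), and an
    appSettings connection string carrying a SQL login beside a trusted
    connection. The sample configs, account names and registry key paths are
    constructed placeholders.

```python
"""Audit an ASP.NET 1.x web.config/machine.config for how the app authenticates.
Added example, not code from the thread; the sample configs are constructed."""
import xml.etree.ElementTree as ET

REGISTRY_PREFIX = "registry:"  # .NET 1.1 syntax written by aspnet_setreg.exe

# Constructed sample: the <identity> shape quoted in the thread with a placeholder
# password, plus an appSettings connection string carrying a SQL login.
PLAINTEXT_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" userName="domain\\servername_ASPNET"
              password="PLACEHOLDER-not-a-real-password"/>
  </system.web>
  <appSettings>
    <add key="conn" value="Server=sqlbox;Database=WorkOrders;User ID=webapp;Password=PLACEHOLDER"/>
  </appSettings>
</configuration>"""

# Constructed sample of the hardened shape: userName/password reference values
# that aspnet_setreg.exe encrypted into the registry (placeholder key path), and
# the connection string uses Windows authentication, so no secret is in the file.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true"
              userName="registry:HKLM\\SOFTWARE\\PLACEHOLDER_APP\\identity\\ASPNET_SETREG,userName"
              password="registry:HKLM\\SOFTWARE\\PLACEHOLDER_APP\\identity\\ASPNET_SETREG,password"/>
  </system.web>
  <appSettings>
    <add key="conn" value="Server=sqlbox;Database=WorkOrders;Integrated Security=SSPI"/>
  </appSettings>
</configuration>"""


def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    parts = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            parts[key.strip().lower()] = val.strip()
    return parts


def looks_like_connection_string(parts):
    return "server" in parts or "data source" in parts


def uses_trusted_connection(parts):
    """True for Integrated Security=SSPI/true or Trusted_Connection=yes."""
    integrated = parts.get("integrated security", "").lower()
    trusted = parts.get("trusted_connection", "").lower()
    return integrated in ("sspi", "true", "yes") or trusted in ("yes", "true", "sspi")


def has_sql_login(parts):
    return any(k in parts for k in ("user id", "uid", "password", "pwd"))


def audit_identity(root):
    """Who requests run as, and where fixed-identity credentials live."""
    ident = next(root.iter("identity"), None)
    if ident is None or ident.get("impersonate", "false").lower() != "true":
        return ["PROCESS_IDENTITY"]     # worker-process account (ASPNET on IIS 5.0)
    user = ident.get("userName") or ""
    pwd = ident.get("password") or ""
    if not user:
        return ["CALLER_IDENTITY"]      # impersonate the authenticated caller
    in_registry = user.startswith(REGISTRY_PREFIX) and pwd.startswith(REGISTRY_PREFIX)
    return ["FIXED_IDENTITY",
            "CREDENTIALS_IN_REGISTRY" if in_registry else "CREDENTIALS_IN_CONFIG"]


def audit_connection_strings(root):
    """Flag SQL logins in appSettings values; note trusted connections."""
    findings = set()
    for settings in root.iter("appSettings"):
        for add in settings.findall("add"):
            parts = parse_connection_string(add.get("value", ""))
            if not looks_like_connection_string(parts):
                continue
            if has_sql_login(parts):
                findings.add("SQL_LOGIN_IN_CONNECTION_STRING")
            if uses_trusted_connection(parts):
                findings.add("TRUSTED_CONNECTION")
    return findings


def audit_config(config_xml):
    """Return sorted finding codes for one config document."""
    root = ET.fromstring(config_xml)
    return sorted(set(audit_identity(root)) | audit_connection_strings(root))


if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```

    Running it on a real machine.config is the quick way to confirm, before a
    move to production, that no literal password was left in the file.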
  5. J-T

    J-T Guest

    ADavis,

    We are doing the same thing; can I ask you a couple of questions?

    1) Are you using NTLM for each website?
    2) When you impersonate under a fixed account, is it a domain account or a
    local account of the web server?

    3) What does your connection string to the database look like? I mean, is it
    using a Trusted Connection or a SQL Server account?


    Thanks a lot

     
    J-T, Jul 18, 2005
    #5
  6. ADavis

    ADavis Guest

    1) Yes
    2) We are using a domain account
    3) Trusted connection.

     
    ADavis, Jul 18, 2005
    #6
  7. Hello ADavis,

    why don't you just use IIS6 and run every application in a distinct application
    pool with a custom identity??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jul 18, 2005
    #7
  8. J-T

    J-T Guest

    If you are using a Trusted Connection, it means that you don't specify a
    username and password in your connection string; then on the SQL Server side
    you give the appropriate permissions to that domain account, right?
    Thanks

     
    J-T, Jul 18, 2005
    #8
  9. ADavis

    ADavis Guest

    Yes, we only give exec permission to our stored procedures to the domain
    account specifically created for the web application.

     
    ADavis, Jul 19, 2005
    #9
  10. J-T

    J-T Guest

    ADavis,

    Have you ever tested this in this scenario (because we are sharing exactly
    the same thing)? When you use impersonation with a fixed identity, is the
    worker process identity (ASPNET in IIS 5.x and the identity of the
    application pool in IIS 6.0) taken into account at all or not? I think when
    impersonating, the worker process account is forced to be your impersonated
    user. What do you think? My focus is cross-machine, from web server to
    database server.

    Actually you wanted to get an answer for your problem and got trapped by
    somebody else's questions. Sorry about that.

    Thanks
     
    J-T, Jul 19, 2005
    #10
  11. ADavis

    ADavis Guest

    That's okay, I'm glad I can help. It's working in our development
    environment, and it's passing the account information to the remote SQL
    Server box. Our LAN team called MS and they think the problem is that the
    production web server machine account (which is a domain account as well)
    didn't have the ability to impersonate, so our LAN team added the account to
    the local security policy. We have to schedule downtime to cycle IIS to see
    if it works; I will keep you posted. From what I've read, the client sends
    its token to IIS, which in turn passes it to the ASP.NET engine; this is
    where the impersonation takes place, so instead of using the machine account
    to authenticate to the SQL Server we're telling it to use the Windows account
    created for the web application. My problem is, it isn't even getting that
    far. We are getting an access denied to the web folder. Like I said earlier,
    it's working in our development environment. Weird stuff, but I'm
    learning. :)

     
    ADavis, Jul 19, 2005
    #11
  12. ADavis

    ADavis Guest

    We haven't upgraded to IIS 6.0 and I don't know when that will take place. I
    was under the impression that running each website in its own pool would
    degrade the performance of the server? I'll do some research on what you
    suggested and pitch it to my manager. Thanks.

     
    ADavis, Jul 19, 2005
    #12
  13. J-T

    J-T Guest

    >> but I'm learning. :)
    That's very good. So do I.

    >> so our LAN team added the account to the local security policy.

    Exactly what I was going to say: sometimes developers grant some
    permissions to an account and they don't let each other know. Everything is
    fine, but when it goes to production it is another story. I personally have
    found 40% of ASP.NET problems have something to do with security issues of
    the worker process, and I think the root of all this evil is NTLM and not
    having the ability to flow the identity across the boundaries. I would
    appreciate it if you could let me know the outcome at
    bahrez_AT_nospam_yahoo.com. I'm so interested to see what the problem was.

    Thanks a million for your valuable time.

    J-T

    "ADavis" <> wrote in message
    news:...
    > That's okay, I'm glad I can help. It's working in our development
    > envirnoment, and it's passing the account information to the remote sql
    > server box. Our LAN team called MS and they think the problem is the
    > production webserver machine account (which is a domain account as well)
    > didn't have the ability to impersonate, so our LAN team added the account
    > to
    > the local security policy. We have to schedule a downtime to cycle IIS to
    > see if it works, I will keep you posted. From what I've read, the client
    > sends it's token to IIS, which in turn passes it to the ASP.NET engine,
    > this
    > is where the impersonation takes place, so instead of using the machine
    > account to authicate to the SQL Server we're telling it to use the windows
    > account created for the web application. My problem is, it isn't even
    > getting that far. We are getting an access denied to the web folder. Like
    > I
    > said earlier, it's working in our development envirnoment, weird stuff,
    > but
    > I'm learning. :)
    >
    > "J-T" wrote:
    >
    >> ADavis,
    >>
    >> Have you ever tested this in this scenario(because we are sharing exactly
    >> the same thing).When you use impersonation using fixed identity ,Is
    >> worker
    >> process Identity (ASPNET in IIS 5.x and Identity of application pool in
    >> IIS
    >> 6.0) taken into account at all or not? I think when impersonating the
    >> worker
    >> process accoutn is forced to be your impersonated user .What do you
    >> think?
    >> My focous is cross-machine,from webserver to Database server.
    >>
    >> Actually you wanted to get an answer for yur problem and u got trapped by
    >> sb's else questions.Sorry about that.
    >>
    >> Thanks
    >> "ADavis" <> wrote in message
    >> news:...
    >> > Yes, we only give exec permission to our stored procedures to the
    >> > domain
    >> > account specifically created for the web application.
    >> >
    >> > "J-T" wrote:
    >> >
    >> >> If you are using a Trusted connection,it means that you don;t specify
    >> >> username and password in your connection string then in Sql server
    >> >> side
    >> >> you
    >> >> give the appropriate permissions to that domain account,right?
    >> >> Thanks
    >> >>
    >> >> "ADavis" <> wrote in message
    >> >> news:...
    >> >> > 1) Yes
    >> >> > 2) We are using a domain account
    >> >> > 3) Trusted connection.
    >> >> >
    >> >> > "J-T" wrote:
    >> >> >
    >> >> >> ADavis,
    >> >> >>
    >> >> >> We are doing the same thing, can I ask you a couple of questions?
    >> >> >>
    >> >> >> 1) Are you using NTLM for each website?
    >> >> >> 2) When you impersonated under a fixed account, is it a domain
    >> >> >> account or a local account of the webserver?
    >> >> >>
    >> >> >> 3) What does your connection string to the database look like? I mean is
    >> >> >> it using a Trusted Connection or a SQL Server account?
    >> >> >>
    >> >> >>
    >> >> >> Thanks a lot
    >> >> >>
    >> >> >> "ADavis" <> wrote in message
    >> >> >> news:...
    >> >> >> > Also, I just wanted to add that the machine.config file is
    >> >> >> > configured
    >> >> >> > to
    >> >> >> > use
    >> >> >> > impersonation as well on both servers (this is from our
    >> >> >> > development
    >> >> >> > server):
    >> >> >> >
    >> >> >> > <identity impersonate="true" userName="domain\servername_ASPNET"
    >> >> >> > password="*******!"/>
    >> >> >> >
    >> >> >> > "ADavis" wrote:
    >> >> >> >
    >> >> >> >> We have a development web server (Windows 2000 Server) and a
    >> >> >> >> production
    >> >> >> >> web
    >> >> >> >> server (Windows 2000 Server) both are running IIS 5.0 and have
    >> >> >> >> the
    >> >> >> >> .NET
    >> >> >> >> Framework 1.1. We have asp.net fixed identity impersonation
    >> >> >> >> running
    >> >> >> >> on
    >> >> >> >> the
    >> >> >> >> development server and it's fine. We moved the website to the
    >> >> >> >> production
    >> >> >> >> server and we're getting the following error:
    >> >> >> >>
    >> >> >> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx',
    >> >> >> >> Failed
    >> >> >> >> to
    >> >> >> >> start
    >> >> >> >> monitoring file changes.
    >> >> >> >>
    >> >> >> >> did a search in Google and found this article:
    >> >> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317955
    >> >> >> >>
    >> >> >> >> We followed Method 1 - didn't work.
    >> >> >> >>
    >> >> >> >> We are reluctant to follow Method 2 because the individual web
    >> >> >> >> site
    >> >> >> >> folders
    >> >> >> >> are set to inherit permission from the parent.
    >> >> >> >>
    >> >> >> >> Any help will be appreciated.
    >> >> >> >>
    >> >> >> >> Sincerely,
    >> >> >> >>
    >> >> >> >> ADavis
    >> >> >>
    >> >> >>
    >> >> >>
    >> >>
    >> >>
    >> >>

    >>
    >>
    >>
     
    J-T, Jul 19, 2005
    #13
  14. Have you considered using Filemon to figure out exactly which file or
    directory is causing the access denied? That would be a good place to
    start.

    My guess is that you will need to grant the required read access to the
    impersonated account, but Filemon should tell you exactly what is failing.

    Joe K.

    "ADavis" <> wrote in message
    news:...
    > Also, I just wanted to add that the machine.config file is configured to
    > use
    > impersonation as well on both servers (this is from our development
    > server):
    >
    > <identity impersonate="true" userName="domain\servername_ASPNET"
    > password="*******!"/>
    >
    > "ADavis" wrote:
    >
    >> We have a development web server (Windows 2000 Server) and a production
    >> web
    >> server (Windows 2000 Server) both are running IIS 5.0 and have the .NET
    >> Framework 1.1. We have asp.net fixed identity impersonation running on
    >> the
    >> development server and it's fine. We moved the website to the
    >> production
    >> server and we're getting the following error:
    >>
    >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
    >> start
    >> monitoring file changes.
    >>
    >> did a search in Google and found this article:
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317955
    >>
    >> We followed Method 1 - didn't work.
    >>
    >> We are reluctant to follow Method 2 because the individual web site
    >> folders
    >> are set to inherit permission from the parent.
    >>
    >> Any help will be appreciated.
    >>
    >> Sincerely,
    >>
    >> ADavis
     
    Joe Kaplan \(MVP - ADSI\), Jul 19, 2005
    #14
  15. Hello ADavis,

    to be honest - the whole (security) story of ASP.NET and IIS5.x is broken.

    - your listener running as SYSTEM
    - only one single worker process for all applications

    IIS6 is much faster, more robust, more manageable - and the next buffer overflow
    won't give your attacker SYSTEM rights on your server....

    upgrade that web server and you will never look back.

    and btw - when you are impersonating you are really in a wacky state - there
    are so many exceptions where the impersonation token ISN'T used (thread switches,
    e.g. when calling COM, starting processes and so on) - I would suggest using
    it sparingly.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > We haven't upgraded to IIS 6.0 and I don't know when that will take
    > place. I was under the impression that running each website in its
    > own pool would degrade the performance of the server? I'll do some
    > research on what you suggested and pitch it to my manager. Thanks.
    >
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    >> Hello ADavis,
    >>
    >> why don't you just use IIS6 and run every application in a distinct
    >> application pool with a custom identity??
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> We have multiple websites (all with their own databases) running on
    >>> the same web server, since we were using the machine account to the
    >>> connect to the database (impersonation off in the webconfig file) we
    >>> felt it might be a security risk if the machine account were to
    >>> become compromised.
    >>>
    >>> I read several articles on fixed identity impersonation and
    >>> encrypting the credentials in the registry and it seemed like the
    >>> solution. We could still take advantage of connection pooling, but
    >>> not have the account information in plain text in our webconfig file
    >>> (connection string).
    >>>
    >>> "Dominick Baier [DevelopMentor]" wrote:
    >>>
    >>>> Hello ADavis,
    >>>>
    >>>> out of curiosity - why do you use fixed identity via config??
    >>>>
    >>>> ---------------------------------------
    >>>> Dominick Baier - DevelopMentor
    >>>> http://www.leastprivilege.com
    >>>>> Also, I just wanted to add that the machine.config file is
    >>>>> configured to use impersonation as well on both servers (this is
    >>>>> from our development server):
    >>>>>
    >>>>> <identity impersonate="true" userName="domain\servername_ASPNET"
    >>>>> password="*******!"/>
    >>>>>
    >>>>> "ADavis" wrote:
    >>>>>
    >>>>>> We have a development web server (Windows 2000 Server) and a
    >>>>>> production web server (Windows 2000 Server) both are running IIS
    >>>>>> 5.0 and have the .NET Framework 1.1. We have asp.net fixed
    >>>>>> identity impersonation running on the development server and
    >>>>>> it's fine. We moved the website to the production server and
    >>>>>> we're getting the following error:
    >>>>>>
    >>>>>> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx',
    >>>>>> Failed to start monitoring file changes.
    >>>>>>
    >>>>>> did a search in Google and found this article:
    >>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317955
    >>>>>> We followed Method 1 - didn't work.
    >>>>>>
    >>>>>> We are reluctant to follow Method 2 because the individual web
    >>>>>> site folders are set to inherit permission from the parent.
    >>>>>>
    >>>>>> Any help will be appreciated.
    >>>>>>
    >>>>>> Sincerely,
    >>>>>>
    >>>>>> ADavis
    >>>>>>
     
    Dominick Baier [DevelopMentor], Jul 19, 2005
    #15
  16. ADavis

    ADavis Guest

    Actually, my group didn't set up and configure ASP.NET or IIS; our LAN group
    is responsible for that. Once they cycled IIS, everything worked on our
    production server. I checked our development server and sure enough, both
    the local and domain account were in the local security policy. On the
    production server, only the local account was there. Everything is working
    properly. I found this on MSDN
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh20.asp.
    This is what gave me the idea of using fixed identity impersonation.

    "J-T" wrote:

    > >>but I'm learning. :)

    > That's very good.So do I.
    >
    > >>so our LAN team added the account to the local security policy.

    >
    > Exactly what I was going to say: sometimes developers grant some
    > permissions to an account and they don't let each other know. Everything is
    > fine, but when it goes to production it is another story. I personally have
    > found 40% of ASP.NET problems have something to do with the security of the
    > worker process, and I think the root of all this evil is NTLM and not having
    > the ability to flow the identity across the boundaries. I would appreciate it if
    > you could let me know of the outcome at bahrez_AT_nospam_yahoo.com. I'm so
    > interested to see what the problem was.
    >
    > Thanks a million for your valuable time .
    >
    > J-T
    >
    > "ADavis" <> wrote in message
    > news:...
    > > That's okay, I'm glad I can help. It's working in our development
    > > envirnoment, and it's passing the account information to the remote sql
    > > server box. Our LAN team called MS and they think the problem is the
    > > production webserver machine account (which is a domain account as well)
    > > didn't have the ability to impersonate, so our LAN team added the account
    > > to
    > > the local security policy. We have to schedule a downtime to cycle IIS to
    > > see if it works, I will keep you posted. From what I've read, the client
    > > sends its token to IIS, which in turn passes it to the ASP.NET engine; this
    > > is where the impersonation takes place, so instead of using the machine
    > > account to authenticate to the SQL Server we're telling it to use the Windows
    > > account created for the web application. My problem is, it isn't even
    > > getting that far. We are getting an access denied to the web folder. Like I
    > > said earlier, it's working in our development environment, weird stuff, but
    > > I'm learning. :)
    > >
    > > "J-T" wrote:
    > >
    > >> ADavis,
    > >>
    > >> Have you ever tested this in this scenario (because we are sharing exactly
    > >> the same thing)? When you use impersonation using a fixed identity, is the
    > >> worker process identity (ASPNET in IIS 5.x and the identity of the application
    > >> pool in IIS 6.0) taken into account at all or not? I think when impersonating
    > >> the worker process account is forced to be your impersonated user. What do you
    > >> think? My focus is cross-machine, from web server to database server.
    > >>
    > >> Actually you wanted to get an answer for your problem and you got trapped by
    > >> somebody else's questions. Sorry about that.
    > >>
    > >> Thanks
    > >> "ADavis" <> wrote in message
    > >> news:...
    > >> > Yes, we only give exec permission to our stored procedures to the
    > >> > domain
    > >> > account specifically created for the web application.
    > >> >
    > >> > "J-T" wrote:
    > >> >
    > >> >> If you are using a Trusted connection, it means that you don't specify a
    > >> >> username and password in your connection string; then on the SQL Server
    > >> >> side you give the appropriate permissions to that domain account, right?
    > >> >> Thanks
    > >> >>
    > >> >> "ADavis" <> wrote in message
    > >> >> news:...
    > >> >> > 1) Yes
    > >> >> > 2) We are using a domain account
    > >> >> > 3) Trusted connection.
    > >> >> >
    > >> >> > "J-T" wrote:
    > >> >> >
    > >> >> >> ADavis,
    > >> >> >>
    > >> >> >> We are doing the same thing, can I ask you a couple of questions?
    > >> >> >>
    > >> >> >> 1) Are you using NTLM for each website?
    > >> >> >> 2) When you impersonated under a fixed account, is it a domain
    > >> >> >> account or a local account of the webserver?
    > >> >> >>
    > >> >> >> 3) What does your connection string to the database look like? I mean is
    > >> >> >> it using a Trusted Connection or a SQL Server account?
    > >> >> >>
    > >> >> >>
    > >> >> >> Thanks a lot
    > >> >> >>
    > >> >> >> "ADavis" <> wrote in message
    > >> >> >> news:...
    > >> >> >> > Also, I just wanted to add that the machine.config file is
    > >> >> >> > configured
    > >> >> >> > to
    > >> >> >> > use
    > >> >> >> > impersonation as well on both servers (this is from our
    > >> >> >> > development
    > >> >> >> > server):
    > >> >> >> >
    > >> >> >> > <identity impersonate="true" userName="domain\servername_ASPNET"
    > >> >> >> > password="*******!"/>
    > >> >> >> >
    > >> >> >> > "ADavis" wrote:
    > >> >> >> >
    > >> >> >> >> We have a development web server (Windows 2000 Server) and a
    > >> >> >> >> production
    > >> >> >> >> web
    > >> >> >> >> server (Windows 2000 Server) both are running IIS 5.0 and have
    > >> >> >> >> the
    > >> >> >> >> .NET
    > >> >> >> >> Framework 1.1. We have asp.net fixed identity impersonation
    > >> >> >> >> running
    > >> >> >> >> on
    > >> >> >> >> the
    > >> >> >> >> development server and it's fine. We moved the website to the
    > >> >> >> >> production
    > >> >> >> >> server and we're getting the following error:
    > >> >> >> >>
    > >> >> >> >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx',
    > >> >> >> >> Failed
    > >> >> >> >> to
    > >> >> >> >> start
    > >> >> >> >> monitoring file changes.
    > >> >> >> >>
    > >> >> >> >> did a search in Google and found this article:
    > >> >> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317955
    > >> >> >> >>
    > >> >> >> >> We followed Method 1 - didn't work.
    > >> >> >> >>
    > >> >> >> >> We are reluctant to follow Method 2 because the individual web
    > >> >> >> >> site
    > >> >> >> >> folders
    > >> >> >> >> are set to inherit permission from the parent.
    > >> >> >> >>
    > >> >> >> >> Any help will be appreciated.
    > >> >> >> >>
    > >> >> >> >> Sincerely,
    > >> >> >> >>
    > >> >> >> >> ADavis
    > >> >> >>
    > >> >> >>
    > >> >> >>
    > >> >>
    > >> >>
    > >> >>
    > >>
    > >>
    > >>

    >
    >
    >
     
    ADavis, Jul 20, 2005
    #16
  17. ADavis

    ADavis Guest

    We did use Filemon and it said "BAD IMPERSONATION"; we interpreted that as
    being the account created for the website, not the domain account created for
    ASP.NET to run under. We called MS and added the domain account for ASP.NET
    to the local security policy to impersonate and everything is fine. Thanks

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Have you considered using Filemon to figure out exactly which file or
    > directory is causing the access denied? That would be a good place to
    > start.
    >
    > My guess is that you will need to grant the required read access to the
    > impersonated account, but Filemon should tell you exactly what is failing.
    >
    > Joe K.
    >
    > "ADavis" <> wrote in message
    > news:...
    > > Also, I just wanted to add that the machine.config file is configured to
    > > use
    > > impersonation as well on both servers (this is from our development
    > > server):
    > >
    > > <identity impersonate="true" userName="domain\servername_ASPNET"
    > > password="*******!"/>
    > >
    > > "ADavis" wrote:
    > >
    > >> We have a development web server (Windows 2000 Server) and a production
    > >> web
    > >> server (Windows 2000 Server) both are running IIS 5.0 and have the .NET
    > >> Framework 1.1. We have asp.net fixed identity impersonation running on
    > >> the
    > >> development server and it's fine. We moved the website to the
    > >> production
    > >> server and we're getting the following error:
    > >>
    > >> Access denied to 'D:\MCJNET\WorkOrderSystems\default.aspx', Failed to
    > >> start
    > >> monitoring file changes.
    > >>
    > >> did a search in Google and found this article:
    > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317955
    > >>
    > >> We followed Method 1 - didn't work.
    > >>
    > >> We are reluctant to follow Method 2 because the individual web site
    > >> folders
    > >> are set to inherit permission from the parent.
    > >>
    > >> Any help will be appreciated.
    > >>
    > >> Sincerely,
    > >>
    > >> ADavis

    >
    >
    >
     
    ADavis, Jul 20, 2005
    #17
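Pulling the thread's diagnosis together: Joe Kaplan's advice (#14) was to let Filemon (today its successor, Process Monitor) name the file that fails; Dominick's caveat (#15) was that the impersonation token is not carried into child processes; and the actual fix (#16, #17) was a user-rights entry in the local security policy for the account ASP.NET runs as. The script below is an added example, not code from the thread or from Microsoft, that reproduces each of those checks outside IIS. It assumes Windows PowerShell 5.1 (the .NET Framework, which still has WindowsIdentity.Impersonate), an elevated prompt because secedit needs one, that it is launched under the worker-process account (ASPNET or the domain account ASP.NET was configured to run as), and it uses the path and <identity> user name quoted in the thread as defaults. The logon type passed to LogonUser is an assumption: the thread does not say which one ASP.NET uses, and a network-cleartext logon is the kind that can still open a trusted connection to a remote SQL Server.

```powershell
<#
  Added example, not code from the thread or from Microsoft.
  Run under the worker-process account, from an elevated Windows PowerShell 5.1 prompt.
    1. who holds SeTcbPrivilege (the local-security-policy entry the thread added);
    2. which ACEs the fixed identity has on the web root (what Filemon points you at);
    3. can this account obtain the fixed identity's token, read default.aspx and
       start a change monitor (the "Failed to start monitoring file changes" path);
    4. does a child process inherit the impersonated identity (it does not).
#>
param(
    [string]$WebRoot     = 'D:\MCJNET\WorkOrderSystems',   # path from the thread's error message
    [string]$FixedDomain = $env:USERDOMAIN,                # assumption: fixed identity is in this host's domain
    [string]$FixedUser   = 'servername_ASPNET'             # userName from the thread's <identity> element
)

Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# --- 1. who holds SeTcbPrivilege ("Act as part of the operating system")? ---
# On Windows 2000 the process calling LogonUser had to hold this right, which is why
# fixed-identity impersonation failed until the worker-process account was added to it.
# Windows XP and later dropped that requirement, so on a current host step 3 can
# succeed even when this list is empty.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$tcbLine    = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
$tcbHolders = @()
if ($tcbLine) {
    $tcbHolders = (($tcbLine -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {   # secedit writes principals as *S-1-5-... ; resolve to names
            try { (New-Object Security.Principal.SecurityIdentifier ($v.Substring(1))).Translate([Security.Principal.NTAccount]).Value }
            catch { $v }
        } else { $v }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
"Process account : $env:USERDOMAIN\$env:USERNAME"
"SeTcbPrivilege  : $(if ($tcbHolders) { $tcbHolders -join ', ' } else { '<nobody>' })"

# --- 2. ACEs for the fixed identity on the web root, inherited ones included ---
# Filemon / Process Monitor tells you which path is denied; this tells you why.
Get-Acl -Path $WebRoot | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -ieq "$FixedDomain\$FixedUser" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# --- 3. obtain the fixed identity's token the way <identity userName password> does ---
$cred  = Get-Credential -UserName "$FixedDomain\$FixedUser" -Message 'Password of the fixed identity'
$token = [IntPtr]::Zero
# 8 = LOGON32_LOGON_NETWORK_CLEARTEXT (assumed logon type: yields a token that can still
# authenticate outbound, e.g. a trusted connection to SQL Server); 0 = LOGON32_PROVIDER_DEFAULT
$ok = [Win32.Advapi]::LogonUser($FixedUser, $FixedDomain, $cred.GetNetworkCredential().Password, 8, 0, [ref]$token)
if (-not $ok) {
    $err = New-Object ComponentModel.Win32Exception ([Runtime.InteropServices.Marshal]::GetLastWin32Error())
    throw "LogonUser failed for $FixedDomain\$FixedUser : $($err.Message)"   # the 'BAD IMPERSONATION' case
}
$ctx = [Security.Principal.WindowsIdentity]::Impersonate($token)
try {
    "Thread now runs as : $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

    # The two things ASP.NET does when it compiles the page: read it, and watch the
    # directory for changes. EnableRaisingEvents throws if FILE_LIST_DIRECTORY is denied,
    # which is the access the "Failed to start monitoring file changes" error is about.
    $fs = [IO.File]::OpenRead((Join-Path $WebRoot 'default.aspx')); $fs.Dispose()
    $watcher = New-Object IO.FileSystemWatcher $WebRoot
    $watcher.EnableRaisingEvents = $true
    $watcher.Dispose()
    "File read + change monitoring : OK for $FixedDomain\$FixedUser"

    # --- 4. a child process does NOT get the impersonation token ---
    # CreateProcess uses the caller's primary (process) token, so this prints the
    # worker-process account, not the fixed identity.
    "Child process runs as : $(& whoami)"
}
finally {
    $ctx.Undo()
    [void][Win32.Advapi]::CloseHandle($token)
}
```

If step 3 throws, the worker-process account cannot log the fixed identity on at all and no NTFS change will help; on Windows 2000 that is the SeTcbPrivilege case from step 1, elsewhere it is usually a wrong password or a user-rights restriction on the fixed account itself. If step 3 passes but the watcher throws, the fixed identity needs read and list-folder rights on the web root, which is what Joe Kaplan guessed. The last line is Dominick's warning in practical form: anything a page launches with Process.Start runs as the worker process, not as the impersonated user, so a fixed identity does not confine code that shells out.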