ASP.NET Impersonation in a Windows 2003 non domain member server

Discussion in 'ASP .Net Security' started by Johann Granados, Apr 20, 2007.

  1. Hi everybody,

    Is it possible to do ASP.NET Impersonation in a Windows 2003 non domain
    member server (located in the DMZ)? If so, how can I do that?

    Thanks in advance for your kind reply

    Best regards,

    Johann Granados
    Staff DotNet
     
    Johann Granados, Apr 20, 2007
    #1

  2. You need Windows authentication enabled for that.

    Then you either generally impersonate for the length of the whole request
    using the <identity impersonate="true" /> config switch - or programmatically
    by calling

    using System.Security.Principal;

    // Impersonates the authenticated caller only for the scope of the block;
    // disposing the context reverts the thread to the worker process identity.
    using (((WindowsIdentity)Context.User.Identity).Impersonate())
    {
        // code that must run as the caller
    }

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Hi everybody,
    >
    > Is it possible to do ASP.NET Impersonation in a Windows 2003 non
    > domain member server (located in the DMZ)? If so, how can I do that?
    >
    > Thanks in advance for your kind reply
    >
    > Best regards,
    >
    > Johann Granados
    > Staff DotNet
     
    Dominick Baier, Apr 20, 2007
    #2

  3. Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    Hi Dominick,

    Thanks a lot for your answer.

    I've tried both approaches you mention. They both work very well in a
    domain member server, but they don't work in a non domain member server
    (because there is no domain controller to authenticate the user). What I
    need is a way to call a server component located in the internal network by
    passing it a Windows identity credential created at the non domain member
    server.

    Thanks again for your help.

    Best regards,

    Johann Granados

    "Dominick Baier" wrote:

    > You need Windows authentication enabled for that.
    >
    > Then you either generally impersonate for the length of the whole request
    > using the <identity impersonate="true" /> config switch - or programmatically
    > by calling
    >
    > using (((WindowsIdentity)Context.User.Identity).Impersonate())
    > {
    > }
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > Hi everybody,
    > >
    > > Is it possible to do ASP.NET Impersonation in a Windows 2003 non
    > > domain member server (located in the DMZ)? If so, how can I do that?
    > >
    > > Thanks in advance for your kind reply
    > >
    > > Best regards,
    > >
    > > Johann Granados
    > > Staff DotNet

     
    Johann Granados, Apr 20, 2007
    #3
  4. Joe Kaplan (Guest)

    Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    Yeah, you can't really do this as you can't create a domain identity to
    impersonate on a non-domain machine. That's not the way Windows security
    works. You would need a way to do this that didn't require
    impersonation.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Johann Granados" <> wrote in
    message news:...
    > Hi Dominick,
    >
    > Thanks a lot for your answer.
    >
    > I've tried both approaches you mention. They both work very well in a
    > domain member server, but they don't work in a non domain member server
    > (because
    > there is no domain controller to authenticate the user). What I need is
    > a
    > way to call a server component located in the internal network by passing
    > it
    > a Windows identity credential created at the non domain member server.
    >
    > Thanks again for your help.
    >
    > Best regards,
    >
    > Johann Granados
    >
     
    Joe Kaplan, Apr 20, 2007
    #4
  5. Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    I found this article about Protocol Transition:
    http://msdn2.microsoft.com/en-us/library/ms998355.aspx. It mentions the
    Service-for-User-to-Self (S4U2Self) extension for Kerberos implemented in
    Windows Server 2003 (this service allows the developer to obtain a
    WindowsIdentity without passing a password). The article does not mention
    whether this service works in a non domain member server, but I guess it
    may. Have you ever heard of this service? Have you used it?

    Best regards,

    --
    Johann Granados
    MVP Compact Framework
    Costa Rica, Central America


    "Joe Kaplan" wrote:

    > Yeah, you can't really do this as you can't create a domain identity to
    > impersonate on a non-domain machine. That's not the way Windows security
    > works. You would need a way to do this that didn't require
    > impersonation.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > --
    > "Johann Granados" <> wrote in
    > message news:...
    > > Hi Dominick,
    > >
    > > Thanks a lot for your answer.
    > >
    > > I've tried both approaches you mention. They both work very well in a
    > > domain member server, but they don't work in a non domain member server
    > > (because
    > > there is no domain controller to authenticate the user). What I need is
    > > a
    > > way to call a server component located in the internal network by passing
    > > it
    > > a Windows identity credential created at the non domain member server.
    > >
    > > Thanks again for your help.
    > >
    > > Best regards,
    > >
    > > Johann Granados
    > >

     
    Johann Granados, Apr 20, 2007
    #5
  6. Joe Kaplan (Guest)

    Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    I have used it and it won't work for you either if the server isn't a domain
    member. Sorry. :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Johann Granados" <> wrote in
    message news:...
    > I found this article about Protocol Transition:
    > http://msdn2.microsoft.com/en-us/library/ms998355.aspx. It mentions the
    > Service-for-User-to-Self (S4U2Self) extension for Kerberos implemented in
    > Windows Server 2003 (this service allows the developer to obtain a
    > WindowsIdentity without passing a password). The article does not mention
    > whether this service works in a non domain member server, but I guess it
    > may. Have you ever heard of this service? Have you used it?
    >
    > Best regards,
    >
    > --
    > Johann Granados
    > MVP Compact Framework
    > Costa Rica, Central America
    >
    >
     
    Joe Kaplan, Apr 20, 2007
    #6
  7. Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    OK - you are talking about delegation. Which is something different.

    Yeah - you need domain connectivity for that.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Hi Dominick,
    >
    > Thanks a lot for your answer.
    >
    > I've tried both approaches you mention. They both work very well in a
    > domain member server, but they don't work in a non domain member server
    > (because there is no domain controller to authenticate the user). What
    > I need is a way to call a server component located in the internal
    > network by passing it a Windows identity credential created at the non
    > domain member server.
    >
    > Thanks again for your help.
    >
    > Best regards,
    >
    > Johann Granados
    >
    > "Dominick Baier" wrote:
    >
    >> You need Windows authentication enabled for that.
    >>
    >> Then you either generally impersonate for the length of the whole
    >> request using the <identity impersonate="true" /> config switch - or
    >> programmatically by calling
    >>
    >> using (((WindowsIdentity)Context.User.Identity).Impersonate())
    >> {
    >> }
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> Hi everybody,
    >>>
    >>> Is it possible to do ASP.NET Impersonation in a Windows 2003 non
    >>> domain member server (located in the DMZ)? If so, how can I do that?
    >>>
    >>> Thanks in advance for your kind reply
    >>>
    >>> Best regards,
    >>>
    >>> Johann Granados
    >>> Staff DotNet
     
    Dominick Baier, Apr 20, 2007
    #7
  8. Joe Kaplan (Guest)

    Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    I don't think he can impersonate a domain account on a non-domain member
    machine whether or not he wants to delegate. He wouldn't be delegating if
    he was using S4U or called LogonUser, but I don't think he can get that
    logon token and impersonate it no matter what. Is that your understanding
    of how it works?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > OK - you are talking about delegation. Which is something different.
    >
    > Yeah - you need domain connectivity for that.
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    >
    >> Hi Dominick,
    >>
    >> Thanks a lot for your answer.
    >>
    >> I've tried both approaches you mention. They both work very well in a
    >> domain member server, but they don't work in a non domain member server
    >> (because there is no domain controller to authenticate the user). What
    >> I need is a way to call a server component located in the internal
    >> network by passing it a Windows identity credential created at the non
    >> domain member server.
    >>
    >> Thanks again for your help.
    >>
    >> Best regards,
    >>
    >> Johann Granados
    >>
    >> "Dominick Baier" wrote:
    >>
    >>> You need Windows authentication enabled for that.
    >>>
    >>> Then you either generally impersonate for the length of the whole
    >>> request using the <identity impersonate="true" /> config switch - or
    >>> programmatically by calling
    >>>
    >>> using (((WindowsIdentity)Context.User.Identity).Impersonate())
    >>> {
    >>> }
    >>> -----
    >>> Dominick Baier (http://www.leastprivilege.com)
    >>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>
    >>>> Hi everybody,
    >>>>
    >>>> Is it possible to do ASP.NET Impersonation in a Windows 2003 non
    >>>> domain member server (located in the DMZ)? If so, how can I do that?
    >>>>
    >>>> Thanks in advance for your kind reply
    >>>>
    >>>> Best regards,
    >>>>
    >>>> Johann Granados
    >>>> Staff DotNet

     
    Joe Kaplan, Apr 20, 2007
    #8
  9. Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    "What I need is a way to call a server component located at the internal
    network by passing it a windows identity credential created at the non domain
    member server."

    Well - the question is - do you need to call the internal component using
    client credentials??


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I don't think he can impersonate a domain account on a non-domain
    > member machine whether or not he wants to delegate. He wouldn't be
    > delegating if he was using S4U or called LogonUser, but I don't think
    > he can get that logon token and impersonate it no matter what. Is
    > that your understanding of how it works?
    >
    > Joe K.
    >
     
    Dominick Baier, Apr 20, 2007
    #9
  10. Joe Kaplan (Guest)

    Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    It sounds to me like he just wants a way to call the component, period, and
    needs to impersonate any domain account. Whether or not it is the client's
    credential and he is delegating seems to be not as important.

    I'm saying that I don't think you can impersonate a domain account on a
    non-domain machine, but I'm not totally positive, so I'm asking you. :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > "What I need is a way to call a server component located at the internal
    > network by passing it a windows identity credential created at the non
    > domain member server."
    >
    > Well - the question is - do you need to call the internal component using
    > client credentials??
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    >
    >> I don't think he can impersonate a domain account on a non-domain
    >> member machine whether or not he wants to delegate. He wouldn't be
    >> delegating if he was using S4U or called LogonUser, but I don't think
    >> he can get that logon token and impersonate it no matter what. Is
    >> that your understanding of how it works?
    >>
    >> Joe K.
    >>

     
    Joe Kaplan, Apr 20, 2007
    #10
  11. Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    You cannot impersonate a domain account on a non-domain machine.

    What would work is to have mirrored accounts on both sides. This means that
    on the server and the internal machine/domain there are two matching accounts
    with the same username/password.

    Either the worker process runs as such an account, or this account is impersonated
    before doing internal component access.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > It sounds to me like he just wants a way to call the component period
    > and needs to impersonate any domain account. Whether or not it is the
    > client's credential and he is delegating seems to be not as important.
    >
    > I'm saying that I don't think you can impersonate a domain account on
    > a non-domain machine, but I'm not totally positive, so I'm asking you.
    > :)
    >
    > Joe K.
    >
     
    Dominick Baier, Apr 21, 2007
    #11
  12. Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    Or maybe (though I haven't tried that) you could impersonate a domain account
    using a token created with the NEW_CREDENTIAL option.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > You cannot impersonate a domain account on a non-domain machine.
    >
    > What would work is to have mirrored accounts on both sides. This means
    > that on the server and the internal machine/domain there are two
    > matching accounts with the same username/password.
    >
    > Either the worker process runs as such an account, or this account is
    > impersonated before doing internal component access.
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    >
    >> It sounds to me like he just wants a way to call the component period
    >> and needs to impersonate any domain account. Whether or not it is
    >> the client's credential and he is delegating seems to be not as
    >> important.
    >>
    >> I'm saying that I don't think you can impersonate a domain account on
    >> a non-domain machine, but I'm not totally positive, so I'm asking you.
    >> :)
    >>
    >> Joe K.
    >>
     
    Dominick Baier, Apr 21, 2007
    #12
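    Added example (not code from any poster in this thread) combining the mirrored-account approach from #11 with the NEW_CREDENTIALS token suggested in #12: LogonUser with LOGON32_LOGON_NEW_CREDENTIALS does not validate the credentials at logon time, so it succeeds on a non-domain machine, and the supplied domain credentials are presented only to remote hosts during outbound authentication. The domain, user, password, share path and helper names are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: log on a mirrored account with LOGON32_LOGON_NEW_CREDENTIALS
// so that only outbound network authentication uses the supplied credentials;
// the thread's local identity is unchanged.
public static class MirroredAccountCaller
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;   // required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'action' while remote calls (SMB, DCOM, integrated HTTP auth)
    // authenticate as domain\user. The credentials should come from a
    // protected configuration section, not from a literal in code.
    public static T RunWithNetworkCredentials<T>(string domain, string user,
                                                 string password, Func<T> action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            using (WindowsIdentity.Impersonate(token))
            {
                // WindowsIdentity.GetCurrent().Name is still the worker
                // process account here; the mirrored account is used only
                // for outbound authentication, so never base local
                // authorization decisions on this impersonation.
                return action();
            }
        }
        finally
        {
            CloseHandle(token);   // release the logon session handle
        }
    }

    // Hypothetical use: read a status file from an internal share.
    public static string ReadInternalStatus(string domain, string user, string password)
    {
        return RunWithNetworkCredentials(domain, user, password,
            () => File.ReadAllText(@"\\internal-host\share\status.txt"));
    }
}
```

    The worker-process variant from #11 needs no code: run the application pool as the mirrored local account, and the matching username/password is what the internal host sees during NTLM authentication.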
  13. Joe Kaplan (Guest)

    Re: ASP.NET Impersonation in a Windows 2003 non domain member serv

    That's kind of what I was thinking too, but I haven't tried it either. Not
    today though. :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Or maybe (though I haven't tried that) you could impersonate a domain
    > account using a token created with the NEW_CREDENTIAL option.
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
     
    Joe Kaplan, Apr 21, 2007
    #13
