ASP.NET Impersonation to access Oracle database...

Discussion in 'ASP .Net' started by Top Poster, Jul 6, 2005.

  1. Top Poster

    Top Poster Guest

    Hi all,

    I am trying to work out how I can use impersonation to connect to an Oracle
    9i database such that I can avoid sending a clear text username and password
    to the Oracle server.

    We are using Windows 2000 and IIS 5.0. Currently the database and the
    Webserver are running on the same machine (which I'll call MyMachineName).
    Until now I have been using a connection string in the web.config file on an
    IIS Web Server as follows:

    <appSettings>
      <add key="ConnectionString" value="Data Source=mydatabase;User Id=scott;Password=tiger;Integrated Security=no;"/>
    </appSettings>

    This works fine but it is not a satisfactory long term solution.
    I have tried to use Impersonation so that the UserId and Password can be
    stored in the registry on the Web Server to achieve the same result. I have
    performed these steps on the IIS Web Server:

    From the command line:
    aspnet_setreg.exe -k:SOFTWARE\myWebService\identity -u:"scott" -p:"tiger"
    Added to web.config:
    <identity impersonate="true"
      userName="registry:HKLM\SOFTWARE\myWebService\identity\ASPNET_SETREG,userName"
      password="registry:HKLM\SOFTWARE\myWebService\identity\ASPNET_SETREG,password"
    />

    I have kept the appSettings section but removed the username and password:
    <appSettings>
      <add key="ConnectionString" value="Data Source=mydatabase;Integrated Security=no;"/>
    </appSettings>

    Used regedt32.exe to grant permissions for the ASP.NET account on these
    registry keys, i.e.:
    Click on the HKEY_LOCAL_MACHINE\SOFTWARE\myWebService\ subkey
    On the Security menu, click Permissions
    Click Add
    In the "Look In" combo box (which appears in a Win2K environment) select the
    machine name (not the domain name because the ASPNET user has not been added
    to our domain)

    The user MyMachineName\ASPNET has now been granted permissions on the
    ASP.NET account.

    The web service is configured to use anonymous access.

    At this point I tried to navigate to the Virtual Directory
    (...service1.asmx) using Internet Explorer and received this error message:
    Configuration error ... Error from the operating system ... "A required
    privilege is not held by the client"

    Then I read that a possible workaround is to change the Local Policies as
    follows:
    Start, Settings, Control Panel, Administrative Tools, Local Security
    Policy, Local Policies, User Rights Assignment, Act as part of the
    operating system, Add, MyMachineName\ASPNET

    Unfortunately I am still getting the same error ... "A required privilege is
    not held by the client"
    I also tried modifying the machine.config file processModel section with
    userName="SYSTEM" and password="AutoGenerate"

    Does anyone have any suggestions to either fix the problem or to try an
    alternative approach?

    I am worried about the possibility that using a 3rd party product (Oracle)
    has compromised the likelihood of resolving the problem.
    Do I need to set up ASPNET as a domain user?
    Do I need to further change the appSettings section of the web.config file?
    Does ASPNET have to be defined as a database user? (currently it is not)



    Many thanks,

    DJ
     
    Top Poster, Jul 6, 2005
    #1

  2. The error you are getting is because User Id=scott is not an authorized
    UserID to the desktop (or server) where you are running the application. If
    you were to use a userId and password that is allowed on both the desktop and
    on the Oracle server then you will not get that error.
     
    societopia.net, Jul 6, 2005
    #2
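
An added example, not part of the original thread: a small audit of the two web.config variants from the first post. It flags clear-text credentials in the connection string or the `<identity>` element and accepts only `registry:` references of the form shown for aspnet_setreg.exe. The sample documents and the finding names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the two web.config variants in the first post.
BEFORE = """<configuration>
  <appSettings>
    <add key="ConnectionString" value="Data Source=mydatabase;User Id=scott;Password=tiger;Integrated Security=no;"/>
  </appSettings>
</configuration>"""

AFTER = r"""<configuration>
  <system.web>
    <identity impersonate="true"
      userName="registry:HKLM\SOFTWARE\myWebService\identity\ASPNET_SETREG,userName"
      password="registry:HKLM\SOFTWARE\myWebService\identity\ASPNET_SETREG,password"/>
  </system.web>
  <appSettings>
    <add key="ConnectionString" value="Data Source=mydatabase;Integrated Security=no;"/>
  </appSettings>
</configuration>"""

# Shape of the registry reference used in the post's <identity> element.
REG_REF = re.compile(r"^registry:HK[A-Z_]+\\.+\\ASPNET_SETREG,(userName|password)$")

def parse_conn(value):
    """Split 'k=v;k=v' into a dict with lower-cased, space-free keys."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower().replace(" ", ""): v.strip() for k, v in pairs}

def audit(xml_text):
    """Return sorted finding codes (hypothetical names) for one web.config."""
    findings = set()
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        conn = parse_conn(add.get("value", ""))
        if "datasource" not in conn:
            continue  # not a connection string
        if conn.get("password") or conn.get("pwd"):
            findings.add("CLEARTEXT_DB_PASSWORD")
        integrated = conn.get("integratedsecurity", "no").lower()
        if "userid" not in conn and integrated in ("no", "false"):
            # String names no database user and integrated security is off.
            findings.add("NO_DB_CREDENTIAL_SOURCE")
    for ident in root.iter("identity"):
        for attr in ("userName", "password"):
            val = ident.get(attr)
            if val and not REG_REF.match(val):
                findings.add("CLEARTEXT_IDENTITY_" + attr.upper())
    return sorted(findings)
```

On the second variant the audit reports only that the connection string itself names no database user while `Integrated Security=no` is still set.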