"ASP.NET Machine Account" problem

Discussion in 'ASP .Net Security' started by James Wong, Aug 23, 2006.

  1. James Wong

    James Wong Guest

    Hi,

    When I use VB.Net 2005 to develop a web service program, the program
    connects to a server in another domain.
    The "ASP.NET Machine Account" does not have permission to access this
    server.

    Can I use a user from the other domain instead of the "ASP.NET Machine Account"
    for IIS with VB.Net 2005?
    Otherwise, is there a good idea to solve my problem?
    Thanks!

    James
     
    James Wong, Aug 23, 2006
    #1

  2. Hello James,

    From your description, when your ASP.NET application (which is running under
    the machine\ASPNET account) tries to access some remote protected resource,
    you get a permission issue, correct?

    Since your ASP.NET application's worker process account is "MACHINE\ASPNET",
    I think your development machine is Windows XP or Windows 2000 with IIS5,
    correct?

    For an ASP.NET application, by default all the code runs under the
    worker process account. The default worker process account differs
    depending on the OS/IIS version:

    ** On XP/2000 with IIS5, by default the ASP.NET process (aspnet_wp.exe) runs
    under the "machine\ASPNET" account; this can be changed in the machine.config
    file (under the framework directory,
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG).

    ** On Windows 2003 Server with IIS6, ASP.NET uses the IIS application pool mode,
    and the worker process (w3wp.exe) runs under the "NT AUTHORITY\NETWORK
    SERVICE" account.

    Here is an MSDN article describing how to check the ASP.NET worker process
    identity and how to configure it:


    #Configuring ASP.NET Process Identity
    http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx

    So for your scenario, where your ASP.NET application will access some protected
    remote resource, I think you can consider configuring your ASP.NET
    application to use a different process account. This account should be
    recognizable by the remote machine and have sufficient permission. It can
    be:

    ** a domain account

    ** a duplicated local account which has a mapping account (with the same
    username and password) on the remote machine

    You can decide which one to use according to your detailed conditions. Also,
    to make sure your custom account has sufficient permission to run the ASP.NET
    application, you can follow the MSDN article below:

    #How To: Create a Service Account for an ASP.NET 2.0 Application
    https://msdn.microsoft.com/library/en-us/dnpag2/html/paght000009.asp?frame=true


    In addition, if there are only a small number of pages or pieces of code which
    will access the remote secured resource and you do not want to change the worker
    process account for the entire web application (in machine.config), you can
    consider programmatically impersonating in your application/page's code:


    Here is a good article introducing impersonation in ASP.NET 2.0:


    #How To: Use Impersonation and Delegation in ASP.NET 2.0
    http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?frame=true


    You can have a look at the above options. If anything is unclear or there is
    any other information you are wondering about, please feel free to let me know.


    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================



    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Aug 23, 2006
    #2

  3. James Wong

    James Wong Guest

    Hi, I will try it, thx~


     
    James Wong, Aug 28, 2006
    #3
  4. Thanks for your reply James,

    Please feel free to let me know if there is any other information you
    are wondering about.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Aug 28, 2006
    #4
