ASP.NET process impersonation on IIS6

Discussion in 'ASP .Net Security' started by Lauren Buchholz, Oct 6, 2003.

  1. Hi, I have an application that was originally designed under IIS5.1 and
    ASP.NET that used a setting in the machine.config that would allow my
    worker process to run under a different account. I know that the new worker
    process isolation mode changes how this works, but I have been unable to get
    my application to run as the account I would like while keeping IIS in
    native mode. Anyone know how to do this?

    More specifically, we need a .NET app to connect to a PKI based SSL web
    service. The way we had it working in the past is that we would create a
    limited security account, install the proper certificates in that account,
    and then run the worker process as that account. Is there a better way to
    do this now in Windows 2003?
     
    Lauren Buchholz, Oct 6, 2003
    #1

  2. If IIS is running in worker process isolation mode (IIS6 native mode in
    Windows.NET Server 2003), the "processModel" account specified in the
    machine.config file is ignored.

    If you want to run your web application on a specific account, just simply
    change the application pool identity to the account you wanted to run your
    web application under. And make sure this account is a member of the local
    IIS_WPG group.

    You may want to review your application architecture if this is an internet
    facing box as there are lots of security issues involved in running the
    application pool on a privileged account.
     
    Ram Sunkara [msft], Oct 7, 2003
    #2

  3. Thanks, I will give that a shot today. When I was playing
    around I tried all of this, minus the step of adding the
    account to the IIS_WPG on the machine, and was getting some
    strange errors.

    Regards
     
    Lauren, Oct 7, 2003
    #3
  4. Is there a better way to have my asp.net account store the certificate that
    it needs to access the web service I am trying to use? My original solution,
    although functional, doesn't seem like it is optimal. I have tried using the
    certificates MMC plugin to import the certificate, but the only service I
    can see is the web server process itself, which I don't believe is the
    correct service to store the personal certificate. Is the only way to have
    ASP.NET contact a site via a personal certificate to use an impersonated
    account, or is there a more secure way to do this?
     
    Lauren Buchholz, Oct 7, 2003
    #4
  5. Well, the easiest way would be to import the certificate into the user store
    under which you wanted to run your web application. From your web
    application, before calling the web service, do a RevertToSelf to impersonate
    the ASP.NET thread security context (in this case the user context you wanted
    ASP.NET to run under).

    When your call is completed, make sure the thread impersonates back the
    current user.

    Calling RevertToSelf involves InteropServices.

    Ram-
     
    Ram Sunkara [msft], Oct 9, 2003
    #5
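
The sequence described in reply #5 (revert to the application pool account, make the client-certificate call, then restore the caller's impersonation), as an added C# example that is not part of the original thread. It assumes .NET Framework 2.0 or later and that the certificate and its private key are already imported into the pool account's Personal store; `ClientCertCall`, `serviceUrl` and `subjectName` are hypothetical names.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class ClientCertCall
{
    // Win32 API named in the reply; removes any impersonation token from the thread.
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool RevertToSelf();

    // serviceUrl and subjectName are hypothetical, caller-supplied values.
    public static HttpStatusCode Call(string serviceUrl, string subjectName)
    {
        // Non-null only if the thread is currently impersonating the requesting user.
        WindowsIdentity caller = WindowsIdentity.GetCurrent(true);
        if (!RevertToSelf())
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // The thread now runs as the application pool account,
            // so CurrentUser\My is that account's Personal store.
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found;
            try
            {
                found = store.Certificates.Find(
                    X509FindType.FindBySubjectName, subjectName, true); // valid certs only
            }
            finally { store.Close(); }
            if (found.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one valid certificate, found " + found.Count);

            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(serviceUrl);
            request.ClientCertificates.Add(found[0]);
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                return response.StatusCode;
        }
        finally
        {
            // Restore the original impersonation even if the call failed, so later
            // code on this thread does not keep running as the pool account.
            if (caller != null) caller.Impersonate();
        }
    }
}
```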