ASP.NET security and RSA SecurID

[Alan Chen]

Hi,
I have a dll that wraps RSA SecurID package. It works great if I call
the api from a Console app. But SD_Check() always failed (Access
denied even if I passed in correct user id and passcode) every time
when I call the api from a web service or a web app. I suspect that
web.config or IIS need to be modified but don't know how.
Any suggestions? Thanks.

 

[Joe Kaplan \(MVP - ADSI\)]

What if you change the processModel or App Pool ID to a more privileged
account such as an administrator or SYSTEM? It could be that it is trying
to access a file or registry key that requires a more privileged account
than what ASP.NET is running under.

Regmon or Filemon from SysInternals is often very helpful at tracking this
kind of thing down. Running the console app under a regular user account
might be good too.

I'd love to see your code if you'd be interested in sharing. I've got ACE
servers out the wazoo here!

HTH,

Joe K.

 

[Alan Chen]

Joe,
Thanks for your reply.
You are right and nice tool you suggested, I use Regmon and found the
difference as follow:

10:07:52
AM aspnet_wp.exe:1104 OpenKey HKLM\SOFTWARE\SDTI\ACECLIENT ACCDENIED
9:59:47
AM ConsoleApplicat:3696 OpenKey HKLM\SOFTWARE\SDTI\ACECLIENT SUCCESS
The first item is from Web app and second is from Console app.
For quick experiment, I just gave ASPNET user a Admin priviledge
temperarely and the web app passed the check!
I will probably use impersonate to get a more elegant solution.

For you reference, I got most of the code from here:
http://groups.google.com/groups?q=sd_check&hl=en&lr=&ie=UTF-8&selm=#5y
FTrV7DHA.1428%40TK2MSFTNGP12.phx.gbl&rnum=1

I made it a dll and reference in both console and web app. The test I
used is very simple:

private void Button1_Click(object sender, System.EventArgs e)
{
string userName = TextBox1.Text;
string passcode = TextBox2.Text;
int status = Authentication.VerifySecurID(userName, passcode);
TextBox3.Text = status.ToString();
}