ASP.NET Security


James Wong

Hi,

My local computer runs Windows XP, and the other server runs Windows Server 2003.
I use VB.Net 2005 to develop a web service program; this program will
connect to this server.
The local computer and the server are using the same domain. (e.g. MyDomain)

By the way, when I use debug mode (dynamic port) to run this program, it
connects to the server successfully.
(e.g. http://localhost:2369/test/)

Otherwise, when I use IE to run it, it fails to connect to the server.
(e.g. http://localhost/test/)

I tried this command "WindowsIdentity.GetCurrent()" to test my program.

In debug mode,
it shows this user: "MyDomain\James". This is the account I use to log in
to my local computer.

In IE,
it shows this user: "MyComputerName\ASPNET".

Is it a security problem with the "ASPNET" account?
How can I solve it? Thanks!


James
 

Walter Wang [MSFT]

Hi James,

You are right that the problem is caused by this: when your web service runs
under IIS5, it runs under the local service account ASPNET, which by
default doesn't have the required privilege to access your network resource. When
using debug mode, the web service runs under your current domain user
account and it can correctly access the network resource.

What you need is Impersonation under ASP.NET 2.0. Based on your
requirement (what network resource you are accessing in your web service,
does it only need temporary access or does it need frequent access),
you may choose to use configured impersonation in your web.config or use
LogonUser to temporarily impersonate an account to use the network resource.

You can use the following two articles as a reference to get yourself familiar
with some related concepts first:

http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch08.asp?frame=true#secnetch08_accessingnetworkresources

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000023.asp

My colleague Steven Cheng has answered several questions about
Impersonation in the .aspnet and .aspnet.security newsgroups; you can
also search for them for more information. I think using some real-world
scenarios can also help you understand that.

Please feel free to post here if you need some code to help you get going.

Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support


This posting is provided "AS IS" with no warranties, and confers no rights.
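
The LogonUser option mentioned in the reply above, as an added example that is not part of the original posts and not Microsoft's sample code. The class name `TemporaryImpersonation`, the `RunAs` helper and the `WorkDelegate` type are hypothetical names chosen for illustration, and the caller is assumed to obtain the domain account's credentials from protected storage rather than from source code.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Added example (hypothetical helper): impersonate a domain account only for
' the duration of one network call, then revert to the ASPNET worker identity.
Public Class TemporaryImpersonation
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    Public Delegate Sub WorkDelegate()

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal userName As String, _
        ByVal domain As String, ByVal password As String, _
        ByVal logonType As Integer, ByVal logonProvider As Integer, _
        ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Runs "work" as domain\user and returns the identity name that was in
    ' effect while it ran, so the caller can log it (the same check as
    ' WindowsIdentity.GetCurrent() in the question).
    Public Shared Function RunAs(ByVal domain As String, ByVal user As String, _
        ByVal password As String, ByVal work As WorkDelegate) As String
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            ' Surface the Win32 error (bad password, locked account, ...).
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If

        Dim context As WindowsImpersonationContext = Nothing
        Try
            context = WindowsIdentity.Impersonate(token)
            work()
            Return WindowsIdentity.GetCurrent().Name
        Finally
            ' Always revert, even if the network call throws, so later
            ' requests on this thread do not run as the domain account.
            If context IsNot Nothing Then context.Undo()
            CloseHandle(token)
        End Try
    End Function
End Class
```

Only the code inside the delegate runs as the domain account; everything before and after it still runs as `MyComputerName\ASPNET`, which keeps the elevated identity scoped to the one call that needs it.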
 

James Wong

Hi,

How can I change the user "ASPNET" to another domain user? Thanks!

James
 

Walter Wang [MSFT]

Hi James,

You can refer to the following MSDN library:

#Configuring ASP.NET Process Identity
http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx

For your scenario that is running IIS5 and ASP.NET 2.0 on Windows XP, the
key steps are:
1) Configure <processModel> to use the specified domain account
2) Run aspnet_regiis.exe -ga "domain\user" to grant required ACLs to the
user account.

I hope this helps. Please feel free to post here if anything is unclear.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
