ASP.NET Security

Discussion in 'ASP .Net Security' started by James Wong, Sep 7, 2006.

  1. James Wong

    James Wong Guest

    Hi,

    My local computer is Windows XP, and the other server is Windows Server 2003.
    I use VB.Net 2005 to develop a web service program; this program will
    connect to this server.
    The local computer and the server are in the same domain (e.g. MyDomain).

    By the way, when I use debug mode (dynamic port) to run this program, it
    connects to the server successfully.
    (e.g. http://localhost:2369/test/)

    However, when I use IE to run it, it fails to connect to the server.
    (e.g. http://localhost/test/)

    I tried the call "WindowsIdentity.GetCurrent()" to test my program.

    In debug mode,
    it shows this user: "MyDomain\James". This is the account I log in with
    on my local computer.

    In IE,
    it shows this user: "MyComputerName\ASPNET".

    Is it a security problem with the "ASPNET" account?
    How can I solve it? Thanks!


    James
    James Wong, Sep 7, 2006
    #1

  2. Hi James,

    You are right that the problem is caused by this: when running your web
    service under IIS5, it's running under a local service account, ASPNET,
    which by default doesn't have the required privilege to access your network
    resource. When using debug mode, the web service is running under your
    current domain user account and it can correctly access the network resource.

    What you need is Impersonation under ASP.NET 2.0. Based on your
    requirement (what network resource you are accessing in your web service,
    does it only need temporary access or does it need frequent access),
    you may choose to use configured impersonation in your web.config or use
    LogonUser to temporarily impersonate an account to use the network resource.

    You can use the following two articles as a reference to get yourself
    familiar with some related concepts first:

    http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch08.asp?frame=true#secnetch08_accessingnetworkresources

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000023.asp

    My colleague Steven Cheng has answered several questions about
    Impersonation in the .aspnet and .aspnet.security newsgroups; you can
    also search for them for more information. I think using some real-world
    scenarios can also help you understand that.

    Please feel free to post here if you need some code to help you get going.

    Sincerely,
    Walter Wang
    Microsoft Online Community Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Walter Wang [MSFT], Sep 7, 2006
    #2
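
Added example, not part of the original posts: the "configured impersonation in your web.config" option from the reply above, written as a web.config fragment for the /test application. The account name MyDomain\svc_webtest and the password value are placeholders (assumptions), not values from this thread.

```xml
<!-- web.config of the /test application (added example, not from the thread) -->
<configuration>
  <system.web>
    <!--
      Without an <identity> element (or with impersonate="false") request code
      runs as the worker process account. On IIS 5 that is the local ASPNET
      account, which is why WindowsIdentity.GetCurrent() reported
      MyComputerName\ASPNET and the remote server refused the connection.
    -->

    <!--
      Fixed-identity impersonation: each request to this application runs as
      the named domain account, so outbound calls to the other server carry
      that account's credentials. Only this application is affected.
      Account and password below are placeholders.
    -->
    <identity impersonate="true"
              userName="MyDomain\svc_webtest"
              password="PLACEHOLDER-PASSWORD" />
  </system.web>
</configuration>
```

The password is stored in cleartext in this file; in ASP.NET 2.0, `aspnet_regiis -pe "system.web/identity" -app "/test"` encrypts the section in place. A dedicated account that holds only the rights needed on the remote server keeps the exposure smaller than reusing a personal domain login.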

  3. James Wong

    James Wong Guest

    Hi,

    How can I change the user "ASPNET" to another domain user? Thanks!

    James
    James Wong, Sep 8, 2006
    #3
  4. Hi James,

    You can refer to the following MSDN library article:

    #Configuring ASP.NET Process Identity
    http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx

    For your scenario, which is running IIS5 and ASP.NET 2.0 on Windows XP, the
    key steps are:
    1) Configure <processModel> to use the specified domain account
    2) Run aspnet_regiis.exe -ga "domain\user" to grant the required ACLs to the
    user account.

    I hope this helps. Please feel free to post here if anything is unclear.

    Regards,
    Walter Wang
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Walter Wang [MSFT], Sep 12, 2006
    #4
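
Added example, not part of the original posts: the two steps from the reply above, shown as the machine.config change with the follow-up command in a comment. The account MyDomain\svc_webtest and the password are placeholders, and the file path and the "before" entry assume a default .NET Framework 2.0 installation.

```xml
<!--
  File (assumed default install path):
  %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
  Added example, not from the thread.
-->
<configuration>
  <system.web>
    <!--
      Before (typical default entry): no userName/password, so aspnet_wp.exe
      runs as the local ASPNET account.
      <processModel autoConfig="true" />
    -->

    <!--
      Step 1: run the ASP.NET worker process as a domain account.
      On IIS 5 there is one worker process, so this applies to every
      ASP.NET 2.0 application on the machine, not just /test.
    -->
    <processModel autoConfig="true"
                  userName="MyDomain\svc_webtest"
                  password="PLACEHOLDER-PASSWORD" />
  </system.web>
</configuration>
<!--
  Step 2, from the Framework v2.0.50727 directory:
    aspnet_regiis.exe -ga "MyDomain\svc_webtest"
  This grants the account access to the IIS metabase and the ASP.NET
  directories it must read and write (for example Temporary ASP.NET Files).
  Restart IIS (iisreset) so the worker process starts under the new identity,
  then confirm with WindowsIdentity.GetCurrent() that the page reports the
  domain account instead of MyComputerName\ASPNET.
-->
```

The `<processModel>` section is read by unmanaged code and cannot be encrypted with protected configuration, so the password stays readable to anyone who can read machine.config unless it is moved to the registry with Aspnet_setreg.exe. Giving the account only the access it needs on the remote server limits what a compromise of any application on this machine can reach.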
  5. James Wong

    James Wong Guest

    Hi,

    I fixed this problem, thanks!

    James
    James Wong, Sep 12, 2006
    #5