Data encryption ?

Discussion in 'ASP .Net Security' started by WJ, Apr 9, 2004.

  1. WJ

    WJ Guest

    ..Net Experts,

    Instead of using MS/Data Protection API, I am using my own encryption
    library. I need to impersonate a special account (a local Windows 2003 Logon
    ID) on my IIS6 box for certain sites, the current "web.config" does not know
    how to decrypt the encrypted password in the line below:

    <identity impersonate="true" user="mySpecialAcct" password="secretPW"/>

    Is there a way to pause my page loader/authentication process until my
    decryption code is completed (to un-encrypt the password) ? In other word,
    when the user punches in the url, MS/IE will prompt him for his password, I
    like somehow to intercept this process at the server side until the
    decryption is completed.

    Thanks

    John
     
    WJ, Apr 9, 2004
    #1
    1. Advertising

  2. Well not really, but I think you can achieve what you are after by using the
    Aspnet_setreg.exe utility that is described in Knowledge base article
    KB329290.

    If you have VS.NET installed, then you can load IE or load up the MSDN help
    and paste this link into the address bar
    ms-help://MS.MSDNQTR.2003OCT.1033/enu_kbaspnetkb/aspnetkb/329290.htm
    to get information on the above article, or simply search on microsofts
    knowledgebase for it. That should do what you need.

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


    "WJ" <> wrote in message
    news:...
    > .Net Experts,
    >
    > Instead of using MS/Data Protection API, I am using my own encryption
    > library. I need to impersonate a special account (a local Windows 2003

    Logon
    > ID) on my IIS6 box for certain sites, the current "web.config" does not

    know
    > how to decrypt the encrypted password in the line below:
    >
    > <identity impersonate="true" user="mySpecialAcct" password="secretPW"/>
    >
    > Is there a way to pause my page loader/authentication process until my
    > decryption code is completed (to un-encrypt the password) ? In other word,
    > when the user punches in the url, MS/IE will prompt him for his password,

    I
    > like somehow to intercept this process at the server side until the
    > decryption is completed.
    >
    > Thanks
    >
    > John
    >
    >
    >
    >
    >
     
    Paul Glavich [MVP - ASP.NET], Apr 11, 2004
    #2
    1. Advertising

  3. WJ

    WJ Guest

    Paul,

    Thanks for the reply. Actually, this util uses DPAPI tool which I try to
    avoid. The reason is I attempt to avoid having to use the Windows Registry
    DB at all cost. My thinking is that I will try to mess with the Global.asax
    to see if there is a way around. So far, no luck in the Google search.

    John

    "Paul Glavich [MVP - ASP.NET]" <-NOSPAM> wrote in
    message news:%...
    > Well not really, but I think you can achieve what you are after by using

    the
    > Aspnet_setreg.exe utility that is described in Knowledge base article
    > KB329290.
    >
    > If you have VS.NET installed, then you can load IE or load up the MSDN

    help
    > and paste this link into the address bar
    > ms-help://MS.MSDNQTR.2003OCT.1033/enu_kbaspnetkb/aspnetkb/329290.htm
    > to get information on the above article, or simply search on microsofts
    > knowledgebase for it. That should do what you need.
    >
    > --
    > - Paul Glavich
    > Microsoft MVP - ASP.NET
    >
    >
    > "WJ" <> wrote in message
    > news:...
    > > .Net Experts,
    > >
    > > Instead of using MS/Data Protection API, I am using my own encryption
    > > library. I need to impersonate a special account (a local Windows 2003

    > Logon
    > > ID) on my IIS6 box for certain sites, the current "web.config" does not

    > know
    > > how to decrypt the encrypted password in the line below:
    > >
    > > <identity impersonate="true" user="mySpecialAcct" password="secretPW"/>
    > >
    > > Is there a way to pause my page loader/authentication process until my
    > > decryption code is completed (to un-encrypt the password) ? In other

    word,
    > > when the user punches in the url, MS/IE will prompt him for his

    password,
    > I
    > > like somehow to intercept this process at the server side until the
    > > decryption is completed.
    > >
    > > Thanks
    > >
    > > John
    > >
    > >
    > >
    > >
    > >

    >
    >
     
    WJ, Apr 11, 2004
    #3
  4. Well fair enough. I personally dont mind the registry at all and use it all
    the time. However, given you dont want to do that, then perhaps just use a
    separate configuration section, whether it be in the <appSettings> element,
    or in your own custom section, that defines the user and the encrypted
    password in the encrypted format of your choosing (I assume your own
    personal library), then in code do the impersonation. Yes its more work, but
    I am not aware of any easy method to intercept the supplying of the password
    to the "impersonation engine" and I suspect that if there is a method to do
    this, it would probably be a bit more work and complexity than simply
    impersonating a user in code.

    Hope that helps somewhat.

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


    "WJ" <> wrote in message
    news:...
    > Paul,
    >
    > Thanks for the reply. Actually, this util uses DPAPI tool which I try to
    > avoid. The reason is I attempt to avoid having to use the Windows Registry
    > DB at all cost. My thinking is that I will try to mess with the

    Global.asax
    > to see if there is a way around. So far, no luck in the Google search.
    >
    > John
    >
    > "Paul Glavich [MVP - ASP.NET]" <-NOSPAM> wrote in
    > message news:%...
    > > Well not really, but I think you can achieve what you are after by using

    > the
    > > Aspnet_setreg.exe utility that is described in Knowledge base article
    > > KB329290.
    > >
    > > If you have VS.NET installed, then you can load IE or load up the MSDN

    > help
    > > and paste this link into the address bar
    > > ms-help://MS.MSDNQTR.2003OCT.1033/enu_kbaspnetkb/aspnetkb/329290.htm
    > > to get information on the above article, or simply search on microsofts
    > > knowledgebase for it. That should do what you need.
    > >
    > > --
    > > - Paul Glavich
    > > Microsoft MVP - ASP.NET
    > >
    > >
    > > "WJ" <> wrote in message
    > > news:...
    > > > .Net Experts,
    > > >
    > > > Instead of using MS/Data Protection API, I am using my own encryption
    > > > library. I need to impersonate a special account (a local Windows 2003

    > > Logon
    > > > ID) on my IIS6 box for certain sites, the current "web.config" does

    not
    > > know
    > > > how to decrypt the encrypted password in the line below:
    > > >
    > > > <identity impersonate="true" user="mySpecialAcct"

    password="secretPW"/>
    > > >
    > > > Is there a way to pause my page loader/authentication process until my
    > > > decryption code is completed (to un-encrypt the password) ? In other

    > word,
    > > > when the user punches in the url, MS/IE will prompt him for his

    > password,
    > > I
    > > > like somehow to intercept this process at the server side until the
    > > > decryption is completed.
    > > >
    > > > Thanks
    > > >
    > > > John
    > > >
    > > >
    > > >
    > > >
    > > >

    > >
    > >

    >
    >
     
    Paul Glavich [MVP - ASP.NET], Apr 12, 2004
    #4
  5. WJ

    WJ Guest

    Thanks Paul your your reply.

    I think a manual impersonation is the way to go for my current requirement.
    The link below will do what I need:
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

    John

    "Paul Glavich [MVP - ASP.NET]" <-NOSPAM> wrote in
    message news:...
    > Well fair enough. I personally dont mind the registry at all and use it

    all
    > the time. However, given you dont want to do that, then perhaps just use a
    > separate configuration section, whether it be in the <appSettings>

    element,
    > or in your own custom section, that defines the user and the encrypted
    > password in the encrypted format of your choosing (I assume your own
    > personal library), then in code do the impersonation. Yes its more work,

    but
    > I am not aware of any easy method to intercept the supplying of the

    password
    > to the "impersonation engine" and I suspect that if there is a method to

    do
    > this, it would probably be a bit more work and complexity than simply
    > impersonating a user in code.
    >
    > Hope that helps somewhat.
    >
    > --
    > - Paul Glavich
    > Microsoft MVP - ASP.NET
    >
    >
    > "WJ" <> wrote in message
    > news:...
    > > Paul,
    > >
    > > Thanks for the reply. Actually, this util uses DPAPI tool which I try to
    > > avoid. The reason is I attempt to avoid having to use the Windows

    Registry
    > > DB at all cost. My thinking is that I will try to mess with the

    > Global.asax
    > > to see if there is a way around. So far, no luck in the Google search.
    > >
    > > John
    > >
    > > "Paul Glavich [MVP - ASP.NET]" <-NOSPAM> wrote in
    > > message news:%...
    > > > Well not really, but I think you can achieve what you are after by

    using
    > > the
    > > > Aspnet_setreg.exe utility that is described in Knowledge base article
    > > > KB329290.
    > > >
    > > > If you have VS.NET installed, then you can load IE or load up the MSDN

    > > help
    > > > and paste this link into the address bar
    > > > ms-help://MS.MSDNQTR.2003OCT.1033/enu_kbaspnetkb/aspnetkb/329290.htm
    > > > to get information on the above article, or simply search on

    microsofts
    > > > knowledgebase for it. That should do what you need.
    > > >
    > > > --
    > > > - Paul Glavich
    > > > Microsoft MVP - ASP.NET
    > > >
    > > >
    > > > "WJ" <> wrote in message
    > > > news:...
    > > > > .Net Experts,
    > > > >
    > > > > Instead of using MS/Data Protection API, I am using my own

    encryption
    > > > > library. I need to impersonate a special account (a local Windows

    2003
    > > > Logon
    > > > > ID) on my IIS6 box for certain sites, the current "web.config" does

    > not
    > > > know
    > > > > how to decrypt the encrypted password in the line below:
    > > > >
    > > > > <identity impersonate="true" user="mySpecialAcct"

    > password="secretPW"/>
    > > > >
    > > > > Is there a way to pause my page loader/authentication process until

    my
    > > > > decryption code is completed (to un-encrypt the password) ? In other

    > > word,
    > > > > when the user punches in the url, MS/IE will prompt him for his

    > > password,
    > > > I
    > > > > like somehow to intercept this process at the server side until the
    > > > > decryption is completed.
    > > > >
    > > > > Thanks
    > > > >
    > > > > John
    > > > >
    > > > >
    > > > >
    > > > >
    > > > >
    > > >
    > > >

    > >
    > >

    >
    >
     
    WJ, Apr 13, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Fernando Barsoba

    Data type problem in encryption algorithm

    Fernando Barsoba, Nov 25, 2005, in forum: C Programming
    Replies:
    11
    Views:
    621
    Flash Gordon
    Nov 26, 2005
  2. Tom at SDI

    Data Security, Encryption

    Tom at SDI, Jul 14, 2005, in forum: ASP .Net Web Services
    Replies:
    0
    Views:
    120
    Tom at SDI
    Jul 14, 2005
  3. gary

    Data encryption

    gary, Jan 5, 2004, in forum: ASP General
    Replies:
    0
    Views:
    116
  4. Brad Tilley
    Replies:
    2
    Views:
    130
    Chilkat Software
    Nov 4, 2006
  5. Peter Young

    Encryption of post data

    Peter Young, Aug 6, 2003, in forum: Javascript
    Replies:
    12
    Views:
    187
    Douglas Crockford
    Aug 7, 2003
Loading...

Share This Page