expiring passwords with impersonated identity

Discussion in 'ASP .Net Security' started by Anton Sokolovsky, Oct 26, 2004.

  1. Hi all !

    Imagine an ASP.NET application impersonating a specific identity with webconfig:
    <identity impersonate="true" userName="accountname" password="password" />

    When the accountname user is specially created to run this application and no one
    uses it for interactive logon, there is no standard way to change the
    password when it expires. This leads to the ASP.NET application failing with
    code 500.

    There are 2 workarounds in this case that I came up with:
    1. Try impersonating the user in the code for each page, and if it fails
    redirect to the page that gives the ability to change the password.
    2. Same as #1 but done only once - in default.aspx

    Question is: with impersonation in default.aspx, will the token be
    application wide - used for any other subsequent page request within this
    application, or is its scope just a single page? Point is to reach
    application-wide impersonation with a piece of code rather than using
    webconfig.

    Sorry if this question has been asked previously, but I cannot find it.

    Thanks,
    Anton.
     
    Anton Sokolovsky, Oct 26, 2004
    #1

  2. Solved - expiring passwords with impersonated identity

    1. Don't use impersonation in web.config
    2. In global.asax implement Application_PreRequestHandlerExecute with the
    code to impersonate the required user
    3. If #2 fails and the current logged in user has OS admin rights, redirect the
    user to the page where he is allowed to configure the application with new
    credentials.


    "Anton Sokolovsky" <> wrote in message
    news:cll7ks$ar0$...
    > Hi all !
    >
    > Imagine ASP.NET application impersonating specific identity with webconfig:
    > <identity impersonate="true" userName="accountname" password="password" />
    >
    > When accountname user is specially created to run this application and no one
    > uses it for interactive logon, there is no standard way to change the
    > password when it expires. This leads to ASP.NET application failing with
    > code 500.
    >
    > There are 2 workarounds in this case that I came up to:
    > 1. Try impersonating the user in the code for each page, and if fails
    > redirect to the page that gives the ability to change the password.
    > 2. Same as #1 but done only once - in default.aspx
    >
    > Question is: with impersonation in default.aspx will the token be
    > application wide - used for any other subsequent page request within this
    > application, or its scope is just a single page. Point is to reach
    > application-wide impersonation with a piece of code rather than using
    > webconfig.
    >
    > Sorry if this question has been asked previously, but I cannot find it.
    >
    > Thanks,
    > Anton.
    >
    >
     
    Anton Sokolovsky, Nov 2, 2004
    #2
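The three steps in post #2, sketched as a Global.asax code-behind. This is an added example, not code from the thread: the setup page path, the appSettings key names and the Items key are hypothetical, and it assumes Windows authentication and synchronous handlers, so the request stays on the thread that was impersonated.

```csharp
using System;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8, LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PASSWORD_EXPIRED = 1330, ERROR_PASSWORD_MUST_CHANGE = 1907;
    const string CtxKey = "svcImpersonation";             // hypothetical Items key
    const string SetupPage = "~/Admin/Credentials.aspx";  // hypothetical page

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        // The setup page must run without the service identity, or the redirect loops.
        if (string.Equals(Request.AppRelativeCurrentExecutionFilePath, SetupPage,
                StringComparison.OrdinalIgnoreCase)) return;

        var cfg = ConfigurationManager.AppSettings;  // hypothetical keys; keep the section encrypted
        IntPtr token;
        if (!LogonUser(cfg["svcUser"], cfg["svcDomain"], cfg["svcPassword"],
                LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            bool expired = err == ERROR_PASSWORD_EXPIRED || err == ERROR_PASSWORD_MUST_CHANGE;
            var caller = Context.User as WindowsPrincipal;  // null unless Windows authentication
            if (caller != null && caller.IsInRole(WindowsBuiltInRole.Administrator))
                Response.Redirect(SetupPage + "?reason=" + (expired ? "expired" : "logonfailed"));
            throw new HttpException(500, "Service account logon failed.");  // non-admin callers
        }
        try { Context.Items[CtxKey] = WindowsIdentity.Impersonate(token); }
        finally { CloseHandle(token); }  // the thread holds its own reference after impersonating
    }

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Pooled worker threads are reused: always revert, even after a handler error.
        var ctx = Context.Items[CtxKey] as WindowsImpersonationContext;
        if (ctx != null) ctx.Undo();
    }
}
```

The impersonation is per request, not application wide: each request logs the account on again and reverts in EndRequest, so a reused worker thread never carries the service identity into another request.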
