Form authentication, errors

Discussion in 'ASP .Net Security' started by Guest, Jun 7, 2005.

  1. Guest

    Guest Guest

    Hi
    I followed the MS kb#316748 trying to implement form authentication for my
    .NET application, but I got this error when I was just trying to load the
    login.aspx, any clue?
    TIA

    here is the stack trace:
    [HttpException (0x80004005): An error occurred while try to load the string resources (GetModuleHandle failed with error -2147023888).]
    System.Web.StringResourceManager.ReadSafeStringResource(Type t) +376
    System.Web.UI.TemplateControl.ReadStringResource(Type t) +5
    ASP.login_aspx..ctor()

    [TargetInvocationException: Exception has been thrown by the target of an invocation.]
    System.RuntimeType.CreateInstanceImpl(Boolean publicOnly) +0
    System.Activator.CreateInstance(Type type, Boolean nonPublic) +66
    System.Web.UI.TemplateControlParser.GetCompiledInstance(String virtualPath, String inputFile, HttpContext context) +164

    [HttpException (0x80004005): Failed to create page of type 'ASP.login_aspx'.]
    System.Web.UI.TemplateControlParser.GetCompiledInstance(String virtualPath, String inputFile, HttpContext context) +340
    System.Web.UI.PageParser.GetCompiledPageInstanceInternal(String virtualPath, String inputFile, HttpContext context) +43
    System.Web.UI.PageHandlerFactory.GetHandler(HttpContext context, String requestType, String url, String path) +44
    System.Web.HttpApplication.MapHttpHandler(HttpContext context, String requestType, String path, String pathTranslated, Boolean useAppConfig) +698
    System.Web.MapHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +95
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +173


    --
    Guest, Jun 7, 2005
    #1

  2. Guest

    Guest Guest

    By the way, as advised by the kb doc. I have set "Impersonation=true" in my
    web.config!

    TIA

    here is my web.config ---
    <authentication mode="Forms">
    <forms loginUrl="login.aspx" name="adAuthCookie" timeout="10"
    path="/">
    </forms>
    </authentication>
    <authorization>
    <deny users="?"/>
    <allow users="*"/>
    </authorization>
    <identity impersonate="true"/>


    Guest, Jun 7, 2005
    #2

  3. Hello dl,

    why do you want to impersonate when using forms auth??

    if IIS is set to anonymous and forms auth is enabled - IIRC impersonation
    means your app runs under IUSR_MACHINENAME.

    does this make sense??

    I think you can safely disable impersonation

    for a working example of forms auth check this :
    http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 7, 2005
    #3
  4. Guest

    Guest Guest

    Hi
    I think I have missed one step, i.e. to change the default IUSER/machine
    account to a "least privileged" account, and
    I have just created a user with "Domain users" as primary group to replace
    the default anonymous account.

    Now I am getting
    HTTP 401.1 - Unauthorized: Logon Failed
    But I did not see the login.aspx and have not yet typed in the credentials!
    Is this something to do with my "least privileged" account?
    TIA

    Guest, Jun 7, 2005
    #4
  5. Guest

    Guest Guest

    Hi Dominick
    I have just changed the anonymous account to a "least privileged" account. But I
    probably didn't set it right, or didn't give the account enough access
    rights; I am now getting
    HTTP 401.1 - Unauthorized: Logon Failed
    when I was trying to load the login.aspx! I have not even typed in the
    credentials yet!?

    The reason why I would like to use impersonation is to allow domain control
    delegation, i.e. my application needs to be able to add / change / delete
    domain objects (mainly user and ou); in doing so I want to delegate ou
    administration to the users created via my application, i.e. I am writing
    something similar to a web based domain user account / ou provisioning
    application.
    Guest, Jun 7, 2005
    #5
  6. Hello dl,

    why do you want to do it via impersonation?? give your app pool a domain
    account identity and delegate the needed AD permissions to that account.
    much easier and less error prone.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 7, 2005
    #6
  7. Guest

    Guest Guest

    Hi Dominick
    Are you saying that I should give my application a custom account to run as,
    and assign the least AD permissions required to this custom account? And
    would I need "Account operators" or "Schema Admins" or "Domain Admins" or
    some others in order to add / change / delete ou / user objects in a domain?
    TIA
    Guest, Jun 7, 2005
    #7
  8. Hello dl,

    well - the same privileges you wanted to give to your impersonated account
    (plus add it to IIS_WPG).

    You can delegate special permissions in AD to a non-admin user. Active Directory
    and User -> Delegate

    For the in-depth info on which specific perms you need - ask Joe Kaplan (on
    this list) - he knows best!

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 7, 2005
    #8
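
    What the recommendation in posts #6 and #8 looks like in code, as an added example that is not part of the original thread: with impersonation off, the worker process runs as the app pool's domain account, so a DirectoryEntry opened without explicit credentials binds as that account and can create users only where that right was delegated. The class name, method names and OU path are assumptions made for the illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added illustration; class, method names and the OU path are hypothetical.
public static class DelegatedOuProvisioning
{
    // Escape a value for use as an RDN (RFC 4514 specials, plus '/', which
    // ADSI treats as a path separator) so a user-supplied name cannot add
    // extra DN components and land the object outside the delegated OU.
    public static string EscapeRdnValue(string value)
    {
        if (string.IsNullOrEmpty(value))
            throw new ArgumentException("RDN value must not be empty", "value");

        StringBuilder sb = new StringBuilder(value.Length + 8);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (char.IsControl(c))
                throw new ArgumentException("Control characters are not allowed", "value");

            // A leading space or '#', and a trailing space, are also special.
            bool edge = (i == 0 && (c == ' ' || c == '#')) ||
                        (i == value.Length - 1 && c == ' ');
            if (edge || ",+\"\\<>;=/".IndexOf(c) >= 0)
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Creates a user object in the given OU, binding as the current process
    // identity (the app pool account when <identity impersonate="false"/>).
    // Returns the new object's path, or null if the account lacks the
    // delegated create-child right on that container.
    public static string CreateUser(string ouPath, string samAccountName, string commonName)
    {
        // null user name and password: bind with the caller's own security context.
        using (DirectoryEntry ou = new DirectoryEntry(ouPath, null, null,
                                                      AuthenticationTypes.Secure))
        {
            try
            {
                using (DirectoryEntry user =
                           ou.Children.Add("CN=" + EscapeRdnValue(commonName), "user"))
                {
                    user.Properties["sAMAccountName"].Value = samAccountName;
                    // AD creates the account disabled; setting a password and
                    // enabling it are separate, explicit steps.
                    user.CommitChanges();
                    return user.Path;
                }
            }
            catch (UnauthorizedAccessException)
            {
                // Access denied: the OU is outside what was delegated to this account.
                return null;
            }
        }
    }

    public static void Main()
    {
        // Constructed input: a display name that tries to smuggle in a DN component.
        Console.WriteLine("CN=" + EscapeRdnValue("Eve,OU=Domain Controllers"));

        // Needs a domain to run; the OU below is a placeholder.
        // CreateUser("LDAP://yourdomain.com/OU=WebProvisioned,DC=yourdomain,DC=com",
        //            "jdoe", "John Doe");
    }
}
```
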
  9. A couple of quick points:

    You absolutely don't need a service account at all to do simple LDAP
    authentication. This code is adequate:

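    using System.DirectoryServices;
    using System.Runtime.InteropServices;

    // Returns true if the supplied credentials can bind to the directory.
    // (The wrapping method and its name are added so the snippet compiles.)
    static bool Authenticate(string user, string pwd)
    {
        DirectoryEntry de = new DirectoryEntry("LDAP://yourdomain.com/RootDSE",
            user, pwd, AuthenticationTypes.Secure);
        try
        {
            // Reading NativeObject forces the bind with the supplied credentials.
            object o = de.NativeObject;
            return true;
        }
        catch (COMException)
        {
            // The bind failed.
            return false;
        }
        finally
        {
            de.Dispose();
        }
    }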

    The advantage of impersonating a domain account for the auth is that you can
    use serverless binding in your binding string (LDAP://rootdse instead of
    LDAP://domain.com/rootdse), but if you provide a domain hint, you don't
    really need that.

    I don't think it is a good idea to use your highly privileged service
    account for creating users as your IIS anonymous user account. I'd suggest
    using those credentials only for the operations required. You have the
    choice of providing the credentials in the constructor, programmatically
    impersonating the user temporarily or moving the privileged code into a COM+
    component under a specific account.

    Regarding the privileges you need, this depends a great deal on how your AD
    security has been designed, but generally speaking, account operators can
    create accounts. It is probably a good idea to delegate a special account
    to create accounts in just the container(s) you need to for use in this
    application if absolutely possible as you really want to be careful.

    HTH,

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello dl,
    >
    > well- the same privileges you wanted to give to your impersonated account
    > (plus add it to IIS_WPG).
    >
    > You can delegate special permissions in AD to non-admin user. Active
    > Directory and User -> Delegate
    > For the in-depth info on which specific perms you need - ask Joe Kaplan
    > (on this list) - he know best!
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Hi Dominick
    >> Are you saying that I should give my application a custom account to
    >> run as,
    >> and assign the least AD permissions required to this custom account?
    >> and
    >> would I need "Account operators" or "Schema Admins" or "Domain Admins"
    >> or
    >> some others in order to add / change / delete ou / user objects in a
    >> domain
    >> ?
    >> TIA
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hello dl,
    >>>
    >>> why do you want to do it via impersonation?? give your app pool a
    >>> domain account identity and delegate the needed AD permissions to
    >>> that account. much easier and less error prone.
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> Hi Dominick
    >>>> I have just changed the anonymous to "least privileged" account.
    >>>> But
    >>>> I
    >>>> properly didn't set it right, or didn't give the account enough
    >>>> access
    >>>> right, I am now getting
    >>>> HTTP 401.1 - Unauthorized: Logon Failed
    >>>> when I was trying to load the login.aspx! I have not even typed in
    >>>> the
    >>>> credentials yet!?
    >>>> The reason why I would like to use impersonation is to allow domain
    >>>> control delegation. i.e. my application needs to be able to add /
    >>>> change
    >>>> / delete domain objects (mainly user and ou), in doing so I want to
    >>>> delegate ou administration to the users created via my application.
    >>>> i.e. I am writing something similar to a web based domain user
    >>>> account
    >>>> / ou provisioning application.
    >>>> "Dominick Baier [DevelopMentor]"
    >>>> <> wrote in message
    >>>> news:...
    >>>>
    >>>>> Hello dl,
    >>>>>
    >>>>> why do you want to impersonate when using forms auth??
    >>>>>
    >>>>> if IIS is set to anonymous and forms auth is enabled - IIRC
    >>>>> impersonation means your app runs under IUSR_MACHINENAME.
    >>>>>
    >>>>> does this make sense??
    >>>>>
    >>>>> I think you can safely disable impersonation
    >>>>>
    >>>>> for a working example of forms auth check this :
    >>>>>
    >>>> http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a
    >>>>
    >>>>> ---------------------------------------
    >>>>> Dominick Baier - DevelopMentor
    >>>>> http://www.leastprivilege.com
    >>>>>> By the way, as advised by the kb doc. I have set
    >>>>>> "Impersonation=true" in my web.config!
    >>>>>> TIA
    >>>>>>
    >>>>>> here is my web.config ---
    >>>>>> <authentication mode="Forms">
    >>>>>> <forms loginUrl="login.aspx" name="adAuthCookie" timeout="10"
    >>>>>> path="/">
    >>>>>> </forms>
    >>>>>> </authentication>
    >>>>>> <authorization>
    >>>>>> <deny users="?"/>
    >>>>>> <allow users="*"/>
    >>>>>> </authorization>
    >>>>>> <identity impersonate="true"/>
    >>>>>> <dl> wrote in message news:...
    >>>>>>> Hi
    >>>>>>> I followed the MS kb#316748 trying to implement form
    >>>>>>> authentication
    >>>>>>> for my
    >>>>>>> .NET application, but I got this error when I was just trying to
    >>>>>>> load
    >>>>>>> the
    >>>>>>> login.aspx, any clue?
    >>>>>>> TIA
    >>>>>>> here is the stack trace:
    >>>>>>> [HttpException (0x80004005): An error occurred while try to load
    >>>>>>> the
    >>>>>> string
    >>>>>>
    >>>>>>> resources (GetModuleHandle failed with error -2147023888).]
    >>>>>>> System.Web.StringResourceManager.ReadSafeStringResource(Type t)
    >>>>>>> +376 System.Web.UI.TemplateControl.ReadStringResource(Type t) +5
    >>>>>>> ASP.login_aspx..ctor()
    >>>>>>>
    >>>>>>> [TargetInvocationException: Exception has been thrown by the
    >>>>>>> target
    >>>>>>> of an
    >>>>>>> invocation.]
    >>>>>>> System.RuntimeType.CreateInstanceImpl(Boolean publicOnly) +0
    >>>>>>> System.Activator.CreateInstance(Type type, Boolean nonPublic) +66
    >>>>>>> System.Web.UI.TemplateControlParser.GetCompiledInstance(String
    >>>>>>> virtualPath, String inputFile, HttpContext context) +164
    >>>>>>> [HttpException (0x80004005): Failed to create page of type
    >>>>>>> 'ASP.login_aspx'.]
    >>>>>>> System.Web.UI.TemplateControlParser.GetCompiledInstance(String
    >>>>>>> virtualPath, String inputFile, HttpContext context) +340
    >>>>>>> System.Web.UI.PageParser.GetCompiledPageInstanceInternal(String
    >>>>>>> virtualPath, String inputFile, HttpContext context) +43
    >>>>>>> System.Web.UI.PageHandlerFactory.GetHandler(HttpContext context,
    >>>>>>> String requestType, String url, String path) +44
    >>>>>>> System.Web.HttpApplication.MapHttpHandler(HttpContext context,
    >>>>>>> String
    >>>>>>> requestType, String path, String pathTranslated, Boolean
    >>>>>>> useAppConfig)
    >>>>>> +698
    >>>>>>
    >>>>>> System.Web.MapHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep
    >>>>>>
    >>>>>>> .Execute() +95
    >>>>>>> System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    >>>>>>> Boolean&
    >>>>>>> completedSynchronously) +173
    >>>>>>> --

    Joe Kaplan (MVP - ADSI), Jun 9, 2005
    #9
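
The point made in the quoted exchange, that `<identity impersonate="true"/>` combined with forms authentication and anonymous IIS access leaves the application running as the IIS anonymous account, can be checked mechanically. The Python sketch below is an added example, not code from the thread or from the KB article; the finding names and the `<configuration>`/`<system.web>` wrapper around the thread's fragment are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.config fragment quoted in the thread, wrapped in
# the <configuration>/<system.web> elements it would sit in (assumed wrapper).
THREAD_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" name="adAuthCookie" timeout="10" path="/"/>
  </authentication>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
  <identity impersonate="true"/>
</system.web></configuration>"""


def audit_web_config(xml_text):
    """Return a list of finding codes (names are hypothetical) for one web.config."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["NO_SYSTEM_WEB"]
    findings = []
    auth = web.find("authentication")
    forms_mode = auth is not None and auth.get("mode", "").lower() == "forms"
    ident = web.find("identity")
    impersonating = ident is not None and ident.get("impersonate", "").lower() == "true"
    if forms_mode and impersonating:
        # The thread's point: with anonymous IIS access, impersonation makes the
        # code run as the IIS anonymous user, not as the forms-authenticated user.
        findings.append("FORMS_WITH_IMPERSONATION")
    # URL authorization uses the first matching rule, so anonymous users ("?")
    # must be denied before any rule that allows everyone ("*").
    if forms_mode:
        anonymous_denied = False
        for rule in web.findall("authorization/*"):
            users = [u.strip() for u in rule.get("users", "").split(",")]
            if rule.tag == "deny" and ("?" in users or "*" in users):
                anonymous_denied = True
                break
            if rule.tag == "allow" and "*" in users:
                break
        if not anonymous_denied:
            findings.append("ANONYMOUS_NOT_DENIED")
    return findings


if __name__ == "__main__":
    print(audit_web_config(THREAD_CONFIG))
```

Run against the thread's configuration it reports only the impersonation finding; the `deny users="?"` rule ahead of `allow users="*"` is already in the correct order.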