How to run as in a daemon

Discussion in 'ASP .Net Security' started by David Thielen, Aug 24, 2006.

  1. Hi;

    We have this web app that handles security great. For everything we do we
    run as the client so we do not have to store any credentials ourselves and it
    handles Sql Server access, reading files from the server, everything.

    But... we have a daemon program where users can schedule these same actions.
    The problem is, when these daemon programs run, we don't have the client user
    attached and therefore cannot get their credentials.

    Do we need to get their uname/pw and store it to be able to runAs them -
    like services in Windows when running under a user? I hate to store that info
    because that is the keys to the kingdom.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Aug 24, 2006
    #1

  2. Joe Kaplan (Guest)

    Have them set up the scheduled task to run as the required user. That's the
    most straightforward way to solve this.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Aug 24, 2006
    #2

  3. The problem is that this runs on the server (ASP.NET) and most users don't
    have (and shouldn't have) login rights on the server.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm




    David Thielen, Aug 24, 2006
    #3
  4. Joe Kaplan (Guest)

    What would be the conceptual difference between running the scheduled task
    as the user you need vs. storing their credentials so you could create a
    token for them and impersonate them? Basically, that just means it is your
    problem to store the credentials vs. the operating system's.

    If the process ran as SYSTEM, the server was 2K3 and the AD domain was 2K3
    native, you could create an impersonation token for a user based solely on
    their user principal name via S4U/protocol transition. I'm not sure if that
    really helps you though.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Aug 24, 2006
    #4
  5. MikeS (Guest)

    If you want to impersonate them, you will need their credentials, and
    use LogonUser. Perhaps save them away somewhere using the crypto API.
    There is trouble there then when their password changes and you could
    end up locking out their account.

    There is nothing like being able to su from root to another user
    without a password in Windows as far as I know.

    ASP.NET is not a daemon, it is a filter, IIS is a daemon. I am not sure
    how one schedules things in IIS though since it only comes to life when
    a connection is made.

    I am thinking that impersonation may not be an option and whatever API
    you are calling on schedule, on behalf of the user, may have to trust
    the caller, the scheduler program, and also accept a parameter that
    indicates the user and use that to audit which actions are taken.

    It would be nice if something like queued components could remember the
    original callers id and execute as them on schedule.

    The bottom line is that impersonation is a pain and more so when you
    want to do it forever.
     
    MikeS, Aug 24, 2006
    #5
  6. Hello Dave,

    I think the problem here is that your daemon application doesn't have a
    credential store, or cannot get a credential or authenticated token from IIS.
    In such a case, I'm afraid you have to pre-store the username/password
    credentials of the user (you want to run as) in your application storage.
    This could be a database or configuration file. One example is SQL Server
    Reporting Services, which stores the username/password credentials in the
    database and uses them for accessing external resources.

    In .NET Framework 2.0, we have some built-in means to encrypt data such as
    the DPAPI wrapper:

    #Using the DPAPI through ProtectedData Class in .Net Framework 2.0
    http://www.c-sharpcorner.com/UploadFile/mosessaur/dpapiprotecteddataclass01052006142332PM/dpapiprotecteddataclass.aspx?ArticleID=d6a6c525-1898-45de-b16e-58c763472348


    Also, .NET Framework 2.0 supports RSA or DPAPI providers to encrypt
    configuration file sections:
    #Encrypting Configuration Information in ASP.NET 2.0 Applications
    http://aspnet.4guysfromrolla.com/articles/021506-1.aspx

    In addition, as for your daemon application, after it runs as/impersonates a
    certain user, will it access any remote resource or only resources on
    the local machine? If it only accesses resources on the local machine, and the
    daemon application can run under the LOCAL SYSTEM account (as a service), you can
    consider the Kerberos S4U logon approach Joe has mentioned. Here is an
    article introducing this:

    #Exploring S4U Kerberos Extensions in Windows Server 2003
    http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/

    For example, you can use the following code to construct a
    WindowsIdentity and impersonate it (through user principal name):
    ============================
    using System;
    using System.IO;
    using System.Security.Principal;

    // S4U logon: no password is needed, but the process must run as LOCAL SYSTEM
    // on Windows Server 2003 in a 2003-native AD domain (see Joe's reply).
    WindowsIdentity wi = new WindowsIdentity("username@domainname");

    // Impersonate inside try/finally so the thread always reverts to its own
    // token, even if the file operation throws.
    WindowsImpersonationContext ctx = wi.Impersonate();
    try
    {
        // Verbatim string: single backslashes are literal, so do not double them.
        using (StreamWriter sw = new StreamWriter(@"d:\temp\testfolder\jetan_file111.txt"))
        {
            sw.WriteLine("this file is created by jetan.");
        }

        Response.Write("<br/>Impersonate: " + WindowsIdentity.GetCurrent().Name);
    }
    finally
    {
        ctx.Undo();
    }
    =========================



    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Aug 24, 2006
    #6
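    The DPAPI route Steven points at, as an added example that is not from the original post or from Microsoft: a hypothetical CredentialStore that uses ProtectedData (System.Security.dll, .NET 2.0) so the stored password for the scheduler can only be read back by the account that wrote it. The class name, entropy value and sample password are constructed here.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical CredentialStore for the scheduler: wraps DPAPI (ProtectedData)
// so the stored password is readable only by the scheduler's own account.
static class CredentialStore
{
    // Optional entropy is mixed into the DPAPI key; without it, any process
    // running under the same account could Unprotect the blob. Constructed
    // placeholder: in practice a random secret only this application can read.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("hypothetical-scheduler-entropy");

    // CurrentUser scope ties the blob to the account running this code, so the
    // service that later decrypts must run as that same account. LocalMachine
    // scope would let any process on the box decrypt, wider than needed.
    public static byte[] Protect(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            return ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // no cleartext left in memory
        }
    }

    // Decrypt immediately before use; the caller should discard the result when done.
    public static string Unprotect(byte[] blob)
    {
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    static void Main()
    {
        byte[] blob = Protect("constructed-sample-password");
        // Only the blob goes into the database or config file, never the cleartext.
        Console.WriteLine(Convert.ToBase64String(blob));
        Console.WriteLine(Unprotect(blob) == "constructed-sample-password"
            ? "round-trip ok" : "mismatch");
    }
}
```

    CurrentUser scope needs the service account's profile loaded when the service runs, so check that before relying on it. As Mike notes above, the blob still goes stale when the user changes their password, so expect to handle logon failures rather than retrying and locking the account.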
  7. Thank you Joe/Steven/Mike. Boy security is a pain!!!

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm




    David Thielen, Aug 24, 2006
    #7
  8. LOL :)

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > Thank you Joe/Steven/Mike. Boy security is a pain!!!
    Dominick Baier, Aug 24, 2006
    #8