Hybrid sql server and asp.net windows authentication

Discussion in 'ASP .Net Security' started by Onur Gorur, Nov 11, 2004.

  1. Onur Gorur

    Onur Gorur Guest

    I have an asp.net web application that executes stored procedures on SQL
    Server 2000 on the backend and displays the results of this stored procs on a
    grid. I use integrated windows authentication on IIS, asp.net and SQL Server.
    Here is what I want to do:

    - When a user starts to use the application I want to get the credentials of
    the user. (This can be done by web.config:: <identity impersonate="true">)
    - After I get the user info, I would like to run the stored procedures with
    a different specific NT user's credentials, one that I will give all SQL
    Server accesses. So, I will not give any application user SQL Server direct
    query access but only this specific user account. (This can be done by
    impersonating this specific user in the web.config)

    I want both of this, but I could not find a way to accomplish both. One
    method I thought would be having one asp.net application and another web
    service application both running with different credentials: First, with the
    logged in user and second with my sql server account)

    Any other ideas? Help wanted!

    Thanks in advance


    --
    Onur Gorur, MCSD
    Microsoft Turkey
    Mid-Market Programs Manager
     
    Onur Gorur, Nov 11, 2004
    #1
    1. Advertising

  2. Couldn't you just set up your process model run as the trusted SQL account
    and then disable impersonation in ASP.NET? In that case, the SQL calls will
    be made with the process account, but users will still log in to the site as
    normal. If you needed to impersonate the current user for some reason
    (local file security or something), then you could manually impersonate by
    casting Content.User.Identity to a WindowsIdentity and then creating the
    impersonation context from there.

    Another option would be to put the db access code in a COM+ component and
    run it under a different identity.

    Joe K.

    "Onur Gorur" <> wrote in message
    news:...
    >I have an asp.net web application that executes stored procedures on SQL
    > Server 2000 on the backend and displays the results of this stored procs
    > on a
    > grid. I use integrated windows authentication on IIS, asp.net and SQL
    > Server.
    > Here is what I want to do:
    >
    > - When a user starts to use the application I want to get the credentials
    > of
    > the user. (This can be done by web.config:: <identity impersonate="true">)
    > - After I get the user info, I would like to run the stored procedures
    > with
    > a different specific NT user's credentials, one that I will give all SQL
    > Server accesses. So, I will not give any application user SQL Server
    > direct
    > query access but only this specific user account. (This can be done by
    > impersonating this specific user in the web.config)
    >
    > I want both of this, but I could not find a way to accomplish both. One
    > method I thought would be having one asp.net application and another web
    > service application both running with different credentials: First, with
    > the
    > logged in user and second with my sql server account)
    >
    > Any other ideas? Help wanted!
    >
    > Thanks in advance
    >
    >
    > --
    > Onur Gorur, MCSD
    > Microsoft Turkey
    > Mid-Market Programs Manager
     
    Joe Kaplan \(MVP - ADSI\), Nov 11, 2004
    #2
    1. Advertising

  3. Onur Gorur

    Onur Gorur Guest

    The only reason that I impersonate the current user is to get his NT login
    name. After I get the login name, I do not need the impersonation to this
    current account anymore. when i run the process with the trusted sql account
    (with integrated security=sspi), then as far as I know, correct me pls if I
    am wrong, when I get the identity of the user, i will get sql account's
    loginname and not the current user's or not?

    and also I think I should change the process's account from machine.config?
    or can it be changed from web.config? will it also affect other running web
    applications?

    I will be glad if you can give some code examples and elaborate on what you
    mean by "you could manually impersonate by casting Content.User.Identity to a
    WindowsIdentity and then creating the impersonation context from there."

    Thanks,
    Onur



    "Joe Kaplan (MVP - ADSI)" wrote:

    > Couldn't you just set up your process model run as the trusted SQL account
    > and then disable impersonation in ASP.NET? In that case, the SQL calls will
    > be made with the process account, but users will still log in to the site as
    > normal. If you needed to impersonate the current user for some reason
    > (local file security or something), then you could manually impersonate by
    > casting Content.User.Identity to a WindowsIdentity and then creating the
    > impersonation context from there.
    >
    > Another option would be to put the db access code in a COM+ component and
    > run it under a different identity.
    >
    > Joe K.
    >
    > "Onur Gorur" <> wrote in message
    > news:...
    > >I have an asp.net web application that executes stored procedures on SQL
    > > Server 2000 on the backend and displays the results of this stored procs
    > > on a
    > > grid. I use integrated windows authentication on IIS, asp.net and SQL
    > > Server.
    > > Here is what I want to do:
    > >
    > > - When a user starts to use the application I want to get the credentials
    > > of
    > > the user. (This can be done by web.config:: <identity impersonate="true">)
    > > - After I get the user info, I would like to run the stored procedures
    > > with
    > > a different specific NT user's credentials, one that I will give all SQL
    > > Server accesses. So, I will not give any application user SQL Server
    > > direct
    > > query access but only this specific user account. (This can be done by
    > > impersonating this specific user in the web.config)
    > >
    > > I want both of this, but I could not find a way to accomplish both. One
    > > method I thought would be having one asp.net application and another web
    > > service application both running with different credentials: First, with
    > > the
    > > logged in user and second with my sql server account)
    > >
    > > Any other ideas? Help wanted!
    > >
    > > Thanks in advance
    > >
    > >
    > > --
    > > Onur Gorur, MCSD
    > > Microsoft Turkey
    > > Mid-Market Programs Manager

    >
    >
    >
     
    Onur Gorur, Nov 12, 2004
    #3
  4. Ok, a couple of things here:

    Context.User (or Page.User or Thread.CurrentPrincipal) will represent the
    user who authenticated. If you are using Windows authentication, this will
    be a WindowsPrincipal. If you want to get the name of the authenticated
    user, just do Context.User.Identity.Name. You don't need impersonation to
    do this. With Windows authentication, impersonation will just make whoever
    is in Context.User.Identity be the same as
    System.Security.Principal.WindowsIdentity.GetCurrent(), which is the
    identity of the token that is executing code on the current thread. Without
    impersonation, that will be the process account.

    In IIS5, changing the process account is done by changing the
    machine.config. Note that this change will affect all other applications
    that are sharing that same worker process. In II6, you change the AppPool
    identity. You have more options of having different applications in
    different pools with IIS and the config is via the MMC and integrated with
    IIS.

    To impersonate any WindowsIdentity, just call the Impersonate method. When
    you are done, just call the Undo method on the WindowsImpersonationContext
    that is returned from Impersonate.

    HTH,

    Joe K.

    "Onur Gorur" <> wrote in message
    news:...
    > The only reason that I impersonate the current user is to get his NT login
    > name. After I get the login name, I do not need the impersonation to this
    > current account anymore. when i run the process with the trusted sql
    > account
    > (with integrated security=sspi), then as far as I know, correct me pls if
    > I
    > am wrong, when I get the identity of the user, i will get sql account's
    > loginname and not the current user's or not?
    >
    > and also I think I should change the process's account from
    > machine.config?
    > or can it be changed from web.config? will it also affect other running
    > web
    > applications?
    >
    > I will be glad if you can give some code examples and elaborate on what
    > you
    > mean by "you could manually impersonate by casting Content.User.Identity
    > to a
    > WindowsIdentity and then creating the impersonation context from there."
    >
    > Thanks,
    > Onur
    >
    >
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> Couldn't you just set up your process model run as the trusted SQL
    >> account
    >> and then disable impersonation in ASP.NET? In that case, the SQL calls
    >> will
    >> be made with the process account, but users will still log in to the site
    >> as
    >> normal. If you needed to impersonate the current user for some reason
    >> (local file security or something), then you could manually impersonate
    >> by
    >> casting Content.User.Identity to a WindowsIdentity and then creating the
    >> impersonation context from there.
    >>
    >> Another option would be to put the db access code in a COM+ component and
    >> run it under a different identity.
    >>
    >> Joe K.
    >>
    >> "Onur Gorur" <> wrote in message
    >> news:...
    >> >I have an asp.net web application that executes stored procedures on SQL
    >> > Server 2000 on the backend and displays the results of this stored
    >> > procs
    >> > on a
    >> > grid. I use integrated windows authentication on IIS, asp.net and SQL
    >> > Server.
    >> > Here is what I want to do:
    >> >
    >> > - When a user starts to use the application I want to get the
    >> > credentials
    >> > of
    >> > the user. (This can be done by web.config:: <identity
    >> > impersonate="true">)
    >> > - After I get the user info, I would like to run the stored procedures
    >> > with
    >> > a different specific NT user's credentials, one that I will give all
    >> > SQL
    >> > Server accesses. So, I will not give any application user SQL Server
    >> > direct
    >> > query access but only this specific user account. (This can be done by
    >> > impersonating this specific user in the web.config)
    >> >
    >> > I want both of this, but I could not find a way to accomplish both. One
    >> > method I thought would be having one asp.net application and another
    >> > web
    >> > service application both running with different credentials: First,
    >> > with
    >> > the
    >> > logged in user and second with my sql server account)
    >> >
    >> > Any other ideas? Help wanted!
    >> >
    >> > Thanks in advance
    >> >
    >> >
    >> > --
    >> > Onur Gorur, MCSD
    >> > Microsoft Turkey
    >> > Mid-Market Programs Manager

    >>
    >>
    >>
     
    Joe Kaplan \(MVP - ADSI\), Nov 12, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?UmV6YQ==?=
    Replies:
    3
    Views:
    18,017
    Carlos Barini
    Jun 7, 2004
  2. Doug
    Replies:
    9
    Views:
    6,896
    Terence Tirella
    Apr 7, 2006
  3. Siobhan
    Replies:
    2
    Views:
    390
    Patrick.O.Ige
    Oct 31, 2005
  4. Chris Cichocki

    Windows + Custom Security hybrid??

    Chris Cichocki, Sep 20, 2006, in forum: ASP .Net Security
    Replies:
    1
    Views:
    125
    Steven Cheng[MSFT]
    Sep 21, 2006
  5. Littlefield, Tyler

    using twisted as a client-server hybrid

    Littlefield, Tyler, Dec 15, 2011, in forum: Python
    Replies:
    0
    Views:
    159
    Littlefield, Tyler
    Dec 15, 2011
Loading...

Share This Page