identity impersonate=true masks the identity of the app pool for trusted sql connections

Discussion in 'ASP .Net Security' started by Popezilla, Mar 18, 2007.

  1. Popezilla

    Popezilla Guest

    I have my ASP.NET sites setup to connect to SQL Server using trusted
    security and their application pool identities according to this
    article: http://msdn2.microsoft.com/en-us/library/ms998292.aspx

    Everything is working fine without trouble.

    However, now I have a site which requires the identity
    impersonate=true web config setting so that it knows the active
    directory id of the web user. I have to have the impersonate flag
    turned on because I use the AspNetWindowsTokenRoleProvider to
    authorize my users.

The problem is that when impersonate=true, the site no longer connects
to the database with the app pool identity. Instead, it uses either
the user's identity if basic authentication is enabled or some other
local machine account.

How can I accomplish both in the same web site? How can I have the
site use trusted security and connect to my SQL server under the
identity of the app pool AND have impersonate=true so that I know the
AD id of the user?

    Thanks for your help.
     
    Popezilla, Mar 18, 2007
    #1

  2. What do you mean by AD id? The username?

You get that from Context.User.Identity.Name - and no impersonation is required
for that (nor for the token role provider - but I see no value in using that
anyways).

Make sure Windows auth is enabled in IIS - and anonymous is turned off.

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I have my ASP.NET sites setup to connect to SQL Server using trusted
    > security and their application pool identities according to this
    > article: http://msdn2.microsoft.com/en-us/library/ms998292.aspx
    >
    > Everything is working fine without trouble.
    >
    > However, now I have a site which requires the identity
    > impersonate=true web config setting so that it knows the active
    > directory id of the web user. I have to have the impersonate flag
    > turned on because I use the AspNetWindowsTokenRoleProvider to
    > authorize my users.
    >
> The problem is that when impersonate=true, the site no longer connects
    > to the database with the app pool identity. Instead, it uses either
    > the user's identity if basic authentication is enabled or some other
    > local machine account.
    >
    > How can I accomplish both in the same web site? How can I have the
    > site use trusted security and connect to my SQL server under the
> identity of the app pool AND have impersonate=true so that I know the
    > AD id of the user?
    >
    > Thanks for your help.
    >
     
    Dominick Baier, Mar 18, 2007
    #2

  3. Popezilla

    Popezilla Guest

    On Mar 17, 11:21 pm, Dominick Baier
    <dbaier@pleasepleasenospam_leastprivilege.com> wrote:
    > What do you mean with AD id?? The username?
    >
    > You get that from Context.User.Identity.Name - and no impersonation is required
    > for that (nor for the token role provider - but i see no value in using that
    > anyways).
    >
    > Make sure windows auth is enabled in IIS - and anonymous is turned off..
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    Thank you. I was using WindowsIdentity.GetCurrent() which would not
    return the account name of the user unless the impersonate flag was
    set.
     
    Popezilla, Mar 18, 2007
    #3
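The distinction the two posts settle on, shown side by side in code. This is an added example and not code from the thread or from either poster: it assumes an ASP.NET 2.0 Web Forms page (class and server names are made up), an application pool running under a domain account, IIS with Integrated Windows authentication enabled and anonymous access disabled, and a web.config with `<authentication mode="Windows" />`, `<identity impersonate="false" />` and `AspNetWindowsTokenRoleProvider` as the default role provider. With that configuration the request's Windows token identifies the browser user, while the worker process (and therefore the trusted SQL connection) keeps the app pool identity.

```csharp
// Added example, not from the thread. Assumed web.config (not shown here):
//   <authentication mode="Windows" />
//   <identity impersonate="false" />
//   <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Hypothetical server and database; Integrated Security=SSPI makes SQL Server
    // authenticate the Windows account of the calling thread, i.e. the app pool
    // identity as long as impersonation is off.
    private const string ConnectionString =
        "Data Source=SQLSERVER01;Initial Catalog=AppDb;Integrated Security=SSPI";

    // Hypothetical expected service account; used only for the sanity check below.
    private const string ExpectedAppPoolAccount = @"CONTOSO\svc-webapp";

    protected void Page_Load(object sender, EventArgs e)
    {
        // The authenticated browser user, read from the request's Windows token.
        // This works with impersonate="false"; no impersonation is needed for it.
        string webUser = Context.User.Identity.Name;

        // The identity of the thread running this code. Without impersonation this
        // is the app pool account; with impersonate="true" it becomes the web user
        // (or the anonymous account), which is what the original poster observed.
        string threadUser = WindowsIdentity.GetCurrent().Name;

        // Authorization through the token role provider also uses the request
        // token, so it does not require impersonation either.
        bool isApprover = Roles.IsUserInRole(webUser, @"CONTOSO\Approvers");

        // Ask SQL Server which login actually opened the connection.
        string sqlLogin = GetSqlLogin();

        Trace.Write("identity", "web user      = " + webUser);
        Trace.Write("identity", "thread user   = " + threadUser);
        Trace.Write("identity", "sql login     = " + sqlLogin);
        Trace.Write("identity", "is approver   = " + isApprover);

        // Sanity check for the symptom described in the thread: if the database
        // sees anything other than the service account, impersonation (or an
        // unexpected pool identity) is in effect and the trusted-connection
        // design of the MSDN article no longer holds.
        if (!string.Equals(sqlLogin, ExpectedAppPoolAccount, StringComparison.OrdinalIgnoreCase))
        {
            Trace.Warn("identity", "SQL connection is NOT using the app pool identity: " + sqlLogin);
        }
    }

    private static string GetSqlLogin()
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }
}
```

With `trace="true"` on the page, the four values appear in the trace output: `web user` is the browser's AD account, while `thread user` and `sql login` both report the app pool account. Flipping `impersonate` to `true` makes all three collapse to the web user (or the anonymous account), reproducing the problem from the first post, and the warning line in the trace is where a reviewer would catch it.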