IIS 7 and WindowsIdentity

[Peter Larsen [CPH]]

Hej,

I have a website where the IIS is setup to use "Windows Authentication".

The website connects to oracle using the following connection string:
<add key="Main.ConnectionString" value="data source=DATABASE;user
id=/;"/>

Running the website, WindowsIdentity return the user added to the
application-pool associated with the website. Thread.CurrentPrincipal return
the user currently accessing the website.

I want OracleConnection to use the identity of the user currently using the
website (here Thread.CurrentPrincipal), but this is not what happens. The
oracle component use the user-account added to the Application Pool (here
found in WindowsIdentity).

There must be a way to do this, but i don't know how to configure the IIS to
use the identity from current user...

Thank you in advance.
BR
Peter

 

[Jerry Weng]

Hello Peter Larsen,
Thank you for posting.
From your post, my understanding on this issue is: login to the database
with the current user which authenticated in your web system. If I'm off
base, please feel free to let me know.

We need to impersonate the user to meet the requirement.

So the connectionString need to be like this:
<add key="Main.ConnectionString" value="data source=DATABASE;User Id=/;"/>

And we need to add <identity impersonate="true"> to the web.config.

<system.web>
<identity impersonate="true"/>
</system.web>

Reference:
ASP.NET Impersonation
http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx

Please let me know the information above so that I can provider further
assistance on this problem. I am looking forward to your reply.

--
Sincerely,
Jerry Weng
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================
--------------------
| From: "Peter Larsen [CPH]" <[email protected]>
| Subject: IIS 7 and WindowsIdentity
| Date: Tue, 27 Jul 2010 18:14:16 +0200
| Lines: 25
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:78
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Hej,
|
| I have a website where the IIS is setup to use "Windows Authentication".
|
| The website connects to oracle using the following connection string:
| <add key="Main.ConnectionString" value="data source=DATABASE;user
| id=/;"/>
|
| Running the website, WindowsIdentity return the user added to the
| application-pool associated with the website. Thread.CurrentPrincipal
return
| the user currently accessing the website.
|
| I want OracleConnection to use the identity of the user currently using
the
| website (here Thread.CurrentPrincipal), but this is not what happens. The
| oracle component use the user-account added to the Application Pool (here
| found in WindowsIdentity).
|
| There must be a way to do this, but i don't know how to configure the IIS
to
| use the identity from current user...
|
| Thank you in advance.
| BR
| Peter
|
|
|

 

[Peter Larsen [CPH]]

Hi Jerry,

Thank you for your comment.
I think this is what i am looking for.

Just to be sure - so it is possible to impersonate each session (on the iis)
with current user(s) ??

BR
Peter

 

[Peter Larsen [CPH]]

Hi Jerry,

I can't get it to work.

I use the following sample to test with:

string cs = ConfigurationManager.AppSettings["main.connectionstring"];
Oracle.DataAccess.Client.OracleConnection oc = new OracleConnection(cs);
string sql = "select * from table_name t";
using (OracleCommand com = new OracleCommand(sql, oc))
{
oc.Open();
OracleDataReader odr = com.ExecuteReader();
}

The web.config contains "identity impersonate = true" and user id=/; in the
connection string.

On my own machine, this works just fine, but it fails on the ISS with the
error "Oracle.DataAccess.Client.OracleException: ORA-1017".

I log the text from the below line + checks that the logoff/logon events
exist in the Security Log (on the server).

string text = string.Format("windowsidentity:{0}:{1},
currentthread:{2}:{3}",
System.Security.Principal.WindowsIdentity.GetCurrent().Name,
System.Security.Principal.WindowsIdentity.GetCurrent().IsAuthenticated,
System.Threading.Thread.CurrentPrincipal.Identity.Name,
System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated);

It all seems ok, but it doesn't work.
What do i do wrong here ??

Thank you.

BR
Peter

 

[Peter Larsen [CPH]]

Hi Jerry,

I have found that it works if i change the Application Pool to use my
account (and remove impersonate = true from web.config).

It also works if i change the logon method from Windows Authentication to
Basic Authentication + removing impersonate as above, and then logon using
the logon popup window.

BR
Peter

 

[Peter Larsen [CPH]]

- but it doesn't work if using Windows Authentication and ASP.NET
Impersonation - which is what i need :-(

 

[Jerry Weng]

Hi Peter,

With Windows authentication, either the Windows user must belong to a
privileged Windows group such as ORA_DBA on the Oracle server or external
authentication must be enabled. External authentication is not recommended,
because it is less secure than access through group membership.

Are the users which you want to impersonate belong to the Windows group
such as ORA_DBA?

For ASP.NET, we have to use <identity impersonate="true" /> to impersonate
the current logon user to process something rather than to use the default
NETWORK SERVICE account. I think the problem drop down to how the Orcale
database know the Windows acount is in the sercurity user list. Just like
we need to add the Windows account to the Security/Logins list in the
Microsoft SQL Server Management Studio. I think so does the Orcale databse
need your impersonated account to be added into his user list. And you also
said that the impersonation works on you local machine but not on the ISS
server, so I think it is a configuration problem on Orcale database. (Sorry
I'm not quite familiar with Orcale.)

Oracle database security problems are out of the support boundaries of this
managed newsgroups. So I also think we can find more help about how to
implementing Window Authentication for Orcale from the oracle.com. But I
still try my best to provide some useful clues to resolve your issue. Here
I found some useful links from third part websites.

Securing a .NET Application on the Oracle Database
http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_m
asteringdotnet.html

This response contains a reference to a third party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.
--------------------
| From: "Peter Larsen [CPH]" <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: Re: IIS 7 and WindowsIdentity
| Date: Wed, 28 Jul 2010 14:12:40 +0200
| Lines: 63
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP06.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:85
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Hi Jerry,
|
| I can't get it to work.
|
| I use the following sample to test with:
|
| string cs = ConfigurationManager.AppSettings["main.connectionstring"];
| Oracle.DataAccess.Client.OracleConnection oc = new OracleConnection(cs);
| string sql = "select * from table_name t";
| using (OracleCommand com = new OracleCommand(sql, oc))
| {
| oc.Open();
| OracleDataReader odr = com.ExecuteReader();
| }
|
| The web.config contains "identity impersonate = true" and user id=/; in
the
| connection string.
|
| On my own machine, this works just fine, but it fails on the ISS with the
| error "Oracle.DataAccess.Client.OracleException: ORA-1017".
|
| I log the text from the below line + checks that the logoff/logon events
| exist in the Security Log (on the server).
|
| string text = string.Format("windowsidentity:{0}:{1},
| currentthread:{2}:{3}",
| System.Security.Principal.WindowsIdentity.GetCurrent().Name,
| System.Security.Principal.WindowsIdentity.GetCurrent().IsAuthenticated,
| System.Threading.Thread.CurrentPrincipal.Identity.Name,
| System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated);
|
| It all seems ok, but it doesn't work.
| What do i do wrong here ??
|
| Thank you.
|
| BR
| Peter
|
|
|
| | > Hello Peter Larsen,
| > Thank you for posting.
| > From your post, my understanding on this issue is: login to the database
| > with the current user which authenticated in your web system. If I'm off
| > base, please feel free to let me know.
| >
| > We need to impersonate the user to meet the requirement.
| >
| > So the connectionString need to be like this:
| > <add key="Main.ConnectionString" value="data source=DATABASE;User
| > Id=/;"/>
| >
| > And we need to add <identity impersonate="true"> to the web.config.
| >
| > <system.web>
| > <identity impersonate="true"/>
| > </system.web>
| >
|
|
|

 

[Peter Larsen [CPH]]

Hi Jerry,

How can it be a oracle privileged issue, when it works using another
authentication method on the website ??
It does work if using Basic Authentication and ASP.NET Impersonation.

BR
Peter

 

[Peter Larsen [CPH]]

Could it be that the authentication type, when using Basic Authentication,
is kerberos and when using Windows Authentication, it is NTLM ??

/Peter

 

[Jerry Weng]

Hi Peter,

Well, Basic authentication is inherently insecure. Because it is easy to
decode Base64 encoded data, Basic authentication is essentially sending the
password as plain text. To improve the security of this authentication
scheme, we can use it in combination with Secure Sockets Layer/Transport
Layer Security (SSL/TLS) support to encrypt the HTTP session. However,
SSL/TLS impacts performance because it encrypts and decrypts all data on
each exchange. But it can be used by Internet appications.

Windows authentication is controlled and executed by IIS and is useful
mainly for intranet Web applications.

So maybe that also a possible reason. And If you are using a Intranet web
application, Windows authentication would work better.

Anyway, it seems that Basic authentication and ASP.NET impersonation could
help you to resolve the problem, right?

--
Sincerely,
Jerry Weng
Microsoft Online Community Support

--------------------
| From: "Peter Larsen [CPH]" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| Subject: Re: IIS 7 and WindowsIdentity
| Date: Thu, 29 Jul 2010 10:29:50 +0200
| Lines: 48
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:93
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Hi Jerry,
|
| How can it be a oracle privileged issue, when it works using another
| authentication method on the website ??
| It does work if using Basic Authentication and ASP.NET Impersonation.
|
| BR
| Peter
|
|
| | > Hi Peter,
| >
| > With Windows authentication, either the Windows user must belong to a
| > privileged Windows group such as ORA_DBA on the Oracle server or
external
| > authentication must be enabled. External authentication is not
| > recommended,
| > because it is less secure than access through group membership.
| >
| > Are the users which you want to impersonate belong to the Windows group
| > such as ORA_DBA?
| >
| > For ASP.NET, we have to use <identity impersonate="true" /> to
impersonate
| > the current logon user to process something rather than to use the
default
| > NETWORK SERVICE account. I think the problem drop down to how the Orcale
| > database know the Windows acount is in the sercurity user list. Just
like
| > we need to add the Windows account to the Security/Logins list in the
| > Microsoft SQL Server Management Studio. I think so does the Orcale
databse
| > need your impersonated account to be added into his user list. And you
| > also
| > said that the impersonation works on you local machine but not on the
ISS
| > server, so I think it is a configuration problem on Orcale database.
| > (Sorry
| > I'm not quite familiar with Orcale.)
| >
| > Oracle database security problems are out of the support boundaries of
| > this
| > managed newsgroups. So I also think we can find more help about how to
| > implementing Window Authentication for Orcale from the oracle.com. But I
| > still try my best to provide some useful clues to resolve your issue.
Here
| > I found some useful links from third part websites.
| >
| > Securing a .NET Application on the Oracle Database
| >
http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_m
| > asteringdotnet.html
|
|
|

 

[Peter Larsen [CPH]]

Hi Jerry,

It is true that Basic Authentication works, but it is not an option. I only
tried it as a test.
We must use Windows Authentication.

And yes, the website runs on our intranet (IIS 7 on server 2007).

I have found a page (on MS website) saying that delegation is not supported
if using NTLM.
I have also read, that delegation may be a Security Policy setting + the
server must have a SPN (Service Principal Name) name.

But i can't get it to work.

I need somebody to tell me, what is the truth in this and how to make it
work.

BR
Peter

 

[Jerry Weng]

Hi Peter,

As I said, I think the key problem is how to create the Windows Account
User into the user list of the Orcale Database.

Here I found a solution from the network. I have not environment to test
it whether it works or not. Hope could help you.

Configuring Windows Authentication
http://oradim.blogspot.com/2007/11/configuring-windows-authentication.html

You can try it and please give me a feedback.

This response contains a reference to a third party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.

--
Sincerely,
Jerry Weng
Microsoft Online Community Support
--------------------
| From: "Peter Larsen [CPH]" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| Subject: Re: IIS 7 and WindowsIdentity
| Date: Fri, 30 Jul 2010 09:51:41 +0200
| Lines: 54
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
| Message-ID: <#[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:97
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Hi Jerry,
|
| It is true that Basic Authentication works, but it is not an option. I
only
| tried it as a test.
| We must use Windows Authentication.
|
| And yes, the website runs on our intranet (IIS 7 on server 2007).
|
| I have found a page (on MS website) saying that delegation is not
supported
| if using NTLM.
| I have also read, that delegation may be a Security Policy setting + the
| server must have a SPN (Service Principal Name) name.
|
| But i can't get it to work.
|
| I need somebody to tell me, what is the truth in this and how to make it
| work.
|
| BR
| Peter
|
|
|
|
| | > Hi Peter,
| >
| > Well, Basic authentication is inherently insecure. Because it is easy
to
| > decode Base64 encoded data, Basic authentication is essentially sending
| > the
| > password as plain text. To improve the security of this authentication
| > scheme, we can use it in combination with Secure Sockets Layer/Transport
| > Layer Security (SSL/TLS) support to encrypt the HTTP session. However,
| > SSL/TLS impacts performance because it encrypts and decrypts all data on
| > each exchange. But it can be used by Internet appications.
| >
| > Windows authentication is controlled and executed by IIS and is useful
| > mainly for intranet Web applications.
| >
| > So maybe that also a possible reason. And If you are using a Intranet
web
| > application, Windows authentication would work better.
| >
| > Anyway, it seems that Basic authentication and ASP.NET impersonation
could
| > help you to resolve the problem, right?
| >
| > --
| > Sincerely,
| > Jerry Weng
| > Microsoft Online Community Support
| >
| > ---
|
|
|

 

[Peter Larsen [CPH]]

But, it it true that delegation is not supported if using NTLM ??

BR
Peter

 

[Jerry Weng]

Hello Peter,

Yes, we can't use NTLM for delegation. We have to use Kerberos
authentication protocol.

Kerberos authentication authenticates the server and the client, whereas
Windows NT Challenge/Response (NTLM) authenticates the client only.

For client side, only Microsoft Internet Explorer 5.0 or later versions
support Kerberos.
For server side, only Windows 2000 or later versions support Kerberos
authentication, it need IIS 5.0 or later version.

--
Sincerely,
Jerry Weng
Microsoft Online Community Support
--------------------
| From: "Peter Larsen [CPH]" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
| Subject: Re: IIS 7 and WindowsIdentity
| Date: Tue, 3 Aug 2010 16:23:50 +0200
| Lines: 7
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:105
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| But, it it true that delegation is not supported if using NTLM ??
|
| BR
| Peter
|
|
|
|