IIS/ASP.NET impersonation problem

Discussion in 'ASP .Net Security' started by Ram, Jun 7, 2006.

  1. Ram

    Ram Guest

    I need to create custom performance counters for my ASP.NET application;
    I am creating these counters in the Application_Start event.

    To create these counters I used the following settings in IIS and the web.config file:

    In IIS ---> Directory Security tab --->
    1) Checked anonymous access and integrated Windows authentication
    2) Settings in web.config --->

    <identity impersonate = "true" userName = "mycomputername\TestRam"
    password = "<password>" />

    <authorization>
    <allow users="*" />
    </authorization>

    <authentication mode="Windows" />

    With the above settings it works fine; TestRam is local Admin.

    Now, by my requirement, I should not use a plain password in my web.config, so I
    decided to do this through the IIS settings:

    In IIS ---> Directory Security tab --->
    1) Checked anonymous access and integrated Windows authentication
    2) In the anonymous section, I used the following account as my anonymous account:
    mycomputername\TestRam
    3) Settings in web.config --->

    <identity impersonate = "true" />

    <authorization>
    <allow users="*" />
    </authorization>

    <authentication mode="Windows" />

    If I run the application I get "Required registry access not allowed".

    When I check the identity account through "Environment.UserName" I see the
    above account, and likewise with "WindowsIdentity.GetCurrent().Name".

    I even explicitly gave full control permissions to the above account on the
    following registry keys:

    1)HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\CURRENTVERSION\Perflib
    2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as ControlSet002



    Can anybody help me, as it is due to move to my technical center?


    Regards
    Ram
     
    Ram, Jun 7, 2006
    #1

  2. This is a bad approach. You really ought to install things like event log
    sources and perf counters during the initial deployment of your application.
    Let an admin do that. Then, in your code, you just instantiate your perf
    counters and write to them.

    You can do this easily by creating some PerformanceCounterInstaller classes
    in your assembly and having an admin run installutil.exe on your assembly.
    This way, your app can run as a normally privileged user as well and you
    won't need to worry about hiding credentials. It is a win/win across the
    board.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan \(MVP - ADSI\), Jun 7, 2006
    #2
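
The deployment-time registration recommended in the reply above, sketched as an added example that is not part of the original thread or any poster's code. The category name, counter name and class names are hypothetical; an administrator runs installutil.exe against the compiled assembly once, and the web application then only opens the existing counter.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;

// Install-time half: executed once, by an administrator, via installutil.exe.
// No impersonation settings or stored credentials are involved.
[RunInstaller(true)]
public class AppCounterInstaller : Installer
{
    public const string Category = "MyWebApp";           // hypothetical name
    public const string Requests = "Requests Handled";   // hypothetical name

    public AppCounterInstaller()
    {
        PerformanceCounterInstaller pci = new PerformanceCounterInstaller();
        pci.CategoryName = Category;
        pci.CategoryHelp = "Counters for the sample web application";
        pci.CategoryType = PerformanceCounterCategoryType.SingleInstance;
        pci.Counters.Add(new CounterCreationData(
            Requests, "Total requests handled",
            PerformanceCounterType.NumberOfItems32));
        Installers.Add(pci);
    }
}

// Run-time half: the application never creates the category, so it does not
// need the registry rights that category creation requires.
public static class AppCounters
{
    private static PerformanceCounter requests;

    // Safe to call from Application_Start under the worker process identity.
    public static void Init()
    {
        try
        {
            // readOnly = false opens the existing counter for writing.
            requests = new PerformanceCounter(
                AppCounterInstaller.Category, AppCounterInstaller.Requests, false);
        }
        catch (InvalidOperationException)
        {
            requests = null; // category missing (installer not run): no metrics
        }
    }

    public static void RequestHandled()
    {
        if (requests != null) requests.Increment();
    }
}
```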

  3. Ram

    Ram Guest

    Thanks Joe

    Yes, I will use installutil to install. In the meantime I found the reason why
    it was not working before: I am creating the counters in the Application_Start
    event, and at this point impersonation has not yet been applied, so it still
    uses the ASPNET user. So I moved my logic to the Session_Start event,
    and it worked well.

    Ram


     
    Ram, Jun 8, 2006
    #3
  4. IMO this is still a bad approach - you run your app with elevated privs... what's
    wrong with pre-registering that stuff from an admin console?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jun 8, 2006
    #4
