Impersonation and integrated security (+sql server reporting servi

Discussion in 'ASP .Net Security' started by Phil Aldis, Aug 15, 2004.

  1. Phil Aldis

    Phil Aldis Guest

    Hi,

    I'm having a little difficulty getting my head round windows integrated
    security/impersonation and I'd appreciate a little help with the problem I'm
    trying to solve (or an indication that what I'm trying to do is too hard to
    be worth it!)

    To give you the background: I'm developing a web portal application which
    has a fairly limited number of users. We're using SQL Server reporting
    services. A number of the reports need to be bound to groups of users; also,
    some of the reports need to know the logged-in user to use directly in the
    SQL queries. This can, of course, all be done using Windows Integrated
    Authentication. Also, another piece of info, I can't justify the cost of the
    Enterprise version of SQL Server and so cannot use a reporting services
    custom security extension (eg Form based authentication). Also, I'm serving
    up my reports using the reportviewer custom control, which loads reports into
    an IFrame, so effectively creates its own http requests.

    I have no problems creating accounts on the server for every user. What I
    don't like, however, is the integrated security popup box. It's quite ugly
    and from a user experience point of view really doesn't fit in with their
    expectations of a web application, where they would expect a more forms based
    view. I thought that I might be able to do something in the background
    whereby they could login through a form and I could manually do the logging
    in, and from then on (until timeout) this user would be regarded by the
    webapp and report server as the credentials supplied.

    Okay, so I used the demo in msdn:
    ms-help://MS.MSDNQTR.2004JUL.1033/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic1.htm

    and webapp'ed it. This works and I was hoping that if I didn't undo the
    impersonation at the end, that all future http requests from this client
    would be regarded as the impersonated user, which would obviously enable
    someone to login and then when they view reports they would be that user. I
    kinda knew that wasn't going to work and it feels like I might still be able
    to do this by doing something with the security token.

    Is what I'm trying to do mad? Am I going to have to implement my own
    HttpHandler and impersonate the user I think someone is, at each request? It
    would be great if there are any tutorials out there. Obviously if it's too
    difficult, or will introduce huge security weaknesses in the system then it's
    just not worth it. As I said, all I'm trying to do here is remove the popup
    login box!

    Thanks in advance for your help,

    Phil Aldis
    Phil Aldis, Aug 15, 2004
    #1
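
The per-thread scope of impersonation that the question above runs into, as an added example (not part of the original post, and not the MSDN sample it links to): the impersonated identity applies only to the server thread that calls `Impersonate` and is reverted in `Dispose`, so nothing here carries over to later HTTP requests from the same client. It targets the .NET Framework; the class name `ScopedImpersonation` and the account values are hypothetical placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: impersonation limited to one unit of work on one thread.
public sealed class ScopedImpersonation : IDisposable
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    IntPtr token = IntPtr.Zero;
    WindowsImpersonationContext context;

    public ScopedImpersonation(string user, string domain, string password)
    {
        // Validate the credentials and obtain a primary token for the account.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        // Attach the token to the *current thread* only.
        try { context = WindowsIdentity.Impersonate(token); }
        catch { CloseHandle(token); token = IntPtr.Zero; throw; }
    }

    public void Dispose()
    {
        // Always revert the thread and release the token, even on exceptions.
        if (context != null) { context.Undo(); context = null; }
        if (token != IntPtr.Zero) { CloseHandle(token); token = IntPtr.Zero; }
    }
}

public class Demo
{
    public static void Main()
    {
        Console.WriteLine("before: " + WindowsIdentity.GetCurrent().Name);
        // Placeholder account, domain and password (assumptions, not from the thread).
        using (new ScopedImpersonation("reportuser", "EXAMPLEDOMAIN", "placeholder-password"))
            Console.WriteLine("inside: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("after:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```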

  2. Phil Aldis

    Ken Schaefer Guest

    Internet Explorer can be configured to automatically send the user's
    credentials to the website if the site is in the local Intranet zone...then
    you wouldn't see the pop-up login dialogue box (unless the currently logged
    in user does not have sufficient privileges)

    Would that help?

    Cheers
    Ken
    Ken Schaefer, Aug 16, 2004
    #2

  3. Phil Aldis

    Phil Aldis Guest

    Re: Impersonation and integrated security (+sql server reporting s

    Thanks for your response Ken.

    The problem is that people are coming through the internet. Also, the IT
    skill level of some of the people using the site is fairly low and I'm
    slightly concerned that the popup is going to be fairly confusing. Also
    having to fill in the domain is a bit confusing. As I said, it's really not
    100% crucial and if it were, it's looking like the only way I can do it, is
    to buy an Enterprise license and implement my own security extension for
    reporting services that gives me lots more freedom.

    One thing that does concern me: am I right in thinking that if I'm using
    windows security, I'm preventing any non-IE browsers from using the site? Is
    there any way round this?

    Thanks,

    Phil

    Phil Aldis, Aug 16, 2004
    #3
  4. Phil Aldis

    Raterus Guest

    Re: Impersonation and integrated security (+sql server reporting s

    You are correct, integrated windows authentication is only supported when the client uses IE. Though if you still needed to use windows accounts, basic authentication is supported by almost all browsers, and digest authentication is supported by some of them.

    --Michael

    Raterus, Aug 16, 2004
    #4