impersonation and location element

Discussion in 'ASP .Net Security' started by Brad, Nov 3, 2003.

  1. Brad

    Brad Guest

    I have an asp.net app with one sub folder that requires windows
    authentication. The IIS folder is set to require intergrated security and
    the sub folder has its own web.config
    with the following setting.
    <identity impersonate="true" />
    <authorization>
    <allow users ="*" />
    </authorization>
    This works fine and WindowsIdentity.GetCurrent.Name yields the true users
    identity.

    But...if I remove the web.config from the sub folder and place the above
    settings in a "location" element in the apps web.config (se below) then
    impersonation seems to fail and the "WindowsIdentity.GetCurrent.Name
    always equals "NT AUTHORITY\NETWORK SERVICE".

    <location path="subfoldername/page.aspx">
    <system.web>
    <identity impersonate="true" />
    <authorization>
    <allow users ="*" /><!-- This allows access to all users -->
    </authorization>
    </system.web>
    </location>

    My question is: Why does setting the impersonate in the location element in
    the apps web.config behave differently than setting it in the separate
    web.config?


    Brad
     
    Brad, Nov 3, 2003
    #1
    1. Advertising

  2. Brad

    MSFT Guest

    Hi Brad,

    I tested this situation but I got different result with you. When I open
    the webform in sub folder, it give me correct user account instead of "NT
    AUTHORITY\NETWORK SERVICE".

    Therefore, I want confirm with you that if you also create a virtual
    directory for the sub folder in IIS? When you open the page, did you use:

    Http://localhost/WebApplication1/Sub1/page.aspx

    or

    Http://localhost/Sub1/page.aspx ?

    In my test, I only have "WebApplication1" as a virtual directory and set
    its securoty to "Integrated Windows Authentication"

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Nov 4, 2003
    #2
    1. Advertising

  3. Brad

    Brad Guest

    Luke,
    Using your example:
    Sub1 is not a virtual directory. Anonymous access is enabled for WebApp1
    but it is disabled for Sub1. The page must be accessed as
    Http://localhost/WebApplication1/Sub1/page.aspx as it is part of the
    WebApp1 compiled application.

    I see the question coming: why not just use integrated auth for WebApp1?
    WebApp1 actually uses forms authentication because some users can be
    authenticated on our domain and others must login using a login page. With
    integrated auth on Sub1 I can test users against folder and, if they can
    access sub1/page.aspx, I set the forms auth using their windows identity
    name otherwise they have to use the login page and I set the forms auth
    using the login page info. It works quite well and I've been using for a
    year now. I was just trying to eliminate multiple web configs in the same
    app and ran into this little issue.

    Brad


    "MSFT" <> wrote in message
    news:...
    > Hi Brad,
    >
    > I tested this situation but I got different result with you. When I open
    > the webform in sub folder, it give me correct user account instead of "NT
    > AUTHORITY\NETWORK SERVICE".
    >
    > Therefore, I want confirm with you that if you also create a virtual
    > directory for the sub folder in IIS? When you open the page, did you use:
    >
    > Http://localhost/WebApplication1/Sub1/page.aspx
    >
    > or
    >
    > Http://localhost/Sub1/page.aspx ?
    >
    > In my test, I only have "WebApplication1" as a virtual directory and set
    > its securoty to "Integrated Windows Authentication"
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
     
    Brad, Nov 4, 2003
    #3
  4. Brad

    MSFT Guest

    Hi Brad,

    I tested "Sub1 is not a virtual directory. Anonymous access is enabled for
    WebApp1 but it is disabled for Sub1. ", but I still get the correct result.
    Here is my ASPX code behind:

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
    System.EventArgs) Handles MyBase.Load
    Response.Write(WindowsIdentity.GetCurrent.Name)
    End Sub

    And here is the configration section in web.config of webapp1:

    <location path="sub1/webform5.aspx">
    <system.web>
    <identity impersonate="true" />
    <authorization>
    <allow users ="*" /><!-- This allows access to all users -->
    </authorization>
    </system.web>
    </location>

    Can you create a new web project to test this?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Nov 6, 2003
    #4
  5. Brad

    MSFT Guest

    Hello Bard, what is the result after you create a new web project for test?
    any updates?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Nov 10, 2003
    #5
  6. Brad

    Brad Guest

    Bard?? Hmmm...I'm not so adept with word or pen as to be called a Bard ;-)
    Anyway....it works now. I'm not sure why it didn't earlier though
    assumption would be that I had a typo or left something out before.

    Thanks for looking into this and the followup.

    Brad



    "MSFT" <> wrote in message
    news:...
    > Hello Bard, what is the result after you create a new web project for

    test?
    > any updates?
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
     
    Brad, Nov 10, 2003
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Luke Dalessandro
    Replies:
    0
    Views:
    616
    Luke Dalessandro
    Jan 15, 2006
  2. zxo102
    Replies:
    0
    Views:
    418
    zxo102
    Aug 1, 2006
  3. HANM
    Replies:
    2
    Views:
    723
    Joseph Kesselman
    Jan 29, 2008
  4. saiho.yuen
    Replies:
    3
    Views:
    437
    kaeli
    Sep 14, 2004
  5. hehehe

    adf java and <location></location>

    hehehe, Jul 6, 2009, in forum: Javascript
    Replies:
    1
    Views:
    111
    Evertjan.
    Jul 6, 2009
Loading...

Share This Page