Impersonation in asp.net

Discussion in 'ASP .Net Security' started by Samuel Shum, Jul 14, 2004.

  1. Samuel Shum

    Samuel Shum Guest

    Hello, I have a problem with impersonation in asp.net: I've developed some
    components which can create user accounts on the web server. The asp files
    residing on the server will call these components to do the job BUT the
    "aspnet" (asp.net worker process account) doesn't have enough privilege to
    do so... (as the components are called in the context of this "low
    privilege" account). I understand that the .Net framework has something called
    "impersonation" which can run the worker process in the context of some
    "higher" account (in this case, accounts under the administrators group). The
    problem seems to be solved with this approach but now the problem is that
    the "impersonated" account, i.e. the "admin" account's name and
    password, is stored in "cleartext" in the web.config file, which poses a
    serious security issue... A solution to this is to store the username
    and password in the registry and encrypt them... however, the debugger
    returns an error that the "password" entry cannot be read from the registry...
    even though I did give "read" permission to the worker process... so how can
    this be resolved? Or is this the right way to do this kind of job?

    Thanks in advance.

    Samuel
    Samuel Shum, Jul 14, 2004
    #1

  2. Mark Duregon

    Mark Duregon Guest

    Use the DPAPI or one of the .NET encryption methods to encrypt the information in the web.config file. Information on this topic is in the Building Secure ASP.NET practices paper http://msdn.microsoft.com/library/d...-us/dnnetsec/html/secnetlpMSDN.asp?frame=true


    "Samuel Shum" wrote:

    > Hello, I have a problem with impersonation in asp.net: I've developed some
    > components which can create user accounts on the web server. The asp files
    > residing on the server will call these components to do the job BUT the
    > "aspnet" (asp.net worker process account) doesn't have enough privilege to
    > do so... (as the components are called in the context of this "low
    > privilege" account). I understand that the .Net framework has something called
    > "impersonation" which can run the worker process in the context of some
    > "higher" account (in this case, accounts under the administrators group). The
    > problem seems to be solved with this approach but now the problem is that
    > the "impersonated" account, i.e. the "admin" account's name and
    > password, is stored in "cleartext" in the web.config file, which poses a
    > serious security issue... A solution to this is to store the username
    > and password in the registry and encrypt them... however, the debugger
    > returns an error that the "password" entry cannot be read from the registry...
    > even though I did give "read" permission to the worker process... so how can
    > this be resolved? Or is this the right way to do this kind of job?
    >
    > Thanks in advance.
    >
    > Samuel
    Mark Duregon, Jul 14, 2004
    #2

  3. Samuel Shum

    Samuel Shum Guest

    Thanks Mark for the information, sorry if my query misled you. I'd done the
    encryption part: the username and password are encrypted and stored in the
    registry with the tool "aspnet_setreg"
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290) and those
    can be retrieved by stating the following entry in the web.config file:

    <identity impersonate="true"
              userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
              password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />

    I followed the procedures exactly but the browser returns the following error:
    ***
    Configuration Error
    Description: An error occurred during the processing of a configuration file
    required to service this request. Please review the specific error details
    below and modify your configuration file appropriately.

    Parser Error Message: Error reading the password from the registry.

    Source Error:

    Line 83: <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    Line 84:
    Line 85: <identity impersonate="true" userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName" password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
    Line 86: </system.web>

    Source File: c:\inetpub\wwwroot\Encryption\web.config Line: 85

    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
    Version:1.1.4322.573
    ***

    I'd given the "aspnet" account the permission to read the entries, just
    don't know what the error exactly means.

    Samuel
    Samuel Shum, Jul 14, 2004
    #3
  4. Stephen Shirley

    Stephen Shirley Guest

    Possible Solution: I have wrestled with this one also. I finally got
    it to work by giving the MachineName(change this)\ASPNET account
    permissions to read the registry key ASPNET_SETREG directly, not the
    Identity key. Note, every time you run aspnet_setreg it will drop and
    recreate the key, so you will have to add the permissions every time
    you run it. Hope this helps.

    Stephen Shirley,
    MCSD .NET

    "Samuel Shum" <> wrote in message news:<>...
    > Thanks Mark for the information, sorry if my query misled you. I'd done the
    > encryption part: the username and password are encrypted and stored in the
    > registry with the tool "aspnet_setreg"
    > (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290) and those
    > can be retrieved by stating the following entry in the web.config file:
    >
    > <identity impersonate="true"
    >           userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
    >           password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
    >
    > I followed the procedures exactly but the browser returns the following error:
    > ***
    > Configuration Error
    > Description: An error occurred during the processing of a configuration file
    > required to service this request. Please review the specific error details
    > below and modify your configuration file appropriately.
    >
    > Parser Error Message: Error reading the password from the registry.
    >
    > Source Error:
    >
    > Line 83: <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    > Line 84:
    > Line 85: <identity impersonate="true" userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName" password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
    > Line 86: </system.web>
    >
    > Source File: c:\inetpub\wwwroot\Encryption\web.config Line: 85
    >
    > --------------------------------------------------------------------------------
    > Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
    > Version:1.1.4322.573
    > ***
    >
    > I'd given the "aspnet" account the permission to read the entries, just
    > don't know what the error exactly means.
    >
    > Samuel
    Stephen Shirley, MCSD .NET, Jul 27, 2004
    #4
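    As an added example, not code from this thread, from aspnet_setreg or from Microsoft, the PowerShell script below puts Mark's and Stephen's points together: it protects a credential with machine-scope DPAPI (the mechanism aspnet_setreg uses, which is why a blob decrypts only on the machine that wrote it), stores the blob as REG_BINARY under a key laid out like the one in Samuel's web.config, grants the ASP.NET worker-process account read access on the ASPNET_SETREG key itself rather than on the parent Identity key, and then audits the ACL so the grant can be re-checked after every aspnet_setreg run. It assumes an administrative Windows PowerShell 5.1 session; the key path, the worker account name and the credentials are placeholders. The blob it writes illustrates the mechanism and is not guaranteed to be in the exact format ASP.NET 1.1's registry: lookup expects, so for a real deployment let aspnet_setreg write the values and use only the Grant-KeyRead and Test-KeyRead functions.

```powershell
# Added example (not from the thread): DPAPI-protect a credential, store it under a
# registry key, grant only the worker-process account Read on that key, and audit it.
# Assumptions: administrative Windows PowerShell 5.1; path and account are placeholders.

Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.ProtectedData

$KeyPath       = 'HKLM:\Software\DummyApplication\Identity\ASPNET_SETREG'  # same layout as the thread's web.config
$WorkerAccount = "$env:COMPUTERNAME\ASPNET"   # ASP.NET 1.1 worker account; use the app-pool identity on IIS 6+

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText)
    # LocalMachine scope: any process on this machine that can READ the blob can
    # decrypt it, so the registry ACL below is what actually limits exposure.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return ,$blob   # leading comma keeps the byte[] from being unrolled
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][byte[]]$Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return [System.Text.Encoding]::Unicode.GetString($bytes)
}

function Set-ProtectedRegistryValue {
    param([string]$Path, [string]$Name, [string]$PlainText)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Only the DPAPI blob reaches the registry; the plaintext is never written.
    Set-ItemProperty -Path $Path -Name $Name -Value (Protect-Secret $PlainText) -Type Binary
}

function Grant-KeyRead {
    param([string]$Path, [string]$Account)
    # Grant on the ASPNET_SETREG key itself, as Stephen describes, not on the parent
    # Identity key. aspnet_setreg drops and recreates this key on every run, so the
    # explicit ACE added here disappears with it and must be re-applied afterwards.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Account,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-KeyRead {
    param([string]$Path, [string]$Account)
    # Audit step: is there an Allow ACE for the worker account that covers ReadKey?
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl = Get-Acl -Path $Path
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    }
    return [bool]$hit
}

# Usage with constructed sample values:
Set-ProtectedRegistryValue -Path $KeyPath -Name 'userName' -PlainText 'DummyApplication\svc_account'
Set-ProtectedRegistryValue -Path $KeyPath -Name 'password' -PlainText 'placeholder-password'
Grant-KeyRead -Path $KeyPath -Account $WorkerAccount
"Worker account holds ReadKey on ${KeyPath}: $(Test-KeyRead -Path $KeyPath -Account $WorkerAccount)"

# Round-trip check from this (administrative) session:
$stored = (Get-ItemProperty -Path $KeyPath -Name 'password').password
"Decrypted value: $(Unprotect-Secret -Blob $stored)"
```

    Run Test-KeyRead again after each aspnet_setreg invocation: a false result is exactly the state that produces the "Error reading the password from the registry" parser error shown earlier in the thread, because the recreated key no longer carries the worker account's ACE.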