Impersonation problem.

Discussion in 'ASP .Net Security' started by szhang, Mar 29, 2005.

  1. szhang Guest

    When I enable impersonation in web.config and show User identity in .aspx
    page, it is the user IIS authenticates. But when I try to access Sql server,
    I get an access denied error message. It looks like asp.net does not
    impersonate it at sql server side. I can impersonate a specific user in
    web.config without problem. Is this a bug or by design? I need to give users
    permissions based on their Windows login and I have a lot of users, but they
    are not going to access these web pages at the same time.
     
    szhang, Mar 29, 2005
    #1

  2. Brock Allen Guest

    It sounds like you have the "network hop" authentication issue. If you're
    authenticating from machine A to machine B (without passing a password across
    the network, so think SSPI), then machine B tries to use those same credentials
    to go to machine C, then it will fail unless you've configured your user
    in AD to have the password stored with reversible encryption. Most security
    experts think that's ridiculous as that's not secure. Thus you need to design
    your app around this inherent problem.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    > When I enable impersonation in web.config and show User identity in
    > .aspx page, it is the user IIS authenticates. But when I try to access
    > Sql server, I get an access denied error message. It looks like
    > asp.net does not impersonate it at sql server side. I can impersonate
    > a specific user in web.config without problem. Is this a bug or by
    > design? I need to give users permissions based on their Windows login
    > and I have a lot of users, but they are not going to access these web
    > pages at the same time.
    >
     
    Brock Allen, Mar 29, 2005
    #2

  3. Agreed.

    The canonical solution to the double hop problem is to implement Kerberos
    delegation. There are many references on this newsgroup and on Microsoft's
    sites that you can search for.

    Joe K.

    "Brock Allen" <> wrote in message
    news:...
    > It sounds like you have the "network hop" authentication issue. If you're
    > authenticating from machine A to machine B (without passing a password
    > across the network, so think SSPI), then machine B tries to use those same
    > credentials to go to machine C, then it will fail unless you've configured
    > your user in AD to have the password stored with reversible encryption.
    > Most security experts think that's ridiculous as that's not secure. Thus
    > you need to design your app around this inherent problem.
    >
    > -Brock
    > DevelopMentor
    > http://staff.develop.com/ballen
    >
    >
    >
    >> When I enable impersonation in web.config and show User identity in
    >> .aspx page, it is the user IIS authenticates. But when I try to access
    >> Sql server, I get an access denied error message. It looks like
    >> asp.net does not impersonate it at sql server side. I can impersonate
    >> a specific user in web.config without problem. Is this a bug or by
    >> design? I need to give users permissions based on their Windows login
    >> and I have a lot of users, but they are not going to access these web
    >> pages at the same time.
    >>

     
    Joe Kaplan (MVP - ADSI), Mar 29, 2005
    #3
  4. Paul Clement Guest

    On Tue, 29 Mar 2005 07:29:08 -0800, szhang <> wrote:

    ¤ When I enable impersonation in web.config and show User identity in .aspx
    ¤ page, it is the user IIS authenticates. But when I try to access Sql server,
    ¤ I get an access denied error message. It looks like asp.net does not
    ¤ impersonate it at sql server side. I can impersonate a specific user in
    ¤ web.config without problem. Is this a bug or by design? I need to give users
    ¤ permissions based on their Windows login and I have a lot of users, but they
    ¤ are not going to access these web pages at the same time.

    Is your SQL Server set up for integrated security and is it specified in your connection string?


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Mar 29, 2005
    #4
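A diagnostic for the situation Brock describes (the second hop) and the integrated-security question Paul raises, added here as an example and not code from any poster in the thread. It assumes .NET 2.0 or later (for WindowsIdentity.ImpersonationLevel) and uses a placeholder server name in the connection string.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

// Added diagnostic, not code from the thread. Call it from an .aspx page
// running with <identity impersonate="true" /> (.NET 2.0 or later).
public static class DoubleHopCheck
{
    // Placeholder server name: replace with the real SQL Server host.
    public const string ConnStr =
        "Server=SQLSERVER_PLACEHOLDER;Database=master;Integrated Security=SSPI";

    // After NTLM authentication IIS hands ASP.NET an Impersonation-level token:
    // enough to act as the user on this box, not to forward the identity to
    // another machine. Only a Delegation-level token survives the second hop.
    public static bool TokenCanHopToRemoteServer(out string report)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        report = "Thread identity: " + id.Name +
                 ", token level: " + id.ImpersonationLevel;
        return id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Connects under the impersonated token and asks SQL Server which login it
    // authenticated. A failed hop throws SqlException (typically "Login failed
    // for user 'NT AUTHORITY\ANONYMOUS LOGON'"); that is returned as text so
    // the page can show the token report and the SQL result side by side.
    public static string WhoDoesSqlServerSee(string connectionString)
    {
        try
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                return "SQL Server login: " + (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            return "SQL Server rejected the connection: " + ex.Message;
        }
    }
}
```

When the page shows the right User identity but TokenCanHopToRemoteServer returns false and WhoDoesSqlServerSee reports a rejected connection, the token is not delegable and the failure is the double-hop problem rather than a SQL login mapping issue.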
  5. szhang Guest

    Thanks for your replies.

    Here is my real problem. Our existing asp pages use windows authentication
    and have no problem accessing sql server. All stored procedures use the
    is_member() function to determine the user's permission. It will be too much to
    rewrite all those stored procedures. Most users are computer illiterate and
    all applications are on intranet, so security is not a big issue. The new web
    server is on W2k3. The old one is on W2k and the PDC is still on a NT box.
    What is the easiest way to get around this problem?

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Agreed.
    >
    > The canonical solution to the double hop problem is to implement Kerberos
    > delegation. There are many references on this newsgroup and on Microsoft's
    > sites that you can search for.
    >
    > Joe K.
    >
    > "Brock Allen" <> wrote in message
    > news:...
    > > It sounds like you have the "network hop" authentication issue. If you're
    > > authenticating from machine A to machine B (without passing a password
    > > across the network, so think SSPI), then machine B tries to use those same
    > > credentials to go to machine C, then it will fail unless you've configured
    > > your user in AD to have the password stored with reversible encryption.
    > > Most security experts think that's ridiculous as that's not secure. Thus
    > > you need to design your app around this inherent problem.
    > >
    > > -Brock
    > > DevelopMentor
    > > http://staff.develop.com/ballen
    > >
    > >
    > >
    > >> When I enable impersonation in web.config and show User identity in
    > >> .aspx page, it is the user IIS authenticates. But when I try to access
    > >> Sql server, I get an access denied error message. It looks like
    > >> asp.net does not impersonate it at sql server side. I can impersonate
    > >> a specific user in web.config without problem. Is this a bug or by
    > >> design? I need to give users permissions based on their Windows login
    > >> and I have a lot of users, but they are not going to access these web
    > >> pages at the same time.
    > >>

     
    szhang, Mar 30, 2005
    #5
  6. Ah, if you are using an NT4 domain controller, then Kerberos delegation is
    right out as that requires AD.

    Just out of curiosity, in the instance where access to SQL works, is SQL
    server on the same box as the web server?

    Joe K.

    "szhang" <> wrote in message
    news:...
    > Thanks for your replies.
    >
    > Here is my real problem. Our existing asp pages use windows authentication
    > and have no problem accessing sql server. All stored procedures use the
    > is_member() function to determine the user's permission. It will be too much
    > to
    > rewrite all those stored procedures. Most users are computer illiterate
    > and
    > all applications are on intranet, so security is not a big issue. The new
    > web
    > server is on W2k3. The old one is on W2k and the PDC is still on a NT box.
    > What is the easiest way to get around this problem?
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> Agreed.
    >>
    >> The canonical solution to the double hop problem is to implement Kerberos
    >> delegation. There are many references on this newsgroup and on
    >> Microsoft's
    >> sites that you can search for.
    >>
    >> Joe K.
    >>
    >> "Brock Allen" <> wrote in message
    >> news:...
    >> > It sounds like you have the "network hop" authentication issue. If
    >> > you're
    >> > authenticating from machine A to machine B (without passing a password
    >> > across the network, so think SSPI), then machine B tries to use those
    >> > same
    >> > credentials to go to machine C, then it will fail unless you've
    >> > configured
    >> > your user in AD to have the password stored with reversible encryption.
    >> > Most security experts think that's ridiculous as that's not secure.
    >> > Thus
    >> > you need to design your app around this inherent problem.
    >> >
    >> > -Brock
    >> > DevelopMentor
    >> > http://staff.develop.com/ballen
    >> >
    >> >
    >> >
    >> >> When I enable impersonation in web.config and show User identity in
    >> >> .aspx page, it is the user IIS authenticates. But when I try to access
    >> >> Sql server, I get an access denied error message. It looks like
    >> >> asp.net does not impersonate it at sql server side. I can impersonate
    >> >> a specific user in web.config without problem. Is this a bug or by
    >> >> design? I need to give users permissions based on their Windows login
    >> >> and I have a lot of users, but they are not going to access these web
    >> >> pages at the same time.
    >> >>
    >> >
    >> >
    >> >

     
    Joe Kaplan (MVP - ADSI), Mar 30, 2005
    #6