Machine.Config -- ProcessModel vs Identity Impersonation


Wm. Scott Miller

What is the difference between using a username and password in the
processmodel section vs using one in impersonation in the machine.config
file? What are the advantages of each and what are the reasons for using
each?

Thanks for any replies,
Scott
 

Jim Cheshire [MSFT]

Scott,

If you set the processModel element, all threads that are executed by
ASP.NET will run under that context. If you set the <identity> element,
the main thread will run under the impersonated identity, but any new
threads you create will run under the identity specified in the
<processModel>. That is one difference that many developers don't realize.

You typically would not set the <identity> element in the machine.config.
Instead, it is most often set at the web.config level. It's important to
realize that you do not have to explicitly set a username and password for
the <identity> element. If you simply enable impersonation without
specifying a user, the identity will be that of the user who is
authenticated in IIS or the anonymous account if none is authorized.

In short, the <processModel> element is used to (among other things)
specify which weak account (preferably) will be used to run the worker
process. The <identity> element is used to specify that ASP.NET code
should be run as a user other than the process account.

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(e-mail address removed)

This post is provided "AS-IS" with no warranties and confers no rights.

--------------------
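The thread-identity difference Jim describes above is easy to see in code. The following page is an added example for this thread, not code from the original posts or from Microsoft; it assumes an ASP.NET 1.1 application whose machine.config keeps the default `<processModel userName="machine" password="AutoGenerate" .../>` (the low-privilege ASPNET account) and whose web.config sets `<identity impersonate="true"/>` with no credentials, so the request thread runs as the IIS-authenticated user. The class and member names are mine.

```csharp
// Added example for this thread (not Jim's or Microsoft's code). Assumed configuration:
//   machine.config: <processModel enable="true" userName="machine" password="AutoGenerate" .../>
//   web.config:     <identity impersonate="true"/>   (no userName/password given)
// With Windows or anonymous authentication in IIS, the request thread then runs as the
// IIS-authenticated user, while aspnet_wp.exe itself runs as the ASPNET account named
// by <processModel>.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

public class ThreadIdentityPage : Page
{
    private WindowsIdentity callerIdentity;
    private string requestThreadUser;
    private string plainThreadUser;
    private string reimpersonatedThreadUser;

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // On the request thread, GetCurrent() reflects <identity impersonate="true">.
        requestThreadUser = WindowsIdentity.GetCurrent().Name;

        // Keep a reference to the caller's token; it does not follow us onto a new thread.
        // (With Forms authentication User.Identity is a FormsIdentity and this cast fails.)
        callerIdentity = (WindowsIdentity)HttpContext.Current.User.Identity;

        Thread plain = new Thread(new ThreadStart(ReadIdentityOnPlainThread));
        plain.Start();
        plain.Join();

        Thread reimpersonated = new Thread(new ThreadStart(ReadIdentityOnReimpersonatedThread));
        reimpersonated.Start();
        reimpersonated.Join();

        Response.ContentType = "text/plain";
        Response.Write("Request thread:          " + requestThreadUser + "\r\n");
        Response.Write("New thread (no token):   " + plainThreadUser + "\r\n");
        Response.Write("New thread (re-applied): " + reimpersonatedThreadUser + "\r\n");
    }

    private void ReadIdentityOnPlainThread()
    {
        // No impersonation token here: this is the <processModel> account, e.g. MACHINE\ASPNET.
        plainThreadUser = WindowsIdentity.GetCurrent().Name;
    }

    private void ReadIdentityOnReimpersonatedThread()
    {
        // Re-apply the caller's token explicitly, and always undo it, even on exceptions,
        // so a thread (a pooled one in particular) is never left impersonating.
        WindowsImpersonationContext ctx = callerIdentity.Impersonate();
        try
        {
            reimpersonatedThreadUser = WindowsIdentity.GetCurrent().Name;
        }
        finally
        {
            ctx.Undo();
        }
    }
}
```

Requesting the page as a domain user shows the first and third lines naming that user and the second naming the process account. In the 1.x runtime the same holds for thread-pool work items and asynchronous delegate calls; later runtimes changed how impersonation flows to new threads, so verify the behaviour on your own version before relying on it.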
 

Wm. Scott Miller

So, in the case of wanting to access a network share or database (integrated
security), which would be better, or expose the fewest security
vulnerabilities? Or in the case of the database and ASP.NET, is integrated
the way to go?

Thanks for the reply,
Scott

From: "Wm. Scott Miller" <[email protected]>
Subject: Machine.Config -- ProcessModel vs Identity Impersonation
Date: Mon, 24 May 2004 14:23:32 -0400
Lines: 10
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: ip207064.pat.wvnet.edu 129.71.207.64
Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework.aspnet:235889
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
 

Jim Cheshire [MSFT]

Hi Scott,

Sorry for the delay. I've been out of the office.

Integrated security is perfectly fine, but you must be aware of some of the
caveats involved. By default, integrated security is going to use NTLM,
and NTLM does not allow for delegation of credentials. In other words, if
your database server is on a different computer than IIS (and it should
be), NTLM security isn't going to work because in order to authenticate to
the database, your user's credentials have to be passed by IIS to the
database server on behalf of the user, and NTLM is designed to fail in that
scenario. Instead, you need to configure Kerberos authentication and
delegation.

810572 HOW TO: Configure an ASP.NET Application for a Delegation Scenario
http://support.microsoft.com/?id=810572

If you want to use integrated security, how you proceed depends upon how
you want the user to be authenticated. For example, if you just want to
make sure that a Windows account is used to access the database server, but
it doesn't necessarily have to be the user who is authenticated to the
site, you can simply impersonate the specific user account necessary in
code so that you can access the database.

306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

If it is important to you that the user be the specific person browsing the
application, you can use the same article to impersonate the authenticated
user. Both of these ideas allow you to run under the context of a
privileged account for the least amount of time required to get the job
done.

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(e-mail address removed)

This post is provided "AS-IS" with no warranties and confers no rights.

--------------------
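The two approaches in Jim's reply (impersonate a fixed Windows account in code, or impersonate the authenticated user) can be written so that the privileged context exists only for the duration of the database call. The following is an added example for this thread, not code from KB 306158 or from the original posters; it follows the LogonUser/DuplicateToken/WindowsIdentity.Impersonate pattern that article describes. The domain, account, server, table and class names are hypothetical, and the password is passed in as a parameter because it must come from protected storage rather than source code.

```csharp
// Added example for this thread (not from KB 306158 or the original posters). It
// follows the LogonUser/DuplicateToken/WindowsIdentity.Impersonate pattern that
// article describes. Account, domain, server and table names are hypothetical.
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Impersonates a fixed Windows account for exactly the lifetime of a 'using' block.
public class ScopedImpersonation : IDisposable
{
    // NETWORK_CLEARTEXT keeps the credentials available for outbound hops (SQL Server,
    // file shares); a plain NETWORK logon would not. INTERACTIVE also works but requires
    // the account to hold the "Log on locally" right, which a service account should not need.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int SECURITY_IMPERSONATION = 2;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool DuplicateToken(IntPtr token, int impersonationLevel, out IntPtr duplicate);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private IntPtr primaryToken = IntPtr.Zero;
    private IntPtr impersonationToken = IntPtr.Zero;
    private WindowsImpersonationContext context;

    public ScopedImpersonation(string domain, string user, string password)
    {
        // On Windows 2000, LogonUser requires the SE_TCB_NAME privilege; XP and 2003 do not.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out primaryToken))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        if (!DuplicateToken(primaryToken, SECURITY_IMPERSONATION, out impersonationToken))
        {
            CloseHandle(primaryToken);
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        context = new WindowsIdentity(impersonationToken).Impersonate();
    }

    public void Dispose()
    {
        // Undo first, then release both handles, so a failure cannot leave the thread impersonating.
        if (context != null) { context.Undo(); context = null; }
        if (impersonationToken != IntPtr.Zero) { CloseHandle(impersonationToken); impersonationToken = IntPtr.Zero; }
        if (primaryToken != IntPtr.Zero) { CloseHandle(primaryToken); primaryToken = IntPtr.Zero; }
    }
}

public class OrderRepository
{
    // Hypothetical server and database names.
    private const string ConnectionString =
        "Data Source=dbserver;Initial Catalog=Sales;Integrated Security=SSPI";

    // Option 1: a dedicated service account, regardless of who is browsing.
    public static int CountOrders(string domain, string serviceUser, string servicePassword)
    {
        using (new ScopedImpersonation(domain, serviceUser, servicePassword))
        {
            return RunCount();
        }
    }

    // Option 2: the authenticated browser user. For a database on another machine this
    // only works with Kerberos delegation configured as in KB 810572; with NTLM the second
    // hop fails and SQL Server reports a login failure for NT AUTHORITY\ANONYMOUS LOGON.
    public static int CountOrdersAsCaller(HttpContext ctx)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null)
            throw new InvalidOperationException("Windows authentication is required.");
        WindowsImpersonationContext ic = caller.Impersonate();
        try { return RunCount(); }
        finally { ic.Undo(); }
    }

    private static int RunCount()
    {
        // Opened inside the impersonation scope: the SSPI handshake happens at Open().
        using (SqlConnection cn = new SqlConnection(ConnectionString))
        {
            cn.Open();
            SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", cn);
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Two things to check before using either option. First, the connection must be opened while impersonating, because that is when the integrated login happens; a connection opened earlier under the process account stays the process account's. Second, SqlClient pools connections per Windows identity, so option 2 creates one pool per browsing user and loses most of the benefit of pooling, whereas option 1 shares a single pool under the service account.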
From: "Wm. Scott Miller" <[email protected]>
References: <#[email protected]>
Subject: Re: Machine.Config -- ProcessModel vs Identity Impersonation
Date: Tue, 25 May 2004 12:07:25 -0400
Lines: 72
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: ip207064.pat.wvnet.edu 129.71.207.64
Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework.aspnet:236136
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

So, in the case of wanting to access a network share or database (integrated
security) which would be better or expose the least in security
vulnerabilities? Or in the case of the database and ASP.NET, is integrated
the way to go?

Thanks for the reply,
Scott
