Membership functions connect to Sql Server as Process Identity, not user identity??

Discussion in 'ASP .Net Security' started by andrew.sher@gmail.com, Apr 16, 2006.

  1. Guest

    When I attempt to use any of the Membership class functions (eg
    getAllUsers()) to access my db from my web app, it is my
    mydomain/processidentity attempting to log in to sql server, and this
    is failing as this id has not been granted access in sql server (on
    purpose). I am using windows authentication (in web.config), with
    impersonation on, and basic authentication turned on, anonymous access
    off, in IIS. When I access the database by means other than through
    the Membership class, such as creating my own sql commands,
    sqldatareaders, etc., I correctly log into sql server as the
    impersonated user. Looking at the audit logs, it seems that regardless
    of my impersonation settings, the Membership class functions run under
    the processidentity id, not the impersonated user id. Is this by design
    and is there any way around this? For the life of me I can't figure out
    why these Membership functions do not assume the user id like
    everything else does. I'm desperate for a solution and haven't found a
    solution anywhere.
     
    , Apr 16, 2006
    #1

  2. right - that's by design - and i would call it a feature..

    Do you really want that every single user of your system has direct access
    to your credentials database??

    out of curiosity - why do you use membership when you use Windows Authentication?

    - and to answer your question - there is no way around it - you could download
    the sources of the SqlMembershipProvider and remove the code that checks
    for impersonation if thats really what you want/need...

    http://download.microsoft.com/downl...-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > When I attempt to use any of the Membership class functions (eg
    > getAllUsers()) to access my db from my web app, it is my
    > mydomain/processidentity attempting to log in to sql server, and this
    > is failing as this id has not been granted access in sql server (on
    > purpose). I am using windows authentication (in web.config), with
    > impersonation on, and basic authentication turned on, anonymous access
    > off, in IIS. When I access the database by means other than through
    > the Membership class, such as creating my own sql commands,
    > sqldatareaders, etc., I correctly log into sql server as the
    > impersonated user. Looking at the audit logs, it seems that regardless
    > of my impersonation settings, the Membership class functions run under
    > the processidentity id, not the impersonated user id. Is this by
    > design and is there any way around this? For the life of me I can't
    > figure out why these Membership functions do not assume the user id
    > like everything else does. I'm desperate for a solution and haven't
    > found a solution anywhere.
    >
     
    Dominick Baier [DevelopMentor], Apr 16, 2006
    #2

  3. Guest

    Thank you for replying, this has been bothering me for days. To answer
    your questions, the reason I want to use membership while using windows
    authentication is this site serves as an administration portal for
    another site, and thus every user of this system by definition is to
    have direct access to the credentials db. That other site does use
    forms authentication and the membership class for everything. While the
    other site is open to any public user, those in charge want to have a
    more secure method of gathering/displaying aggregate user data, and
    thus would like to use windows authentication so that only certain
    users in their domain are able to login to the admin site. As another
    layer of security, they want to be able to restrict the execution of
    the aggregate stored procedures by setting exec permissions on Sql
    Server to specific users, thus the reason I need to be able to
    impersonate the user all the way to sql server (even though
    theoretically the only people who can get into the admin site in the
    first place will be those that have the credentials to also run the
    aggregate sp's in the database). I know the drawbacks of impersonating
    to sql server, including connection pool issues, but that's the way it
    has to be. The reason I wanted to use the Membership functions in my
    admin app is that they provide exactly the functionality I need since
    all the data in the db is modeled around Membership. I could rewrite
    all of the procedure calls, but chances are it won't be as quick or
    correct as the real ones, but it looks like that's what I need to do.

    On a side note, thank you Dominick for providing the ShowContexts.aspx
    file on your website, I've been using it this last week and it's helped
    me learn a lot about impersonation, security, etc.
     
    , Apr 16, 2006
    #3
  4. thanks, glad it is useful :)

    as i said - you could just use the source of the sql provider released by
    MS last week and remove the impersonation/revert to self code - look out
    for calls to "SqlConnectionHelper.GetConnection()"

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Thank you for replying, this has been bothering me for days. To answer
    > your questions, the reason I want to use membership while using
    > windows authentication is this site serves as an administration portal
    > for another site, and thus every user of this system by definition is
    > to have direct access to the credentials db. That other site does use
    > forms authentication and the membership class for everything. While
    > the other site is open to any public user, those in charge want to
    > have a more secure method of gathering/displaying aggregate user data,
    > and thus would like to use windows authentication so that only certain
    > users in their domain are able to login to the admin site. As another
    > layer of security, they want to be able to restrict the execution of
    > the aggregate stored procedures by setting exec permissions on Sql
    > Server to specific users, thus the reason I need to be able to
    > impersonate the user all the way to sql server (even though
    > theoretically the only people who can get into the admin site in the
    > first place will be those that have the credentials to also run the
    > aggregate sp's in the database). I know the drawbacks of impersonating
    > to sql server, including connection pool issues, but that's the way it
    > has to be. The reason I wanted to use the Membership functions in my
    > admin app is that they provide exactly the functionality I need since
    > all the data in the db is modeled around Membership. I could rewrite
    > all of the procedure calls, but chances are it won't be as quick or
    > correct as the real ones, but it looks like that's what I need to do.
    >
    > On a side note, thank you Dominick for providing the ShowContexts.aspx
    > file on your website, I've been using it this last week and it's
    > helped me learn a lot about impersonation, security, etc.
    >
     
    Dominick Baier [DevelopMentor], Apr 16, 2006
    #4
  5. Guest

    Thanks again, I was wondering where the code was to change
    impersonation. Now I have to figure out how to take the
    SqlMembershipProvider, make my changes, and get it to compile
    correctly. I tried to just copy all the source that microsoft provided
    and put it in my app_code folder and change my settings in the
    web.config file, but I got a compile error saying Microsoft.Samples.SR
    is inaccessible due to its protection level. I don't know what this
    means, so back to googling for answers.
     
    , Apr 16, 2006
    #5
  6. not sure what's your problem - it compiles fine here -

    SR is internal - maybe change it to public / don't put it in App_Code

    the impersonation code in question is (in SqlConnectionHolder.Open)

    if (revertImpersonate) {
        using (HostingEnvironment.Impersonate()) {
            Connection.Open();
        }
    }
    else {
        Connection.Open();
    }

    just change it to

    Connection.Open();


    (not tested)


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Thanks again, I was wondering where the code was to change
    > impersonation. Now I have to figure out how to take the
    > SqlMembershipProvider, make my changes, and get it to compile
    > correctly. I tried to just copy all the source that microsoft provided
    > and put it in my app_code folder and change my settings in the
    > web.config file, but I got a compile error saying Microsoft.Samples.SR
    > is inaccessible due to its protection level. I don't know what this
    > means, so back to googling for answers.
    >
     
    Dominick Baier [DevelopMentor], Apr 16, 2006
    #6
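An added diagnostic page, not from this thread or from the provider toolkit, that makes the identity switch Dominick describes visible; it assumes the poster's configuration (Windows authentication, impersonation on, Basic auth with anonymous access off) and a hypothetical code-behind class name:

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Hosting;
using System.Web.UI;

// Hypothetical diagnostic page (not part of the thread or the toolkit).
// Assumes <authentication mode="Windows"/> and <identity impersonate="true"/>
// in web.config, Basic authentication on and anonymous access off in IIS.
public partial class WhoOpensTheConnection : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. The authenticated caller as ASP.NET sees it (from Basic auth).
        string principal = HttpContext.Current.User.Identity.Name;

        // 2. The Windows token the request thread runs under. With
        //    <identity impersonate="true"/> this is the caller, and it is
        //    what a hand-written SqlConnection.Open() presents to SQL Server.
        string threadToken = WindowsIdentity.GetCurrent().Name;

        // 3. What SqlConnectionHolder.Open does when revertImpersonate is
        //    true: HostingEnvironment.Impersonate() swaps the thread token for
        //    the application identity (the worker process account under this
        //    configuration) for the lifetime of the using block. This is the
        //    login that shows up in the SQL Server audit log for Membership
        //    calls.
        string appIdentity;
        using (HostingEnvironment.Impersonate())
        {
            appIdentity = WindowsIdentity.GetCurrent().Name;
        }

        // 4. The caller's token is restored once the using block ends.
        string restored = WindowsIdentity.GetCurrent().Name;

        Response.ContentType = "text/plain";
        Response.Write("HttpContext user:                      " + principal + "\n");
        Response.Write("Thread token (your own SqlCommand):    " + threadToken + "\n");
        Response.Write("Inside Impersonate() (Membership SQL): " + appIdentity + "\n");
        Response.Write("Thread token after the block:          " + restored + "\n");
    }
}
```

Lines 2 and 3 of the output are the two accounts that can reach SQL Server from this app; compare them with the SQL Server audit log before deciding which one the grants should go to.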
  7. Guest

    My problem was in the web.config provider element, I tried to refer to
    my custom provider without using the 'Microsoft.Samples...' prefix in
    the type string. It's all working perfectly now, thanks.
     
    , Apr 16, 2006
    #7
