Obtaining Application Pool Identity in Impersonation Mode

Adam Roe

I have an ASP.NET application running on IIS 6.0 that is configured to
impersonate the identity of the user who is accessing the page. I am
wanting to have code that runs as the identity of the application pool for
which this website runs as. Is there a way to do this in code?
 
Jim Cheshire [MSFT]

Adam,

You would normally impersonate only when you want to run code under a
different identity than the application pool. Is there a specific need to
impersonate in your application?

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
 
Adam Roe

The server control that I am building must run in Windows SharePoint
Services, which requires impersonation. I am wanting to connect to a SQL
Server DB using SSPI and I was wanting to run the Application Pool as a
domain user that has rights on the SQL Server database. I am starting to
think that my approach might be wrong. Could you recommend a better way of
doing this? Should I build a COM+ component to make the data call or can I
change the security context on just the Thread while I am making the call?
I haven't done a whole lot with .NET security so any advice would be great.

Thanks
Adam Roe

Jim Cheshire said:
Adam,

You would normally impersonate only when you want to run code under a
different identity than the application pool. Is there a specific need to
impersonate in your application?

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Adam Roe" <[email protected]>
Subject: Obtaining Application Pool Identity in Inpersonation Mode
Date: Wed, 21 Jan 2004 23:31:20 -0500
Lines: 6
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: adsl-67-39-0-49.dsl.dytnoh.ameritech.net 67.39.0.49
Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.
phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet.security:8320
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

I have an ASP.Net application running on IIS 6.0 that is configured to
impersonate the identity of the user who is accessing the page. I am
wanting to have code that runs as the identity of the application pool for
which this website runs as. is there a way to do this in code?
 
Joe Kaplan (MVP - ADSI)

That said, if you really need to be able to do this, you should be able to
strip off the impersonating token by calling the Windows API RevertToSelf
via P/Invoke. If you need to go back to impersonating, you should hold onto
the WindowsIdentity so you can create a new impersonation context.

I also don't understand why you are impersonating if you need to not
impersonate in your app, but perhaps there is a legitimate reason for doing
this.

Joe K.

 
Joe Kaplan (MVP - ADSI)

COM+ is probably the "right" way to do what you want. That allows you more
fine-grained control over the account that is used to access SQL and
decouples it from the ASP.NET worker process.

However, you could probably use the trick I suggested in my other post to
call RevertToSelf and then start impersonation again when you are done.
That would require that you have unmanaged code execution permissions and
sounds a lot like a hack that would be difficult to support. Hence the COM+
suggestion.

Remoting or Web Services would also give you another way to get into a
different process context, but they should all be slower and thus not as
desirable unless you want that additional functionality.

Joe K.
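
The RevertToSelf approach from Joe Kaplan's two replies, as an added C# example that is not code from the thread: it drops the impersonation token, runs the SQL call as the application pool identity, and re-impersonates the caller on every exit path. The class name, connection string and table are hypothetical, and it assumes .NET Framework 3.5 or later with unmanaged-code permission.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ProcessIdentityScope // hypothetical helper, not from the thread
{
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool RevertToSelf();

    // Runs work as the worker process (application pool) identity, then re-impersonates.
    public static void Run(Action work)
    {
        // GetCurrent(true) returns null when the thread is not impersonating.
        WindowsIdentity caller = WindowsIdentity.GetCurrent(true);
        if (caller == null) { work(); return; }
        try
        {
            try
            {
                if (!RevertToSelf())
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                work();
            }
            finally { caller.Impersonate(); } // restore on every exit path
        }
        // An outer catch makes the finally above run before any exception
        // filter further up the stack can execute as the pool identity.
        catch { throw; }
    }

    // Constructed usage: server, database and table names are placeholders.
    public static void InsertItem(string value)
    {
        Run(() =>
        {
            using (var conn = new SqlConnection(
                "Server=SQLHOST;Database=AppDb;Integrated Security=SSPI"))
            using (var cmd = new SqlCommand(
                "INSERT INTO dbo.Items (Value) VALUES (@v)", conn))
            {
                cmd.Parameters.AddWithValue("@v", value);
                conn.Open(); // SSPI authenticates with the thread's current token
                cmd.ExecuteNonQuery();
            }
        });
    }
}
```

Keep the delegate passed to `Run` as small as the data call itself, since everything inside it executes with the application pool account's rights rather than the end user's.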

