Thread identity

[Raster Space]

I have managed Web Application running on ASPNET user rights. How can I
execute certain (not all) methods with administrator privileges? Any ideas?

 

[Joe Kaplan \(MVP - ADSI\)]

You can impersonate an administrator for the duration of the call, or you
can run the worker process as the administrator and undo the impersonation
during the call. You can also put the admin code in a COM+ application that
runs under a different identity.

The WindowsImpersonationContext starts and stops impersonation. The only
other thing is getting the logon token for the administrator to use to
impersonate. The MSDN docs on WindowsImpersonationContext have a good
sample on that though. Then the problem is securely storing the
credentials...

Joe K.

 

[Dominick Baier [DevelopMentor]]

Hello Joe,

please - don't use impersonation for that -

both approaches using impersonation will get you in trouble -

a) WP runs as admin
when an attacker can take over the application - he is admin

b) WP runs as ASPNET - you impersonate admin
you need to use LogonUser for that - where do you want to store the admin
pwd - what happens with password change policy a.s.o...

write a local COM+ server (even remoting would be ok that has the necessary
privileges - factor out the code - and call into it from your ASP.NET app

 

[Joe Kaplan \(MVP - ADSI\)]

Agreed. I was just trying to explain the available approaches. The COM+
method is definitely the way to go. However, he may not want to deal with
that. As long as the risks are known (which I did not explain in any good
detail ).

Joe K.

 

[Raster]

Thanks guys! The COM+ method works just fine.

Agreed. I was just trying to explain the available approaches. The COM+
method is definitely the way to go. However, he may not want to deal with
that. As long as the risks are known (which I did not explain in any good
detail ).

Joe K.