To Be or To Impersonate, that is the Question

Discussion in 'ASP .Net Security' started by Gary Bagen, Mar 5, 2004.

  1. Gary Bagen

    Gary Bagen Guest

    Alrighty, my continued foray into accessing network resources from the
    web server continues...

    When employees hit the intranet ASP.NET applications on our web
    servers (dev, test, prod), they may need access to network resources
    from those servers (like the network printer or another network
    share).

    We are not running Kerberos so that throws out IIS impersonation of
    the Windows user hitting the app. (<identity impersonate="true" /> in
    web.config).

    That leaves three options that I have found:
    1) In the web.config of each app: <identity impersonate="true"
    username="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
    />

    2) In the machine.config of each server: <identity impersonate="true"
    username="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\HiddenCredential\ASPNET_SETREG,password"
    />

    3) In the ProcessModel of machine.config using the registry pointers
    as above. If IIS 6, then the GUI Admin.

    Between option 2 & 3, which is the preferred method? The applications
    don't care, they'll get that user in either situation (unless they
    override identity in web.config).

    When I present these three options to the group I want to be able to
    tell them the pros and cons between 2 & 3 since they appear very
    similar on the surface. I think I understand that underneath option 2
    has the worker process impersonating an identity while option 3 has
    the inetinfo.exe being the identity.

    Thanks,
    Gar
     
    Gary Bagen, Mar 5, 2004
    #1

  2. Paul Glavich

    Paul Glavich Guest

    With option 1, obviously web.config is easier to access for a malicious user
    than the machine.config (yes, you have the credentials encrypted, but it is
    still easier to find this 'clue' than with the machine.config) as the
    machine.config is locked down further using ACLs.

    The machine.config option affects ASP.NET globally though, so any other
    ASP.NET applications on the machine would also be affected.

    What about setting up a defined network user, with only minimum privileges
    (to the printer and network share), and storing these credentials in the
    database, to use for you to programmatically impersonate. Just a thought.

    --
    - Paul Glavich


     
    Paul Glavich, Mar 7, 2004
    #2
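One way to do what Paul suggests, as an added example that is not code from the thread: a dedicated, least-privilege domain account is impersonated programmatically only for the network call, then reverted, so the worker process and the rest of the application keep their normal identity. The domain, account name and share path are assumptions, and the password is handed in by the caller from a protected store (the aspnet_setreg registry keys from the thread, or a database) rather than being read from page code.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread): run one network operation as a dedicated
// least-privilege account, then revert. Domain, account and share path are placeholders.
public class NetworkImpersonator
{
    // Network-only logon: the thread keeps its local identity but presents these
    // credentials to remote servers. They are validated on first remote use, not here.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;
    public delegate void WorkItem();

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Impersonates domain\user for the duration of 'work' only; always reverts.
    public static void RunAs(string domain, string user, string password, WorkItem work)
    {
        IntPtr token = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                           LOGON32_PROVIDER_WINNT50, out token))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            ctx = WindowsIdentity.Impersonate(token);
            work();
        }
        finally
        {
            if (ctx != null) ctx.Undo();          // revert before the thread is reused
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }

    // Page-level use: copy a report to a share the worker process itself cannot reach.
    // svcPassword comes from a protected store (e.g. the aspnet_setreg keys), not from page code.
    public static void CopyReport(string sourcePath, string svcPassword)
    {
        RunAs("CORP", "svc_intranet_print", svcPassword, delegate
        {
            File.Copy(sourcePath, @"\\fileserver\reports\" + Path.GetFileName(sourcePath), true);
        });
    }
}
```

Because the logon type is network-only, the service account needs no "log on locally" right on the web server, and the ACLs on the share and printer are the only permissions it should hold.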
