Pete Beech
Hi all,
apologies if this has come up before, but I've been searching the
whole day and found nothing...
If I have authentication set to "windows", and identity
impersonation="false", do I need to grant access to the authenticated
windows user on the website and its resources (aspx files, etc)?
The MSDN VS.NET documentation has the diagram in this link
(http://msdn.microsoft.com/library/d...ry/en-us/cpguide/html/cpconaspnetdataflow.asp)
- it looks like, if impersonation is set to false, it says it does
'other security checks', but does not go through NTFS ACL security.
Other responses I've seen say that, if impersonation is false, then
you only need to grant access to the ASPNET user.
However, in the Building Secure ASP.NET application book, Chapter 8,
it states "Windows ACLs
Client Requested Resources. The ASP.NET FileAuthorizationModule
performs access checks for requested file types that are mapped to the
ASP.NET ISAPI. It uses the original caller's access token and ACL
attached to requested resources in order to perform access checks.
**** Impersonation is not required. ****"
and later on, about Windows authentication,
"The access token of the authenticated caller (which may be the
Anonymous Internet user account if IIS is configured for Anonymous
authentication) is made available to the ASP.NET application. Note the
following:
This allows the ASP.NET FileAuthorizationModule to perform access
checks against requested ASP.NET files using the original caller's
access token.
Important ASP.NET File authorization only performs access checks
against file types that are mapped to Aspnet_isapi.dll.
*** File authorization does not require impersonation. **** With
impersonation enabled any resource access performed by your
application uses the impersonated caller's identity. In this event,
ensure that the ACLs attached to resources contain an Access Control
Entry (ACE) that grants at least read access to the original caller's
identity."
When I actually try it out, it seems that I do need to have the user
granted access with an ACL on the resource, even with no
impersonation. But this seems to directly contradict the .NET
documentation.
Does this really mean that, if I want to programmatically deny access
or use the authorization tag in the web.config, that I need to set
access to 'Everyone'? Can I really not just grant access to the ASPNET
account? Or am I just misunderstanding this completely?
What I would like is to be able to just grant access to ASPNET, but
still obtain the Windows User identity to do my own custom
authorization. Is this possible?
Hope someone can help me!
Cheers,
Pete
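The custom-authorization path Pete asks about, as an added example that is not from the post or the Microsoft documents it quotes: with Windows authentication and impersonate="false", the caller's WindowsIdentity is still attached to HttpContext.User, so a Global.asax handler can enforce its own rule while the worker thread keeps running as the ASPNET process account. The DOMAIN\WebUsers group name and the handler placement are assumptions; this check runs in addition to the FileAuthorizationModule's NTFS ACL check quoted above, not instead of it.

```csharp
// Global.asax.cs (ASP.NET 1.x, C#). Assumed web.config settings:
//   <authentication mode="Windows" />
//   <identity impersonate="false" />
//   <authorization><deny users="?" /></authorization>   (reject anonymous callers)
using System;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Assumed Windows group for illustration; replace with the real one.
    private const string AllowedGroup = @"DOMAIN\WebUsers";

    // Fires after the WindowsAuthenticationModule has populated Context.User.
    // Because impersonation is off, the thread still executes as ASPNET;
    // only the identity object carries who the original caller is.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        WindowsIdentity caller = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;

        if (caller == null || !caller.IsAuthenticated)
        {
            // No usable Windows identity: ask the client to authenticate.
            ctx.Response.StatusCode = 401;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        // Group membership check against the caller's own token (not ASPNET's).
        if (!ctx.User.IsInRole(AllowedGroup))
        {
            // Record the decision with the caller's name; never log the token.
            ctx.Trace.Warn("authz", "denied " + caller.Name + " for " + ctx.Request.Path);
            ctx.Response.StatusCode = 403;
            ctx.Response.Write("Access denied.");
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Whatever this handler decides, the FileAuthorizationModule still compares the same caller token against the NTFS ACL of the requested .aspx file, which is why the observed behaviour in the post (ACL needed even without impersonation) is consistent with the quoted documentation.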