Who am I impersonating?

Discussion in 'ASP .Net Security' started by Gary Bagen, Feb 27, 2004.

  1. Gary Bagen

    Gary Bagen Guest

    Is there a way I can get the user of the identity I will be
    impersonating to get network resources?

    I know WindowsIdentity.GetCurrent().Name for the person coming into
    the ASP.NET app but I want to do some testing of different
    combinations of impersonating based on Anon, Windows Auth, and
    impersonate = true in web.config. So I am looking for the identity
    that will be used for the ASP.NET app to go to a network resource.

    thanks,
    Gar
     
    Gary Bagen, Feb 27, 2004
    #1

  2. If the question is, "can I impersonate the caller in such a way that I can
    access network resources as that caller", then:

    If you are using integrated Windows authentication at the IIS level, the
    answer is "no", unless:
    * You enable Kerberos delegation for the account and the machines involved
    in the delegation, or
    * Your web browser is on the same machine as the web server.

    If you are using Basic authentication at the IIS level, the answer is "yes"
    if Basic auth is configured to use "interactive" logon. This is the default
    for IIS5. (I'm blanking all of a sudden as to whether it is the default for
    IIS6, but I think it isn't.)

    -- Aaron

    "Gary Bagen" <> wrote in message
    news:...
    > Is there a way I can get the user of the identity I will be
    > impersonating to get network resources?
    >
    > I know WindowsIdentity.GetCurrent().Name for the person coming into
    > the ASP.NET app but I want to do some testing of different
    > combinations of impersonating based on Anon, Windows Auth, and
    > impersonate = true in web.config. So I am looking for the identity
    > that will be used for the ASP.NET app to go to a network resource.
    >
    > thanks,
    > Gar
     
    Aaron Margosis [MS], Feb 27, 2004
    #2

  3. Gary Bagen

    Gary Bagen Guest

    Hi Aaron,

    I understand what you are describing, but I have done a poor job of
    asking the right question.

    For production, what we plan on doing is using the ProcessModel
    element of Machine.Config on the web servers to point to a registry
    location for username/password attributes which will use aspnetreg.exe
    for encryption.

    We want to test this out before making a final recommendation. So,
    with my ASP.NET temporary test app, I just wanted to display the name
    of the user the ASP.NET app will use to try and access network
    resources.

    Then I can show depending on how machine.config, web.config, IIS
    Anonymous and IIS Windows Authentication settings determine who will
    try and use network resources from the ASP.NET app. This is not
    something we will be doing in production.

    Thanks,
    Gar

    "Aaron Margosis [MS]" <> wrote in message news:<#AwlUNQ$>...
    > If the question is, "can I impersonate the caller in such a way that I can
    > access network resources as that caller", then:
    >
    > If you are using integrated Windows authentication at the IIS level, the
    > answer is "no", unless:
    > * You enable Kerberos delegation for the account and the machines involved
    > in the delegation, or
    > * Your web browser is on the same machine as the web server.
    >
    > If you are using Basic authentication at the IIS level, the answer is "yes"
    > if Basic auth is configured to use "interactive" logon. This is the default
    > for IIS5. (I'm blanking all of a sudden as to whether it is the default for
    > IIS6, but I think it isn't.)
    >
    > -- Aaron
    >
    > "Gary Bagen" <> wrote in message
    > news:...
    > > Is there a way I can get the user of the identity I will be
    > > impersonating to get network resources?
    > >
    > > I know WindowsIdentity.GetCurrent().Name for the person coming into
    > > the ASP.NET app but I want to do some testing of different
    > > combinations of impersonating based on Anon, Windows Auth, and
    > > impersonate = true in web.config. So I am looking for the identity
    > > that will be used for the ASP.NET app to go to a network resource.
    > >
    > > thanks,
    > > Gar
     
    Gary Bagen, Feb 27, 2004
    #3
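
    Added example, not part of the original thread: one way to build the temporary test page described above is a small handler that prints what IIS authenticated, the ASP.NET principal, the token the request thread currently presents, and the worker-process identity underneath it. The class name `WhoAmIHandler` is hypothetical, and the code assumes .NET Framework 2.0 or later for `GetCurrent(bool)`, `ImpersonationLevel` and the disposable impersonation context.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical diagnostic handler (e.g. the class behind a WhoAmI.ashx file).
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // What IIS authenticated; both are empty for anonymous access.
        r.Write("IIS AUTH_TYPE:    " + context.Request.ServerVariables["AUTH_TYPE"] + "\n");
        r.Write("IIS LOGON_USER:   " + context.Request.ServerVariables["LOGON_USER"] + "\n");

        // The ASP.NET principal used for authorization checks. This is not
        // necessarily the identity of the operating-system token.
        IIdentity user = context.User != null ? context.User.Identity : null;
        r.Write("Context.User:     " + (user == null ? "(none)"
            : "'" + user.Name + "' via '" + user.AuthenticationType + "'") + "\n");

        // GetCurrent(true) returns null unless the thread carries an
        // impersonation token (impersonate="true" or programmatic impersonation).
        WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true);
        r.Write("Impersonating:    " + (threadToken != null) + "\n");

        // The identity presented on resource access right now: the thread
        // token when impersonating, otherwise the process token.
        WindowsIdentity effective = WindowsIdentity.GetCurrent();
        r.Write("Effective token:  " + effective.Name
            + " (level: " + effective.ImpersonationLevel + ")\n");

        // Impersonate(IntPtr.Zero) reverts to the process token for the
        // duration of the using block, exposing the processModel account.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            r.Write("Process identity: " + WindowsIdentity.GetCurrent().Name + "\n");
        }
    }
}
```

    The name on the effective token is the account a network resource would see only if that token can make the extra hop, which depends on the logon type as Aaron describes in #2. The page discloses service account names, so it belongs in the test environment only.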
  4. Tim Thacker

    Tim Thacker Guest

    I've got a similar issue and I think I'm running into the same problem.
    I've got an ASPX page on Server A. Web Service on Server B. I need to
    pass the Windows credentials through Server A to Server B. I've set the
    Impersonate options, turned on Windows Auth. When I run IE from Server A
    everything works fine. Run it from anywhere else and I get Access
    Denied. Is this by design or am I doing something wrong?

    Thanks!
    Tim


     
    Tim Thacker, Feb 27, 2004
    #4
  5. Alek Davis

    Alek Davis Guest

    Tim,

    This is by design (as Aaron described). To summarize, in a typical situation
    (integrated authentication), you cannot pass a user's credentials over one
    machine (i.e. from computer A (IE) through server B (ASPX) to server C (SQL
    Server/Web Service/etc)), unless you enable Kerberos/delegation on the
    network, which is generally not recommended for security reasons.

    Alek

    "Tim Thacker" <> wrote in message
    news:OptxOjX$...
    >
    > I've got a similar issue and I think I'm running into the same problem.
    > I've got an ASPX page on Server A. Web Service on Server B. I need to
    > pass the Windows credentials through Server A to Server B. I've set the
    > Impersonate options, turned on Windows Auth. When I run IE from Server A
    > everything works fine. Run it from anywhere else and I get Access
    > Denied. Is this by design or am I doing something wrong?
    >
    > Thanks!
    > Tim
     
    Alek Davis, Feb 28, 2004
    #5