IIS/ASP.NET impersonation probelm

[Ram]

I need to create custome performance counters for my asp.net application,
these counters am creating in application_start event.

to create this counters i used following setting in IIS and web.config file

in IIS ---> Directory security tab--->
1) checked anonymus access and integrated windows authentication
2) settings in web.config --->

<identity impersonate = "true" userName = "mycomputername\TestRam"
password = "<password>" />

<authorization>
<allow users="*" />
</authorization>

<authentication mode="Windows" />

with the above settings its works fine, TestRam is local Admin

Now with my requirement I should not use plain password in my web.config, i
decided to use this thorugh IIS setting

in IIS ---> Directory security tab--->
1) checked anonymus access and integrated windows authentication
2) In anonymus section, i used following account as my anonymus account
mycomputername\TestRam
3) settings in web.config --->

<identity impersonate = "true" />

<authorization>
<allow users="*" />
</authorization>

<authentication mode="Windows" />

if i run the application i will get " Reqired registry access not allowed"

when i check identity account through "Envirnoment.UserName" i will see the
above account and even with "Windowsidentity.GetCurrent().name"

Even I gave explicitly full control permissions to above account in
following registrys

1)HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\CURRENTVERSION\Perflib
2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as ControlSet002



can anybody help me as it is due to move to my technical center


Regards
Ram

 

[Joe Kaplan \(MVP - ADSI\)]

This is a bad approach. You really ought to install things like event log
sources and perf counters during the initial deployment of your application.
Let an admin do that. Then, in your code, you just instantiate your perf
counters and write to them.

You can do this easily by creating some PerformanceCounterInstaller classes
in your assembly and having an admin run installutil.exe on your assembly.
This way, your app can run as a normally privileged user as well and you
won't need to worry about hiding credentials. It is a win/win across the
board.

Joe K.

 

[Ram]

Thanks Joe

Yes, I will use installutill to install, in the mean i found the reason why
it is not doing before, i am creating counters in application_start event,at
this instance still impersonation has not yet applied, still it takes ASPNET
user, so i moved my logic to session_start event.
it worked well.

Ram

 

[Dominick Baier [DevelopMentor]]

IMO this is still a bad approach - you run your app with elevated privs...whats
wrong with pre-registering that stuff from an admin console??