RE: ASP.Net not impersonating for WSE 2.0

From: Dan Rogers (danro_at_microsoft.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 00:43:12 GMT

Hi Francois,

I think that I understand what you are doing, and have an idea about what
you may be expecting to happen.

When using username tokens in WSE, this is not an integrated security
strategy. The role the SQL server plays is to allow you (the application)
to verify that the calling user is aware of their credentials and has
provided proper credentials with the call. As such, the application should
not expect ASP.NET to impersonate the calling user - since this SOAP based
authentication approach has nothing to do with windows based domain logins.
Using user name tokens delegates all responsibility for auth to the
application writer, and thus is not integrated into windows security at all.

Setting up a database that contains credentials is similar to any
application level database, from a coding perspective. As such, integrated
security is the recommended way to go. But running IIS as the system
account is not recommended, and is resulting in your issues with identity
at the database level. Consider putting IIS back to its normal settings,
and add the impersonation user / password information to the web.config
file. Doing this allows you to use IIS in its low security mode, and have
your web service application calls to the database be made under an
elevated privilege.

Once you have determined that the user knows their credentials, you can
then make your code do the right thing as far as determining the authority
to make a call, etc. Since user tokens involve a degree of "roll your own
application security", a number of application specific strategies are
appropriate after this point.

I hope this helps

Dan Rogers
Microsoft Corporation

--------------------
>From: "Francois" <Francois@discussions.microsoft.com>
>Subject: ASP.Net not impersonating for WSE 2.0
>Date: Mon, 29 Nov 2004 15:19:02 -0800
>Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
>
>I have several web services that use WSE to authenticate calling users.
>I use a UsernameToken that validates the sent username and password
>against our SqlServer database. The SqlServer database is on a
>different machine than the website. For all of my database access I use
>Windows Integrated Security. As such, I've had to change the ASP.Net
>process model to system in the machine.config and set <identity
>impersonate="true" /> in the web.config for the web service project.
>For all regular db access throughout the web services the impersonation
>works and the code can connect to the database with the user we
>specified as the anonymous user for the website.
>
>However, when the password validation code for the AuthenticateToken
>method in my custom UsernameTokenManager object runs
>WindowsIdentity.GetCurrent().Name returns 'NT AUTHORITY\SYSTEM' and the
>database says "Login failed for user 'DOMAIN\MACHINENAME$'"
>
>This means that either the code in AuthenticateToken is run using the
>builtin machine user, or because the class was constructed before
>aspnet_wp.exe switched users according to the <identity
>impersonate="true" /> tag in the web.config.
>
>As I see it, there are only a couple of options to fix this problem:
>1) Add the machine user to the database (is this even possible?)
>2) Change my db to mixed mode authentication (against MS's best
>practices) and store the connection string somewhere
>
>Are there any other options? What have other people done in this
>situation? What is my best solution? I find it hard to believe that
>I'm the only person using WSE to authenticate against SqlServer with
>integrated security, yet I've never seen any documentation on the
>subject nor discussion about it on the newsgroups.
>
>I'm using Windows 2000/IIS 5.0/SQL Server 2000/.NET Framework 1.1 SP2
>
>TIA,
>
>Francois
>
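The setup the two posts describe, as an added example written here rather than code from either poster: a WSE 2.0 UsernameTokenManager that validates the SOAP header credentials against SQL Server over integrated security, with the process kept off the SYSTEM account and a specific low-privilege domain account impersonated via web.config as the reply suggests. The table dbo.Users, the database name AppDb, the server DBSERVER and the account DOMAIN\WseSvc are placeholders.

```csharp
// Added example, not from either post. Assumes a table dbo.Users(Username, Password),
// a SQL Server login for the Windows account DOMAIN\WseSvc, and that this class is
// registered as the UsernameToken securityTokenManager in web.config.
//
// web.config, per the reply: leave the ASP.NET process model at its normal account
// (not SYSTEM) and impersonate a dedicated low-privilege domain account instead:
//   <identity impersonate="true" userName="DOMAIN\WseSvc" password="..." />
// Grant only that account a login and SELECT on dbo.Users, nothing more.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Principal;
using Microsoft.Web.Services2.Security.Tokens;

public class SqlUsernameTokenManager : UsernameTokenManager
{
    // Integrated security: SQL Server sees the Windows identity of the calling thread,
    // so this must run under the impersonated account, not the machine account.
    const string ConnString = "Server=DBSERVER;Database=AppDb;Integrated Security=SSPI";

    // WSE calls this with the token parsed from the <wsse:UsernameToken> header and
    // compares the returned password with what the client sent (plain or digest).
    // Because WSE performs the comparison, the stored password must be recoverable
    // here; with PasswordOption.SendHashed that rules out storing only a one-way hash.
    protected override string AuthenticateToken(UsernameToken token)
    {
        if (token == null || token.Username == null || token.Username.Length == 0)
            throw new ArgumentNullException("token");

        // The diagnostic from the thread: if this logs NT AUTHORITY\SYSTEM, the
        // impersonation is not in effect and the database will reject MACHINENAME$.
        Trace.WriteLine("AuthenticateToken running as " + WindowsIdentity.GetCurrent().Name);

        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(
                   "SELECT Password FROM dbo.Users WHERE Username = @u", conn))
        {
            // Parameterised so the username taken from the SOAP header cannot alter the query.
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 128).Value = token.Username;
            conn.Open();
            object stored = cmd.ExecuteScalar();
            // Unknown user: returning null makes WSE reject the token with a security fault.
            return stored == null ? null : (string)stored;
        }
    }
}
```

Checking WindowsIdentity.GetCurrent().Name inside AuthenticateToken, as the original poster did, is the quickest way to confirm which account the database connection will actually be made under.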
