Re: Machine.Config -- ProcessModel vs Identity Impersonation
From: Jim Cheshire [MSFT] (jamesche_at_online.microsoft.com)
Date: 06/01/04
- Next message: Curt_C [MVP]: "Re: I can't modify web.config"
- Previous message: Ignacio Machin \( .NET/ C# MVP \): "Re: Adding eventhandler to control"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 01 Jun 2004 15:01:13 GMT
Hi Scott,
Sorry for the delay. I've been out of the office.
Integrated security is perfectly fine, but you must be aware of some of the
caveats involved. By default, integrated security is going to use NTLM,
and NTLM does not allow for delegation of credentials. In other words, if
your database server is on a different computer than IIS (and it should
be), NTLM security isn't going to work because in order to authenticate to
the database, your user's credentials have to be passed by IIS to the
database server on behalf of the user, and NTLM is designed to fail in that
scenario. Instead, you need to configure Kerberos authentication and
delegation.
810572 HOW TO: Configure an ASP.NET Application for a Delegation Scenario
http://support.microsoft.com/?id=810572
If you want to use integrated security, how you proceed depends upon how
you want the user to be authenticated. For example, if you just want to
make sure that a Windows account is used to access the database server, but
it doesn't necessarily have to be the user who is authenticated to the
site, you can simply impersonate the specific user account necessary in
code so that you can access the database.
306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158
If it is important to you that the user be the specific person browsing the
application, you can use the same article to impersonate the authenticated
user. Both of these ideas allow you to run under the context of a
priviledged account for the least amount of time required to get the job
done.
Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
jamesche@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------
>From: "Wm. Scott Miller" <Scott.Miller@spam.killer.wvinsurance.gov>
>References: <#C1V5wbQEHA.3456@TK2MSFTNGP11.phx.gbl>
<temSN7mQEHA.752@cpmsftngxa10.phx.gbl>
>Subject: Re: Machine.Config -- ProcessModel vs Identity Impersonation
>Date: Tue, 25 May 2004 12:07:25 -0400
>Lines: 72
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
>Message-ID: <uFj7fJnQEHA.3232@TK2MSFTNGP11.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: ip207064.pat.wvnet.edu 129.71.207.64
>Path:
cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11
phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework.aspnet:236136
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>So, in the case of wanting to access a network share or database
(integrated
>security) which would be better or expose the least in security
>vulnerabilities? Or in the case of the database and ASP.NET, is integrated
>the way to go?
>
>Thanks for the reply,
>Scott
>
>"Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
>news:temSN7mQEHA.752@cpmsftngxa10.phx.gbl...
>> Scott,
>>
>> If you set the processModel element, all threads that are executed by
>> ASP.NET will run under that context. If you set the <identity> element,
>> the main thread will run under the impersonated identity, but any new
>> threads you create will run under the identity specific in the
>> <processModel>. That is one difference that many developers don't
>realize.
>>
>> You typically would not set the <identity> element in the machine.config.
>> Instead, it is most often set at the web.config level. It's important to
>> realize that you do not have to explicitly set a username and password
for
>> the <identity> element. If you simply enable impersonation without
>> specifying a user, the identity will be that of the user who is
>> authenticated in IIS or the anonymous account if none is authorized.
>>
>> In short, the <processModel> element is used to (among other things)
>> specify which weak account (preferably) will be used to run the worker
>> process. The <identity> element is used to specify that ASP.NET code
>> should be run as a user other than the process account.
>>
>> Jim Cheshire, MCSE, MCSD [MSFT]
>> ASP.NET
>> Developer Support
>> jamesche@online.microsoft.com
>>
>> This post is provided "AS-IS" with no warranties and confers no rights.
>>
>> --------------------
>> >From: "Wm. Scott Miller" <Scott.Miller@spam.killer.wvinsurance.gov>
>> >Subject: Machine.Config -- ProcessModel vs Identity Impersonation
>> >Date: Mon, 24 May 2004 14:23:32 -0400
>> >Lines: 10
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
>> >Message-ID: <#C1V5wbQEHA.3456@TK2MSFTNGP11.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >NNTP-Posting-Host: ip207064.pat.wvnet.edu 129.71.207.64
>> >Path:
>>
>cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP1
1
>> phx.gbl
>> >Xref: cpmsftngxa10.phx.gbl
>microsoft.public.dotnet.framework.aspnet:235889
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >
>> >What is the difference between using a username and password in the
>> >processmodel section vs using one in impersonation in the machine.config
>> >file? What are the advantages of each and what are the reasons for
using
>> >each?
>> >
>> >Thanks for any replies,
>> >Scott
>> >
>> >
>> >
>> >
>>
>
>
>
- Next message: Curt_C [MVP]: "Re: I can't modify web.config"
- Previous message: Ignacio Machin \( .NET/ C# MVP \): "Re: Adding eventhandler to control"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
