ASP.NET Impersonation / delegation
From: Magdelin (magdelinsuja_at_newsgroups.nospam)
Date: 04/28/04
- Next message: chornbe: "RE: Copy of a variable instead of referenc to it?"
- Previous message: dm_dal: "Re: System.Text.StreamWriter encoding issue (Framework 1.1)"
- Next in thread: bruce barker: "Re: ASP.NET Impersonation / delegation"
- Reply: bruce barker: "Re: ASP.NET Impersonation / delegation"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 28 Apr 2004 09:31:07 -0700
Hi all,
I am trying to implement ASP.NET impersonation/delegation in an intranet application in C#. The presentation layer, developed in ASP.NET, accesses the business logic via .NET Remoting. The business logic in turn accesses other network resources such as SQL Server and Active Directory.
Both the business logic and the web application are deployed in IIS installed on two separate Win2k servers. Since the application requires "Windows Authentication" in order to implement the declarative role-based security, both the business and presentation layers are configured for impersonation by including the <identity impersonate="true"/> tag in their respective web.config files. The directory security of the business and web applications hosted in IIS is configured for "Integrated Windows Authentication". The anonymous, digest and basic authentication options are not selected.
With the above-mentioned configuration, if the business logic tries to access Active Directory, a COMException occurs with the error message "An operations error has occurred". I believe this error occurs because the impersonated account and the computer on which the business logic runs are not trusted for delegation by the domain controller. The following links explain the reason for such an error.
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
http://support.microsoft.com/default.aspx?kbid=325894
http://support.microsoft.com/default.aspx?kbid=264921
Link to the newsgroup search
http://msdn.microsoft.com/newsgroups/managed/default.aspx?query=double+hop&dg=&cat=en-us-msdnman&lang=en&cr=US&pt=&catlist=&dglist=&ptlist=
Since our security team considers trusting a Win2k server for delegation to be a major security risk, I haven't had the opportunity to test the business logic with the trusted configuration myself. From the trace log it is clear that the authentication type is NTLM and that the account used to test the business logic has sufficient privileges to query Active Directory (AD). The application succeeds in querying AD when account properties (userName and password) are included in the <identity> tag.
Fortunately, I found a few delegation alternatives in MSDN at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconaspnetdelegation.asp
WindowsImpersonationContext.Impersonate() is now considered the best alternative for impersonating an account that is specially created for this purpose. The role-based security will be implemented as before, but for accessing resources such as AD and SQL Server the new helper account will be used. The account that currently runs the process will be impersonated with a special helper account which will have sufficient privileges to impersonate as well as to query AD. Once the task with AD is completed, the Windows identity will revert back to its original credentials. The following link details how to make such impersonation possible. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconImpersonatingReverting.asp
When the impersonation and reversion is tried on the Win2k server, I receive the error message "1314: The required privilege is not held by the client". I know that the LogonUser API requires the "Act as part of the operating system" (SE_TCB_NAME) privilege. But I would like to grant the helper account the least possible privilege.
Is there a privilege other than SE_TCB_NAME that grants less but can still make the LogonUser API work? Is there a better alternative for ASP.NET impersonation/delegation?
Any ideas or pointers to articles would be greatly appreciated.
Thanks in advance.
Magdelin
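The LogonUser / WindowsIdentity.Impersonate / Undo sequence the post describes, written out as an added example; this is not code from the original post or from the linked MSDN article. The domain, helper account name, LDAP path and the AdLookup/HelperImpersonation types are placeholders chosen for illustration. Two points a practitioner should keep in mind when reading it: the privilege LogonUser checks is held by the caller, i.e. the thread's current identity (under <identity impersonate="true"/> that is the authenticated web user, otherwise the ASP.NET process account), not by the helper account being logged on; Windows 2000 demands SeTcbPrivilege for that caller, while Windows Server 2003 and later do not. The revert is done in Dispose() so it also runs when the AD query throws, and the LDAP filter value is escaped so that a user-supplied account name cannot alter the query.

```csharp
// Added example: impersonate a dedicated helper account for an AD query, then revert.
// Names (CORP, svc-adquery, LDAP path) are placeholders, not values from the post.
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public sealed class HelperImpersonation : IDisposable
{
    // Logon type 8 keeps the supplied credentials in the token, so the impersonated
    // thread can authenticate to remote resources (AD, SQL Server). Logon type 3
    // (LOGON32_LOGON_NETWORK) would produce a token that cannot reach a second hop.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int ERROR_PRIVILEGE_NOT_HELD = 1314;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private IntPtr _token = IntPtr.Zero;
    private WindowsImpersonationContext _ctx;

    public HelperImpersonation(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out _token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new Win32Exception(err,
                    "LogonUser failed with 1314: the calling identity (not the helper " +
                    "account) lacks SeTcbPrivilege, which Windows 2000 requires here.");
            throw new Win32Exception(err);
        }
        // From here on the current thread runs as the helper account.
        _ctx = WindowsIdentity.Impersonate(_token);
    }

    public void Dispose()
    {
        // Always revert to the original identity and release the token,
        // whether or not the caller's work inside the using block succeeded.
        if (_ctx != null) { _ctx.Undo(); _ctx = null; }
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}

public static class AdLookup
{
    // Escape the characters RFC 2254 gives special meaning in a filter value.
    public static string EscapeLdapFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns the distinguishedName of the account, or null if not found.
    // Helper credentials should come from protected configuration, never a literal.
    public static string FindUserDn(string ldapPath, string samAccountName,
                                    string helperDomain, string helperUser, string helperPassword)
    {
        using (new HelperImpersonation(helperDomain, helperUser, helperPassword))
        using (DirectoryEntry root = new DirectoryEntry(ldapPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                              + EscapeLdapFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null) return null;
            return (string)result.Properties["distinguishedName"][0];
        }
        // Leaving the block reverts the identity; role-based checks that follow
        // run against the original web user again.
    }
}
```

Usage from the business layer would be a single call such as AdLookup.FindUserDn("LDAP://DC=corp,DC=example", userName, "CORP", "svc-adquery", passwordFromProtectedConfig). The helper account itself needs only the directory read rights the query requires and the "Access this computer from the network" right on the domain controller; it does not need SeTcbPrivilege, since that privilege is evaluated on the thread that calls LogonUser.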