Re: How to disable all this security?
- From: "Norman Yuan" <NoOne@xxxxxxxxxx>
- Date: Wed, 04 May 2005 04:33:48 GMT
Again, as I said in previous post, you need to know which account is
actually running the ASP.NET app under different configuration. For example,
by default, it is MachineName\ASP (or MachineName\Network Service in
Win2003). But if you apply "impersonate=true", then things could change: if
you allow anonymous access, the running account will be impersonated to
"IUSER_MachineName"; if you apply Windows Authentication, it becomes client
user's Windows account.... Yes, it is a bit complicated at the beginning and needs
some time to learn/remember. You can quickly add a test page into your
ASP.NET app to examine exactly who is running it with different
configuration, like following:

Add a test page to the project, and add a Label to the page. Add following
code in Page_Load()
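
private void Page_Load(object sender, System.EventArgs e)
{
    // Only fill the label on the first request, not on postbacks.
    if (!Page.IsPostBack)
    {
        // Name of the user attached to the current request.
        Label1.Text = Page.Context.User.Identity.Name;
    }
}
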
Set this page as start page and run the project. You will see which user
account is used. Try different configuration: anonymous/Windows
authentication, impersonate or not....

Once you know who exactly is running, you should not have difficulty to give
it access to SQL Server database, if you know how to correctly set up login
on SQL server and create user to database.

HTH
"kvr901" <kvr901@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E5496246-DFB6-4BF8-BF54-DD01B8E45A55@xxxxxxxxxxxxxxxx
> I tried your suggestion, but still have the same problem. It works fine as
> long as the server IIS is set to not allow Anonymous logins.
>
> I even went so far as to make the ASPNET user a member of the computer
> Administrators group, and gave the ASPNET user in SQL Server every possible
> permission and role I could find. (all these changes I can undo very quickly
> by restoring with a Ghost image).
>
> If you have a moment perhaps you can look at this Web.config stuff and maybe
> you will see something I did wrong. Most of the stuff is as VS created it.
> I added the <appsettings> part, the connection string was produced by VS and
> I put it here instead. melissa8 is the laptop. srv-GX200 is the test Win2k3
> server. 1aTestData is the SQL Server database.
>
> I added this: <identity impersonate="true" />
> Set customErrors to "Off"
> Set Authentication to "None"
>
> I didn't mean to imply I never want security, but if someone doesn't see
> something I did wrong it would be nice to be able to easily configure
> everything to full Administrator-like permissions so I can play with VS/SQL
> Server for now. (I have absolutely no concerns about hackers. They can hack
> all they want. There is nothing private on any of these machines. I can
> restore from Ghost images in a few minutes).
>
> TIA
>
> <?xml version="1.0" encoding="utf-8" ?>
> <configuration>
>
>   <appSettings>
>     <add key="MyConnectionString" value="workstation id=melissa8;packet size=4096;integrated security=SSPI;data source=srv-GX200;persist security info=False;initial catalog=1aTestData"/>
>   </appSettings>
>
>   <system.web>
>
>     <identity impersonate="true" />
>
>     <!-- DYNAMIC DEBUG COMPILATION
>          Set compilation debug="true" to insert debugging symbols (.pdb information)
>          into the compiled page. Because this creates a larger file that executes
>          more slowly, you should set this value to true only when debugging and to
>          false at all other times. For more information, refer to the documentation about
>          debugging ASP.NET files.
>     -->
>     <compilation defaultLanguage="vb" debug="true" />
>
>     <!-- CUSTOM ERROR MESSAGES
>          Set customErrors mode="On" or "RemoteOnly" to enable custom error
>          messages, "Off" to disable.
>          Add <error> tags for each of the errors you want to handle.
>
>          "On" Always display custom (friendly) messages.
>          "Off" Always display detailed ASP.NET error information.
>          "RemoteOnly" Display custom (friendly) messages only to users not running
>          on the local Web server. This setting is recommended for security purposes, so
>          that you do not display application detail information to remote clients.
>     -->
>     <customErrors mode="Off" />
>
>     <!-- AUTHENTICATION
>          This section sets the authentication policies of the application.
>          Possible modes are "Windows", "Forms", "Passport" and "None"
>
>          "None" No authentication is performed.
>          "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to
>          its settings for the application. Anonymous access must be disabled in IIS.
>          "Forms" You provide a custom form (Web page) for users to enter their credentials, and then
>          you authenticate them in your application. A user credential token is stored in a cookie.
>          "Passport" Authentication is performed via a centralized authentication service provided
>          by Microsoft that offers a single logon and core profile services for member sites.
>     -->
>     <authentication mode="None" />
>
>     <!-- AUTHORIZATION
>          This section sets the authorization policies of the application.
>          You can allow or deny access to application resources by user or role.
>          Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users.
>     -->
>     <authorization>
>       <allow users="*" /> <!-- Allow all users -->
>
>       <!-- <allow users="[comma separated list of users]"
>                   roles="[comma separated list of roles]"/>
>            <deny users="[comma separated list of users]"
>                  roles="[comma separated list of roles]"/>
>       -->
>     </authorization>
>
>     <!-- APPLICATION-LEVEL TRACE LOGGING
>          Application-level tracing enables trace log output for every page within an application.
>          Set trace enabled="true" to enable application trace logging. If pageOutput="true", the
>          trace information will be displayed at the bottom of each page. Otherwise, you can view the
>          application trace log by browsing the "trace.axd" page from your web application root.
>     -->
>     <trace enabled="false" requestLimit="10" pageOutput="false"
>            traceMode="SortByTime" localOnly="true" />
>
>     <!-- SESSION STATE SETTINGS
>          By default ASP.NET uses cookies to identify which requests belong to a particular session.
>          If cookies are not available, a session can be tracked by adding a
>          session identifier to the URL.
>          To disable cookies, set sessionState cookieless="true".
>     -->
>     <sessionState
>       mode="InProc"
>       stateConnectionString="tcpip=127.0.0.1:42424"
>       sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
>       cookieless="false"
>       timeout="20"
>     />
>
>     <!-- GLOBALIZATION
>          This section sets the globalization settings of the application.
>     -->
>     <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
>
>   </system.web>
>
> </configuration>
>
> "Norman Yuan" wrote:
>
> > Disable ALL security? How about disable IIS and SQL Server altogether? :(.
> >
> > It seems your ASP.NET cannot access Pub database on SQL server. It is
> > simple: you need to grant the user account, which is used to run ASP.NET
> > application on the IIS, access permission to SQL Server and Pub database (or
> > any other database that your ASP.NET app uses). If you did not make special
> > configuration to your Asp.net app, by default, the user account used is
> > MachineName\ASPNET. You need to create a login on SQL Server for this account
> > and grant it access to Pub database. If you have SQL Server's Enterprise
> > Manager installed, it is a very simple task.
> >
> > I understand your "disable all security" rant was out of frustration, but
> > the reality is, if no security, no SQL Server and no ASP.NET. Period.
>
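
An extended version of the test page from the reply above, as an added example that is not part of the original thread: it shows the Windows account the request thread runs as, the user ASP.NET attached to the request, what IIS authenticated, and the login SQL Server reports for the integrated-security connection. The class name WhoAmI and the Label1 declaration are assumptions; MyConnectionString is the appSettings key from the quoted Web.config.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind for a hypothetical WhoAmI.aspx diagnostic page.
public class WhoAmI : Page
{
    protected Label Label1; // assumes <asp:Label id="Label1" runat="server" /> in the .aspx
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        StringBuilder sb = new StringBuilder();
        // Windows account the request thread runs as (worker process or impersonated).
        Row(sb, "Thread identity", WindowsIdentity.GetCurrent().Name);
        // User that ASP.NET authentication attached to the request; empty for anonymous.
        IIdentity user = Context.User.Identity;
        Row(sb, "Context.User", user.Name);
        Row(sb, "IsAuthenticated", user.IsAuthenticated.ToString());
        // What IIS itself authenticated before handing over the request.
        Row(sb, "LOGON_USER", Request.ServerVariables["LOGON_USER"]);
        Row(sb, "AUTH_TYPE", Request.ServerVariables["AUTH_TYPE"]);
        // Login that SQL Server sees for the integrated-security (SSPI) connection.
        try
        {
            string cs = ConfigurationSettings.AppSettings["MyConnectionString"]; // .NET 1.x API
            using (SqlConnection conn = new SqlConnection(cs))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                Row(sb, "SQL Server login", Convert.ToString(cmd.ExecuteScalar()));
            }
        }
        catch (SqlException ex)
        {
            Row(sb, "SQL Server error", ex.Message);
        }
        Label1.Text = sb.ToString();
    }
    // Appends one HTML-encoded "name: value" line, marking empty values explicitly.
    private static void Row(StringBuilder sb, string name, string value)
    {
        string shown = (value == null || value.Length == 0) ? "(empty)" : value;
        sb.Append(HttpUtility.HtmlEncode(name + ": " + shown)).Append("<br />");
    }
}
```

Context.User is empty whenever the request is anonymous, so the thread identity and SUSER_SNAME() lines are the ones to compare against the logins defined on SQL Server. Delete the page once the configuration is settled.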