I have my ASP.NET web.config set with impersonation
<identity impersonate="true" userName="domainName\userName" password="userPassword" />
I'm running a method like
IO.Directory.GetFiles(somePath)
And monitoring the file system access with Process Monitor
I keep getting all the access requests from the aspnet_wp.exe process to the folder, as the ASPNET user.
Why am I not seeing the access as the impersonated user?
My guess is you have anonymous access on?
As a result it will use the system account... see
Disable anonymous access, and it will use the impersonation account.
#Nix's answer sounds like it might fit the ticket, but you should also check your authorizations in the .config file to make sure they're not conflicting with your impersonation in some way. Have a look at this question for a brief discussion on the subject of grant/deny, and the link in the accepted answer with more info.
Why is <deny users="?" /> included in the following example?
BTW, I have not had conflicts with impersonations and leaving anonymous access on before, so ...
Firstly I just want to say I'm not an ASP developer, I'm PHP through and through...
So my problem is this: all of a sudden a client site has started prompting users to log in when viewing pages in a sub directory. When I download the web.config file I can see the authentication mode set to "Windows". This would appear to be the issue, but it was working up until now, so I set it to None and uploaded the file (there isn't a web.config in the sub directory, just the site root) and it continues to prompt me for the login.
Is there something I need to do to "refresh" the server or something? I've looked through the hosting control panel and can't find anything about anonymous access or restarting the server. It's on a shared hosting account and the control panel is pretty below average.
Any help is greatly appreciated! I'm in a panic and the hosting company doesn't have ASP support on hand.
Thanks,
Mark
In the folder that you want anonymous access, just use the web.config authorization section to allow anonymous users:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
The * essentially means Everyone, so it's just saying that for the current directory, everyone is allowed access; you only need this in the web.config...nothing more.
If you are still receiving prompts after this, then the folder itself must have permissions at the operating system level (NTFS permissions) which do not allow Anonymous access... Although you say the ASP support isn't at hand, I presume you can raise help tickets with them to enable this access?
Edit
I should add that this setting of authorization is different to setting an Authentication scheme (Windows Authentication, Forms Authentication etc). For example, you might have Forms Authentication for your website but specifically want anonymous access to a folder (like this case) so setting your authentication option isn't actually relevant.
This is a follow on to a previous post about being unable to impersonate a currently logged in Windows user. There were many good suggestions, but the previous thread was getting messy, so I am resetting with this post. Hopefully with the current state documented below it will be obvious what the issue is. This is a well worn path, so I have to believe all I am missing is a little configuration step.
PROBLEM: I need to have ASP.NET impersonate the currently logged in user. When I run under IIS 7.5, it doesn't work. IIS Express works fine, but I believe that is because the debugging session is running under my user id.
I am using Environment.Username to determine who this user is. There was a suggestion that this property always returns the logged in user name, but from my testing it returns the impersonated user from IIS.
For example, if my web.config has…
<identity impersonate="true" />
When I run under IIS 7.5 with that setting, Environment.Username returns IUSR. I believe this is the IIS anonymous user account.
If I change web.config to…
<identity impersonate="true" userName="domain\jlivermore" password="mypassword" />
… then Environment.Username returns jlivermore. However, I need it to return jlivermore without me explicitly setting it in web.config.
Here are my IIS settings…
[Screenshots: .NET Authorization Rules; Authentication]
One question, if I disable Anonymous Authentication, then I am prompted to login to the site. I thought if you were logged in with an Active Directory account on a domain then this challenge wouldn't appear? Even if I enter my username/password into this prompt, I still don't get the impersonation to work.
[Screenshot: Basic Settings]
I'm not sure if you've found an answer, but if anyone is having problems with it you will need the following in your web.config file
<authentication mode="Windows"/>
<identity impersonate="true"/>
And in IIS you will need ASP.NET Impersonation enabled as well as Windows Authentication enabled; the others should be disabled. And in Windows Authentication, go to Advanced Settings and uncheck "Enable Kernel-mode authentication". That should do it. Your site should now be set for Local Intranet apps, and using any of the following will work:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
HttpContext.Current.User.Identity.Name
System.Threading.Thread.CurrentPrincipal.Identity.Name
But using Environment.Username will only return the server name. Hopefully this helps anyone struggling with this.
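As an added example (not code from any of the answers here), a web.config that puts the answer above together with the earlier "allow everyone in one folder" answer: Windows authentication, impersonation of the caller, an authorization rule that refuses anonymous requests so page code runs as the caller instead of IUSR, and a location element that keeps one folder open. The folder name Public is assumed.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Enable Windows Authentication in IIS for the site as well; this element only
         tells ASP.NET which principal to build from the token IIS hands it. -->
    <authentication mode="Windows" />

    <!-- Run page code under the caller's token. With no userName/password this is
         whoever IIS authenticated; if IIS still has Anonymous Authentication enabled,
         that is the anonymous account, which is why IUSR shows up in the question above. -->
    <identity impersonate="true" />

    <authorization>
      <!-- "?" means unauthenticated users. Denying them returns 401, so the browser
           negotiates Windows credentials instead of the page running as IUSR.
           Rules are checked top to bottom and the first match wins. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Under the IIS 7 integrated pipeline, impersonate="true" is rejected with
       HTTP 500.24 unless this validation is relaxed (or the pool runs in Classic mode). -->
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>

  <!-- Assumed folder name: one sub-folder that must stay reachable without a login.
       This only works if Anonymous Authentication is still enabled in IIS; if IIS
       has already refused the anonymous request, ASP.NET never sees it. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />  <!-- "*" is everyone, anonymous callers included -->
      </authorization>
    </system.web>
  </location>
</configuration>
```

To confirm which token the page is actually running under, log WindowsIdentity.GetCurrent().Name from the page rather than Environment.UserName, which reports the worker process account.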
I had a similar problem as you describe. The basic crux of the matter is that there is a difference between impersonation and delegation. My simple understanding of this is that impersonation will work when the client and server are on the same machine. If however, the client is on a different machine, you need delegation.
MSDN Reference
What is the difference between impersonation and delegation?
Impersonation flows the original caller's identity to back-end resources on the same computer. Delegation flows the original caller's identity to back-end resources on computers other than the computer running the service.
Related SO questions
Impersonation in ASP.NET MVC
Starting a console application from asp.net using authenticated user credentials
Have you tried using HttpContext.Current.User.Identity.Name?
My web app (asp VB 2005) uses Windows authentication. If the user isn't part of a specific AD security group they don't get to edit the data; instead I redirect the user to a read-only page.
The program works fine in the IDE.
I published the web app to my laptop and disabled anonymous access. When I ran the program I got redirected to the read-only page. I added a write event to the application event log to see what was going on, and found that the WindowsPrincipal.Identity.Name contained my laptop's ID, not my user name.
I reassert: anonymous access is disabled in IIS and the web.config file has Windows Authentication.
Can anyone suggest what else to check? Or can you explain what's going on?
You probably need to set <identity impersonate="true" /> in your web.config:
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
</configuration>
See http://msdn.microsoft.com/en-us/library/72wdk8cc.aspx for more details.
I need to let an aspx.cs file run code to enumerate the contents of a directory on another server altogether. Basically, use a Directory object, etc.
Here is what I can piece together (I'm really not a network rights guy at all, so this is all confusing to me.) When a user loads my aspx page, that page, code behind, is actually running under some kind of windows user account. IUSR_ or something.
For some reason, the server I need to reach (it's a Page Flex server) will not let me change the "Location" to search for users in so I can't go find /IUSR... and give it rights.
Is there some way to pass credentials as I try to enumerate the contents of a remote server's directories?
I really hope that made sense.
I don't know all your security constraints, but you may want to look into delegation.
http://msdn.microsoft.com/en-us/library/aa291350(VS.71).aspx
There are lots of other articles on it if you search Google.
EDIT:
From: http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx
<!-- Web.config file. -->
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
The idea is to have the web request run as whatever domain user does have access to the share, instead of the default (IUSR_* or ASPNET user, I can't remember)
I believe you can do this for just a subdirectory or script if you want to limit what scripts are running as this user, see http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx
<location path="ReadUNC.aspx">
<system.web>
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
</system.web>
</location>
And if you want to do the impersonation programmatically, maybe this will help get you started: http://www.west-wind.com/WebLog/posts/1572.aspx
If you have a web application that will run inside a network, it makes sense for it to support Windows authentication (Active Directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.
I guess there are 2 major points I have to tackle:
1. authentication
2. authorization
I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?
Basically Windows handles everything: you never store usernames or passwords; AD and IIS do all the work for you.
Add this to your web.config:
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
To configure Windows authentication:
1. Start Internet Information Services (IIS).
2. Right-click your application's virtual directory, and then click Properties.
3. Click the Directory Security tab.
4. Under Anonymous access and authentication control, click Edit.
5. Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.
You can then deal with the business of authorization using web.config again. For example:
<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>
Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx
This problem is solved in detail by Mr. Scott Guthrie in
Link 1 and Link 2
I used windows security on some of my internal sites.
Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the site's files through the standard Windows security model.
I'm not sure if this is the best practices, but it has always worked well for me.