I have an ASP.NET application where user is Anonymous when he connects to website.
Also I have a printing server inside network.
I want to let this user to print to the network printer.
In order to print I have to use File.Copy command.
When I do this I get "Access denied".
So I tried to impersonate the user with credentials of user that is inside domain and has the rights to print to that specific printer.
The problem is this user has to be Administrator, and I cannot let him be the Administrator.
When this user is not Administrator then the printing is not working ("Access denied").
I tried to use Network Credentials but I don't know how to set credentials to command File.Copy.
This command doesn't have any extensions or overloading for credentials.
Any help will be appreciated :)
You should just grant write access to the folder that you are copying to. Right click on the folder and choose Properties -> Security. Then add the user that you are impersonating in asp.net. You can do the same thing for the anonymous user, although it's a bit more complicated.
Related
Windows server 2016.
Old users (those, having profiles/folders created at "C:\Users") are able to remote into our server via RDP, but new users are not. Initially the error was The User Profile Service service failed the sign-in. User profile cannot be laoded.
Checking server, it seems "C:\Users\Default" has the only folder/entry "AppData", nothing more. I copied the file "NTUSER.DAT" from similar server "Default" folder. Also, folder permissions are identical.
Now new users are able to login, but it goes to a temporary profile and of course, user's profile at "C:\Users" does not get created.
Event logs does not tell much, basically just confirms login errors/notes we get:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
How this can be solved?
Open the registry editor and go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList then find the key where the ProfileImagePath is the profile location of the user that's not being created. Export, then delete that registry key.
I am currently using windows authentication for my intranet asp.net site. I would like to have a portion of my site only be available to those in a windows user group(admins) that I specify, and give access to. Thus far, I have this working fine, with the ASP.net impersonation in IIS set to "Authenticated User." I would also like to download a file from a network location to the clients machine. I am doing this via the following code:
Protected Sub Button1Click(ByVal sender As Object, ByVal e As System.EventArgs)
Dim path3 As String = "file path here"
Dim fi As New FileInfo(path3)
HttpContext.Current.Response.Clear()
HttpContext.Current.Response.ContentType = "application\msword"
HttpContext.Current.Response.AppendHeader("Content-Disposition", "attachment; filename=" & fi.Name)
HttpContext.Current.Response.WriteFile(fi.FullName)
HttpContext.Current.Response.Flush()
HttpContext.Current.Response.Close()
End Sub
This works as well, but only if I switch the ASP.net impersonation from Authenticated User to a specific user. I have checked, and both the specific user and the authenticated user have access to the file path. For example, I am signed in under the windows account JonW, which is part of the group DOMAIN USERS. I know for a fact that DOMAIN USERS has access to the file I want to download.
If I don't use a specific user, then when I click the button to try to download the file, a windows security pops up and asks for my information. When I put in the info (which I don't want to have to do anyway as I'm already signed in), it waits for 15 seconds then asks again. This repeats itself 5 or so times until it tells me that I don't have access (which I know I do).
Thus, the obvious solution is to use a specific impersonated account, correct? Nope, because when I try to gain access to my admins section of the site, I cannot because it is using the specific impersonated user, as opposed to the authenticated user that is part of the admin group. I could give the specific impersonated account access to that section of the site, but then everyone would be able to get in, which I don't want.
So my question is either how can I use a specific impersonated user to download the file, and the authenticated user to gain access to the admin section, or, how can I just use the authenticated user the whole time and get rid of that windows security pop up, and have it use the authenticated users credentials automatically.
I'm a little confused as to why you think you need to impersonate anyone in the first place. There is no need to impersonate anyone unless you need network credentials specific to that user, which most often is not the case.
For example, in your case you can simply run the site as the App Pool User, which, behind the scenes will authenticate over the network as the credentials of the machine on the domain. So, if your IIS servers name is "Webserver" then you need only give \\Domain\$Webserver access to the share/folder/resources necessary to access the files, then you control access to those resources in your application by using standard Windows Authentication.
So, if you don't want "normal" users to access this portion of the site, you just deny them access via the standard ASP.NET authentication tools (web.config, etc..).
If you need to give users access to the area, but only allow them to access some files, but not others, then it becomes more complicated, but still not overly difficult.
In my site administrator can view list all other online users.
Administrator can also disable any account from that list.
Everything was going fine so far. But now I decided to log out the user which is being disabled. How can I do a log out operation for a particular user from the above specified online user list?
NOTE: I'm using default membership schema for my SQL Server database.
You cannot logout a user from outside of their session. See Programatically logout an ASP.NET user for a possible workaround.
very simple question:
I have admin site in my web project. So, how can I make it safe?
What I have until now:
Database handled user with userID and userlevel
on the pageload of the admin master page (which includes all admin sites) there is a clause to check if userID is okay (get the user from database) and if userlevel is right
If Not, redirect to Default.aspx with normal master page
if yes, go trought
How safe is it really?
Edit:
The userID is saved in a session on the server.
There is no way to save the login (no cookies).
The user must login to get the userID in the session
The login is saved in a database table user_log with username, password, ip, loginsucceeded and userID
The basic idea looks ok. It all comes down to how you are getting that UserID to make the checks against. If the userID is being passed as a querystring, then that is very bad. If it is stored in a session via sometype of pre authorization then it is better. If you are using SSL, IP checking, etc it will improve your level of security.
The main thing is HOW you are getting the userID to verify against. That is where the exploit will occur. Secure that process and you should be ok with your setup.
Edit: Based on your update this looks ok but it also depends on how secure you really need this to be. How secure is your sign in page? Are you using SSL? Any worries about session highjacking? Why not store an IP with the userID and verify the request IP against the stored IP when doing the UserID fetch from the session?
There are so many security solutions out there. You need to decide how far you need to safely go to ensure the level of security that is necessary for your particular application.
We use integrated windows authentication.
In IIS manager, click the "Directory Security" tab
Uncheck "Anonymous Access"
Check "Integrated Windows Authentication"
This lets you administer who has rights to your admin site by modifying domain accounts instead of using a roll-your-own solution. You can still get the logged-in user's credentials via the Environment class, which can be used to associate any web-specific properties for each user that you want to store in your database. This also has the advantage of automatically handling timeouts, relogin requirement if browser was closed, etc.
Your solution looks almost fine, though it sounds as though you're adding individual user accounts to the SQL server instead of handling everything through the ASP.NET service account login. I'd avoid adding individual user accounts into your database. In ASP.NET, unless you're jumping through some useless hoops, the ASP.NET service account is what is authenticated for DB connectivity, not the user that's logged into the site.
We have an ASP.NET application that manages it's own User, Roles and Permission database and we have recently added a field to the User table to hold the Windows domain account.
I would like to make it so that the user doesn't have to physically log in to our application, but rather would be automatically logged in based on the currently logged in Windows domain account DOMAIN\username. We want to authenticate the Windows domain account against our own User table.
This is a piece of cake to do in Windows Forms, is it possible to do this in Web Forms?
I don't want the user to be prompted with a Windows challenge screen, I want our system to handle the log in.
Clarification: We are using our own custom Principal object.
Clarification: Not sure if it makes a difference or not, but we are using IIS7.
Integration of this sort is at the server level, it's IIS that decides that the user is not logged in; and it's IIS that sends back the authentication prompt to the user, to which the browser reacts.
As you want to use the domain login there is only one way to do this; integrated windows authentication. This will only work if the IIS server is also part of the domain and the users are accessing the machine directly, not through a proxy, and from machines which are also part of the domain (with the users suitably logged in).
However your custom principal object may create fun and games; authentication of this type will be a WindowsPrincipal and a WindowsIdentity; which you can access via the User object (see How To: Use Windows Authentication in ASP.NET 2.0)
I assume you want a custom principal because of your custom roles? I doubt you can get the two to play nicely; you could create a custom role provider which looks at your data store or look at you could look at ADAM, an extension to AD which provides roles on a per program basis and comes with nice management tools.
I did pretty much exactly what you want to do a few years ago. Im trying to find some code for it, though it was at a previous job so that code is at home.
I do remember though i used this article as my starting point. You set up the LDAP provider so you can actually run a check of the user vs the LDAP. One thing to make sure of if you try the LDAP approach. In the setting file where you set up the LDAP make sure LDAP is all caps, if it is not it will not resolve.
using System.Security.Principal;
...
WindowsPrincipal wp = (WindowsPrincipal)HttpContext.Current.User;
to get the current domain user. Of course you have to make sure that the IIS is set up to handle Windows Authentication.
This might be helpful:
WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
WindowsPrincipal myPrincipal = new WindowsPrincipal(myIdentity);
string name = myPrincipal.Identity.Name;
string authType = myPrincipal.Identity.AuthenticationType;
string isAuth = myPrincipal.Identity.IsAuthenticated.ToString();
string identName = myIdentity.Name;
string identType = myIdentity.AuthenticationType;
string identIsAuth = myIdentity.IsAuthenticated.ToString();
string iSAnon = myIdentity.IsAnonymous.ToString();
string isG = myIdentity.IsGuest.ToString();
string isSys = myIdentity.IsSystem.ToString();
string token = myIdentity.Token.ToString();
Disclaimer: I got this from a technet article, but I can't find the link.
You can use System.Threading.Thread.CurrentPrincipal.
Request.ServerVariables["REMOTE_USER"]
This is unverified for your setup, but I recall using this awhile back.
Try Request.ServerVariables("LOGON_USER").
If the directory security options are set so that this directory does not allow anonymous users, when the surfer hits this page they will be prompted with the standard modal dialog asking for username and password. Request.ServerVariables("LOGON_USER") will return that user.
However, this will probably not work for you because you are using your own custom security objects. If you can figure out how to get around that logon box, or pass in NT credentials to the site before it askes for them, then you would be all set.
Have you thought about impersonation? You could store the user's NT logon credentials in your custom security object, and then just impseronate the user via code when appropriate.
http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx