asp.net 2.0 security question
| ireallyneedtoknow2007@yahoo.com 2007-12-20, 1:25 pm |
| I am using the following code to provide security to a web page

SecurityIdentifier sid = WindowsIdentity.GetCurrent().User;
NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));

I then account.ToString().
This works fine in development - I get domain\user as expected.
After publishing the website and accessing the page I get - machinename\ASPNET

I have also tried

WindowsPrincipal winPrincipal = (WindowsPrincipal)HttpContext.Current.User;
account = winPrincipal.Identity.Name;
Again, the dev display works as expected - domain\user,
but the published website doesn't display anything.

web.config has <allow users="*"/> and
<authentication mode="Windows"> </authentication> I have also tried "None"
but that gives me
"Unable to cast object of type 'System.Security.Principal.GenericPrincipal'
to type 'System.Security.Principal.WindowsPrincipal'."

I have also tried checking/unchecking Anonymous Access and
Integrated Windows Authentication in IIS with no luck.

Can anyone tell me why I get the result I am getting? Thanks
| |
| Alexey Smirnov 2007-12-20, 1:25 pm |
| On Dec 20, 3:54 pm, ireallyneedtoknow2...@yahoo.com wrote:
> I am using the following code to provide security to a web page
>
> SecurityIdentifier sid = WindowsIdentity.GetCurrent().User;
> NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));
>
> I then account.ToString().
> This works fine in development - I get domain\user as expected.
> After publishing the website and accessing the page I get - machinename\ASPNET
>
> I have also tried
>
> WindowsPrincipal winPrincipal = (WindowsPrincipal)HttpContext.Current.User;
> account = winPrincipal.Identity.Name;
> Again, the dev display works as expected - domain\user ,
> but the published website doesn't display anything.
>
> web.config has <allow users="*"/> and
> <authentication mode="Windows"> </authentication> I have also tried
> "None"
> but that gives me
> "Unable to cast object of type
> 'System.Security.Principal.GenericPrincipal'
> to type 'System.Security.Principal.WindowsPrincipal'. "
>
> I have also tried checking/unchecking Anonymous Access and
> Integrated Windows Authentication in IIS with no luck.
>
> Can anyone tell me why I get the result I am getting. Thanks
Read about impersonation. To get your own username on a server you
need to run the application in the context of your user. By default,
impersonation is disabled and you get machinename\ASPNET on Win2000,
or Network Service on Win2003 (default accounts on IIS). The easiest
way to turn it on is to add <identity impersonate="true"/> in the
web.config file.
http://msdn2.microsoft.com/en-us/library/xh507fc5.aspx
http://msdn2.microsoft.com/en-us/library/ms998351.aspx
| |
| ireallyneedtoknow2007@yahoo.com 2007-12-21, 1:25 pm |
| thank you, impersonation solved the problem!
| |
| Jim Wyatt 2007-12-23, 1:36 am |
| Impersonation makes it more difficult to manage security at a domain level.
I would suggest you change the application pool identity to make the
privileges more transparent.
<ireallyneedtoknow2007@yahoo.com> wrote in message
news:a4c47ca1-9349-4a97-833e-366fefc46c7a@18g2000hsf.googlegroups.com...
> thank you, impersonation solved the problem!
>
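Added example, not part of any post in this thread: a C# helper that separates the two identities discussed above, the account the code executes as and the caller that IIS authenticated, and that rejects anonymous requests instead of returning an empty name. The class and method names are hypothetical, and the web.config shown in the comment is an assumed setup (Integrated Windows Authentication on, Anonymous Access off in IIS).

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Illustration only; CallerIdentity and its methods are hypothetical names.
// Assumed web.config, so that ASP.NET itself rejects anonymous requests:
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
public static class CallerIdentity
{
    // The account this code executes as. Without <identity impersonate="true"/>
    // it is the worker process account (machinename\ASPNET or Network Service),
    // so it says nothing about who is browsing the page.
    public static string ExecutionAccount()
    {
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            return current.Name;
        }
    }

    // The caller as authenticated by IIS/ASP.NET. Works without impersonation,
    // so the worker process keeps its own low-privilege account.
    public static string RequireCaller(HttpContext context)
    {
        IPrincipal user = context.User;

        // With Anonymous Access allowed, the identity is unauthenticated and
        // Name is empty: treat that as a failed check, not as a valid user.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            throw new UnauthorizedAccessException("Request is anonymous.");
        }

        // 'as' avoids the InvalidCastException seen with mode="None", where
        // the principal is a GenericPrincipal rather than a WindowsPrincipal.
        WindowsPrincipal windowsUser = user as WindowsPrincipal;
        if (windowsUser == null)
        {
            throw new UnauthorizedAccessException("Caller was not authenticated by Windows authentication.");
        }

        return windowsUser.Identity.Name; // domain\user
    }
}
```

Calling CallerIdentity.RequireCaller(HttpContext.Current) from a page returns domain\user for an authenticated request, while ExecutionAccount() keeps returning the worker process account unless impersonation is enabled.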