473,791 Members | 3,111 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

WindowsPrincipa l and WindowsIdentity .

This is more of a solution that raised a question.

I have a Web service that does not allow anonymous users.
For debugging I put in the following lines in my Web
Service:

WindowsIdentity wi = WindowsIdentity .GetCurrent();
WindowsPrincipa l wp = Thread.CurrentP rincipal as
WindowsPrincipa l;
wi = wp.Identity as WindowsIdentity ;
wi.Impersonate( );

My question was the the first WindowsIdentity returned
from GetCurrent shows MACHINE\ASPNET (MACHINE is the name
of the machine) yet the WindowsIdentity returned from
CurrentPrincipa l shows DOMAIN\kburton (DOMAIN is the name
of the domain I am logged in as a domain user when I am
running this). The Web service needs to access a database
and the ASPNET account cannot be used to access the
database. It seems that Impersonate() makes the
identity "correct". My question is why is GetCurrent and
CurrentPrincipa l different? Under what conditions will
they be different? Why does Impersonate make them the
same?

Thank you for your help in understanding this.

Kevin Burton
rk**********@ch arter.net
Nov 18 '05 #1
3 4302
asp.net broke out the authenication identity (who called this page -
Principle) from the security identity used by the thread servicing the page.
the default is for the page threads to run under the asp.net account.

you can achieve the same result without code by specifing in you web.config:

<identity impersonate="tr ue" />

note: if the user hitting the site is is not logged on the local machine
(try hitting you site from another box) the Impersonated identity is not a
primmary token, so can not be used to access resources (say a sqlserver) on
another box.

-- bruce (sqlwork.com)
"Kevin Burton" <an*******@disc ussions.microso ft.com> wrote in message
news:07******** *************** *****@phx.gbl.. .
This is more of a solution that raised a question.

I have a Web service that does not allow anonymous users.
For debugging I put in the following lines in my Web
Service:

WindowsIdentity wi = WindowsIdentity .GetCurrent();
WindowsPrincipa l wp = Thread.CurrentP rincipal as
WindowsPrincipa l;
wi = wp.Identity as WindowsIdentity ;
wi.Impersonate( );

My question was the the first WindowsIdentity returned
from GetCurrent shows MACHINE\ASPNET (MACHINE is the name
of the machine) yet the WindowsIdentity returned from
CurrentPrincipa l shows DOMAIN\kburton (DOMAIN is the name
of the domain I am logged in as a domain user when I am
running this). The Web service needs to access a database
and the ASPNET account cannot be used to access the
database. It seems that Impersonate() makes the
identity "correct". My question is why is GetCurrent and
CurrentPrincipa l different? Under what conditions will
they be different? Why does Impersonate make them the
same?

Thank you for your help in understanding this.

Kevin Burton
rk**********@ch arter.net

Nov 18 '05 #2
Thank you for your reply. It was most helpful.

One more question.

If I just have the <identitiy> token in the web.config I
still get an error:

WebException: 'The request failed with HTTP status 401:
Access Denied.'
Status: 'ProtocolError'
at
System.Web.Serv ices.Protocols. SoapHttpClientP rotocol.ReadR
esponse(SoapCli e
ntMessage message, WebResponse response, Stream
responseStream, Boolean asyncCal
l)

Unless before the Web Service call I add credentials as:

WService webService = new WService();
webService.Cred entials =
CredentialCache .DefaultCredent ials;

I don't quite understand the reason for this.

Kevin
-----Original Message-----
asp.net broke out the authenication identity (who called this page -Principle) from the security identity used by the thread servicing the page.the default is for the page threads to run under the asp.net account.
you can achieve the same result without code by specifing in you web.config:
<identity impersonate="tr ue" />

note: if the user hitting the site is is not logged on the local machine(try hitting you site from another box) the Impersonated identity is not aprimmary token, so can not be used to access resources (say a sqlserver) onanother box.

-- bruce (sqlwork.com)
"Kevin Burton" <an*******@disc ussions.microso ft.com> wrote in messagenews:07******* *************** ******@phx.gbl. ..
This is more of a solution that raised a question.

I have a Web service that does not allow anonymous users. For debugging I put in the following lines in my Web
Service:

WindowsIdentity wi = WindowsIdentity .GetCurrent();
WindowsPrincipa l wp = Thread.CurrentP rincipal as
WindowsPrincipa l;
wi = wp.Identity as WindowsIdentity ;
wi.Impersonate( );

My question was the the first WindowsIdentity returned
from GetCurrent shows MACHINE\ASPNET (MACHINE is the name of the machine) yet the WindowsIdentity returned from
CurrentPrincipa l shows DOMAIN\kburton (DOMAIN is the name of the domain I am logged in as a domain user when I am
running this). The Web service needs to access a database and the ASPNET account cannot be used to access the
database. It seems that Impersonate() makes the
identity "correct". My question is why is GetCurrent and CurrentPrincipa l different? Under what conditions will
they be different? Why does Impersonate make them the
same?

Thank you for your help in understanding this.

Kevin Burton
rk**********@ch arter.net

.

Nov 18 '05 #3
More permission questions.

If I change IIS to allow anonymous login and I change the
<identity> token to the following:

<identity impersonate="tr ue"
userName="domai n\domainuser"
password="01234 56"
/>

I get an HTML error:

<b> Parser Error Message: </b>Could not
create Windows user token fr
om the credentials specified in the config file. Error
from the operating system
'A required privilege is not held by the client.
'<br><br>

I have checked and the user name, domain, and password
are all correct. Do I need some extra permission just to
impersonate?

Thank you.

Kevin
-----Original Message-----
asp.net broke out the authenication identity (who called this page -Principle) from the security identity used by the thread servicing the page.the default is for the page threads to run under the asp.net account.
you can achieve the same result without code by specifing in you web.config:
<identity impersonate="tr ue" />

note: if the user hitting the site is is not logged on the local machine(try hitting you site from another box) the Impersonated identity is not aprimmary token, so can not be used to access resources (say a sqlserver) onanother box.

-- bruce (sqlwork.com)
"Kevin Burton" <an*******@disc ussions.microso ft.com> wrote in messagenews:07******* *************** ******@phx.gbl. ..
This is more of a solution that raised a question.

I have a Web service that does not allow anonymous users. For debugging I put in the following lines in my Web
Service:

WindowsIdentity wi = WindowsIdentity .GetCurrent();
WindowsPrincipa l wp = Thread.CurrentP rincipal as
WindowsPrincipa l;
wi = wp.Identity as WindowsIdentity ;
wi.Impersonate( );

My question was the the first WindowsIdentity returned
from GetCurrent shows MACHINE\ASPNET (MACHINE is the name of the machine) yet the WindowsIdentity returned from
CurrentPrincipa l shows DOMAIN\kburton (DOMAIN is the name of the domain I am logged in as a domain user when I am
running this). The Web service needs to access a database and the ASPNET account cannot be used to access the
database. It seems that Impersonate() makes the
identity "correct". My question is why is GetCurrent and CurrentPrincipa l different? Under what conditions will
they be different? Why does Impersonate make them the
same?

Thank you for your help in understanding this.

Kevin Burton
rk**********@ch arter.net

.

Nov 18 '05 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
0
1312
ArgumentException when call WindowsPrincipal.IsInRole
by: Dan Kelley | last post by:
I receive multiple (handled) ArgumentExceptions when I call WindowsPrinciple.IsInRole. The exception text is: A first chance exception of type 'System.ArgumentException' occurred in mscorlib.dll Additional information: Item has already been added. Key in dictionary: "DOMAINNAME\userGroup" Key being added: "DOMAINNAME\userGroup"
C# / C Sharp
8
33049
WindowsIdentity.Impersonate() vs ImpersonateLoggedOnUser()
by: BLiTZWiNG | last post by:
After playing with the code shown and utilising Willy Denyottes' help, I have come to the conclusion that there is some form of difference between the managed WindowsIdentity.Impersonate() over the unmanaged ImpersonateLoggedOnUser(). Below is my code showing a file copy to a remote computer's shared folder using both WindowsImpersonationContext and ImpersonateLoggedOnUser/RevertToSelf, with the latter currently commented out. The...
C# / C Sharp
0
1967
CurrentPrincipal, WindowsPrincipal
by: Mark | last post by:
Hello Friends Please check following Code Dim x As System.Security.Principal.WindowsPrincipal x = System.Threading.Thread.CurrentPrincipal Response.Write (System.Security.Principal.WindowsIdentity.GetCurrent.Authe nticationType & "<BR>") Response.Write
ASP.NET
1
3900
Sending the WindowsPrincipal object
by: Johan Johansson (Sweden) | last post by:
I am writing a webService that is going to be accessed anonymously (I don't want to "configurable" depend on windows integrated authentication). But I still want to authenticate the client (or rather the user using the client). Because of this I want to send the WindowsPrincipal from the client to the webService in the SoapHeader. I don't want to send the credentials (userName, password and domain) because I want the client to be unaware...
.NET Framework
13
12961
Authenticate to a webservice by WindowsIdentity
by: ALI-R | last post by:
I know how to authenticate to a webservice using either of these ways(Assuming that rService represents the webservice): 1) rService.Credentials = new System.Net.NetworkCredential("username","password","domainName"); 2)rService.Credentials = System.Net.CredentialCache.DefaultCredentials; My question is that is there a way to authenticate to a user using WindowsIdentity ???
.NET Framework
0
1397
FileSecurity - Test if WindowsIdentity has write access?
by: Ed Sutton | last post by:
Is there a FileSecurity method that can determine if the current WindowsIdentity has write access to a file? I can get the current windows identity and use FileSecurity to return the AuthorizationRuleCollection and then search for the FileSystemAccessRule's that apply to my identity. The problem is my current identity may be "MYDOMAIN\JDOE", but I do not know how to determine if a group this identity belongs, for example "EVERYONE",...
ASP.NET
0
1308
security using windowsprincipal class
by: wk6pack | last post by:
Hi, I'm trying to get my application to authenticate using role based when the user runs the application. When the user logs on and is in the security group "school", the user gets into the application no problem. But when the user is removed from the group but doesnt log back in, he still has permissions to run the application. This is also true if the user is already logged on and then placed in the security group, the user cannot...
.NET Framework
1
3641
WindowsPrincipal.IsInRole fails when there is Whitespace in role n
by: =?Utf-8?B?RjVGNUY1?= | last post by:
I use the following function to ascertain if the current user is in ann AD security group. It appears to work, except if the group contains any space characters, it always returns false. For example I am a member of groups "NWDeveloper" and "IT Development" if I call the function CurrentUserInRole(@"DOMAIN\NWDeveloper"); it returns true, however CurrentUserInRole(@"DOMAIN\IT Development"); it returns false. I need to be able to...
C# / C Sharp
1
5615
WindowsPrincipal.IsInRole actually check roles and NOT groups?
by: Andy | last post by:
Hi, I currently have my application setup and built using Windows Authentication (WindowsPrincipal). For security checks, I simply do an IsInRole call on the Principal. The role permissions are hard- coded, something like this: private static string allowedReadRoles = new string { "Sales", "Ordering" };
C# / C Sharp
0
9669
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
9517
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
9997
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
9030
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
7537
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
6776
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
5435
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
5559
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
2
3718
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us