Hi Scott,
Sorry for the delay. I've been out of the office.
Integrated security is perfectly fine, but you must be aware of some of the
caveats involved. By default, integrated security is going to use NTLM,
and NTLM does not allow for delegation of credentials. In other words, if
your database server is on a different computer than IIS (and it should
be), NTLM security isn't going to work because in order to authenticate to
the database, your user's credentials have to be passed by IIS to the
database server on behalf of the user, and NTLM is designed to fail in that
scenario. Instead, you need to configure Kerberos authentication and
delegation.
810572 HOW TO: Configure an ASP.NET Application for a Delegation Scenario
http://support.microsoft.com/?id=810572
If you want to use integrated security, how you proceed depends upon how
you want the user to be authenticated. For example, if you just want to
make sure that a Windows account is used to access the database server, but
it doesn't necessarily have to be the user who is authenticated to the
site, you can simply impersonate the specific user account necessary in
code so that you can access the database.
306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158
If it is important to you that the user be the specific person browsing the
application, you can use the same article to impersonate the authenticated
user. Both of these ideas allow you to run under the context of a
priviledged account for the least amount of time required to get the job
done.
Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
ja******@online .microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------
From: "Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov>
References: <#C************ **@TK2MSFTNGP11 .phx.gbl>
<te************ *@cpmsftngxa10. phx.gbl>Subject: Re: Machine.Config -- ProcessModel vs Identity Impersonation
Date: Tue, 25 May 2004 12:07:25 -0400
Lines: 72
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: <uF************ **@TK2MSFTNGP11 .phx.gbl>
Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
NNTP-Posting-Host: ip207064.pat.wv net.edu 129.71.207.64
Path:
cpmsftngxa10.ph x.gbl!TK2MSFTNG XA01.phx.gbl!TK 2MSFTNGP08.phx. gbl!TK2MSFTNGP1 1
.phx.gblXref: cpmsftngxa10.ph x.gbl microsoft.publi c.dotnet.framew ork.aspnet:2361 36
X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
So, in the case of wanting to access a network share or database
(integratedsecurity) which would be better or expose the least in security
vulnerabilitie s? Or in the case of the database and ASP.NET, is integrated
the way to go?
Thanks for the reply,
Scott
"Jim Cheshire [MSFT]" <ja******@onlin e.microsoft.com > wrote in message
news:te******* ******@cpmsftng xa10.phx.gbl... Scott,
If you set the processModel element, all threads that are executed by
ASP.NET will run under that context. If you set the <identity> element,
the main thread will run under the impersonated identity, but any new
threads you create will run under the identity specific in the
<processModel >. That is one difference that many developers don't
realize.
You typically would not set the <identity> element in the machine.config.
Instead, it is most often set at the web.config level. It's important to
realize that you do not have to explicitly set a username and password
for the <identity> element. If you simply enable impersonation without
specifying a user, the identity will be that of the user who is
authenticated in IIS or the anonymous account if none is authorized.
In short, the <processModel > element is used to (among other things)
specify which weak account (preferably) will be used to run the worker
process. The <identity> element is used to specify that ASP.NET code
should be run as a user other than the process account.
Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
ja******@online .microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
-------------------- >From: "Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov>
>Subject: Machine.Config -- ProcessModel vs Identity Impersonation
>Date: Mon, 24 May 2004 14:23:32 -0400
>Lines: 10
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
>Message-ID: <#C************ **@TK2MSFTNGP11 .phx.gbl>
>Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
>NNTP-Posting-Host: ip207064.pat.wv net.edu 129.71.207.64
>Path:
cpmsftngxa10.p hx.gbl!TK2MSFTF EED01.phx.gbl!T K2MSFTNGP08.phx .gbl!TK2MSFTNGP 1
1 phx.gbl >Xref: cpmsftngxa10.ph x.gbl
microsoft.publ ic.dotnet.frame work.aspnet:235 889 >X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
>
>What is the difference between using a username and password in the
>processmodel section vs using one in impersonation in the machine.config
>file? What are the advantages of each and what are the reasons for
using >each?
>
>Thanks for any replies,
>Scott
>
>
>
>
