Avoiding Identity Impersonate

Hey folks,

I'm trying to use the HttpWebResponse object in an ASP application, but I
get a 401 unauthorized error on this line:
HttpWebResponse response = (HttpWebResponse)webRequest.GetResponse();

I have:
identity impersonate = true
authentication mode = windows
IIS set to use windows authentication
and I set: webRequest.Credentials = CredentialCache.DefaultCredentials;

This works when I run the page from the server, but from a remote machine it
gives me the unauthorized error. However, if in the web config file I
specify identity impersonate = true with a username and password, then it
works fine. I don't want to do this however.

Is there any way to avoid specifying a username and password in the
web.config and without setting up delegation on the server (not an option)?

Thanks!
Nov 17 '05 #1
Hi John,

can you tell me whether you are using NTFS in your domain? NTFS is only
able to make 1 'hop' using impersonation. This is due to the fact that
there are no credentials passed, only tokens.
You probably have the following scenario (3 distinct machines):

Client ---> WebServer ---> Database server

As you can see, this setup takes two hops and will not work using
impersonation. If you switch to Kerberos for authentication this will
work. But I do believe this isn't used too much...

Hope it helps,

Grtz, Wouter van Vugt
Info Support - Netherlands
www.infosupport.com
blogs.infosupport.com/wouterv

Nov 17 '05 #2
jay
I'm guessing you don't want to put it in the config for security
reasons. I wouldn't want to either! You can store the username and
password as encrypted values in the registry. You then point the
web.config file to look in the registry for the values.

This site explains the process of using aspnet_setreg.exe to encrypt
the values in the registry as well as how to reference them in your
web.config file.

http://support.microsoft.com/default...b;en-us;329290

If you are running Windows 2000 as your server environment there is an
additional step; the ASPNET account (the account which the Aspnet
process runs under) needs to have something called TCB (Trusted
Computing Base) or what is more commonly known as "Act as part of the
operating system." privileges. These privileges are pretty powerful and
it's not recommended to grant them to any account.

Note: From what I gather, the above requirement only applies to the
.NET Framework 1.0 on Windows 2000. Windows XP and .NET 1.1 don't
require this.

This is one way to use impersonation securely.

Experts please correct my inaccuracies. :)

-Jay

Nov 17 '05 #3
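
The approach described in the reply above, shown as a web.config before and after (an added example, not part of the original post). The account name EXAMPLE\svc-web and the registry key SOFTWARE\ExampleApp\identity are placeholders. With a fixed userName, outbound requests run as that account, not as the browsing user.

```xml
<!-- Added example. EXAMPLE\svc-web and SOFTWARE\ExampleApp\identity are
     placeholders; substitute your own service account and key. -->

<!-- Before: the service account password sits in web.config in clear text,
     readable by anyone who can read the file or a backup of it.
<system.web>
  <identity impersonate="true"
            userName="EXAMPLE\svc-web"
            password="clear-text-password" />
</system.web>
-->

<!-- Step 1 (run once on the web server, as an administrator):
       aspnet_setreg.exe -k:SOFTWARE\ExampleApp\identity -u:"EXAMPLE\svc-web" -p:"password"
     The tool stores encrypted userName and password values under
       HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG
     Step 2: with regedit, grant the ASP.NET worker process account Read
     access on that key, and remove access for accounts that do not need it. -->

<!-- After: web.config holds only a pointer to the encrypted values. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

The stored values are protected with a machine-wide DPAPI key, so the ACL on the registry key is what actually limits which accounts can recover the password.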
Thanks for the link. If there's no other way of doing it, then I'll do this.

I'm still just confused on why it's not impersonating the logged in user and
why I have to specify a new username and password.

Nov 17 '05 #4
I'm using the logged in credentials to connect to our database server and it
works fine.

Nov 17 '05 #5
