all groups > asp.net security > recent posts
Re: Problems with ASP.NET 2.0 application in subdirectory on a shared host
Posted by Ola Lie at 4/24/2008 7:25:33 AM
Hi again, I am still struggling. Can anyone help me with a program that
lists the settings of all the elements and child elements that are set in
the root web.config. As I have my domain at a shared host I have no access
to this file, but it still controls my application.
Best regards
Ola ... more >>
Re: Web interface for SQL Security Users and Roles
Posted by tucson at 4/23/2008 2:12:02 PM
I thought about writing a stored procedure that will be executed through
a secure web page that will update the system tables.
For example, something like:
insert into sysusers (status, name, sid, createdate, updatedate, gid,
hasdbaccess, islogin,isntname, isntgroup, isntuser, issqluser, isal... more >>
RE: Internet Explorer zones do not have secure settings for some u
Posted by stcheng@online.microsoft.com at 4/23/2008 2:16:36 AM
Thanks for your reply Jason,
How about deleting the user profile of the MACHINE\ASPNET account?
#How to delete a user profile in Windows Server 2003
http://support.microsoft.com/kb/814584
and for ASP.NET 2.0, you can use the aspnet_regiis.exe to regrant the
proper permissions for it.
... more >>
Re: Web interface for SQL Security Users and Roles
Posted by Dominick Baier at 4/22/2008 10:16:44 PM
Membership uses its custom db and tables.
I am not aware of such a web interface.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
> I need to manage SQL Users and their Ro... more >>
Web interface for SQL Security Users and Roles
Posted by tucson at 4/22/2008 2:49:01 PM
I need to manage SQL Users and their Roles using a web interface. There are
no database tables with user information involved, just the SQL Server
Security setting for Users and Roles.
Does the membership class support this (Login control)? Where do I set the
property to look at the SQL rol... more >>
RE: Internet Explorer zones do not have secure settings for some users
Posted by stcheng@online.microsoft.com at 4/22/2008 2:48:09 AM
Hi Jason,
From your description, the Baseline Analyzer is reporting warning against
the machine\ASPNET account since its internet zone setting doesn't fit the
expected level. I haven't used the baseline tool much, have you checked to
see whether the analyzer has any account specific customi... more >>
RE: Internet Explorer zones do not have secure settings for some u
Posted by Jason at 4/22/2008 12:50:00 AM
Thanks for your prompt and thorough reply.
Yes, we are running IIS in v5 compatible mode, so we need to take the time
to get our app running properly with v6. It was the non-interactive local
account that caused us worries. We've corrected our other service accounts.
Otherwise, the ser... more >>
Problems with ASP.NET 2.0 application in subdirectory on a shared host
Posted by Ola Lie at 4/22/2008 12:09:31 AM
Hi,
I have a domain at an ISP provider and try to install an ASP.NET 2.0
application in a subdirectory. It's a wiki called ScrewTurn. I have asked my
ISP to set it up according to the developers' specification, but I
constantly run into problems. The subdirectory is set as an .net applicati... more >>
Internet Explorer zones do not have secure settings for some users
Posted by Jason at 4/21/2008 10:59:00 AM
I'm not really sure where this should be posted as this is a Baseline
Security Analyzer question but I'm hoping someone here would have come across
this.
I'm using MS Baseline Security Analyzer (2.0.6706.0) to check a web app on
Win 2k3 we've developed with .Net but we're getting a Severe ... more >>
Re: user authentication by SQL lookup
Posted by Misbah Arefin at 4/19/2008 9:31:55 PM
This is exactly what we do with our MembershipProviders i.e. return just the
count or the PK matching the username and password.
If the password is stored in plain text then it can be checked either in SQL
or .NET code but I would prefer not returning the password from SQL. You are
already ... more >>
Re: ADSI - Able to authenticate but unable to get memberOf informa
Posted by Joe Kaplan at 4/18/2008 12:25:08 PM
For the server in the DMZ, you need to make sure:
- It is domain joined to a domain that is part of the forest your users are
from or has a trust with that forest or domain somehow
- Users have rights to do network login. They usually do, but sometimes
people remove the "authenticated users... more >>
Re: ADSI - Able to authenticate but unable to get memberOf informa
Posted by Joe Kaplan at 4/18/2008 10:18:46 AM
I don't understand why you are calling DuplicateToken. You don't need that,
do you? You also don't use the token for building the WindowsIdentity in
the code below, so that is a little strange.
I think the main problem is that you are using the NewCredentials logon type
here. That type o... more >>
Re: ADSI - Able to authenticate but unable to get memberOf informa
Posted by deltalimagolf at 4/18/2008 9:36:01 AM
The DuplicateToken was left over from the impersonation (I originally got it
from an example I found). I changed the logon type to Network, it works
great on my local box but now the LogonUser method returns false (when
deployed to the server in the DMZ).
Current clkLogin method -
prote... more >>
Re: url rewriting and authentication
Posted by Dominick Baier at 4/18/2008 6:41:18 AM
You can manually call
UrlAuthorizationModule.CheckUrlAccessForPrincipal
and do a redirect to your login pages based on the outcome.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/998... more >>
LogonUser() fails on same domain
Posted by eagleeye at 4/18/2008 6:27:45 AM
Hi
I am using VS2005 SP1 and using LogonUser() API
ASP.NET 2.0 , IIS 6 . Win2003 server SP2
If LogonUser(Username, _
Domain, _
Password, _
LOGON32_LOGON_NETWORK, _
LOGON32_PROVIDER_DEFAULT, token) = True then
return succe... more >>
Re: ADSI - Able to authenticate but unable to get memberOf informa
Posted by deltalimagolf at 4/18/2008 6:19:01 AM
Here's my new clkLogin method -
protected void clkLogin(object sender, EventArgs e)
{
IntPtr iptrUserToken = IntPtr.Zero;
IntPtr iptrDuplicateToken = IntPtr.Zero;
try
{
bool bAuthenticated =
LDAP.LogonUser(txtUserName.Text,
GatewayAdministrationWebConfig.AuthenticationDom... more >>
Re: ADSI - Able to authenticate but unable to get memberOf informa
Posted by Joe Kaplan at 4/17/2008 7:16:01 PM
Yes, exactly. You build the WindowsIdentity from the token and then just
access the Groups property. If you want friendly names instead of SIDs (you
probably do), then you just use the Translate method on the
IdentityReferenceCollection.
Doing LDAP calls for this is much more complicated, sl... more >>
Re: ADSI - Able to authenticate but unable to get memberOf information
Posted by Joe Kaplan at 4/17/2008 4:18:23 PM
This seems like a waste. If you have a WindowsIdentity for the user, why
not just use the Groups property on the WindowsIdentity? The data you need
is already in memory at that point.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide t... more >>
Re: ADSI - Able to authenticate but unable to get memberOf informa
Posted by deltalimagolf at 4/17/2008 2:27:01 PM
Apparently I'm missing something, at what point do I have a WindowsIdentity
for the user? I'm using the WindowsIdentity.Impersonate method to get a
WindowsImpersonationContext, is that what you are referring to?
"Joe Kaplan" wrote:
> This seems like a waste. If you have a WindowsIdentity... more >>
ADSI - Able to authenticate but unable to get memberOf information
Posted by deltalimagolf at 4/17/2008 1:52:01 PM
I've got an asp.net site where it's set up to use forms authentication. I
take the username and password provided and authenticate them by calling the
LogonUser method (from advapi32). If that is successful I call the
DuplicateToken method and then using WindowsIdentity impersonate the user a... more >>
Re: Authentication Not working from 1 client
Posted by Joe Kaplan at 4/17/2008 10:42:21 AM
It sounds like there might be a problem with cookies for this one browser.
If possible, I would have the affected client install a tool like
IEHttpHeaders (www.blunck.info) and get a trace of the HTTP headers being
sent with each request. That would help determine if this particular
browser... more >>
Authentication Not working from 1 client
Posted by SpankyATL at 4/17/2008 6:37:00 AM
I have an asp.net 1.1 application running on a server on a different network.
It runs fine when clients have been accessing it. However there is 1 server
from which the forms authentication doesn't work. Basically when I try to
access the application I get directed to the login page and whe... more >>
Re: Securing a directory and its files with forms authentication
Posted by Dominick Baier at 4/17/2008 5:29:10 AM
Hi,
you have to map the file extensions you want to protect to the ASP.NET ISAPI
DLL
Go to IIS application properties and have a look to which DLL the .aspx extension
is mapped - now do the same for your docs.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More S... more >>
Re: GC.Collect() not cleaning memory, how to find out what references to lots of memory still exist?
Posted by Henning Krause [MVP - Exchange] at 4/15/2008 2:50:20 PM
Hi,
answered in public.dotnet.framework.
Please do not multipost. Do a proper crosspost instead.
Kind regards,
Henning Krause
"DR" <softwareengineer98037@yahoo.com> wrote in message
news:OFnIcD0nIHA.2292@TK2MSFTNGP03.phx.gbl...
> GC.Collect() not cleaning memory, how to find out wh... more >>
GC.Collect() not cleaning memory, how to find out what references to lots of memory still exist?
Posted by DR at 4/15/2008 2:03:29 PM
GC.Collect() not cleaning memory, how to find out what references to lots of
memory still exist?
When all my processing is done I set everything to null and then:
GC.Collect();
and then
GC.WaitForPendingFinalizers();
but it still shows that my process takes 400 MB of memory. Is there any ea... more >>
Securing a directory and its files with forms authentication
Posted by Frank at 4/15/2008 1:27:49 PM
I have a simple asp.net 2.0 application that includes two components:
- a file uploader
- a lister of files that have been uploaded
Files are word processing documents; they get stored to a "papers"
subdirectory of the application.
It would be good if both the file lister *and* the files ... more >>
Re: System.Net.Cookie vs System.Web.Cookie
Posted by Dominick Baier at 4/14/2008 7:08:21 PM
OK - this is possible.
Use your server name as a domain like "www.server.com"
if web app and service are in different vdirs / servers you also need to
sync the <machineKey /> element.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 A... more >>
Re: System.Net.Cookie vs System.Web.Cookie
Posted by william at 4/14/2008 11:47:00 AM
Hi,
Actually I'm looking for sharing authcookie between web applications and
web services. Both use Forms Authentication, and use .NET membership
framework to authenticate user.
Scenario 1. After user login to web application by providing user id and
password, create System.Net.Cookie by c... more >>
url rewriting and authentication
Posted by Ashish at 4/14/2008 9:38:53 AM
Hello All,
We have an application in which we are planning to have a virtual url
system which is completely driven by configuration files. to accomplish
this we need to receive all urls at the same directory path, and then
according to url rules write them out to different pages which m... more >>
some valid users not able to login with ActiveWindowMembershipProv
Posted by Mahavir at 4/14/2008 7:30:01 AM
For some (very less in fact) users, our forms
authentication based .NET application (using ActiveWindowMembershipProvider)
not letting them login.
When we checked we found that, the MembershipUser object returning null
for those usernames !!
Other usernames are getting validated and retur... more >>