Hi again, I am still struggling. Can anyone help me with a program that lists the settings of all the elements and child elements that are set in the root web.config. As I have my domain at a shared host I have no access to this file, but it still controls my application. Best regards Ola ...more >>

I thought about writing a stored procedure that will be executed through secure web page that will update the system tables. For example, something like: insert into sysusers (status, name, sid, createdate, updatedate, gid, hasdbaccess, islogin,isntname, isntgroup, isntuser, issqluser, isal...more >>

Thanks for your reply Jason, How about deleting the user profile of the MACHINE\ASPNET account? #How to delete a user profile in Windows Server 2003 http://support.microsoft.com/kb/814584 and for ASP.NET 2.0, you can use the aspnet_regiis.exe to regrant the proper permissions for it. ...more >>

Membership uses a its custom db and tables. I am not aware of such a web interface.. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > I need to manage SQL Users and their Ro...more >>

I need to manage SQL Users and their Roles using a web interface. There are no database tables with user information involved, just the SQL Server Security setting for Users and Roles. Does the membership class support this (Login control)? Where do I set the property to look at the SQL rol...more >>

Hi Jason, From your description, the Baseline Analyzer is reporting warning against the machine\ASPNET account since its internet zone setting doesn't fit the expected level. I haven't used the baseline tool much, have you checked to see whether the analyzer has any account specific customi...more >>

Thanks for your prompt and thorough reply. Yes, we are running IIS in v5 compatible mode, so we need to take the time to get our app running properly with v6. It was the non-interactive local account that caused us worries. We've corrected our other service accounts. Otherwise, the ser...more >>

Hi, I have a domain at an ISP provider and try to install an ASP.NET 2.0 application in a subdirectory. It's a wiki called ScrewTurn. I have asked my ISP to set it up according to the developers' specification, but I constantly run into problems. The subdirectory is set as an .net applicati...more >>

I'm not really sure where this should be posted as this is a Baseline Security Analyzer question but I'm hoping someone here would have come across this. I'm using MS Baseline Security Analyzer (2.0.6706.0) to check a web app on Win 2k3 we've developed with .Net but we're getting a Servere ...more >>

This is exactly what we do with out MembershipProviders i.e. return just the count or the PK matching the username and password. If the password is stored in plain text then it can be checked either in SQL or .NET code but I would prefer not returning the password from SQL. You are already ...more >>

For the server in the DMZ, you need to make sure: - It is domain joined to a domain that is part of the forest your users are from or has a trust with that forest or domain somehow - Users have rights to do network login. They usually do, but sometimes people remove the "authenticated users...more >>

I don't understand why you are calling DuplicateToken. You don't need that, do you? You also don't use the token for building the WindowsIdentity in the code below, so that is a little strange. I think the main problem is that you are using the NewCredentials logon type here. That type o...more >>

The DuplicateToken was left over from the impersonation (I orginally got it from an example I found). I changed the logon type to Network, it works great on my local box but now the LogonUser method returns false (when deployed to the server in the DMZ). Current clkLogin method - prote...more >>

You can manually call UrlAuthorizationModule.CheckUrlAccessForPrincipal and do a redirect to your login pages based on the outcome. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/998...more >>

Hi I am using VS2005 SP1 and using LogonUser() API ASP.NET 2.0 , IIS 6 . Win2003 server SP2 If LogonUser(Username, _ Domain, _ Password, _ LOGON32_LOGON_NETWORK, _ LOGON32_PROVIDER_DEFAULT, token) = True then return succe...more >>

Here's my new clkLogin method - protected void clkLogin(object sender, EventArgs e) { IntPtr iptrUserToken = IntPtr.Zero; IntPtr iptrDuplicateToken = IntPtr.Zero; try { bool bAuthenticated = LDAP.LogonUser(txtUserName.Text, GatewayAdministrationWebConfig.AuthenticationDom...more >>

Yes, exactly. You build the WindowsIdentity from the token and then just access the Groups property. If you want friendly names instead of SIDs (you probably do), then you just use the Translate method on the IdentityReferenceCollection. Do LDAP calls for this is much more complicated, sl...more >>

This seems like a waste. If you have a WindowsIdentity for the user, why not just use the Groups property on the WindowsIdentity? The data you need is already in memory at that point. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide t...more >>

Apparently I'm missing something, at what point to I have a WindowsIdentity for the user? I'm using the WindowsIdentity.Impersonate method to get a WindowsImpersonationContext, is that what you are referring to? "Joe Kaplan" wrote: > This seems like a waste. If you have a WindowsIdentity...more >>

I've got an asp.net site where it's setup to use forms authentication. I take the username and password provided and authenticate them by calling the LogonUser method (from advapi32). If that is successful I call the DuplicateToken method and then using WindowsIdentity impersonate the user a...more >>

It sounds like there might be a problem with cookies for this one browser. If possible, I would have the affected client install a tool like IEHttpHeaders (www.blunck.info) and get a trace of the HTTP headers being sent with each request. That would help determine if this particular browser...more >>

I have an asp.net 1.1 application running on a server on a different network. It runs fine when clients have been accessing it. However there is 1 server from which the forms authentication doesn't work. Basically when I try to access the application I get directed to the login page and whe...more >>

Hi, you have to map the file extensions you want to protect to the ASP.NET ISAPI DLL Go to IIS application properties and have a look to which DLL the .aspx extension is mapped - now do the same for your docs. ----- Dominick Baier (http://www.leastprivilege.com) Developing More S...more >>

Hi, answered in public.dotnet.framework. Please do not multipost. Do a proper crosspost instead. Kind regards, Henning Krause "DR" <softwareengineer98037@yahoo.com> wrote in message news:OFnIcD0nIHA.2292@TK2MSFTNGP03.phx.gbl... > GC.Collect() not cleaning memory, how to find out wh...more >>

GC.Collect() not cleaning memory, how to find out what references to lots of memory still exist? When all my processign is done i set everything to null and then: GC.Collect(); and then GC.WaitForPendingFinalizers(); but it still shows that my process takes 400 MB of memory. Is there any ea...more >>

I have a simple asp.net 2.0 application that includes two components: - a file uploader - a lister of files that have been uploaded Files are word processing documents; they get stored to a "papers" subdirectory of the application. It would be good if both the file lister *and* the files ...more >>

OK - this is possible. Use your server name as a domain like "www.server.com" if web app and service are in different vdirs / servers you also need to sync the <machineKey /> element. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 A...more >>

Hi, Acturally I'm looking for sharing authcookie between web applications and web services. Both use Forms Authentication, and use .NET memberhsip framework to authenticate user. Senario 1. After user login to web application by providing user id and password, create System.Net.Cookie by c...more >>

Hello All, We have an application in which we are planning to have a virtual url system which is completely driven by configuration files. to accomplish this we need to receive all urls at the same directory path, and then according to url rules write them out to different pages which m...more >>

For some(very less in fact) users, our forms authentication based .NET application (using ActiveWindowMembershipProvider) not letting them login. When we checked we found that, the MembershipUser object returning null for those usernames !! Other usernames are getting validated and retur...more >>