all groups > asp.net security > january 2004


Major ASP.Net Security Issue?
Posted by Keith at 1/31/2004 8:37:34 PM
I have found what I believe to be a serious security issue in ASP.Net. If you have: 1. Your website configured for anonymous access 2. Elect under web.config to set the sessionstate attribute of cookieless to true Anyone from any IP address or across another browser can copy the URL an...more >>


ADAM authentication
Posted by Bill Belliveau at 1/30/2004 4:31:09 PM
I've been kicking around ADAM on a 2003 server for a couple of days and after getting the major classes in the schema and making a few objects, now I'm ready to programmatically test it. I am able to use the LDP tool locally or remotely to logon as a Windows Identity (admin) or as an ADAM user. I h...more >>

Illegal to mix Authentication methods ?
Posted by mklapp at 1/30/2004 1:01:07 PM
Hello, I have a Web Service, a Winform client and a web Application. The Web App and the WinForm Client use the same Web Service (or such is the plan). The WinForm Client and the Webservice work together using Integrated Windows Authentication and works well. The nature of the Web...more >>

Forms-based authentication expires before timeout
Posted by Anders Lybecker at 1/29/2004 3:44:21 PM
Hi, I'm having a problem with the forms-based authentication. The user is getting timed out long before the timeout period has passed. The forms-based authentication timeout is set to 10 hours and session timeout to 2 hours. Has anyone experienced the same problems? I'm running fr...more >>

ldap or active directory
Posted by Mike at 1/29/2004 2:41:31 PM
In my current asp.net application i'm getting the user network short name and displaying that on the screen. What I want is the user's Full name and display that instead. How can i go about doing that, would I use LDAP or Active directory to do that? I never had to do this and not sure how to d...more >>

sqlserver database suspect
Posted by Selen at 1/29/2004 11:43:48 AM
Hello, I am using xp and my user was deleted. I create new user. But now my database seems suspect. How can I get back my database? Thanks.. ...more >>

Using ASPNET_SETREG.exe
Posted by HBrothers at 1/29/2004 11:36:08 AM
Can this utility be used for an impersonated user in Web.Config? I've used it to create the appropriate userName and password keys in the registry and put the settings in Web.Config like this: <identity impersonate="true" userName="registry:HKLM\SOFTWARE\...\ASPNET_SETREG,userName" ...more >>

Login-Validating(ASP.NET) against a DB
Posted by Naijaacoder at 1/29/2004 11:03:18 AM
I'm looking for an ASP.NET(login page) that validates against a database. And after successful logon ..PRINT the USERS name on the Page(Session)!! Can anybody help? ___ Newsgroups brought to you courtesy of www.dotnetjohn.com...more >>



What is the purpose of FormsAuthentication.SignOut()?
Posted by Ali at 1/29/2004 7:57:27 AM
MSDN documentation says: Removes the authentication ticket. That's it. Where does it remove the authentication ticket from (server / client?). Please help. Ali ...more >>

HttpWebRequest and 401
Posted by linuxlivz NO[at]SPAM yahoo.com at 1/29/2004 6:35:21 AM
Hello All Here is what I am attempting to do: I have a NTLM protected site. There are some users who are not part of the domain (visitors) get challenged with a Pop up dialog box prompting for a user id, pwd and domain. In order to overcome this, I have setup an anonymous site (open to all)...more >>

Kerberos Delegation
Posted by ecy1 NO[at]SPAM bezeqint.net at 1/29/2004 4:16:17 AM
Hi I would like to know if Kerberos Delegation is possible in a multi Hop scenario. For example: Is the following scenario possible? A Client C Transfer its {TGT} to server "S" for Delegation, Server S will FORWARD this {TGT} to server T for delegation again, (Second Hop). Server T wi...more >>

Change user's group in ASP.NET
Posted by mamil NO[at]SPAM bezeqint.net at 1/29/2004 4:12:43 AM
Hi Guys. I need a way to change a user's group in the OS. Unfortunately, I don't have Active Directory, so I won't be able to use it. I've searched through the docs, but couldn't find any way of doing so. I believe a task like this will require high permissions for the IIS and ASPNET users, b...more >>

Web Service that calls an external Web Service
Posted by Isaias Formacio Serna at 1/28/2004 3:57:01 PM
Hi, I developed and installed a Web Service on a Windows Server 2003, the web service works fine on any Windows XP Workstation but not on the server, I keep getting this exception: System.Security.SecurityException: Request for the permission of type System.Net.WebPermission, System, Version=1...more >>

Performance problem when deploying
Posted by Mans at 1/28/2004 3:31:41 PM
Hi, We have a quite simple asp.net application that works fine on my XP development box. When we deploy it to a Windows 2003 Server performance is really poor when rendering pages. When I turn tracing on it shows that it takes more than 15 seconds between "Begin Render" and "End Render". All a...more >>

Security Exploit (FormsAuthentication.SignOut()) Does not Work
Posted by Ali at 1/28/2004 2:38:44 PM
Our security people have been able to copy and use the FormsAuthentication cookie. Our Authentication cookie is based on an encrypted ticket and we use FormsAuthentication.SignOut() when users log out or kill their session, but apparently the secure ticket does not get removed from the server by ...more >>

Question about windows integrated security
Posted by NWx at 1/28/2004 12:55:05 PM
Hi, I developed a small test app using ASP.NET. I left the virtual folder to be accessible only with windows integrated security. I try to access that app from another PC in my LAN. I don't have a domain controller, the lan works with Workgroup. When I access that page, I get a user login d...more >>

DirectoryEntry Impersonate or WindowsIdentity Impersonate?
Posted by Bill Belliveau at 1/27/2004 4:21:06 PM
Another security question. Our project interfaces with the Active Directory. To satisfy the security issues, we have a couple options when we talk to the Directory. 1. Use the WindowsIdentity to impersonate the current user either by impersonating the User.Identity where available or by using U...more >>

word access right
Posted by selen at 1/27/2004 3:33:29 PM
Hello, My problem is that: I want to open a word document and writing something in it then save it. But it gives me granting access error and says that: To grant ASP.NET write access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the ...more >>

Re: FormsAuthentication using xml file
Posted by smita at 1/27/2004 1:34:42 PM
Hi Andrea, Thanx for the link to the article ...It was really useful...but again i have a question which remains unanswered...Please can u help me with that.. If my user is authenticated the FormsAuthentication.RedirectFromLoginPage() takes me to default.aspx...but what i want is if the...more >>

Form authentication, what about normal login?
Posted by easyhenry NO[at]SPAM yahoo.com at 1/27/2004 2:53:01 AM
Hello, Let's assume we have setup form-based authentication in a website. And the front page of this website is a login page with some welcome message. A user types in URL and request this front page. But the IIS cannot find AUTH cookie for this user, so it redirects the user to the login page,...more >>

Impersonate doesnt pass to separate sql server
Posted by William Newsom at 1/26/2004 5:00:00 PM
I have a similar problem i have set up a 1 sql server 1 web server 1 client and cannot pass through my identity turned on impersonate in webconfig only NT auth is on for IIS turned on trust delegation on the www server sql has the domain users setup on db dont know whats going on EVERY NEW...more >>

Framework v1.1 & LogonUser workaround
Posted by Bill Belliveau at 1/26/2004 3:01:07 PM
Greetings I am working on a project that can be configured to use Windows or Forms authentication. Occasionally the process may need to impersonate the calling user Using Windows Authentication was fairly easy -- ms code snippet - System.Security.Principal.WindowsImpersonationContext impersona...more >>

Problem with AspNetHostingPermissionLevel
Posted by Antti at 1/26/2004 1:30:05 PM
Hi, Does anybody know the actual meaning of AspNetHostingPermissionLevel enumeration members? All I've been able to find out is accepted value names and their numeric counterparts. But what is the effect of a particular value? E.g. What is the difference between these two permissions: <IPe...more >>

Network Credentials not passing in Authentication mode
Posted by steve.cimino NO[at]SPAM ticketmaster.com at 1/26/2004 9:11:58 AM
All -- I've set up a directory where I simply want to know the person's name when he comes into the directory. I've set up the following: * Uncheck allow anon in IIS * Uncheck basic authentication * Check 'Use windows authentication' My web.config file looks as follows: <configuratio...more >>

Authenticating against Novell.
Posted by Christian Boult at 1/25/2004 8:10:15 PM
Anybody has any idea on how I could authenticate against Novell NDS with a functionality like Windows Authentication. Let me explain. Clients on Windows network don't need to enter their username/password to authenticate. In IIS allow anonymous = false and Windows authentication is set to on, s...more >>

Where to store your salt
Posted by Edgar Sánchez at 1/23/2004 10:41:26 PM
Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for hashing passwords with salt, I see that the salt is stored in the same table as the hashed password. The idea of using salt is to make a dictionary attack harder but if we store the salt close to the hashed password then t...more >>

.NET HttpModule & NTLM Integrated Authentication
Posted by Rob Mayo at 1/23/2004 6:45:07 PM
What I'm trying to do is Create an ASP.Net app that has both Windows-authenticated users and Anonymous users. The idea is this: When authenticated users attempt to access the site, their credentials are passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER server variable to...more >>

Can Multiple webapplication - use same session ?
Posted by Gopal Prabhakaran at 1/23/2004 1:31:18 PM
Dear all, Pls help me to do : How to share [same]session value between 2 different webapplication I am using sqlserver to store session Both the web application running in same web server Pls help asap Million of thanx in advance Thanx Gopal Prabhakaran ...more >>

Can I pass ASP Basic Auth Credentials to an ASP.NET Forms Authentication site?
Posted by Douglas J. Badin at 1/23/2004 10:30:56 AM
I am converting an ASP Website running Windows NT 4.0 to ASP.NET running Windows 2000 on a different computer across the Internet. During this process, both will be active and available to users. The ASP site A uses Basic Authentication and has the user enter a UserID and Password that are Aut...more >>

Forms Authentication using Xml File
Posted by smita at 1/22/2004 6:22:41 PM
Hi, May I know how can I use Forms Authentication without storing my credentials information in web.Config but in some other Xml file of my own . Since I am creating users at runtime I need to store username and passwords in a different xml file which i need to use to authenticate the users...more >>

ASP and ASP.NET authentication
Posted by Richter Belmont at 1/22/2004 5:31:05 PM
Is it possible to have an ASP and ASP.NET application share the same login page and have the security credentials carry throughout both sites? If so, how? Thank you....more >>

Forms Authentication Problem
Posted by smita at 1/22/2004 4:47:09 PM
Hi, May I know how can I use Forms Authentication without storing my credentials information in web.Config but in some other Xml file of my own . Since I am creating users at runtime I need to store username and passwords in a different xml file which i need to use to authenticate the users...more >>

local disc access via internet browser
Posted by ool at 1/22/2004 12:10:13 PM
I have to write asp application that will be read/write and open file on local disc via Internet Browser. I know that such operation is highly restricted, so how can I ask a user for allowing browser to disc access? Tomasz ...more >>

Obtaining Application Pool Identity in Impersonation Mode
Posted by Adam Roe at 1/21/2004 11:31:20 PM
I have an ASP.Net application running on IIS 6.0 that is configured to impersonate the identity of the user who is accessing the page. I am wanting to have code that runs as the identity of the application pool for which this website runs as. is there a way to do this in code? ...more >>

Problem with web.config access-restricted subdirectory
Posted by David.Pyper NO[at]SPAM MUHC.McGill.CA at 1/21/2004 1:00:56 PM
Hi, I have a problem with web.config unsuccessfully controlling access to a subdirectory. I'm using VS03 and IIS5.0 on NT2K. I have been able to reproduce this behaviour on two machines (the 2nd being a WXP machine) and both times I'm having the same result. I created a simplified example...more >>

Running an assembly in different User
Posted by NMN at 1/21/2004 12:16:08 PM
Hi All I have an asp.net Application. It calls an assembly which copies a file from one location say c:\temp to another directory say c:\temp1. I created an assembly to do this where i did not have any problems after giving the ASPNet User write access to that destination folder c:\temp1. We f...more >>

SQL Injection
Posted by A.M at 1/21/2004 10:27:38 AM
Hi, I have to check all textboxes in my web application for SQL injection. Is there any ready product that detect SQL injection patterns? A regular expression also would be helpful. Any help would be appreciated, Ali ...more >>

LOGIN FAILED for USER xxx\ASPNET
Posted by Steve Caliendo at 1/21/2004 10:11:48 AM
Hi, I can generate a dataset just fine in design mode using a SQL server that's on my computer, but when I launch it, the ASPNET user can't access my database. I've made the ASPNET user on my computer be an administrator, but that didn't work. What do I need to change to allow this user to a...more >>

How to CHANGE the Credentials for a web service proxy when using CredentialCache ?
Posted by Liviu Olaru at 1/21/2004 9:45:58 AM
Hi I'm trying to invoke a Web Service which is using BASIC authentication. Code for invoking: CredentialCache cc = new CredentialCache(); //the network credential used to authenticate client NetworkCredential networkCred = new NetworkCredential("USERNAME", "PASSWORD"); ...more >>

Passport Requirements
Posted by Daniele at 1/21/2004 7:41:06 AM
Hi, I have to develop a website demo using .Net Passport service. I'm wondering about this requirements: -Shall I have to install SSL server? -Should the computer be outside the firewall?Even if the website is an "internal" application...? Thanks Daniele...more >>

connecting to sql server with windows authentication
Posted by Mark at 1/20/2004 3:13:34 PM
I'm confounded how difficult it is to setup a connection from an ASP.NET application to SQL Server on a different machine in the same windows domain using windows authentication. My research has found the following options: 1. Use delegation to leverage the current user's account. 2. Replace t...more >>

Authentication
Posted by ASP.Net User at 1/20/2004 1:21:06 PM
I am using forms authentication. My application has frames [some of them are 20 pixels height]. When session times out and user clicks in one of these tiny frames, login page is loaded in this tiny frame but not visible Is there a way to send the top most parent's url as ReturnUrl instead of the t...more >>

Redirect Session Timeout
Posted by Marcus Olsson at 1/20/2004 2:26:06 AM
Hi! When my ASP.NET app timeout I want it to redirect to a page that tells the user that they are timed out. I don't want them to just end up at the default Login page just like that. In web.config I can set loginUrl to a certain URL. If there is a timeout, that page is used. Q: Is that login...more >>

Need to handle multiple types of authentication, need help
Posted by Mike at 1/19/2004 8:45:24 PM
I've got an ASP.NET project that i need to support multiple types of login authentication. I've tried initially to create a login system where you are presented with an Account / Password page and then also a link that would allow them to say "Use my Windows NT account". The forms authenticatio...more >>

Forms Authentication to specific folders
Posted by Michael Tissington at 1/19/2004 2:24:12 PM
I have a web application that is using Forms Authentication (with users/passwords stored in a database) and for the most part it is working. I have a web page with links on it to files of different types (exe, zip, pdf) When the user clicks on one of these links I'd like them to have to log ...more >>

"Could not find a part of the path…" error on IIS 6.0
Posted by darrienhess NO[at]SPAM yahoo.com at 1/19/2004 4:59:24 AM
I have an ASP.NET web application running on a load-balanced Windows Server 2003 web farm running IIS 6.0, using Active Directory authentication. I'm trying to programmatically create a new directory on a different server in the same domain. Before we switched to 2003, I was able to simply cha...more >>

FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller
Posted by billkellaway NO[at]SPAM hotmail.com at 1/19/2004 1:01:07 AM
Hello there people As taken from the KB ... After you install Microsoft Visual Studio .NET or the Microsoft .NET Framework on a domain controller or on a backup domain controller, if you try to run an ASP.NET application, the browser displays the following error message: Server Applicatio...more >>

ASP.Net Forms authentication with basic authentication popup
Posted by brett.porter NO[at]SPAM strikedesigns.co.uk at 1/19/2004 1:00:26 AM
Relatively new to ASP.Net but have a strange problem. My site uses forms authentication for a large administration section however after the user logs in each page they subsequently click on brings up a basic authentication dialogue box. Clicking cancel will still allow the user to view the pa...more >>

Access is Denied error using Process.GetProcesses()
Posted by esemmelman NO[at]SPAM afgweb.com at 1/18/2004 10:41:12 PM
I am sure this has been covered as I am just now "sinking" into asp.net. I am getting an "Access Denied" error when the following code tries to execute: Dim myProcesses() As Process Dim myProcess As Process myProcesses = Process.GetProcesses() 'This line FAILS! I am using a local machine...more >>

DB Connection String
Posted by A.M at 1/18/2004 8:06:31 PM
Hi, I need to store the database connection string inside web.config file. What would be the best way to encrypt and decrypt it? Thanks, Ali ...more >>

