all groups > asp.net security > november 2006

web.config - encrypting details ASP .NET 1.1
Posted by Sal at 11/30/2006 7:30:00 PM
Unfortunately our organisation isn't planning to migrate to .NET 2.0 for a while and I need to tighten the security of the data (usernames/pwd/connstrings) in our *.config files. From the research I have done, a possible solution is to use DPAPI (Machine) + Isolated Storage. I was planning on ...more >>

Authentication with multiple providers?
Posted by Josh at 11/30/2006 1:24:35 PM
I'm updating some classic ASP sites. In their current form they use two datastores for authentication, a sql database for web users and AD via LDAP for internal staff. I'm looking for advice on how best to move to ASP.Net's membership and role management. Is it possible to use forms authentic...more >>

VBscript and impersonation
Posted by Jim Andersen at 11/30/2006 12:00:00 AM
I've tried to run a VBscript with elevated privileges, but with no success. My code works fine, except if I try to run it using impersonation. Has anyone made it work? Will you try it on your installation to see if it works? Shouldn't take more than a few minutes. I have used the "Imperso...more >>

ASP.NET 2.0's Membership, Roles, and Profile for different client
Posted by C# programmer at 11/29/2006 11:05:13 AM
Hi All, We are using ASP.NET 2.0's Membership, Roles, and Profile in our web application.This website is used by different clients. The application DB is at a central location and all the users for different client are stored in the same DB using the default schema of ASP.NET 2.0's Membership...more >>

Forms, Roles, and webconfig
Posted by janet at 11/28/2006 1:07:20 PM
I've got a root web and basically two subfolder applications within it. I've been trying to look at the asp.net configuration settings in IIS6. Since I need different login pages (located in different subfolders), and need two different sql servers to lookup login authentication (already establishe...more >>

Why is this an invalid password?
Posted by David Thielen at 11/27/2006 4:51:01 PM
Hi; Note: I am running this from a winforms app, not ASP.NET. My config is: private static string memberConfig = "<add name='AspNetSqlMembershipProvider' " + "connectionStringName='MembershipSqlServer' enablePasswordRetrieval='false' " + "enablePasswordReset='true' requiresQuesti...more >>

Expired Tickets - Delegation vs S4U
Posted by Nicholas Hadlee at 11/26/2006 5:55:01 PM
I was reading the article "Exploring S4U Kerberos Extensions in Windows Server 2003" and I have a question regarding the use of the Kerberos protocol in an ASP.NET application for delegation. I was thinking that perhaps using one of the Service-for (S4U2Self) protocol transitions may get arou...more >>

How to create the first user in the Membership database
Posted by David Thielen at 11/26/2006 12:01:02 PM
Hi; We have a C# Windows app for our setup program that creates the membership DB using aspnet_regsql. But we then need to create the standard roles and sysadmin user from this windows app - we are not in ASP.NET. How do we do this? It seems to me that the sysadmin user must always be cr...more >>



formsauthentication with users in different domains
Posted by galbertse NO[at]SPAM hotmail.com at 11/25/2006 2:48:30 AM
I'm developing an asp.net 2.0 (vb) web site which uses formsauthentication to active directory. The users who will access the web site are from different domains. I manage to get the authentication part working. On my second page I need to do an ldap query. For the query to work, I need the domai...more >>

Using Sql Server 2000 Username/Password/Roles with ASP.Net 2.0 ?
Posted by Luqman at 11/24/2006 1:32:16 AM
I want to use Sql Server Roles, Sql Server Logins/Passwords with ASP.Net 2.0, instead of saving One username/password in Connectionstring of Web.Config, is it possible ? Any example will be highly appreciated ? If the sql Server user has the particular role, he can access that table data...more >>

Client Certificate Authentication With HTTPS POST (.NET 2.0)
Posted by DerekJMiller1 at 11/23/2006 2:15:02 PM
We are having an issue with using a client certificate for authentication on an HTTPS POST using WebClient related classes. We are getting the certificate from the protected certificate store. This seems to work OK, but the certificate is not presented as a valid certificate to IIS at the o...more >>

Access Denied opening word within a web application
Posted by Dayne Dillon at 11/22/2006 4:32:34 PM
Hi, I have a web application that generates documents and puts the info into a word document which then should open word for you to either open it or save it. Currently I am getting an access denied error when the web app tries to open the word application. I have applied the security as recomende...more >>

Catching Security Exceptions:
Posted by Praveen at 11/22/2006 3:58:28 PM
Hi, I have code like this in one of my type's constructor: public MyConstructor() { try { AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(MyAssemblyResolver); ...... } catch (System.Security.SecurityException){} } ...more >>

ASP.NET Custom Identity bad environment !
Posted by Olivier Matrot at 11/22/2006 12:00:57 PM
Hello all, Environment : Windows 2003/ASP.NET 2.0. I have changed the process identity of an application pool to a custom identity following this link : http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000009.asp This is working partially. The worker process ...more >>

IWAM account and Act as part of the operating system right
Posted by Frank1213 at 11/22/2006 10:10:02 AM
I have used the code sample from the KB article http://support.microsoft.com/default.aspx/kb/248187 to impersonate a user from an ASP page and change the security context. The impersonation works fine on Windows 2003 and XP but fails on Windows 2000. The only way I can get impersonation to wo...more >>

How to use PKI in web service?
Posted by SlcOleg at 11/22/2006 10:07:02 AM
I need to develop a web service which will be consumed by a Java based app. For security reasons our client wants to use PKI. Is there any article or samples available to learn how to do that? Thanks, Oleg ...more >>

Access to key container made by administrator IN ASPNET 1.1
Posted by Armando Canez at 11/21/2006 6:36:46 PM
Hi... I have a huge problem... I need to create a pair of machine Key Containers using an application (with an account with administrator privileges) and then, give the aspnet (or network service) account access to use this machine keycontainer I know about the different switches in the a...more >>

How do I get a code signing certificate with a 2048-bit key?
Posted by Gary Gonzalez at 11/21/2006 5:10:02 PM
Hi, I need a code signing certificate with a 2048-bit key to deploy a Windows SxS assembly: http://msdn2.microsoft.com/en-gb/library/aa374228.aspx And it also says for Vista best practices to use a cert with a 2048 bit key: http://msdn.microsoft.com/library/default.asp?url=/library/en-...more >>

Please help Passing Credentials
Posted by JOS at 11/21/2006 11:38:15 AM
Hi, I am having problems passing Windows credentials to a HTTPRequest object using ASP.NET 1.1 Here is my set up Server 1 * ASP.NET 1.1 application * Integrated Authentication Security * <identity impersonate = true> Server 2 * ASP Page * Integrated Authentication Security I am crea...more >>

Windows Integrated Authentication not working
Posted by ASPSQL66 at 11/21/2006 11:14:29 AM
Greetings, I am attempting to set up my intranet application with Windows Integrated Authentication. I will provide the specifics below, but essentially my problem is that whenever users attempt to pull up my site, they are being prompted for credentials. The site is being hosted on a Win...more >>

making permissions optional
Posted by David Thielen at 11/20/2006 9:31:03 AM
Hi; I have the following method: public static InputStream loadResource(String filename, int location) throws IOException { if ((filename == null) || (filename.length() == 0)) return null; if ((location & (THREAD | APP_CLASS | SYSTEM_CLASS)) != 0) { System.IO.Stream str...more >>

Why is this method requesting these permissions?
Posted by David Thielen at 11/20/2006 8:48:02 AM
I have a class BeanResult which inherits from Object (ie no declared parent class) and it does not have a ToString method so that inherits from Object. One note, this is a J# class, not a C# one. PermCalc gives the following listing which shows a permission request from ToString which means...more >>

login control .net 2.0
Posted by sri_san NO[at]SPAM mailcity.com at 11/20/2006 7:59:38 AM
Hello group, I am trying to use the login control with authentication to be done from web.config (user/pass in config). My understanding abt the control is that the authentication can happen against a database or AD. Is that true? Any pointers to resolve the issue would be gre...more >>

how to use <authorization>
Posted by Julia at 11/20/2006 7:28:02 AM
Hi I have an asp.net application. I would like to allow users in a group on my computer (I also have the IIS on the same computer) to enter the application. So I created a new group named MyGroup. And I added these rows in the config file: <authentication mode="Windows" /> <authorizat...more >>

deploy authentication 'forms'
Posted by Pablo Duart at 11/20/2006 12:00:00 AM
good morning after many attempts I'm unable to deploy a site with the authentication mode 'forms' I have a site with a sqlserver 2005 database called "test.mdf" that contains the data the security is handled by the usual "ASPNETDB.MDF" that contains the roles, user ... all the access/se...more >>

Create User Login/Password with wobbly drawing
Posted by Adriano at 11/18/2006 2:43:04 PM
Hi, I wish to create a user/password for a Web site. But I wish to gather users' details by first emailing them a link to a web page they complete along with a wobbly drawing of a code. This appears fairly commonplace in E Commerce, but is there a tool/feature/application available to d...more >>

Is asp.net safe?
Posted by ad at 11/17/2006 12:00:00 AM
I use VS2005 to develop web application. The Web application will install in a Windows XP. Some customers doubt the safety of Asp.net. Are there some reports about the safety of OS or database or development tools? ...more >>

WindowsIdentity, Membership/Role, or ???
Posted by David Thielen at 11/16/2006 5:10:01 PM
Hi; How can I tell at runtime if my app is configured to use Windows Identity, ASP Membership/Roles, or another authentication/authorization method. We support the first 2 and should work with outer systems if web.config is set up right. I have a test page where I want to display what is b...more >>

Locking down CAS policy
Posted by Jason at 11/16/2006 9:10:02 AM
I'm trying to lock down our company's CAS policy by using only Strong Name membership conditions. I've copied over our intranet to a development server and removed all code groups except for one. It is all code using the nothing permission set. I have three child code groups, the two defau...more >>

WindowsImpersonationContext and DirectoryServices
Posted by danycloutier NO[at]SPAM gmail.com at 11/16/2006 7:54:34 AM
Hi everybody, I'm developing an application where I have to read information in the Active Directory (windows 2000). I have to impersonate my calls with specific users to have access to different parts of the AD. I impersonate the user with the code below (I get token via the function Logon...more >>

IIS Authentication Methods
Posted by amsical at 11/15/2006 11:19:01 PM
Hi All, In IIS, One can set Authentication method for accessing a website. (Virtual folder -> Properties -> Directory Security -> Anonymous access and authentication control -> Edit -> Authentication Methods). On Authentication Methods form, there are following four checkboxes: 1. Anonymo...more >>

WindowsPrincipal is incorrect after AD account rename
Posted by lgalusha at 11/15/2006 12:26:25 PM
Our environment is - we use Visual Studio 2005, Dotnet 2.0, VB to create a web application which we run on IIS 6. Our Web.config file has the following set: <authentication mode="Windows" /> <identity impersonate="true"/> We are using MyPrincipal = New WindowsPrincipal(Curren...more >>

How do I tell who my ASP.NET app is running as?
Posted by David Thielen at 11/15/2006 11:53:01 AM
I am getting this error - but I don't know what user to give rights to this directory to - and I think the user that needs it - has it. [UnauthorizedAccessException: Access to the path 'C:\WINDOWS\System32\LogFiles\WindwardPortal\PortalAudit.xml' is denied.] System.IO.__Error.WinIOError(...more >>

problem with trusted connection (asp.net)
Posted by Mad Scientist Jr at 11/14/2006 4:33:12 PM
I am getting the following error when trying to access a database with a trusted connection: "Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection." My connection string is: "Server=MyServer; Database=MyCatalog; Trusted_Connection=True;" N...more >>

Active Directory SSL
Posted by Chris Davoli at 11/14/2006 11:04:02 AM
Can somebody tell me how to authenticate USING SSL against an active directory server? The below code works without SSL, but how do I get it to work using SSL certificate and port 636? I'm assuming that the URL needs to be changed to LDAPS://XX.XXX.X.XX:636/dc=XXXXXX,dc=XXXXX where LDAPS and P...more >>

Minimum Permissions Required to Run ASP.NET
Posted by corey.burnett NO[at]SPAM gmail.com at 11/14/2006 10:38:04 AM
I have a web server running IIS 6. The network security team here has completely locked down the server. They have installed an application called Cisco Security Agent (CSA). What CSA does is deny or allow access to certain files and folders. Currently they have it set up very restrictively ...more >>

programmatically login using LDAP and impersonation
Posted by bob at 11/13/2006 1:39:54 PM
I'm on a network system that has some pretty strict policies that I can not change. My criteria is to use forms login for extranet users, against a sql server database and impersonate an account that is on an intranet Active Directory. Saying it a different way, I need to impersonate an intranet...more >>

Making all theme files availble before authentication
Posted by David Thielen at 11/12/2006 11:29:02 AM
Hi; My login page uses css and gif files from the theme. Since the user can change the theme in the web.config file, is there a way to say any file (or preferably any .css, .gif, or .jpg file) anywhere under App_Themes can be read by un-authenticated users? Otherwise if a sysadmin change...more >>

impersonation problem
Posted by ulrik NO[at]SPAM pragmasoft.dk at 11/10/2006 7:44:38 AM
I want to save a file to another computer (via an UNC / mapped network drive) from an ASP.NET 1.1 application running on win xp iis 6.0. I have created an ASPNET account on the remote machine and given this account permissions to write to the folder and I'm able to write the file if I have the f...more >>

PostAuthenticateRequest called on no user
Posted by David Thielen at 11/9/2006 1:22:01 PM
Hi; I have a situation where I go to access my app running on IIS on Win2003. In Global.asax I have Application_PostAuthenticateRequest and that is called when HttpContext.Current.User is null. Subsequent to that I get prompted to enter my uname/password by IE so it does make sense that ...more >>

Windows authentication - get prompted
Posted by David Thielen at 11/9/2006 1:16:02 PM
Hi; I have my ASP.NET app set to use Windows authentication. When running from VS 2005 using the integrated webserver, the website knows who I am and I have zero signon. But when I copy the website to IIS on Win2003 it pops up the dialog box asking me to sign in. I enter my domain\userna...more >>

2.0: newbie: anonymous access and IUSR_ account
Posted by R.A.M. at 11/8/2006 8:43:28 PM
Hello, I am learning .NET 2.0 and I have a question - could anyone explain to me the following sentence from the ASP.NET eBook: "The default method of access to a Web application is anonymous access. Anonymous users are granted access through the Windows IUSER_machinename user account." I don't...more >>

Limiting num users - Windows Identity
Posted by David Thielen at 11/8/2006 4:09:02 PM
Hi; Well I have this mostly working now - limiting my ASP.NET app to only x users when under WindowsIdentity. I can't use HttpApplication.BeginRequest because if the user removes: <httpModules> <add type="FormattingHandler" name="FormattingHandler" /> </httpModules> from Web.Config - t...more >>

How do I tell what authentication method is being used?
Posted by David Thielen at 11/8/2006 3:11:02 PM
Specifically, how do I tell if it's windows authentication/groups vs a MembershipUser/RoleProvider? The best I have come up with is if (HttpContext.Current.User.Identity is WindowsIdentity) -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http...more >>

Using forms authentication and ASPNetWindowsTokenRoleProvider
Posted by danycloutier NO[at]SPAM gmail.com at 11/7/2006 12:12:22 PM
Hi everybody, I'm developing a secure web application which will be used over the internet by users registered on the active directory of the company. I want to know if it's possible to authenticate a user with his windows credentials and generate a Windows Token to be able to use the ASPNetWind...more >>

Error 1314: A required privilege is not held by the client
Posted by itmanager at 11/7/2006 10:13:02 AM
We have an ASP.NET (1.1) app running on a Windows 2003 server using IIS 6. Part of the application accesses printer resources on the server using a service application. When the service runs under the Local System account, there is no problem with printing, but when we change the Log On ac...more >>

How to catch message before it's sent to the Web Service
Posted by navyliu at 11/7/2006 12:00:00 AM
Hi everyone. I want to catch a message before it's sent to the Web Service. Just like WSE 3.0 customer UserNameTokenManager does. If I can do this, I can implement some functions in my framework. For example, I can plug-in a customer security add-in in IIS. I'll appreciate it if you can provide...more >>

Trying to run in partial trust (getting a PolicyException)
Posted by David Thielen at 11/6/2006 8:15:02 AM
Hi; I am trying to run in partial trust and it will not load my assembly. Can anyone point me at what the problem is here? Our code is 100% managed code, strongly named & signed, and I don't think we require any permissions that would cause a problem. Required permissions cannot be acqui...more >>

RoleProvider for AD Group membership
Posted by Olivier Matrot at 11/6/2006 12:00:00 AM
Hello, I'm in the process of writing my own Active Directory RoleProvider to be able to check if a user is member of a given group. But maybe it already exists somewhere in the community? I do not want to use AzMan. Basically, it should provide the same functionality as the WindowsTokenRole...more >>

Issue with X509Certificate2 (works with Cassini, fails with IIS)
Posted by dpomt at 11/5/2006 6:31:03 AM
Hello, I have an issue with X509Certificate2 constructor. --------- FileStream fs = File.Open(m_strCertLocation, FileMode.Open, FileAccess.Read); byte[] buffer = new byte[fs.Length]; int count = fs.Read(buffer, 0, buffer.Length); fs.Close(); X509Certificate2 cert = new X5...more >>

