| Groups | Blog | Home |
asp.net security : IIS/ASP.NET impersonation probelm
these counters am creating in application_start event. to create this counters i used following setting in IIS and web.config file in IIS ---> Directory security tab---> 1) checked anonymus access and integrated windows authentication 2) settings in web.config ---> <identity impersonate = "true" userName = "mycomputername\TestRam" password = "<password>" /> <authorization> <allow users="*" /> </authorization> <authentication mode="Windows" /> with the above settings its works fine, TestRam is local Admin Now with my requirement I should not use plain password in my web.config, i decided to use this thorugh IIS setting in IIS ---> Directory security tab---> 1) checked anonymus access and integrated windows authentication 2) In anonymus section, i used following account as my anonymus account mycomputername\TestRam 3) settings in web.config ---> <identity impersonate = "true" /> <authorization> <allow users="*" /> </authorization> <authentication mode="Windows" /> if i run the application i will get " Reqired registry access not allowed" when i check identity account through "Envirnoment.UserName" i will see the above account and even with "Windowsidentity.GetCurrent().name" Even I gave explicitly full control permissions to above account in following registrys 1)HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\CURRENTVERSION\Perflib 2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as ControlSet002 can anybody help me as it is due to move to my technical center Regards Ram
This is a bad approach. You really ought to install things like event log
sources and perf counters during the initial deployment of your application. Let an admin do that. Then, in your code, you just instantiate your perf counters and write to them. You can do this easily by creating some PerformanceCounterInstaller classes in your assembly and having an admin run installutil.exe on your assembly. This way, your app can run as a normally privileged user as well and you won't need to worry about hiding credentials. It is a win/win across the board. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "Ram" <Ram@discussions.microsoft.com> wrote in message news:3BC06347-3189-4A04-A5C7-27599083443E@microsoft.com... >I need to create custome performance counters for my asp.net application, > these counters am creating in application_start event. > > to create this counters i used following setting in IIS and web.config > file > > in IIS ---> Directory security tab---> > 1) checked anonymus access and integrated windows authentication > 2) settings in web.config ---> > > <identity impersonate = "true" userName = "mycomputername\TestRam" > password = "<password>" /> > > <authorization> > <allow users="*" /> > </authorization> > > <authentication mode="Windows" /> > > with the above settings its works fine, TestRam is local Admin > > Now with my requirement I should not use plain password in my web.config, > i > decided to use this thorugh IIS setting > > in IIS ---> Directory security tab---> > 1) checked anonymus access and integrated windows authentication > 2) In anonymus section, i used following account as my anonymus account > mycomputername\TestRam > 3) settings in web.config ---> > > <identity impersonate = "true" /> > > <authorization> > <allow users="*" /> > </authorization> > > <authentication mode="Windows" /> > > if i run the application i will get " Reqired registry access not > allowed" > > when i check identity account through "Envirnoment.UserName" i will see > the > above account and even with "Windowsidentity.GetCurrent().name" > > Even I gave explicitly full control permissions to above account in > following registrys > > 1)HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\CURRENTVERSION\Perflib > 2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as > ControlSet002 > > > > can anybody help me as it is due to move to my technical center > > > Regards > Ram > > >
Thanks Joe
Yes, I will use installutill to install, in the mean i found the reason why it is not doing before, i am creating counters in application_start event,at this instance still impersonation has not yet applied, still it takes ASPNET user, so i moved my logic to session_start event. it worked well. Ram [quoted text, click to view] "Joe Kaplan (MVP - ADSI)" wrote:
> This is a bad approach. You really ought to install things like event log > sources and perf counters during the initial deployment of your application. > Let an admin do that. Then, in your code, you just instantiate your perf > counters and write to them. > > You can do this easily by creating some PerformanceCounterInstaller classes > in your assembly and having an admin run installutil.exe on your assembly. > This way, your app can run as a normally privileged user as well and you > won't need to worry about hiding credentials. It is a win/win across the > board. > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "Ram" <Ram@discussions.microsoft.com> wrote in message > news:3BC06347-3189-4A04-A5C7-27599083443E@microsoft.com... > >I need to create custome performance counters for my asp.net application, > > these counters am creating in application_start event. > > > > to create this counters i used following setting in IIS and web.config > > file > > > > in IIS ---> Directory security tab---> > > 1) checked anonymus access and integrated windows authentication > > 2) settings in web.config ---> > > > > <identity impersonate = "true" userName = "mycomputername\TestRam" > > password = "<password>" /> > > > > <authorization> > > <allow users="*" /> > > </authorization> > > > > <authentication mode="Windows" /> > > > > with the above settings its works fine, TestRam is local Admin > > > > Now with my requirement I should not use plain password in my web.config, > > i > > decided to use this thorugh IIS setting > > > > in IIS ---> Directory security tab---> > > 1) checked anonymus access and integrated windows authentication > > 2) In anonymus section, i used following account as my anonymus account > > mycomputername\TestRam > > 3) settings in web.config ---> > > > > <identity impersonate = "true" /> > > > > <authorization> > > <allow users="*" /> > > </authorization> > > > > <authentication mode="Windows" /> > > > > if i run the application i will get " Reqired registry access not > > allowed" > > > > when i check identity account through "Envirnoment.UserName" i will see > > the > > above account and even with "Windowsidentity.GetCurrent().name" > > > > Even I gave explicitly full control permissions to above account in > > following registrys > > > > 1)HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\CURRENTVERSION\Perflib > > 2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as > > ControlSet002 > > > > > > > > can anybody help me as it is due to move to my technical center > > > > > > Regards > > Ram > > > > > > > >
IMO this is still a bad approach - you run your app with elevated privs...whats
wrong with pre-registering that stuff from an admin console?? --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Thanks Joe > > Yes, I will use installutill to install, in the mean i found the > reason why > it is not doing before, i am creating counters in application_start > event,at > this instance still impersonation has not yet applied, still it takes > ASPNET > user, so i moved my logic to session_start event. > it worked well. > Ram > > "Joe Kaplan (MVP - ADSI)" wrote: > >> This is a bad approach. You really ought to install things like >> event log sources and perf counters during the initial deployment of >> your application. Let an admin do that. Then, in your code, you just >> instantiate your perf counters and write to them. >> >> You can do this easily by creating some PerformanceCounterInstaller >> classes in your assembly and having an admin run installutil.exe on >> your assembly. This way, your app can run as a normally privileged >> user as well and you won't need to worry about hiding credentials. >> It is a win/win across the board. >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "Ram" <Ram@discussions.microsoft.com> wrote in message >> news:3BC06347-3189-4A04-A5C7-27599083443E@microsoft.com... >>> I need to create custome performance counters for my asp.net >>> application, these counters am creating in application_start event. >>> >>> to create this counters i used following setting in IIS and >>> web.config file >>> >>> in IIS ---> Directory security tab---> >>> 1) checked anonymus access and integrated windows authentication >>> 2) settings in web.config ---> >>> <identity impersonate = "true" userName = "mycomputername\TestRam" >>> password = "<password>" /> >>> >>> <authorization> >>> <allow users="*" /> >>> </authorization> >>> <authentication mode="Windows" /> >>> >>> with the above settings its works fine, TestRam is local Admin >>> >>> Now with my requirement I should not use plain password in my >>> web.config, >>> i >>> decided to use this thorugh IIS setting >>> in IIS ---> Directory security tab---> >>> 1) checked anonymus access and integrated windows authentication >>> 2) In anonymus section, i used following account as my anonymus >>> account >>> mycomputername\TestRam >>> 3) settings in web.config ---> >>> <identity impersonate = "true" /> >>> >>> <authorization> >>> <allow users="*" /> >>> </authorization> >>> <authentication mode="Windows" /> >>> >>> if i run the application i will get " Reqired registry access not >>> allowed" >>> >>> when i check identity account through "Envirnoment.UserName" i will >>> see >>> the >>> above account and even with "Windowsidentity.GetCurrent().name" >>> Even I gave explicitly full control permissions to above account in >>> following registrys >>> >>> 1)HKEY_LOCAL_MACHINE\SOFTWARE\MICROSFT\WINDOWSNT\CURRENTVERSION\Perf >>> lib 2) HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Service as well as >>> ControlSet002 >>> >>> can anybody help me as it is due to move to my technical center >>> >>> Regards >>> Ram
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |