| Groups | Blog | Home |
dotnet security : help on caller credentials !! :-(
I start to loose my hairs. Hoep someone could help me to recover..:-) I have build a remote object hosted in a Windows Service runing as LocalService. I have then a claient application which calling that remote object and based on the caller credential I shouzld authorise hit or not to access to back end database. The situation is as follow : My client is running as BOB. BOB is calling the remote object for data storage. What I try to do is retriveing the caller credential from my remote object in order to athauticated for further process. The problem is that when I check the wndows identity on my server side, it return the context on which my service is running and not my caller's context. MY server config file is as follow : <channels> <!--<channel ref="tcp" port="8090" useDefaultCredentials="False">--> <channel ref="tcp" port="8090" secure="True" impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> <serverProviders> <formatter ref="binary" typeFilterLevel="Full"/> </serverProviders> </channel> </channels> Note that I am using .NEt 2.0 Thnaks again for your help ( I am fighting for a full week now on this grrr :-() regards
By setting the Network Service instead of local, I will defintly be able to
reveive BOB under my Identity object ? hmmmm Looks so simple, I will give a try.. thnaks serge [quoted text, click to view] "Joe Kaplan" wrote:
> You shouldn't run as local service. You should run as Network Service > instead, as that will allow the service to access the network and > participate in domain-based authentication. > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "calderara" <calderara@discussions.microsoft.com> wrote in message > news:551CC5DF-DF28-403E-A30C-A55CD8A2C520@microsoft.com... > > Dear all, > > > > I start to loose my hairs. Hoep someone could help me to recover..:-) > > I have build a remote object hosted in a Windows Service runing as > > LocalService. > > I have then a claient application which calling that remote object and > > based > > on the caller credential I shouzld authorise hit or not to access to back > > end > > database. > > > > The situation is as follow : > > My client is running as BOB. BOB is calling the remote object for data > > storage. What I try to do is retriveing the caller credential from my > > remote > > object in order to athauticated for further process. The problem is that > > when > > I check the wndows identity on my server side, it return the context on > > which > > my service is running and not my caller's context. > > > > MY server config file is as follow : > > > > <channels> > > <!--<channel ref="tcp" port="8090" > > useDefaultCredentials="False">--> > > <channel ref="tcp" port="8090" secure="True" > > impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> > > <serverProviders> > > <formatter ref="binary" typeFilterLevel="Full"/> > > </serverProviders> > > </channel> > > </channels> > > > > Note that I am using .NEt 2.0 > > > > Thnaks again for your help ( I am fighting for a full week now on this > > grrr > > :-() > > regards > > serge > >
You shouldn't run as local service. You should run as Network Service
instead, as that will allow the service to access the network and participate in domain-based authentication. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "calderara" <calderara@discussions.microsoft.com> wrote in message news:551CC5DF-DF28-403E-A30C-A55CD8A2C520@microsoft.com... > Dear all, > > I start to loose my hairs. Hoep someone could help me to recover..:-) > I have build a remote object hosted in a Windows Service runing as > LocalService. > I have then a claient application which calling that remote object and > based > on the caller credential I shouzld authorise hit or not to access to back > end > database. > > The situation is as follow : > My client is running as BOB. BOB is calling the remote object for data > storage. What I try to do is retriveing the caller credential from my > remote > object in order to athauticated for further process. The problem is that > when > I check the wndows identity on my server side, it return the context on > which > my service is running and not my caller's context. > > MY server config file is as follow : > > <channels> > <!--<channel ref="tcp" port="8090" > useDefaultCredentials="False">--> > <channel ref="tcp" port="8090" secure="True" > impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> > <serverProviders> > <formatter ref="binary" typeFilterLevel="Full"/> > </serverProviders> > </channel> > </channels> > > Note that I am using .NEt 2.0 > > Thnaks again for your help ( I am fighting for a full week now on this > grrr > :-() > regards > serge
I'm not certain that will solve all of your issues, but I'm pretty sure that
is a necessary step. In order to get Kerberos-based authentication, you'll likely need to do more than that, but I'm not sure. I'm also not sure if you need Kerberos or if NTLM will suffice. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "calderara" <calderara@discussions.microsoft.com> wrote in message news:8DA93168-6DA7-40E1-A6E7-1C1AF2AD223A@microsoft.com... > By setting the Network Service instead of local, I will defintly be able > to > reveive BOB under my Identity object ? hmmmm > Looks so simple, I will give a try.. > > thnaks > serge > > "Joe Kaplan" wrote: > >> You shouldn't run as local service. You should run as Network Service >> instead, as that will allow the service to access the network and >> participate in domain-based authentication. >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "calderara" <calderara@discussions.microsoft.com> wrote in message >> news:551CC5DF-DF28-403E-A30C-A55CD8A2C520@microsoft.com... >> > Dear all, >> > >> > I start to loose my hairs. Hoep someone could help me to recover..:-) >> > I have build a remote object hosted in a Windows Service runing as >> > LocalService. >> > I have then a claient application which calling that remote object and >> > based >> > on the caller credential I shouzld authorise hit or not to access to >> > back >> > end >> > database. >> > >> > The situation is as follow : >> > My client is running as BOB. BOB is calling the remote object for data >> > storage. What I try to do is retriveing the caller credential from my >> > remote >> > object in order to athauticated for further process. The problem is >> > that >> > when >> > I check the wndows identity on my server side, it return the context on >> > which >> > my service is running and not my caller's context. >> > >> > MY server config file is as follow : >> > >> > <channels> >> > <!--<channel ref="tcp" port="8090" >> > useDefaultCredentials="False">--> >> > <channel ref="tcp" port="8090" secure="True" >> > impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> >> > <serverProviders> >> > <formatter ref="binary" typeFilterLevel="Full"/> >> > </serverProviders> >> > </channel> >> > </channels> >> > >> > Note that I am using .NEt 2.0 >> > >> > Thnaks again for your help ( I am fighting for a full week now on this >> > grrr >> > :-() >> > regards >> > serge >> >> >>
hi dominick,
thanks for those points I will give a try. By the way concerning those sample I download did you see my last mesage based on the excfeption I get ? Could not make it run :-( regard serge [quoted text, click to view] "Dominick Baier" wrote:
> several things.. > > a) as Joe pointed out - switch to Network Service > b) you get the client identity from Thread.CurrentPrincipal > c) if you want to delegate the token to a backend service you need an impersonationLevel="Delegation" > d) you additionally need impersonate="true" in your config file, you you > wanto to use the auto impersonation feature > > > very much like the sample you downloaded ;) > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > > > Dear all, > > > > I start to loose my hairs. Hoep someone could help me to recover..:-) > > I have build a remote object hosted in a Windows Service runing as > > LocalService. > > I have then a claient application which calling that remote object and > > based > > on the caller credential I shouzld authorise hit or not to access to > > back end > > database. > > The situation is as follow : > > My client is running as BOB. BOB is calling the remote object for data > > storage. What I try to do is retriveing the caller credential from my > > remote > > object in order to athauticated for further process. The problem is > > that when > > I check the wndows identity on my server side, it return the context > > on which > > my service is running and not my caller's context. > > MY server config file is as follow : > > > > <channels> > > <!--<channel ref="tcp" port="8090" > > useDefaultCredentials="False">--> > > <channel ref="tcp" port="8090" secure="True" > > impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> > > <serverProviders> > > <formatter ref="binary" typeFilterLevel="Full"/> > > </serverProviders> > > </channel> > > </channels> > > Note that I am using .NEt 2.0 > > > > Thnaks again for your help ( I am fighting for a full week now on this > > grrr > > :-() > > regards > > serge > >
several things..
a) as Joe pointed out - switch to Network Service b) you get the client identity from Thread.CurrentPrincipal c) if you want to delegate the token to a backend service you need an impersonationLevel="Delegation" d) you additionally need impersonate="true" in your config file, you you wanto to use the auto impersonation feature very much like the sample you downloaded ;) ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Dear all, > > I start to loose my hairs. Hoep someone could help me to recover..:-) > I have build a remote object hosted in a Windows Service runing as > LocalService. > I have then a claient application which calling that remote object and > based > on the caller credential I shouzld authorise hit or not to access to > back end > database. > The situation is as follow : > My client is running as BOB. BOB is calling the remote object for data > storage. What I try to do is retriveing the caller credential from my > remote > object in order to athauticated for further process. The problem is > that when > I check the wndows identity on my server side, it return the context > on which > my service is running and not my caller's context. > MY server config file is as follow : > > <channels> > <!--<channel ref="tcp" port="8090" > useDefaultCredentials="False">--> > <channel ref="tcp" port="8090" secure="True" > impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> > <serverProviders> > <formatter ref="binary" typeFilterLevel="Full"/> > </serverProviders> > </channel> > </channels> > Note that I am using .NEt 2.0 > > Thnaks again for your help ( I am fighting for a full week now on this > grrr > :-() > regards > serge
hello dominick,
here are few test I have made. I hate things when I am not 100% undersatnd what is going on. I am runing my client application under user BOB on an Windows 2000 machine Then my server component is hosted in a windows service runnning on Vista machine. So far so good. First test BOB is nnot existing at all under vista machine: Running my client will generate an InvaluidCredential Exception (sounds logic) Then I create BOB account on my Vista machine and run the same test. At this phase BOB has been identified and I can log credentila info from server side and I get : Authentication Type=NTLM isAuthenticated = True Name : VISTA-PC\BOB So first of all, I am able to read client credential from my remote object whaterver my service is running under LocalService, Local System, or Network System So what are the difference at this stage of runing my Service as Network Service ?? The impersonation level your are talking about in previous post, do I have to set it from my server side or client side ? Also I have read that setting "Delegation" or delegate is useonly under windows 2000 and prefer mode should be "Impersonate" . Did I get right info ? Extratc form help on line: ------> Anonymous: The client is anonymous to the server. The server process can impersonate the client, but the impersonation token does not contain any information about the client. Default: Uses the default impersonation level for the specified authentication service. In COM+, this setting is provided by the DefaultImpersonationLevel property in the LocalComputer collection. Delegate: The most powerful impersonation level. When this level is selected, the server (whether local or remote) can impersonate the client's security context while acting on behalf of the client Identify The system default level. The server can obtain the client's identity, and the server can impersonate the client to do ACL checks. Impersonate: The server can impersonate the client's security context while acting on behalf of the client. The server can access local resources as the client. <----- thanks to clarify my mind regards serge [quoted text, click to view] "Dominick Baier" wrote:
> several things.. > > a) as Joe pointed out - switch to Network Service > b) you get the client identity from Thread.CurrentPrincipal > c) if you want to delegate the token to a backend service you need an impersonationLevel="Delegation" > d) you additionally need impersonate="true" in your config file, you you > wanto to use the auto impersonation feature > > > very much like the sample you downloaded ;) > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > > > Dear all, > > > > I start to loose my hairs. Hoep someone could help me to recover..:-) > > I have build a remote object hosted in a Windows Service runing as > > LocalService. > > I have then a claient application which calling that remote object and > > based > > on the caller credential I shouzld authorise hit or not to access to > > back end > > database. > > The situation is as follow : > > My client is running as BOB. BOB is calling the remote object for data > > storage. What I try to do is retriveing the caller credential from my > > remote > > object in order to athauticated for further process. The problem is > > that when > > I check the wndows identity on my server side, it return the context > > on which > > my service is running and not my caller's context. > > MY server config file is as follow : > > > > <channels> > > <!--<channel ref="tcp" port="8090" > > useDefaultCredentials="False">--> > > <channel ref="tcp" port="8090" secure="True" > > impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> > > <serverProviders> > > <formatter ref="binary" typeFilterLevel="Full"/> > > </serverProviders> > > </channel> > > </channels> > > Note that I am using .NEt 2.0 > > > > Thnaks again for your help ( I am fighting for a full week now on this > > grrr > > :-() > > regards > > serge > >
Am i right that you want to do a 2nd hop? meaning bob will call the middle
tier - and the middle tier will call a back end service using Bob's credentials?? If yes - then you need a domain environment - for delegation the Kerberos authentication protocol is required - and you get that only by installing Active Directory. maybe this answers all of your questions... otherwise you have to tell us exactly what you are trying to do... ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > hello dominick, > > here are few test I have made. I hate things when I am not 100% > undersatnd what is going on. > > I am runing my client application under user BOB on an Windows 2000 > machine Then my server component is hosted in a windows service > runnning on Vista machine. So far so good. > > First test BOB is nnot existing at all under vista machine: Running my > client will generate an InvaluidCredential Exception (sounds logic) > > Then I create BOB account on my Vista machine and run the same test. > At this phase BOB has been identified and I can log credentila info > from > server side and I get : > Authentication Type=NTLM > isAuthenticated = True > Name : VISTA-PC\BOB > So first of all, I am able to read client credential from my remote > object whaterver my service is running under LocalService, Local > System, or Network System > > So what are the difference at this stage of runing my Service as > Network Service ?? > > The impersonation level your are talking about in previous post, do I > have to set it from my server side or client side ? > > Also I have read that setting "Delegation" or delegate is useonly > under windows 2000 and prefer mode should be "Impersonate" . Did I get > right info ? > > Extratc form help on line: > ------> > Anonymous: > The client is anonymous to the server. The server process can > impersonate > the client, but the impersonation token does not contain any > information > about the client. > Default: > Uses the default impersonation level for the specified authentication > service. In COM+, this setting is provided by the > DefaultImpersonationLevel > property in the LocalComputer collection. > Delegate: > The most powerful impersonation level. When this level is selected, > the > server (whether local or remote) can impersonate the client's security > context while acting on behalf of the client > Identify The system default level. The server can obtain the client's > identity, and the server can impersonate the client to do ACL checks. > Impersonate: > The server can impersonate the client's security context while acting > on > behalf of the client. The server can access local resources as the > client. > <----- > thanks to clarify my mind > regards > serge > "Dominick Baier" wrote: > >> several things.. >> >> a) as Joe pointed out - switch to Network Service >> >> b) you get the client identity from Thread.CurrentPrincipal >> >> c) if you want to delegate the token to a backend service you need an >> impersonationLevel="Delegation" >> >> d) you additionally need impersonate="true" in your config file, you >> you >> >> wanto to use the auto impersonation feature >> >> very much like the sample you downloaded ;) >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Dear all, >>> >>> I start to loose my hairs. Hoep someone could help me to >>> recover..:-) >>> I have build a remote object hosted in a Windows Service runing as >>> LocalService. >>> I have then a claient application which calling that remote object >>> and >>> based >>> on the caller credential I shouzld authorise hit or not to access to >>> back end >>> database. >>> The situation is as follow : >>> My client is running as BOB. BOB is calling the remote object for >>> data >>> storage. What I try to do is retriveing the caller credential from >>> my >>> remote >>> object in order to athauticated for further process. The problem is >>> that when >>> I check the wndows identity on my server side, it return the context >>> on which >>> my service is running and not my caller's context. >>> MY server config file is as follow : >>> <channels> >>> <!--<channel ref="tcp" port="8090" >>> useDefaultCredentials="False">--> >>> <channel ref="tcp" port="8090" secure="True" >>> impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> >>> <serverProviders> >>> <formatter ref="binary" typeFilterLevel="Full"/> >>> </serverProviders> >>> </channel> >>> </channels> >>> Note that I am using .NEt 2.0 >>> Thnaks again for your help ( I am fighting for a full week now on >>> this >>> grrr >>> :-() >>> regards >>> serge
Hello again.
not easy for me to explain in english but lets try again. Yes you are right by saying that I have an other stage where I will pas credential to a back end database. What I am trying to explain and do is to apply proper security to my remote object in order that in works as a kind of gate keeper. The idea is that if the client has not the rights to log into sql database or access tables then I should refuse the acces and return an error. This is all what I am trying to do. The whole stuff will not belongs to a domain but a simple workgroup. Only the back end SQL server maybe. In fact I simply try to flow the client user until the database level. Hosting my remote object in IIS would be much more simple but thi is not my goal. I have seen one way to do it was to identify the user from my remote object host and then pass client credential as parmeter's for a store procedure that will make the checks. Thnaks for coments regards serge [quoted text, click to view] "Dominick Baier" wrote:
> Am i right that you want to do a 2nd hop? meaning bob will call the middle > tier - and the middle tier will call a back end service using Bob's credentials?? > > If yes - then you need a domain environment - for delegation the Kerberos > authentication protocol is required - and you get that only by installing > Active Directory. > > maybe this answers all of your questions... > > otherwise you have to tell us exactly what you are trying to do... > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > > > hello dominick, > > > > here are few test I have made. I hate things when I am not 100% > > undersatnd what is going on. > > > > I am runing my client application under user BOB on an Windows 2000 > > machine Then my server component is hosted in a windows service > > runnning on Vista machine. So far so good. > > > > First test BOB is nnot existing at all under vista machine: Running my > > client will generate an InvaluidCredential Exception (sounds logic) > > > > Then I create BOB account on my Vista machine and run the same test. > > At this phase BOB has been identified and I can log credentila info > > from > > server side and I get : > > Authentication Type=NTLM > > isAuthenticated = True > > Name : VISTA-PC\BOB > > So first of all, I am able to read client credential from my remote > > object whaterver my service is running under LocalService, Local > > System, or Network System > > > > So what are the difference at this stage of runing my Service as > > Network Service ?? > > > > The impersonation level your are talking about in previous post, do I > > have to set it from my server side or client side ? > > > > Also I have read that setting "Delegation" or delegate is useonly > > under windows 2000 and prefer mode should be "Impersonate" . Did I get > > right info ? > > > > Extratc form help on line: > > ------> > > Anonymous: > > The client is anonymous to the server. The server process can > > impersonate > > the client, but the impersonation token does not contain any > > information > > about the client. > > Default: > > Uses the default impersonation level for the specified authentication > > service. In COM+, this setting is provided by the > > DefaultImpersonationLevel > > property in the LocalComputer collection. > > Delegate: > > The most powerful impersonation level. When this level is selected, > > the > > server (whether local or remote) can impersonate the client's security > > context while acting on behalf of the client > > Identify The system default level. The server can obtain the client's > > identity, and the server can impersonate the client to do ACL checks. > > Impersonate: > > The server can impersonate the client's security context while acting > > on > > behalf of the client. The server can access local resources as the > > client. > > <----- > > thanks to clarify my mind > > regards > > serge > > "Dominick Baier" wrote: > > > >> several things.. > >> > >> a) as Joe pointed out - switch to Network Service > >> > >> b) you get the client identity from Thread.CurrentPrincipal > >> > >> c) if you want to delegate the token to a backend service you need an > >> impersonationLevel="Delegation" > >> > >> d) you additionally need impersonate="true" in your config file, you > >> you > >> > >> wanto to use the auto impersonation feature > >> > >> very much like the sample you downloaded ;) > >> > >> ----- > >> Dominick Baier (http://www.leastprivilege.com) > >> Developing More Secure Microsoft ASP.NET 2.0 Applications > >> (http://www.microsoft.com/mspress/books/9989.asp) > >> > >>> Dear all, > >>> > >>> I start to loose my hairs. Hoep someone could help me to > >>> recover..:-) > >>> I have build a remote object hosted in a Windows Service runing as > >>> LocalService. > >>> I have then a claient application which calling that remote object > >>> and > >>> based > >>> on the caller credential I shouzld authorise hit or not to access to > >>> back end > >>> database. > >>> The situation is as follow : > >>> My client is running as BOB. BOB is calling the remote object for > >>> data > >>> storage. What I try to do is retriveing the caller credential from > >>> my > >>> remote > >>> object in order to athauticated for further process. The problem is > >>> that when > >>> I check the wndows identity on my server side, it return the context > >>> on which > >>> my service is running and not my caller's context. > >>> MY server config file is as follow : > >>> <channels> > >>> <!--<channel ref="tcp" port="8090" > >>> useDefaultCredentials="False">--> > >>> <channel ref="tcp" port="8090" secure="True" > >>> impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> > >>> <serverProviders> > >>> <formatter ref="binary" typeFilterLevel="Full"/> > >>> </serverProviders> > >>> </channel> > >>> </channels> > >>> Note that I am using .NEt 2.0 > >>> Thnaks again for your help ( I am fighting for a full week now on > >>> this > >>> grrr > >>> :-() > >>> regards > >>> serge > >
ok - so then it works as expected, right?
Local Service has not Windows network access (all outgoing traffic will be done as anonymous) Network service has network access (all outgoing traffic will be done as the machine account) This distinction is more relevant to domain environments. Let's wrap up: Bob calls the remoting server - the server gets bob account from Thread.CurrentPrincipal and you can pass that e.g. to a sproc. Mission accomplished? ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > hello dominick, > > here are few test I have made. I hate things when I am not 100% > undersatnd what is going on. > > I am runing my client application under user BOB on an Windows 2000 > machine Then my server component is hosted in a windows service > runnning on Vista machine. So far so good. > > First test BOB is nnot existing at all under vista machine: Running my > client will generate an InvaluidCredential Exception (sounds logic) > > Then I create BOB account on my Vista machine and run the same test. > At this phase BOB has been identified and I can log credentila info > from > server side and I get : > Authentication Type=NTLM > isAuthenticated = True > Name : VISTA-PC\BOB > So first of all, I am able to read client credential from my remote > object whaterver my service is running under LocalService, Local > System, or Network System > > So what are the difference at this stage of runing my Service as > Network Service ?? > > The impersonation level your are talking about in previous post, do I > have to set it from my server side or client side ? > > Also I have read that setting "Delegation" or delegate is useonly > under windows 2000 and prefer mode should be "Impersonate" . Did I get > right info ? > > Extratc form help on line: > ------> > Anonymous: > The client is anonymous to the server. The server process can > impersonate > the client, but the impersonation token does not contain any > information > about the client. > Default: > Uses the default impersonation level for the specified authentication > service. In COM+, this setting is provided by the > DefaultImpersonationLevel > property in the LocalComputer collection. > Delegate: > The most powerful impersonation level. When this level is selected, > the > server (whether local or remote) can impersonate the client's security > context while acting on behalf of the client > Identify The system default level. The server can obtain the client's > identity, and the server can impersonate the client to do ACL checks. > Impersonate: > The server can impersonate the client's security context while acting > on > behalf of the client. The server can access local resources as the > client. > <----- > thanks to clarify my mind > regards > serge > "Dominick Baier" wrote: > >> several things.. >> >> a) as Joe pointed out - switch to Network Service >> >> b) you get the client identity from Thread.CurrentPrincipal >> >> c) if you want to delegate the token to a backend service you need an >> impersonationLevel="Delegation" >> >> d) you additionally need impersonate="true" in your config file, you >> you >> >> wanto to use the auto impersonation feature >> >> very much like the sample you downloaded ;) >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Dear all, >>> >>> I start to loose my hairs. Hoep someone could help me to >>> recover..:-) >>> I have build a remote object hosted in a Windows Service runing as >>> LocalService. >>> I have then a claient application which calling that remote object >>> and >>> based >>> on the caller credential I shouzld authorise hit or not to access to >>> back end >>> database. >>> The situation is as follow : >>> My client is running as BOB. BOB is calling the remote object for >>> data >>> storage. What I try to do is retriveing the caller credential from >>> my >>> remote >>> object in order to athauticated for further process. The problem is >>> that when >>> I check the wndows identity on my server side, it return the context >>> on which >>> my service is running and not my caller's context. >>> MY server config file is as follow : >>> <channels> >>> <!--<channel ref="tcp" port="8090" >>> useDefaultCredentials="False">--> >>> <channel ref="tcp" port="8090" secure="True" >>> impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> >>> <serverProviders> >>> <formatter ref="binary" typeFilterLevel="Full"/> >>> </serverProviders> >>> </channel> >>> </channels> >>> Note that I am using .NEt 2.0 >>> Thnaks again for your help ( I am fighting for a full week now on >>> this >>> grrr >>> :-() >>> regards >>> serge
Mission acomplish in a way yes :-)
Even I get thr credential at server side, I am still confuse about parameter used in config files. And this is what I am trying to solved now, in order to know what are the minimum parameter that I need to set to make it work. Does by default .net 2.0 chanels flow user credential to server object without any extra parameter in config files ? usually what I am doing after I get in work in one direction, I try to get it fails by removing parameters abd then I will know exactly needed parmeters. I have to say that documentatio is really poor for that :-( So for now here is chanel setting I have in the config file from server side : ---> <channel ref="tcp" port="8090" secure="True" impersonate="True" ProtectionLevel="EncryptAndSign"> <--- Does those secure, impersonate,protectionLevel are necessary or does .net remoting do it automaticaly by default ? I have made the test to remote them all and I can still retreve client credntila from my server side, so i was wondering if my settings get correct .... regards serge [quoted text, click to view] "Dominick Baier" wrote:
> ok - so then it works as expected, right? > > Local Service has not Windows network access (all outgoing traffic will be > done as anonymous) > Network service has network access (all outgoing traffic will be done as > the machine account) > > This distinction is more relevant to domain environments. > > Let's wrap up: > > Bob calls the remoting server - the server gets bob account from Thread.CurrentPrincipal > and you can pass that e.g. to a sproc. > > Mission accomplished? > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > > > hello dominick, > > > > here are few test I have made. I hate things when I am not 100% > > undersatnd what is going on. > > > > I am runing my client application under user BOB on an Windows 2000 > > machine Then my server component is hosted in a windows service > > runnning on Vista machine. So far so good. > > > > First test BOB is nnot existing at all under vista machine: Running my > > client will generate an InvaluidCredential Exception (sounds logic) > > > > Then I create BOB account on my Vista machine and run the same test. > > At this phase BOB has been identified and I can log credentila info > > from > > server side and I get : > > Authentication Type=NTLM > > isAuthenticated = True > > Name : VISTA-PC\BOB > > So first of all, I am able to read client credential from my remote > > object whaterver my service is running under LocalService, Local > > System, or Network System > > > > So what are the difference at this stage of runing my Service as > > Network Service ?? > > > > The impersonation level your are talking about in previous post, do I > > have to set it from my server side or client side ? > > > > Also I have read that setting "Delegation" or delegate is useonly > > under windows 2000 and prefer mode should be "Impersonate" . Did I get > > right info ? > > > > Extratc form help on line: > > ------> > > Anonymous: > > The client is anonymous to the server. The server process can > > impersonate > > the client, but the impersonation token does not contain any > > information > > about the client. > > Default: > > Uses the default impersonation level for the specified authentication > > service. In COM+, this setting is provided by the > > DefaultImpersonationLevel > > property in the LocalComputer collection. > > Delegate: > > The most powerful impersonation level. When this level is selected, > > the > > server (whether local or remote) can impersonate the client's security > > context while acting on behalf of the client > > Identify The system default level. The server can obtain the client's > > identity, and the server can impersonate the client to do ACL checks. > > Impersonate: > > The server can impersonate the client's security context while acting > > on > > behalf of the client. The server can access local resources as the > > client. > > <----- > > thanks to clarify my mind > > regards > > serge > > "Dominick Baier" wrote: > > > >> several things.. > >> > >> a) as Joe pointed out - switch to Network Service > >> > >> b) you get the client identity from Thread.CurrentPrincipal > >> > >> c) if you want to delegate the token to a backend service you need an > >> impersonationLevel="Delegation" > >> > >> d) you additionally need impersonate="true" in your config file, you > >> you > >> > >> wanto to use the auto impersonation feature > >> > >> very much like the sample you downloaded ;) > >> > >> ----- > >> Dominick Baier (http://www.leastprivilege.com) > >> Developing More Secure Microsoft ASP.NET 2.0 Applications > >> (http://www.microsoft.com/mspress/books/9989.asp) > >> > >>> Dear all, > >>> > >>> I start to loose my hairs. Hoep someone could help me to > >>> recover..:-) > >>> I have build a remote object hosted in a Windows Service runing as > >>> LocalService. > >>> I have then a claient application which calling that remote object > >>> and > >>> based > >>> on the caller credential I shouzld authorise hit or not to access to > >>> back end > >>> database. > >>> The situation is as follow : > >>> My client is running as BOB. BOB is calling the remote object for > >>> data > >>> storage. What I try to do is retriveing the caller credential from > >>> my > >>> remote > >>> object in order to athauticated for further process. The problem is > >>> that when > >>> I check the wndows identity on my server side, it return the context > >>> on which > >>> my service is running and not my caller's context. > >>> MY server config file is as follow : > >>> <channels> > >>> <!--<channel ref="tcp" port="8090" > >>> useDefaultCredentials="False">--> > >>> <channel ref="tcp" port="8090" secure="True" > >>> impersonationLevel="Impersonate" protectionLevel="EncryptAndSign"> > >>> <serverProviders> > >>> <formatter ref="binary" typeFilterLevel="Full"/> > >>> </serverProviders> > >>> </channel> > >>> </channels> > >>> Note that I am using .NEt 2.0 > >>> Thnaks again for your help ( I am fighting for a full week now on > >>> this > >>> grrr > >>> :-() > >>> regards > >>> serge > >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |