Hi,

We are having problems with the following situation. If we change security settings for an application pool identity (something like putting it in a security group to have NTFS access on a folder accessible through a virtual directory in IIS), the access is only granted after IISRESET. It's a domain account (I don't know if this is important). It seems like we have the following scenario: on start of IIS, all application pool identities are given a logon session. I can see that using logonsessions.exe from Sysinternals. The logon session is only refreshed/renewed after IISRESET. Is there a better, less impacting way to get the specific logon session renewed?

Grtz,
Peter
Ken,

Thx for the response, but stopping/starting the application pool doesn't help. It seems that the domain account security is cached at startup of IIS, and doesn't change until IISRESET is executed. After IISRESET, I see that the logon time for the account has changed (using the Sysinternals tool). An application pool restart doesn't change the credential info.

FYI, the Sysinternals tool shows that it has an authentication package of type Kerberos and the logon type is Batch. So I think the solution could be found in "renewing" the Kerberos ticket, but I have no idea how to do that. IISRESET does the job, so the code is somewhere in there :-(.

Kind regards,
Peter
You should just be able to restart the web application pool in question.

Cheers
Ken
Ken,

FYI, the results of logonsessions.exe (Sysinternals):

Logon session 00000000:0327e6da:
    User name:    DEV\NfnOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-4792
    Logon time:   7/02/2008 7:58:32
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:

--- application pool stop/start

Logon session 00000000:0327e6da:
    User name:    DEV\NfnOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-4792
    Logon time:   7/02/2008 7:58:32
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:

---> nothing changed

--- IISRESET

Logon session 00000000:04efb566:
    User name:    DEV\NfnOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-4792
    Logon time:   11/02/2008 7:49:36
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:

---> new logon session (session ID and logon time)

Grtz,
Peter
Hi Peter,

What you detected should be expected behavior. Have you also tried accessing any resources on the web site after changing the application pool's identity and restarting/recycling the pool? If so, you should see a logon event with the changed credential when the new HTTP request arrives. The fact is:

After we change a pool's identity, the custom user account's username and password are simply encrypted and saved by IIS without any validation or logon attempts. That's why you don't see the credential change immediately. As soon as a new request comes in to the corresponding web site which the AppPool needs to serve, the IIS W3SVC service will start up a new worker process (w3wp.exe, which can be viewed in Task Manager or Process Explorer, etc.) with the new identity. You should see the expected logon attempts at that time.

The difference with IISRESET is that when we restart the whole IIS services, the startup process will try to test-logon all the identity accounts to check if all the usernames and passwords are valid. If not, IIS will disable that pool.

Furthermore, a main problem of using a custom domain account as application pool identity is that we must manually set up an SPN for Kerberos to work for Integrated Windows authentication. Also, only one SPN (of the domain account) can be set for the HTTP service on the server. Otherwise, you will need to use NTLM.

871179 You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;871179

I hope the above information helps. Please update here if you have any further question.

Have a nice week.

Sincerely,
WenJun Zhang
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at: http://msdn.microsoft.com/subscriptions/support/default.aspx. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
Hello WenJun,

Sorry for the delay. Thx for enlightening me on the working of security in IIS 6.

I will try the following: stop the application pool, change the password of the application pool identity to an invalid value, start the application pool, make a request --> the app pool will get disabled; change the password of the application pool identity back to its original (valid) value, start the application pool, make a request.

Will this solve the problem? Or is there another way to do something like IISRESET but just for one application pool (or account)?

About the domain user account as an application pool identity: I know that using domain accounts is a problem. That's why we disabled Kerberos authentication (changed Negotiate to NTLM).

I'll try to explain the reason why we are using domain accounts for the application identity. Our applications (.NET) are built using a multilayered architecture: UI, WebService, BusinessFacade, BusinessRules, DataAccess, ... (Some newer applications use the new layers as proposed in the Service Software Factory (CodePlex), but still the ASMX version.) The applications have application security based on roles and privileges (custom made, comparable to AzMan, which didn't exist at that time). What we are trying to achieve is to have a 'simple' centralized security management model. We check the security (privileges) in the 'business' part and we access the data store (DB, file system, other WS, ...) with the identity of the application pool (= owner of the W3WP.exe process) using Integrated Security. In other words: no end users have to be managed to secure the data store(s), and we're using integrated security (which is safe) to access the data store. Only administrators know/have access to the password of the application pool identity.

Is there a better way to achieve the same? (And solve the setspn stuff?) (Perhaps .NET impersonation, but we don't want any credential info in the config file.)

Kind regards,
Peter
Hi WenJun,

I've tried the 'invalidate' application pool trick I described earlier, but that didn't help. I do see an authentication entry for the specified user in the Security event log, but it seems like it's just reusing the logon session info:

Logon session info before invalidate:

[91] Logon session 00000000:080309d0:
    User name:    DEV\VtgOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-3948
    Logon time:   13/02/2008 11:12:56
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:

Logon session info after invalidate and correct user (entry in Security event log):

[95] Logon session 00000000:080309d0:
    User name:    DEV\VtgOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-3948
    Logon time:   13/02/2008 11:12:56
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:

--> nothing changed: same logon session id, same logon time, ...

Logon session info after IISRESET:

[50] Logon session 00000000:08153dc4:
    User name:    DEV\VtgOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-3948
    Logon time:   13/02/2008 11:47:58
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:

--> NEW logon session ID, new logon time --> all working fine.

So I think I need something like IISRESET but only for a specific application pool/user. Any ideas?

Greetings,
Peter
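Added example, not code from this thread or from Microsoft: the two before/after comparisons above are done by eye, so the Python script below does the same check mechanically. It parses the logonsessions.exe report format shown in the thread and tells you whether the account came back under a new logon session (new LUID and logon time) or whether its old session was reused. The sample listings are constructed from the values Peter posted, plus a constructed NT AUTHORITY\SYSTEM entry so there is a second account to filter out; in practice you would capture the real tool output before and after the restart. The function names are this example's own. The point it makes explicit is the security-relevant one: a token's group SIDs are fixed when the logon session is created, so until w3wp.exe runs under a fresh logon session, neither newly granted nor newly revoked group memberships take effect for the worker process.

```python
import re

# Sample logonsessions.exe listings. The DEV\NfnOUser entries are constructed
# from the values Peter posted in this thread; the NT AUTHORITY\SYSTEM entry
# is a constructed filler so there is a second account to filter out.
BEFORE = r"""
[0] Logon session 00000000:000003e7:
    User name:    NT AUTHORITY\SYSTEM
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   7/02/2008 7:57:10
    Logon server:
    DNS Domain:
    UPN:

[91] Logon session 00000000:0327e6da:
    User name:    DEV\NfnOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-4792
    Logon time:   7/02/2008 7:58:32
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:
"""

# After an application pool stop/start the thread shows an identical listing.
AFTER_APPPOOL_RESTART = BEFORE

# After IISRESET the same account is listed under a new LUID and logon time.
AFTER_IISRESET = r"""
[0] Logon session 00000000:000003e7:
    User name:    NT AUTHORITY\SYSTEM
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   7/02/2008 7:57:10
    Logon server:
    DNS Domain:
    UPN:

[50] Logon session 00000000:04efb566:
    User name:    DEV\NfnOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-4792
    Logon time:   11/02/2008 7:49:36
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:
"""

# "[n] Logon session <LUID>:" opens a block; indented "Name: value" lines follow.
HEADER = re.compile(r"^\s*(?:\[\d+\]\s+)?Logon session ([0-9A-Fa-f]{8}:[0-9A-Fa-f]{8}):\s*$")
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_logonsessions(text):
    """Parse a logonsessions.exe report into dicts; 'luid' holds the session id."""
    sessions = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sessions.append({"luid": m.group(1)})
            continue
        m = FIELD.match(line)
        if m and sessions:
            sessions[-1][m.group(1)] = m.group(2)
    return sessions


def sessions_for(text, account):
    """Sessions whose 'User name' equals DOMAIN\\user, compared case-insensitively."""
    return [s for s in parse_logonsessions(text)
            if s.get("User name", "").lower() == account.lower()]


def compare_sessions(before_text, after_text, account):
    """Report which of the account's sessions after a restart are new or stale.

    A token's group SIDs are fixed when its logon session is created, so a
    group change (grant or revocation) reaches w3wp.exe only once the account
    shows up under a new LUID; a session kept under its old LUID is stale.
    """
    before = {s["luid"] for s in sessions_for(before_text, account)}
    after = [s["luid"] for s in sessions_for(after_text, account)]
    new = sorted(luid for luid in after if luid not in before)
    stale = sorted(luid for luid in after if luid in before)
    return {"new": new, "stale": stale, "refreshed": bool(new)}


if __name__ == "__main__":
    for label, listing in (("app pool stop/start", AFTER_APPPOOL_RESTART),
                           ("IISRESET", AFTER_IISRESET)):
        print(label, compare_sessions(BEFORE, listing, r"DEV\NfnOUser"))
```

Run against the thread's own data, the stop/start comparison reports the old LUID as stale (refreshed: False) and the IISRESET comparison reports the new LUID (refreshed: True), which is exactly the distinction Peter was making by hand.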
Hi Peter,

What's the result if you change it to another user account instead of an invalid password? Will it still log on the previous account?

I think dynamically changing the application pool identity in web application code is a good enough design. If your web application needs to access a resource with special required privileges, impersonation is the recommended approach. Other than saving the username and password in a configuration file, you should consider directly implementing impersonation in your code. Please refer to "Impersonate the Authenticating User in Code" in the article below:

How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158/en-us

The code for .NET Framework 3.5:

WindowsIdentity.Impersonate Method
http://msdn2.microsoft.com/en-us/library/w070t6ka.aspx

Please let me know if you have any further concern on this.

Have a nice day.

Sincerely,
WenJun Zhang
Microsoft Online Community Support
Hello WenJun,

After changing the application pool id to a new account that doesn't already have a logon session, a new logon session is created for the new account. If I use an account that already has a logon session, that logon session is reused (logon session info stays the same).

Changing the identity account is not an option in our environment because the account is used to access the backend. Our policy is that a developer doesn't need to know the application account and even can't find out (programmatically) what the password is for the application account (which accesses the back-end). If we would use programmatic impersonation, the developer can get the password because the account is created programmatically and the password will be available.

So I guess I'm back where I started --> How can I force a refresh (or purge) of the logon session for a particular account like IISRESET does?

BTW, I'm not really a developer.

Regards,
Peter
Peter,

Because the issue and further investigation are going to be more and more complicated, we may not be able to reach a final conclusion in the newsgroup. I'd like to suggest you use one of your MSDN Technical Support Incidents to work with us via telephone-based support. This will be the most effective way to assist you on complicated and project-based issues. Also, you won't even need to spend the incident account if the problem is finally confirmed to be a product issue or can be simply fixed by applying a hotfix. Please refer to the support note below.

For information about free incident support for MSDN subscribers, please look at:
http://msdn.microsoft.com/subscriptions/support/default.aspx.

To obtain the phone numbers for Microsoft Customer Service and Support services technology request, please take a look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

Thanks.

Sincerely,
WenJun Zhang
Microsoft Online Community Support
Hi WenJun,

Thx for the effort. Before opening a case I want to try one more thing: purge the logon session. Any idea how to do that?

Peter
Hi Peter,

Definitely this has been out of the scope of the IIS newsgroup. Probably it has something to do with the WM_QUERYENDSESSION and WM_ENDSESSION Windows messages. You may take a look at:

Logging Off
http://msdn2.microsoft.com/en-us/library/aa376876(VS.85).aspx

Have a nice week.

Sincerely,
WenJun Zhang
Microsoft Online Community Support
Hello WenJun,

Thx for all the information.

Kind regards,
Peter
Can you explain why you want to dynamically change the security permissions on the Application Pool Identity user?

The reason why SetSPN is failing is the same sort of logic behind why you cannot dynamically change the security permissions on the Application Pool Identity.

Imagine this scenario -- you have a web garden with lazy read (i.e. don't recycle on config change) enabled, and you change permissions on the Application Pool Identity. *IF* things changed immediately, you end up with each w3wp.exe having different security permissions, and further security implications.

Or in your scenario, what happens if two users which require different permissions on the Application Pool Identity try to use the same application served by the same application pool? The w3wp.exe can only have one process identity, so one of those two users must wait until the other is done -- not a good user experience.

Basically, we did not design for Process Identity changing on the fly like that - we designed for thread impersonation to be changing on the fly like that. The Process Identity is the base unit of isolation. Impersonation is the base unit of functionality.

Is there anything that prevents you from using a single domain account as Application Pool identity, and you dynamically impersonate (depending on your application framework layer, this may be easy)? Because when you do that, SetSPN will also work against your single fixed Application Pool identity, and I believe impersonation flows outward on your next hop to the DB, FileSystem, etc.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Feb 25, 11:28 pm, Peke <p...@nospam.nospam> wrote:
> Hello WenJun,
>
> Thx for all the information.
Hello David,

Sorry for the delay.

I'll try to explain how our applications work.

We develop .NET applications using multiple tiers/layers (UI, Webservice, ...). We've built our own application security, comparable to AzMan, which wasn't available at that time (Windows 2000 Active Directory); it is based on roles and privileges.

IIS (6) is configured to use 'Integrated Security'.

Basically: users are put in a group (or removed from it if they no longer need access) that has Read rights on the filesystem where the IIS virtual directory (or IIS virtual server) is pointing to.

The user's privileges are checked in the business part (Business Facade), and from that point the application pool identity (a domain user) is used to access the data store(s). That 'data store' can also be another WebService (Service Agent).
--> this is where the problem is: the application pool identity becomes a member of another group to get access to the other application. But the security context is only 'refreshed' after IISRESET.

A few reasons why we do it that way:
- Easy security maintenance on the data store (only the application pool account needs the necessary rights).
- A developer doesn't have to do anything special in code.
- The application pool identity password is not available in code (and can't be misused; if we would use impersonation - using a config file or in code - then the password would be available).

I hope this makes sense.

Do you have any suggestions?

Kind regards,

Peter

P.S. You mentioned something about 'lazy read', no recycle on config change; how is this done?
I'm sorry, but I do not have any suggestions. I understand what you are doing and it is pretty clever to a degree, but I believe there are fundamental problems with your design, beyond just incompatibility with IIS6, such that you must choose another design.

IIS is being consistent with security while what you are doing is not consistent with security (but I do admit it is clever and can be convenient in some contexts), so it is unlikely IIS will change. I understand that you have an existing codebase that is being migrated, so it is really not going to change. So the design has to change.

For example, your design either serializes access to the webserver to one user at a time, or it is insecure. How? Proof by contradiction -- assume two different users belonging to two different user groups have authorized access overlapping in time. User1 comes in and the AppPool identity changes group membership to have Group1 and accesses data. While this is happening, User2 comes in and the AppPool identity *needs* to change group membership to have Group2 and access data. What if the two groups are different or conflicting in access privileges -- you certainly do not want User1 to temporarily have access to files of User2 simply because your AppPool Identity momentarily has group membership in both Group1 and Group2 while both users are accessing different resources through the same system at overlapping times. Thus, to be secure, the process identity must be in only one Group at a time, which means that only one user can be actively using the web server at a time --> this is serialization. Or if you allow multiple users simultaneously it means that User1 will temporarily run with a process identity that is in both Group1 and Group2, thus have additional and/or contradicting privileges --> this is insecure.

Also, what if the action triggered by the user is asynchronous? How do you ensure that the user group membership of the Process Identity on the async callback is the same one as when the call was first made? Remember, the async callback can happen at any time.

The only secure way to use your authorization scheme using Group Membership is to make everything synchronous and single user, which works but will never scale.

Basically, your design looks clever and avoids passwords, but it is really not feasible when you look at the details. You basically mapped Roles to Group Membership and to avoid passwords you chose the Process Identity. However, this fails for all the reasons I stated above, so IIS never allowed such behavior in Application Pool Identity (let's not even get into how your scheme plays havoc with Web Garden, or Skip Process Recycle on Config Change).

Impersonation with user identities and having delegation enabled on credentials with static and diverse Group Membership flowing through the system is really the built-in option of how to be secure and scalable. The AzMan approach is a suitable alternative where the Roles are dynamically bound.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Mar 4, 11:08 pm, Peke <p...@nospam.nospam> wrote:
> Do you have any suggestions?
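To make the argument above concrete, here is an added model that is not code from the thread, from IIS or from either poster. It simulates Peter's scheme as described in his post (roles mapped to group membership of the single application pool identity, changed as requests arrive) next to David's alternative (fixed process identity, per-request thread impersonation), and drives both through the same interleaving: two users whose requests overlap in time, followed by an asynchronous callback. The users, groups, resource paths and the exact ordering of events are constructed for the example; the "token" sets stand in for the Windows access token's group SIDs.

```python
"""Model of the two identity designs discussed above (constructed example, not IIS code).

Design A: roles are group memberships of the single w3wp.exe process identity,
          changed as each user's request arrives (Peter's scheme).
Design B: the process identity is fixed and each request carries the caller's
          own token via thread impersonation (David's alternative).

Users, groups, resources and the request interleaving below are all made up to
reproduce the "proof by contradiction" in the post: two users whose requests
overlap in time, plus an asynchronous callback that fires later.
"""

# Constructed sample data: resource -> group required by its ACL, user -> groups.
PAYROLL = r"\\fileserver\hr\payroll.xls"     # readable by Group1 only
DESIGNS = r"\\fileserver\eng\design.doc"     # readable by Group2 only
RESOURCE_ACL = {PAYROLL: "Group1", DESIGNS: "Group2"}
USER_GROUPS = {"User1": {"Group1"}, "User2": {"Group2"}}


def check_access(resource, token_groups):
    """NTFS-style check: the accessing token must contain the ACL's group."""
    return RESOURCE_ACL[resource] in token_groups


class ProcessIdentityDesign:
    """Design A. There is one token for the whole process, so 'the thread's
    identity' is whatever the shared group set happens to contain right now."""

    def __init__(self):
        self.groups = set()

    def begin_request(self, user):
        self.groups |= USER_GROUPS[user]     # AppPool identity joins the user's groups

    def end_request(self, user):
        self.groups -= USER_GROUPS[user]     # ...and leaves them when the request ends

    def token(self, user):
        return set(self.groups)              # process-wide: identical for every caller

    def callback_token(self, captured):
        # A pool-thread callback runs with whatever the process has *at that moment*;
        # nothing ties it back to the request that scheduled it.
        return set(self.groups)


class ImpersonationDesign:
    """Design B. The process identity is a fixed service account with no business
    groups; each request thread impersonates the authenticated caller."""

    def __init__(self):
        self.process_groups = set()

    def begin_request(self, user):
        pass                                 # nothing process-wide changes

    def end_request(self, user):
        pass

    def token(self, user):
        return set(USER_GROUPS[user])        # per-thread: the caller's own groups

    def callback_token(self, captured):
        # Impersonation does not follow the work onto a pool thread by itself: the
        # callback must re-impersonate a token captured when the call was made.
        # Without that it runs as the process identity, which fails closed here.
        return set(captured) if captured is not None else set(self.process_groups)


def run_scenario(design):
    """Deterministic interleaving of two overlapping requests and a late callback.
    Returns which accesses succeeded; True on an *_other_file key is a leak."""
    out = {}
    design.begin_request("User1")
    design.begin_request("User2")                       # arrives while User1 is active
    user1 = design.token("User1")
    out["user1_own_file"] = check_access(PAYROLL, user1)
    out["user1_other_file"] = check_access(DESIGNS, user1)   # must be False
    captured = design.token("User1")                    # what a careful async caller keeps
    design.end_request("User1")
    design.end_request("User2")
    design.begin_request("User2")                       # a new User2 request, later
    cb = design.callback_token(captured)                # User1's callback fires now
    out["callback_own_file"] = check_access(PAYROLL, cb)
    out["callback_other_file"] = check_access(DESIGNS, cb)   # must be False
    cb_uncaptured = design.callback_token(None)         # callback that kept no token
    out["uncaptured_callback_own_file"] = check_access(PAYROLL, cb_uncaptured)
    design.end_request("User2")
    return out


if __name__ == "__main__":
    for name, design in (("process identity", ProcessIdentityDesign()),
                         ("impersonation", ImpersonationDesign())):
        print(name, run_scenario(design))
```

Under Design A the overlap gives User1 a token holding both Group1 and Group2, so the Group2-only file opens, and the late callback runs with whatever the process holds at that instant (here User2's group), so it both fails for User1's own file and succeeds for User2's. Under Design B each request sees only its caller's groups, and the callback is correct exactly when the code captured and re-applied the token; a callback that did not capture it falls back to the group-less process identity and is denied rather than granted something else. Making `begin_request` block until the previous request has ended would remove the Design A leak, which is the serialization the post describes.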
David,

Thx for the response. I understand what is going on, so I'll have to discuss this with our security people.

In your previous mail, you mentioned something about 'lazy read', no recycle on config change; how is this done?

Kind regards,

Peter
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/fe949097-0c50-4ee2-91db-f7511725fe80.mspx?mfr=true

This is not the default behavior because it allows your w3wp.exe to have different settings than what the IIS Manager UI shows. It also allows the w3wp.exe processes in a Web garden to have different settings, and if the application pool never recycles, you can be running a long time where w3wp.exe does not match your configuration. This leads to the urban myth that you need to recycle IIS for settings to take effect, when in reality it is simply user error.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Mar 5, 11:47 pm, Peke <p...@nospam.nospam> wrote:
> In your previous mail, you mentioned something about 'lazy read', no recycle
> on config change; how is this done?
Hello again David, We are 'investigating' the impersonation alternative. What is your suggestion for Application pool identity ? "preconfigured network service account" or a domain user ? (for a clustered environment). Our applications are developed in .NET. How can we protect the impersonation information ? We've been checking 'protected sections' in web.config and the aspnet_setreg.exe utility, but in both cases it's really easy to get the impersonation info with a few lines of code (see below). And since we would use just one account, it would have access to the impersonation info of ALL the applications. Other pitfalls : - what if an async call is made ? --> by default the process Id would be used. - what if a developer removes the section from the config file ? Seems to me that you have to trust the developer a lot. I know that a developer can do anything he likes in his code, but as long as it's just his own application, I don't care. But in your scenario, he could get access to other applications by reading the impersonation info using the process account and so have access to the backend systems of other applications. This seems very dangerous to me. Any suggestions on how to close that security gap ? 
Kind regards,

Peter

---------------------------------------

Imports System.Security.Cryptography

Public Class Form1

    ' Reads the impersonation credentials that aspnet_setreg.exe stored in the
    ' registry and shows them in the text box.
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

        TextBox1.Clear()

        TextBox1.AppendText("userName : " & GetValue("userName") & vbNewLine)
        TextBox1.AppendText("password : " & GetValue("password"))

    End Sub

    ' aspnet_setreg.exe protects the values with DPAPI in the machine store, so any
    ' process running on this machine can decrypt them with LocalMachine scope.
    Private Function GetValue(ByVal key As String) As String

        Dim readValue As Byte()

        readValue = My.Computer.Registry.GetValue _
            ("HKEY_LOCAL_MACHINE\Software\Digipolis\PekeApp\Identity\ASPNET_SETREG", key, Nothing)

        readValue = ProtectedData.Unprotect(readValue, Nothing, DataProtectionScope.LocalMachine)

        Return System.Text.Encoding.Unicode.GetString(readValue)

    End Function

End Class

------------------------------

"David Wang" wrote:

> I'm sorry, but I do not have any suggestions. I understand what you are doing and it is pretty clever to a degree, but I believe there are fundamental problems with your design beyond just incompatibility with IIS6 that you must choose another design.
>
> IIS is being consistent with security while what you are doing is not consistent with security (but I do admit it is clever and can be convenient in some contexts), so it is unlikely IIS will change. I understand that you have an existing codebase that is being migrated, so it is really not going to change. So the design has to change.
>
> For example, your design either serializes access to the webserver to one user at a time, or it is insecure. How? Proof by contradiction -- assume two different users belong to two different user groups have authorized access overlapping in time. User1 comes in and the AppPool identity changes group membership to have Group1 and accesses data. While this is happening, User2 comes in and the AppPool identity *needs* to change group membership to have Group2 and access data. What if the two groups are different or conflicting in access privileges -- you certainly do not want User1 to temporarily have access to files of User2 simply because your AppPool Identity momentarily has group membership in both Group1 and Group2 while both users are accessing different resources through the same system at overlapping times. Thus, to be secure, the process identity must be in only one Group at a time, which means that only one user can be actively using the web server at a time --> this is serialization. Or if you allow multiple users simultaneously it means that User1 will temporarily run with a process identity that is in both Group1 and Group2, thus have additional and/or contradicting privileges --> this is insecure.
>
> Also, what if the action triggered by the user is asynchronous? How do you ensure that the user group membership of the Process Identity on the async callback is the same one as when the call was first made? Remember, the async callback can happen at any time.
>
> The only secure way to use your authorization scheme using Group Membership is to make everything synchronous and single user, which works but will never scale.
>
> Basically, your design looks clever and avoids passwords, but it is really not feasible when you look at the details. You basically mapped Roles to Group Membership and to avoid passwords you chose the Process Identity. However, this fails for all the reasons I stated above, so IIS never allowed such behavior in Application Pool Identity (let's not even get into how your scheme plays havoc with Web Garden, or Skip Process Recycle on Config Change).
>
> Impersonation with user identities and having delegation enabled on credentials with static and diverse Group Membership flowing through the system is really the built-in option of how to be secure and scalable. AzMan approach is a suitable alternative where the Roles are dynamically bound.
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
> On Mar 4, 11:08 pm, Peke <p...@nospam.nospam> wrote:
> > Hello David,
> >
> > Sorry for the delay.
> >
> > I'll try to explain how our applications work.
> >
> > We develop .NET applications using multitier-layer (UI, Webservice, ...).
> > We've built our own application security, comparable to AzMan, which wasn't available at that time (Windows 2000 Active Directory); it is based on roles and privileges.
> >
> > IIS (6) is configured to use 'Integrated Security'.
> >
> > Basically: users are put in a group (or removed from it if they no longer need access) that has Read rights on the filesystem where the IIS virtual directory (or IIS virtual server) is pointing to.
> >
> > The user's privileges are checked in the business part (Business Facade), and from that point the application pool identity (a domain user) is used to access the data store(s).
> > That 'data store' can also be another WebService (Service Agent).
> > --> this is where the problem is: the application pool identity is becoming a member of another group to get access to the other application. But the security context is only 'refreshed' after IISRESET.
> >
> > A few reasons why we do it that way:
> > - Easy security maintenance on the data store (only the application pool account needs the necessary rights).
> > - A developer doesn't have to do anything special in code.
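The race in David's quoted argument, as an added example (not code from the thread): a toy model in which two requests share one process identity whose group membership is changed per caller, compared with a per-user impersonation token. User1/Group1, User2/Group2, the two resources and their ACLs are constructed; each `yield` stands for a thread switch or async continuation where the other request can run.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample ACL: resource -> groups that may read it.
ACL: Dict[str, Set[str]] = {
    "files-of-User1": {"Group1"},
    "files-of-User2": {"Group2"},
}


@dataclass
class Identity:
    """A Windows security context reduced to the group memberships in its token."""
    name: str
    groups: Set[str] = field(default_factory=set)

    def readable(self) -> List[str]:
        """Resources whose ACL intersects this identity's groups."""
        return sorted(r for r, allowed in ACL.items() if allowed & self.groups)


def pool_request(pool: Identity, user: str, group: str, log: list):
    """One request under the 'change the AppPool's group membership per user' design.
    Every request mutates the one shared identity. Each `yield` is a point where
    another request can run in between: a thread switch or an async continuation."""
    pool.groups.add(group)                # join the caller's group
    yield
    log.append((user, pool.readable()))   # the data access, with whatever groups are present now
    yield
    pool.groups.discard(group)            # leave the group after the call


def impersonation_request(user: str, group: str, log: list):
    """The same request under impersonation: a per-user token with static
    membership and nothing shared, so interleaving cannot change the result."""
    token = Identity(user, {group})
    yield
    log.append((user, token.readable()))
    yield


def run(design: str, interleave: bool) -> List[Tuple[str, List[str]]]:
    """Drive User1 (Group1) and User2 (Group2) through `design` ("shared-pool"
    or "impersonation"), either one after the other or overlapping in time.
    Returns the access log: (user, resources readable at the moment of access)."""
    log: List[Tuple[str, List[str]]] = []
    pool = Identity("AppPool")
    if design == "shared-pool":
        reqs = [pool_request(pool, "User1", "Group1", log),
                pool_request(pool, "User2", "Group2", log)]
    else:
        reqs = [impersonation_request("User1", "Group1", log),
                impersonation_request("User2", "Group2", log)]
    if not interleave:
        for r in reqs:                    # serialized: each request runs to completion
            for _ in r:
                pass
    else:
        while reqs:                       # round-robin: one step of each request per turn
            for r in list(reqs):
                try:
                    next(r)
                except StopIteration:
                    reqs.remove(r)
    return log


def leaked(log: List[Tuple[str, List[str]]]) -> List[Tuple[str, str]]:
    """Accesses in which a user could read a resource that is not their own."""
    return [(user, res) for user, visible in log for res in visible
            if res != f"files-of-{user}"]


if __name__ == "__main__":
    for design in ("shared-pool", "impersonation"):
        for interleave in (False, True):
            mode = "overlapping" if interleave else "serialized"
            print(f"{design:13} {mode:11} leaks: {leaked(run(design, interleave))}")
```

Only the shared-pool design with overlapping requests leaks, and only because both group memberships are present in the one token at the moment of access; serializing removes the leak at the cost David describes.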
Peter,

I probably didn't get the exact requirement that took you to change the group membership of the Pool account, or why you're not using kerberos delegation for your needs. But I'd set the process identity with least privilege (NETWORK_SERVICE or a simple domain account). Create the needed Aliases/SPNs/HostHeaders. I'd then delegate the identity with Kerberos from the UI to the application layer (WebService). The application layer (WebService/BAL/DAL) again authenticates and authorizes the account as needed. The Pool identity is the one accessing the backend resources like DBs, etc...

U = User Identity
P = Pool Identity

U => (U) UI (U) => (U) WebService/BAL/DAL (P) => (P) DB

Where doesn't this scenario fit?

Tiago Halm
Hello Tiago,

I'm not that familiar with Kerberos delegation.

Let me try to explain what we want to achieve:

Let's assume we have 2 servers: an Application Server (AS) and a Database Server (DS).
Let's assume we have 2 applications: A and B.

Application A is hosted on AS and has its own application pool: AP-A
Application B is hosted on AS and has its own application pool: AP-B

Application A has a database on DS: DB-A
Application B has a database on DS: DB-B

Only account A has access to database DB-A
Only account B has access to database DB-B

Application A and Application B have an application security based on Active Directory and NTFS on AS:

For example: a user that wants to use application A has to be in a group G-A that has file access to the files of application A.
Sometimes that user can be account B.

We tried to use Account A and B as Application pool accounts, but if Account B is added to the group G-A, the security info is only refreshed after IISRESET. Another problem of this implementation is that we can't use Kerberos in a clustered environment (???? problems with SPN's --> different accounts for the same 'physical target' ????)

Would Kerberos Delegation help in this case? And if that is the case, how should it be done?

Kind Regards,

Peter
I doubt the cluster environment has problems with kerberos tickets, as long as the account name and SPN alias is correctly defined on both nodes. You'd need to register an SPN for both Applications and database, assuming they can all authenticate kerberos.

For example assume a browser accessing a webpage, the webpage accesses a webservice, the webservice accesses a database. Now assume the following logical layers:

webapp.mycompany.com running with domain\webappAcc hosted in IIS
websvc.mycompany.com running with domain\websvcAcc hosted in IIS
data.mycompany.com running with domain\dataAcc running SQL Server instance

You'd need to create the following SPNs:

setspn.exe -A http/webapp.mycompany.com domain\webappAcc
setspn.exe -A http/websvc.mycompany.com domain\webappAcc
setspn.exe -A MSSqlserver/data.mycompany.com:1433 domain\dataAcc (need to check this one on MSDN)

Next, make sure domain\webappAcc, and domain\webappAcc have delegation enabled to the proper SPN (this can be done in AD after setting the SPNs)

Finally, make sure the webapp and the webservice delegate the accounts. The webapp can delegate via <identity impersonate="true" />. The webservice (if ASMX) can do the same, or if WCF can be done via changing the config file or programmatically (recommended in security terms).

Setting kerberos on all layers should not be difficult, the only difficult piece is your data layer (I don't know which is), but should be simple.

Hope it all makes sense.

Tiago Halm
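A planning check for the SPN and delegation steps Tiago lists, as an added example that is not code from the thread: it parses setspn lines in the form shown above and verifies, for a constructed three-tier layout, that each tier's SPN is registered on the account that actually runs it, that no SPN is registered on two accounts, and that each hop's account is trusted to delegate to the next hop's SPN. The host and account names are the sample names from the post, the delegation table is constructed, and MSSQLSvc is the service class SQL Server uses for its own SPN.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Service:
    spn: str       # SPN a client asks the KDC for, e.g. "http/webapp.mycompany.com"
    account: str   # account the service process actually runs as
    next_hop: str  # SPN this tier must delegate to, "" for the last tier


# Constructed three-tier layout mirroring the layers above (sample names, not real hosts).
LAYOUT = [
    Service("http/webapp.mycompany.com", r"domain\webappAcc", "http/websvc.mycompany.com"),
    Service("http/websvc.mycompany.com", r"domain\websvcAcc", "MSSQLSvc/data.mycompany.com:1433"),
    Service("MSSQLSvc/data.mycompany.com:1433", r"domain\dataAcc", ""),
]

# Constructed plans in the form of the setspn lines above. In the first one the
# websvc SPN is put on the wrong account on purpose so the check has something to find.
PLAN_WITH_MISTAKE = [
    r"setspn.exe -A http/webapp.mycompany.com domain\webappAcc",
    r"setspn.exe -A http/websvc.mycompany.com domain\webappAcc",
    r"setspn.exe -A MSSQLSvc/data.mycompany.com:1433 domain\dataAcc",
]
CORRECTED_PLAN = [
    r"setspn.exe -A http/webapp.mycompany.com domain\webappAcc",
    r"setspn.exe -A http/websvc.mycompany.com domain\websvcAcc",
    r"setspn.exe -A MSSQLSvc/data.mycompany.com:1433 domain\dataAcc",
]
# Constrained delegation as configured in AD (constructed): account -> SPNs it may delegate to.
DELEGATION = {
    r"domain\webappacc": ["http/websvc.mycompany.com"],
    r"domain\websvcacc": ["MSSQLSvc/data.mycompany.com:1433"],
}

SETSPN_RE = re.compile(r"setspn(?:\.exe)?\s+-[AS]\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_setspn(lines: List[str]) -> Dict[str, List[str]]:
    """Map each SPN in 'setspn -A <spn> <account>' lines to the accounts it lands on.
    SPNs and account names are case-insensitive, so both are lower-cased."""
    registered: Dict[str, List[str]] = {}
    for line in lines:
        m = SETSPN_RE.match(line.strip())
        if m:
            registered.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return registered


def check_plan(layout: List[Service], setspn_lines: List[str],
               delegation: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means the chain should authenticate."""
    registered = parse_setspn(setspn_lines)
    findings: List[str] = []
    # An SPN on two accounts is ambiguous: the ticket may be encrypted with the
    # wrong account's key and the service cannot decrypt it.
    for spn, accounts in registered.items():
        if len(set(accounts)) > 1:
            findings.append(f"duplicate SPN {spn} on {sorted(set(accounts))}")
    for svc in layout:
        owners = registered.get(svc.spn.lower(), [])
        if svc.account.lower() not in owners:
            findings.append(f"{svc.spn} is not registered on {svc.account} "
                            f"(found on {', '.join(owners) or 'nothing'})")
        if svc.next_hop:
            allowed = {s.lower() for s in delegation.get(svc.account.lower(), [])}
            if svc.next_hop.lower() not in allowed:
                findings.append(f"{svc.account} is not trusted to delegate to {svc.next_hop}")
    return findings


if __name__ == "__main__":
    for name, plan in (("plan with mistake", PLAN_WITH_MISTAKE), ("corrected plan", CORRECTED_PLAN)):
        print(name, check_plan(LAYOUT, plan, DELEGATION) or "OK")
```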
Hi Tiago,

I think I understand, but I still have some questions.

This is our situation:

We have the following configuration: For simplicity I'll use simple names.

2 WebUI Servers (W2K3, IIS6), named WEBUI1.mycompany.local and WEBUI2.mycompany.local, both have an A-record in DNS (it's the 'physical' name of the machine).
The WebUI Servers are load balanced clustered, with the name WEBUICluster.mycompany.local, it has an A-record in DNS.

2 Application Servers (WK3, IIS6), named APP1.mycompany.local and APP2.mycompany.local, both have an A-record in DNS (it's the 'physical' name of the machine).
The Application Servers a