Security :: Double Hop Delegation - Can't Get The Web Service To Run Under The Callers Context

Sep 3, 2010

I have an ASP.NET 2.0 web app which calls a one-way web method on a web service. This web method contacts remote servers and pulls back config information to confirm the state of new server builds (settings etc.) and inserts the collected data into a SQL database. The web app is supposed to pass through the caller's Kerberos ticket to the web service and then again to the newly built server which is being checked, all via impersonation and delegation using the calling user's administrator privileges.

The trouble is, I just can't get the web service to run under the caller's context. I have the SPNs set up, delegation turned on in the Active Directory objects for the computer running the web app and service and the worker process domain user service account. I have Windows authentication on and impersonation set to true in both the web app and service's web.config, integrated authentication in IIS, and IE settings are all OK. All has been checked out and passes the tests in DelegConfig, but it still won't work.

It appears that any data that is written to the database is written under the context of the web pool service account, and not the calling user's, which, along with the fact that I get access denied messages when trying to collect data from the server, says impersonation isn't working. Also, is it possible to run the checks under the calling user's context, but write to the database with the web pool identity service account without specifying the user details in the web.config? I am working in a secure environment and we must use Windows-based accounts only, no SQL accounts.

View 1 Replies


Similar Messages:

Security :: Double Hop Impersonation - Protocol Transitioning And Constrained Delegation In 4

Nov 10, 2010

I want to use IIS impersonation to connect to a SQL Server database as the user who is currently accessing a website. This is for auditing and security reasons. I've done some reading and discovered that because the SQL Server is on a separate physical server I need to enable Protocol Transitioning and Constrained Delegation for the server that's running IIS. This is the article that I found: [URL]. I didn't realise at the time I first read it, but this article has the following header:

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

What I want to know is: does the information in the article still apply? If I want to impersonate the user all the way to the SQL Server, do I still need Constrained Delegation, or has this been implemented in some other way for ASP.NET 4?

View 1 Replies

Enable Double - Hop Delegation In IIS7 Windows 2008

Dec 2, 2010

My ASP.NET web application uses Windows authentication on our intranet. I want it to be able to make a server-side HTTP request to another server on the same domain that also requires Windows authentication. I've followed the instructions on temporarily impersonating the authenticated user when making the additional request here: [URL], using code like this:

using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

// Obtain the authenticated user's Identity
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
    // Start impersonating
    ctx = winId.Impersonate();
    // Now impersonating
    // Access resources using the identity of the authenticated user
    var request = WebRequest.Create("http://intranet/secureapp");
    request.Credentials = CredentialCache.DefaultCredentials;
    // Dispose the response and its stream once the body has been read
    using (var response = request.GetResponse())
    using (var streamReader = new StreamReader(response.GetResponseStream()))
    {
        Response.Write(streamReader.ReadToEnd());
    }
}
// Prevent exceptions from propagating
catch
{
}
finally
{
    // Revert impersonation
    if (ctx != null)
        ctx.Undo();
}
// Back to running under the default ASP.NET process identity

But, unfortunately, I always get a 401 unauthorized error. Do I need to configure our webserver with Active Directory to allow it to delegate the authenticated user (could be any one of about 200 users, so don't want to have to do anything 200 times :))? If so, can anyone tell me how to do this?

View 1 Replies

Architecture :: DAL As Web Service - Adding A Service Reference To Project And Then Using The EF4 Context And Writing LINQ Queries Against The DB?

Feb 10, 2011

I'm currently trying to work out the best way to build this web application, which will then be integrated on other systems, such as WinForms, Intranets etc.

We hope to include the usual layers i.e. DAL, BLL, BOL and UI but I have been experimenting with Entity Framework 4 and WCF Data Services and managed to get something in place where I was using WCF as a gateway to EF4.

i.e. Adding a Service Reference to my project and then using the EF4 context and writing LINQ queries against the DB

e.g.[Code]....

Now with the current setup I would still need to write a DAL Class Library, that interacts with the Data Service, because as I said WCF Data Services only seems to be a gateway, I can't see where to put the code (above) in the Data Service and then how I could these methods.

My questions are: 1. How do I develop a WCF Data Service in such a way to allow this behaviour - I know how I could do it using ASMX web service, something like [Code]....

2. If I am to use WCF Data Services, how is serialization handled (if at all) - again I know how to do something in ASMX web services

3. Again, If I am to use WCF, how do I add Security and only allow my applications to access the web service - for obvious reasons

4. Would it be possible / logical to also include the Business Logic Layer into the web service?

View 4 Replies

Call A WCF Service Outside Of The Impersonation Context?

Jul 30, 2010

I'm having problems with impersonation in WCF. Namely, I'm calling a named pipe service from within ASP.NET with impersonation turned on. This fails (due to permissions on the pipe blocking anyone from the network). So, is there any way I can make the call outside of the impersonation context? I don't need to be impersonating to make this call, but can't see any way of doing this.

PS. I need to do this declaratively, through config...

View 1 Replies

Security :: Running Application Under The Security Context Of The Logged In User (LDAP Authentication)

Mar 17, 2011

We are using membership provider for LDAP authentication. It is working as it should.

But what configuration settings do I have to make so that all future requests to this application run under the security context of the logged-in user account, not through some default user set in IIS?

We need to have this working because all the permissions on the database are based on the logged in user.

We are using form authentication for LDAP authentication. And having impersonation = true in web.config.

View 1 Replies

Security :: Double Hop With AD Authentication

Mar 18, 2011

If I am using AD authentication for my internal ASP.NET app how can I enable that that same AD User is authenticating on the internal web service that is being called by that internal ASP.NET application?

View 2 Replies

C# - ASP Event Delegation Between User Controls

Mar 31, 2010

Given the following control hierarchy on an ASP.NET page:

Page
HeaderControl (User Control)
TitleControl (Server Control)
TabsControl (User Control)
other controls

I'm trying to raise an event (or some notification) in the TitleControl that bubbles to the Page level. Then, I'd like to (optionally) register an event handler at the Page codebehind that will take the EventArgs and modify the TabsControl in the example above. The important thing to note is that this design will allow me to drop these controls into any Page and make the entire system work seamlessly if the event handler is wired up. The solution should not involve a call to FindControl() since that becomes a strong association. If no handler is defined in the containing Page, the event is still raised by TitleControl but is not handled.

My basic goal is to use event-based programming so that I can decouple the user controls from each other. The event from TitleControl is only raised in some instances, and this seemed to be (in my head) the preferred approach. However, I can't seem to find a way to cleanly achieve this. Here are my (poor) attempts:

Using HttpContext.Current.Items

Add the EventArgs to the Items collection on TitleControl and pick it up on the TabsControl. This works but it's fundamentally hard to decipher since the connection between the two controls is not obvious.

Using Reflection

Instead of passing events, look for a function on the container Page directly within TitleControl as in: Page.GetType().GetMethod("TabControlHandler").Invoke(Page, EventArgs);

This will work, but the method name will have to be a constant that all Page instances will have to define verbatim. I'm sure that I'm over-thinking this and there must be a prettier solution using delegation, but I can't seem to think of it.

View 4 Replies

Security :: Membership Create Double UserId?

Jan 2, 2011

I'm using the membership class in my application, but when I assign a Role to a User it creates the same user again with another ID.

This is my Web.Config:

<?xml version="1.0"?>

View 2 Replies

Impersonate User In WCF From Multiple Callers?

Nov 26, 2010

I'm using WCF services, ensuring that UserName/Password must be provided for each request. I need to use the same service from many clients, but I need to impersonate the call to access the appropriate resources for each client. When I call the service directly from the client there is no problem, because I use for each client a UserName/Password pair defined in their web.config. The problem comes when I need to call a second Web service from a call to the first one using the same identity. This second Web service requires UserName/Password, but I only know who the caller is (UserName) but not the password.

How can I impersonate this second call without knowing the password for the corresponding username?

EDIT: The app (Web App and Services) is running in a shared hosting environment where I can't use Windows Authentication to configure Kerberos for Delegation. I have defined a UserNameValidator to process on each call the pair UserName/Password against a custom SQLServer database. Moreover, the intended customers of this app will use it from Internet, without requiring a windows account, that is because I need a more flexible, SQL-based, authentication schema.

View 2 Replies

Web Forms :: That Assembly Does Not Allow Partially Trusted Callers?

Jan 13, 2011

I am developing an application using VS2008 .Net 3.5 with MS SQL 2008 targeting .Net 2.0

The project is created as Web Application ... does not use any third party controls

I have changed both my web.config and assemblyinfo.cs with AllowPartiallyTrustedCallers ...

I am still getting the error message, "That assembly does not allow partially trusted callers"

View 3 Replies

Web Forms :: That Assembly Does Not Allow Partially Trusted Callers.

Jan 8, 2011

I'm using this: http://code.google.com/apis/recaptcha/docs/aspnet.html ...

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: That assembly does not allow partially trusted callers.

Source Error: [Code]....

Source File: d:hosting4646264htmlgreenstormsContact.aspx Line: 228

Stack Trace: [Code]....

Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.4049

View 1 Replies

Controls :: ITextSharp - That Assembly Does Not Allow Partially Trusted Callers

May 7, 2015

using iTextSharp.text;
using iTextSharp.text.html.simpleparser;
using iTextSharp.text.pdf;

Added dll to Bin folder.

Response.ContentType = "application/pdf";
// Response.AddHeader("content-disposition", "attachment;filename=TestPage.pdf
string name = lblname.Text.Replace(" ","") + ".pdf";
Response.AddHeader("content-disposition", "attachment;filename=" + name);

[Code] ....

Got error in server as

System.Security.SecurityException: That assembly does not allow partially trusted callers.

View 1 Replies

Security :: The Name 'User' Does Not Exist In The Current Context?

Jan 1, 2010

On my master page I have a link button which should be visible only to the Administrator or Supervisors roles.

So in the code-behind file of the master page I have put the following code in the page load event

[Code]....

but I am getting the following error

The name 'User' does not exist in the current context

View 2 Replies

Security :: Login Controls And A Web Service - Web Service To Do The Membership Authentication And Authorization?

Jan 23, 2010

I am writing two ASP.NET apps. One is a web service that provides XML data and the other is a web client that will use the service to display and manipulate data. I would like for the web service to do the membership authentication and authorization. Is there any way to simply point the login controls in my client application to the web service instead of to a database? I assume I would have to provide the necessary methods in my web service interface, which would then use the membership provider database I created and pass the results back through to the client.

Is this possible? I have seen many articles on security provision from a web service but none has really been what I am looking for. I was hoping that, since my service and my client are both written in ASP.NET, there might be some built functionality that would benefit me.

View 8 Replies

Security :: Transfer ProfileCommon Context To Authenticated User

Feb 7, 2010

I currently have a ProfileCommon enabled on my site and would like to know where I would start to transfer this ProfileCommon's context to a user's profile after he/she has logged in. Here is a snippet of how I have defined this ProfileCommon:

[Code]....

View 2 Replies

Security :: Context.Request.Url Doesn't Return Https?

Apr 18, 2010

We just moved an ASP.net application to a new server and are now getting this error when we try to return to a page: Http/1.1 Service Unavailable

In testing, I find that the address of the page does not include the SSL designator. It is trying to use http:// instead of https://. This value is coming from the Context.Request.Url property of the page.

Why would Context.Request.Url not return the "https" for a page under SSL?

View 2 Replies

Security :: Set Context.User.Identity.name When Using The Login Controls?

Jun 13, 2010

To avoid going to the database to get the user ID, I'd like to append the userId to the Context.User.Identity.Name field. This way I can split the returned string to get the UserId without going to the database.

Where can I do this when using the login controls?

Is there some event handler where I can add:

FormsAuthentication.SetAuthCookie(NamePlusUserID, false);

View 1 Replies

Security :: Login Control - Controls Do Not Exist In Current Context?

Jun 18, 2010

Trying to set up the Login control as a User control, but none of the controls exist in the current context?

None of my code below is recognised? I've rebuilt the solution many times.

if (Membership.ValidateUser(this.UserName.Text, this.Password.Text))
{
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
}
else
{
    Msg.Text = "Login failed. Please check your user name and password and try again.";
}

View 5 Replies

Security :: Setting HttpApplication.Context.User Is Terribly Slow?

Mar 17, 2010

Does anyone have a clue why setting the Principal for the context would be so slow that a request times out? I have a custom HttpModule that subscribes to the "AuthenticateRequest" event. I have this call which works fine to create the Principal (which makes all the DB queries)

[Code]....

where context.User is source.Context.User where source is the HttpApplication.

View 2 Replies

Security :: Login Control - Controls Do Not Exist In Current Context

Aug 28, 2010

Trying to set up the Login control as a User control, but none of the controls exist in the current context?

if (Membership.ValidateUser(this.UserName.Text, this.Password.Text))
{
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
}
else
{
    Msg.Text = "Login failed. Please check your user name and password and try again.";
}

View 15 Replies

Security :: IIS7 Recycle Results In Context.User.Identity.IsAuthenticated = False?

Nov 22, 2010

I need an app pool recycle to be completely transparent to the users of my web app. I use ASP.NET 3.5 MVC 1.

Currently, upon an IIS 7 App Pool recycle all users logged into my web app are kicked out and are required to log back in (Context.User.Identity.IsAuthenticated is set to false). I employ SQL State Server, I use forms authentication and both are configured to use cookies. I was under the impression that .NET and/or IIS handles authentication of cookies.

However, every time the app pool is recycled Context.User.Identity.IsAuthenticated is set to false, my users are kicked out and are required to log back in. I can see that the session ID remains the same throughout logins, and I can also view this session information in the database/state server.

Logon method:

[Code]....

Custom Controller Attribute:

[Code]....

WebConfig:

[Code]....

View 1 Replies

Security :: Webservice Security And Windows Authentication - Invoke SSIS Packages From Web Service

Dec 15, 2010

I have to invoke SSIS packages from a web service in the most secure way. I think that Windows authentication will be secure but I am not sure. I do not have much knowledge about how to achieve this and the information on the internet is very distributed.

View 1 Replies

ADO.NET :: Showing Any Mapped Float Fields From My Db Tables As "Double?" Instead Of "Double"

Oct 13, 2010

I'm using LINQ to SQL; everything seems to be working fine except one thing. I'm showing any mapped float fields from my db tables as "Double?" instead of "Double", and when binding to a datagrid, any of those "Double?" fields don't show. If I iterate through the items and spit out the property, the float value is indeed there and properly returned.

View 3 Replies

HttpHandlers / Modules :: Context.Response.Output Vs Context.Response.Write()?

Jan 24, 2010

I have written a simple HttpModule. context.Response.Output.Write is working fine, but not context.Response.Write().

View 2 Replies






