Security :: No Impersonation - But Wrong Account Being Used To Access Files?
Aug 2, 2010
I run a simple .aspx website on a Windows Server 2008 machine. There is no impersonation, and System.Security.Principal.WindowsIdentity.GetCurrent().Name returns NT AUTHORITY\NETWORK SERVICE, which is the account the application pool runs under. I tried to test the security of the application and server by removing file permissions on the .aspx files. I was greatly worried when the website continued to run without problem (it should not have been able to read the .aspx files). By turning on file-level auditing, I discovered that the .aspx files were being read by the machine$ account (if the machine is called Serv1, the files would be read by the Serv1$ account, which seems to have access to all files on the local machine). Is this a security breach or is this behaviour by design?
View 4 Replies
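An added check for the comparison this post (and the Jul 14 one below) describes; it is not code from either post. It reads the DACL of the .aspx that is executing, keeps only the ACEs that name a SID present in the worker-process token, reports whether those ACEs grant ReadData, and puts that next to whether File.OpenRead actually succeeds under the same token. The file path comes from the current request; nothing else is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Web;

// Added diagnostic, not part of the original post. Call Report(Context) from a page
// (for example in Page_Load) and write the result into a <pre>.
public static class AccessDiagnostics
{
    // Every SID a DACL entry can match for this token: the user SID plus all group SIDs.
    public static HashSet<SecurityIdentifier> TokenSids(WindowsIdentity id)
    {
        var sids = new HashSet<SecurityIdentifier> { id.User };
        foreach (IdentityReference group in id.Groups)
            sids.Add((SecurityIdentifier)group);
        return sids;
    }

    // Walks the file's DACL, logs the ACEs that apply to the token, and folds them into
    // allowed/denied masks. A matching Deny ACE overrides Allow, as Windows evaluates it.
    public static bool DaclGrantsRead(string path, WindowsIdentity id, List<string> log)
    {
        HashSet<SecurityIdentifier> sids = TokenSids(id);
        FileSecurity security = File.GetAccessControl(path);   // needs READ_CONTROL on the file
        var allowed = (FileSystemRights)0;
        var denied = (FileSystemRights)0;

        foreach (FileSystemAccessRule rule in security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)rule.IdentityReference;
            if (!sids.Contains(sid))
                continue;

            string who;
            try { who = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { who = sid.Value; }
            log.Add(rule.AccessControlType + " " + rule.FileSystemRights + " for " + who
                    + (rule.IsInherited ? " (inherited)" : ""));

            if (rule.AccessControlType == AccessControlType.Allow)
                allowed |= rule.FileSystemRights;
            else
                denied |= rule.FileSystemRights;
        }

        return (allowed & FileSystemRights.ReadData) == FileSystemRights.ReadData
            && (denied & FileSystemRights.ReadData) == 0;
    }

    // The DACL prediction next to the real outcome of opening the file with this token.
    public static string Report(HttpContext context)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string path = context.Request.PhysicalPath;
        var log = new List<string> { "Token: " + id.Name + " (" + id.User.Value + ")", "File: " + path };

        string predicted;
        try { predicted = DaclGrantsRead(path, id, log).ToString(); }
        catch (UnauthorizedAccessException) { predicted = "unknown (token may not read the DACL)"; }

        bool actual;
        try
        {
            using (File.OpenRead(path)) { }
            actual = true;
        }
        catch (UnauthorizedAccessException)
        {
            actual = false;
        }

        log.Add("DACL grants ReadData to this token: " + predicted);
        log.Add("File.OpenRead succeeded: " + actual);
        return string.Join(Environment.NewLine, log.ToArray());
    }
}
```

If the last two lines disagree, the successful read did not go through the token listed at the top: the page may be executing from its compiled copy in Temporary ASP.NET Files rather than re-reading the .aspx on each request, or the file access is arriving under another identity, which is what an audit entry naming Serv1$ suggests. Run the report, then try File.OpenRead on the same path from a separate process started as NETWORK SERVICE to separate the two cases.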
Similar Messages:
Jul 14, 2010
Have I done something wrong? I am running a website with simple .aspx files on a standalone workgroup Windows Server 2008 called 'Max'. I had assumed that the .aspx files were accessed by the 'Network Service' account. The application pool for the website is running with 'Network Service' as the process account. I was puzzled, since 'Network Service' had no permission on these .aspx files, and I couldn't understand how these files were being accessed at the file level. So I added event-level auditing to the files, and I was surprised to learn that the .aspx files were being accessed by an account called Max$ (i.e. the computer account). Is this correct? Why is the Network Service account not being used?
View 11 Replies
Jun 18, 2010
I wrote an asp.net application that I'm trying to run on a GoDaddy domain I bought. I need to read a file in a folder that I did not give read access to, so that your average user cannot see the information in that folder. I assumed that the asp.net program would have the same credentials as myself because it is server-side code. Turns out I am wrong. When I go to use the asp.net application it throws an access denied error saying that the ASP.NET user account has to be given permissions to access the folder.
After talking to two different tech support people at GoDaddy I've come to the realization that they are either dumb or lazy (or a combo of the two). I came across some code that you can put into the web.config file that would allow the asp.net application to impersonate a user, which would work great to use myself as the impersonated user. However it seems that GoDaddy cannot give me the name of the server that my domain is on (that's understandable), so I don't know what to put in the identity tag to get this to work.
Here is the code I found:
[Code]....
(of course I filled in the username and password with the correct info)
When I went to use it again it threw this error:
System.Web.HttpException: The current identity (PHX3\username) does not have write access to 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'.
View 3 Replies
Jun 2, 2010
In my asp.net application, I am trying to upload email from Outlook of my account. I get the error mentioned below.
[System.Web.Services.Protocols.SoapException] = {"The server to which the application is connected cannot impersonate the requested user due to insufficient permission."}
View 1 Replies
Sep 28, 2010
My feeling says it's not possible, but anyway I am curious if there is at least a workaround to accomplish this. Basically I am working at my client site and my machine is not connected to the domain. What I want to do is run a web application locally under a domain account, using the webdev server. The webapp uses the default authentication, Windows authentication that is. I tried using impersonation with domain\user & password but I got the following error: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.' I have to mention that the username and the password are correct.
View 2 Replies
Jun 4, 2010
Programmatic impersonation access denied to UNC path
[WebMethod]
View 1 Replies
Apr 26, 2010
If you use anonymous access + impersonation of a windows domain account to access a file on a network share, is the password sent in clear text?
View 3 Replies
Apr 23, 2010
I've been researching and I've spent practically all day on this. Here's my issue. The website uses forms authentication that we authenticate against Active Directory. I've been attempting to access files we have on a network share and push them down to the user (when they request them) in an HTTP response. I keep getting "Access to the path <unc path> is denied".
Here's the code:
[Code]....
Things I've tried:
1) When I add the "Computer" to the permissions of the folder it works and I don't even need to emulate a user (essentially just commenting out this code), but I'm not sure we want to explicitly give the computer access to some of our network shares.
2) I've verified it's the correct username and password for the Active Directory account and that they have permissions on these network shares.
3) I've fooled around with the WebProxy class with no luck (as I'm not entirely familiar with it).
4) I've tried impersonating the user by creating a Windows token and passing the token as credentials (I've done this with similar websites) with no luck, plus this seemed a bit complicated for something I figured would be relatively easy.
It's almost as if the WebClient class isn't even using the credentials I've passed it. We've got it working now, but only by giving the "Computer" specific permissions on the network shares, which we'd like to avoid.
View 1 Replies
Apr 9, 2010
The only way to make themes work is to allow user "Everyone" to access the folder App_Themes. I am wondering if a more specific user instead of "Everyone" can be granted the access to allow themes to work. Accounts "IIS_IUSRS" and "NETWORK SERVICE" have already been granted access. This is about folder access on Windows 7 running IIS7, not web page authorization configured via web.config. The web page is browsed via localhost (i.e. the web page address is something like "[URL]
View 1 Replies
Dec 8, 2010
I need an idea please. I have the task of disabling the Domain Administrator account, but we have a very messed up AC and I'm practically a new employee here. The administrator account has been used on several services, servers, print servers, etc. across the network and sites. All our intersite communication is perfect. So what I want is a way to know on which devices this account is configured. Is there a way or tool where I can input the account, and the output should be a list of servers, IP addresses or devices where the account is configured?
View 1 Replies
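An added example for the inventory this post asks for; it is not from the post. It collects two things: services configured to log on as the account (Win32_Service over WMI on each host, the same data services.msc shows in the Log On tab), and logon events that name the account as TargetUserName (4624 on the machine that was logged on to, 4768 on a domain controller for Kerberos ticket requests), each with the source workstation or address recorded in the event. The host names and the CORP\Administrator account in the usage are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Management;
using System.Xml;

// Added example, not from the original post. Reference System.Management.dll and run it
// with an account that can query WMI and read the Security log on the target hosts.
public static class AccountUsageFinder
{
    // "host: service Name runs as DOMAIN\user" for every matching service. A host that cannot
    // be reached is reported as an error line instead of aborting the whole sweep.
    public static List<string> ServicesRunningAs(IEnumerable<string> hosts, string domain, string user)
    {
        var hits = new List<string>();
        foreach (string host in hosts)
        {
            try
            {
                var scope = new ManagementScope(@"\\" + host + @"\root\cimv2");
                var query = new ObjectQuery("SELECT Name, StartName FROM Win32_Service");
                using (var searcher = new ManagementObjectSearcher(scope, query))
                {
                    foreach (ManagementObject service in searcher.Get())
                    {
                        string startName = service["StartName"] as string;
                        if (MatchesAccount(startName, domain, user))
                            hits.Add(host + ": service " + service["Name"] + " runs as " + startName);
                    }
                }
            }
            catch (Exception ex)   // RPC unavailable, access denied, ...: keep sweeping
            {
                hits.Add(host + ": ERROR " + ex.Message);
            }
        }
        return hits;
    }

    // Service logon accounts are stored as DOMAIN\user or user@domain; both forms are matched.
    public static bool MatchesAccount(string startName, string domain, string user)
    {
        if (string.IsNullOrEmpty(startName))
            return false;
        string name = startName.Trim();
        return name.Equals(domain + "\\" + user, StringComparison.OrdinalIgnoreCase)
            || name.Equals(user + "@" + domain, StringComparison.OrdinalIgnoreCase);
    }

    // Newest-first logon events that name the account, with the source host/address the event
    // carries. Requires the right to read the remote Security log (Event Log Readers or admin).
    public static List<string> LogonSources(string host, string user, int maxEvents)
    {
        if (user.IndexOf('\'') >= 0)
            throw new ArgumentException("account name cannot contain a quote", "user");
        string xpath = "*[System[(EventID=4624 or EventID=4768)] and "
                     + "EventData[Data[@Name='TargetUserName']='" + user + "']]";
        var query = new EventLogQuery("Security", PathType.LogName, xpath)
        {
            Session = new EventLogSession(host),
            ReverseDirection = true
        };

        var results = new List<string>();
        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            while (results.Count < maxEvents && (record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    var doc = new XmlDocument();
                    doc.LoadXml(record.ToXml());
                    var ns = new XmlNamespaceManager(doc.NameTable);
                    ns.AddNamespace("e", "http://schemas.microsoft.com/win/2004/08/events/event");
                    results.Add(host + ": event " + record.Id + " at " + record.TimeCreated
                        + " logon type " + Field(doc, ns, "LogonType")
                        + " from " + Field(doc, ns, "WorkstationName")
                        + " / " + Field(doc, ns, "IpAddress"));
                }
            }
        }
        return results;
    }

    private static string Field(XmlDocument doc, XmlNamespaceManager ns, string name)
    {
        XmlNode node = doc.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='" + name + "']", ns);
        return node == null ? "-" : node.InnerText;
    }

    // Usage (host names are assumptions):
    //   var services = AccountUsageFinder.ServicesRunningAs(new[] { "srv1", "srv2" }, "CORP", "Administrator");
    //   var logons   = AccountUsageFinder.LogonSources("dc1", "Administrator", 200);
}
```

Run LogonSources against every server and every domain controller, not one machine: 4624 is written on the host that was logged on to, and only the DCs record 4768. Scheduled tasks, IIS application pools, COM+ applications and credentials stored inside applications do not show up in Win32_Service, so treat the service list as a starting point and the logon events as the check that nothing was missed once the account is disabled.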
Oct 4, 2010
I have created an asp.net web application on Windows Server 2008. I have created a website in IIS 7 with an application pool. The application pool has the identity "NETWORK SERVICE". I have a web reference in my application with a certificate.
When I create a new web application, add the code below and add the web reference, and run the web application from the solution (and not from a website in IIS), the web service works fine. I think the local administrator has permissions and the Network Service account does not.
public static PartsService MyCompanyPartsService
{
get
{
if (_partsService != null)
return _partsService;
_partsService = new PartsService();
_partsService.PreAuthenticate = true;
[Code]....
View 1 Replies
Jul 27, 2010
Let me explain briefly how the app is set up (by the previous architect). I have the following app:
1) Server1
2) Server2
3) WPF app installed on the client desktop
4) WCF app hosted on IIS on Server1
5) SQL Server instance installed on Server2 (with internal IP addr 10.111.3.10)
The WPF app on the client side calls the WCF service on Server1 and the WCF service on Server1 accesses the database on Server2. The connection string in the WCF web.config (Server1) looks like this:
<add name="App.ConnectionString" connectionString="Persist Security Info=False;Initial Catalog=customerDB;Data Source=10.111.3.10;Integrated Security=SSPI"/>.
There is a Windows account (say winAcc1) on Server2 which is currently dedicated as DBowner of customerDB.
Now the question is "How does the WCF service on Server1 know to access the database with the "winAcc1" Windows account?" I have checked the web.config and everywhere in the app and I could not find any impersonation or programmatic setting of the network credential to "winAcc1".
View 1 Replies
Aug 1, 2010
I have a weird thing happening. I have two identical databases installed on one virtual machine but under two different instances of SQL Server. For some reason, periodically when saving from one it will save to the other instead. Using debug, I have verified that the connection string is correct and when the item saves, it still saves to the wrong database. I use session variables, and am of the belief that it might have something to do with it... and that when I go from one to the other it is still getting the connection string from the other for some reason. To make sure that it isn't a problem, I make sure that I completely close out one database before opening the other in a new IE window. I assume that when I completely close out an Internet Explorer window it abandons all session state. Is that true?
View 7 Replies
Jun 15, 2010
I have built an online CMS that is forms authenticated. The CMS allows administrators to upload files to the website. These files are stored outside of the Forms Authenticated section of the site so that they can be accessed from another site I have built. This other site is also forms authenticated, so users must log in and then they can access the files on the CMS site. site1.com: CMS for administrators only. Site stores all the files. site2.com: Access site.
My second website (the access site) is basically an empty shell that is filled with all of its content through the CMS using a SQL database and then displayed on the page. This works fine as only authenticated users have access to the interface used to view and download the files. My problem is, even though there is no public interface to find the files, someone could surely type [URL] and the video would be available to them. I don't really know what to do here; is there any way that people could be blocked from retrieving the files like this?
View 1 Replies
Oct 4, 2010
I have an app that uses impersonation to gain access to a database (on server separate from IIS). The app connects to the database using a trusted connection and seems to be working just fine. However, we get these logon failure events in the security event viewer:
[Code]....
It must have something to do with impersonation because the login failure is for the domain account which my app is impersonating under. But again, the app is working fine so I'm having a hard time figuring out how to stop these logon failures.
View 2 Replies
Jun 7, 2010
Summary: One of our web applications requires write access to C:\Windows\Temp. However, no matter how much I weaken the NTFS permissions, procmon shows ACCESS DENIED. Background (which might or might not be relevant to the problem): We are using OLEDB to access an MS Access database (which is located outside of C:\Windows\Temp). Unfortunately, this OLEDB driver requires write access to the user profile's TEMP directory (which happens to be C:\Windows\Temp when running under IIS 7.5), otherwise the dreaded "Unspecified Error" OleDbException is thrown.
View 1 Replies
Aug 19, 2010
Here is my dilemma: on my site I have a WordPress Audio Player (http://wpaudioplayer.com/standalone) that plays my MP3s.
It loads the MP3s by JavaScript, example below:
AudioPlayer.embed("audioplayer_7", { soundFile: "/Files/Music/[name of file].mp3" });
This file name is clearly visible in the browser source. Not a problem, however this means that any user can legitimately browse to the file directly and download it.
Now I still need the MP3 player (which is Flash) to have access to the file, but if a user were to try accessing the file directly, they would not be allowed access to it.
I am not sure how to go about this; I am circling the idea of an HttpHandler but not sure if this is sufficient to stop the direct access to the file.
View 2 Replies
Aug 11, 2010
I have a folder with a username and password on it. I want to make a page where I can access files under that folder in .NET and be able to download them. How do I code that in VB.NET?
View 2 Replies
Mar 7, 2011
My restricted files are all stored in the ~/Secured folder in the root. Authorized users have no trouble accessing aspx files in that folder. Recently I added a part of an application whose files I wanted to keep separate and created a ~/Secured/HR folder. I am getting a "resource not found" error trying to use any aspx file in the HR folder even after the user successfully logs in, as if the file does not exist at all. Here are my web.config security settings:
[Code]....
Do I need to configure security for that folder separately?
View 1 Replies
Jan 29, 2010
I have a web app which contains a folder Uploads, to which users (authenticated) upload their files (for some reason it has to be a folder in the root of the web app). I want to deny access to this folder and its files to all non-authenticated users.
In my web.config I have:
[Code]....
and everything seems to work in development, but on a staging server it redirects non-authenticated users to login page ONLY from aspx pages, but not when entering the url to the file in Uploads folder.
View 5 Replies
Mar 4, 2010
What is impersonation in asp.net? Are authentication and impersonation both the same? I googled and found both are one type of security.
View 3 Replies
Mar 3, 2011
Is there a reason Impersonation does not seem to work with a UNC path using File.OpenRead()? I'm utilizing codeproject's Impersonation utility: [URL] I have a user with rights to the share that I'm passing to OpenRead(). This is my code and it's not accessing the file:
try
{
bool canImp = imp.ImpersonateValidUser(impUser, domain, impPwd);
FileStream fs = File.OpenRead(filePath);
logger.Debug("File stream opened...");
byte[] b = new byte[fs.Length];
fs.Read(b, 0, b.Length);
fs.Close();
//code continued
View 1 Replies
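An added example for this post and for the Sep 28 (workgroup machine, "Could not create Windows user token"), Jun 4 (access denied to a UNC path) and Apr 23 (WebClient ignoring credentials) posts above; it is neither the posted code nor the CodeProject utility the post links to. LOGON32_LOGON_NEW_CREDENTIALS leaves the local token as it is and attaches the supplied credentials to outbound network connections only, so the web server does not have to validate the domain account itself and the SMB session to the share is authenticated as that account. The share path and account values in the usage are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the poster's code. Impersonation scoped to a using block so the token
// is always undone and closed, including when the file read throws.
public sealed class NetworkCredentialImpersonation : IDisposable
{
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;   // credentials used for network access only
    private const int LOGON32_PROVIDER_WINNT50 = 3;        // required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private readonly IntPtr _token;
    private readonly WindowsImpersonationContext _context;

    public NetworkCredentialImpersonation(string domain, string user, string password)
    {
        // NEW_CREDENTIALS does not validate the password here; a wrong password surfaces
        // later as an access-denied or logon-failure error on the first network access.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out _token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            _context = WindowsIdentity.Impersonate(_token);
        }
        catch
        {
            CloseHandle(_token);
            throw;
        }
    }

    // Undo first, then release the token handle.
    public void Dispose()
    {
        _context.Undo();
        CloseHandle(_token);
    }
}

public static class ShareReader
{
    // Reads a whole file from a share as the given account. File.ReadAllBytes loops until
    // EOF; a single FileStream.Read call may return fewer bytes than requested.
    public static byte[] ReadFromShare(string uncPath, string domain, string user, string password)
    {
        using (new NetworkCredentialImpersonation(domain, user, password))
        {
            // Under NEW_CREDENTIALS, WindowsIdentity.GetCurrent().Name still shows the
            // original identity; only outbound connections present the new credentials.
            return File.ReadAllBytes(uncPath);
        }
    }

    // Usage (values are assumptions):
    //   byte[] data = ShareReader.ReadFromShare(@"\\fileserver\reports\q1.pdf", "CORP", "svc-web", password);
}
```

Two caveats. For the Apr 26 question above: the password is not sent to the file server; the SMB session authenticates with NTLM or Kerberos using it, but the password does live in web.config or in memory on the web server, which is what to protect (aspnet_regiis -pe encrypts the config section). For the Sep 28 case: this gives a non-domain machine access to domain resources, but it does not make the local thread identity a domain user, so it will not make Windows authentication in the app run as that account. WebClient.Credentials only applies to HTTP and FTP authentication; a UNC path goes through FileWebRequest and the thread token, which is why the Apr 23 poster's credentials appeared to be ignored.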
Aug 18, 2010
Why can I still access files inside a forms authenticated part of my site? Any webpages say that you need to login to view them, but people can still access images by typing in the address bar. I am using forms authentication with my own database, so none of the aspnetdb services like membership roles etc. Is this a bad way to do things because I'm pretty deep into it now and it would be very difficult to change.
View 16 Replies
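An added example for this post and for the Jun 15 (CMS files reachable by URL), Aug 19 (MP3 player) and Jan 29 (Uploads folder) posts above; it is not the code of any of those posters. Forms authentication only protects what ASP.NET serves, so the files are kept outside the web root and served by a handler that checks the authenticated user first. The folder path is an assumption.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not the poster's code. Save as Files.ashx with this as the first line of
// the file:  <%@ WebHandler Language="C#" Class="ProtectedFileHandler" %>
// and reference files as /Files.ashx?f=song.mp3. The folder is outside the web root, so
// there is no URL that reaches the files except through this handler.
public class ProtectedFileHandler : IHttpHandler
{
    private const string Root = @"D:\ProtectedFiles";   // assumption

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has already run for this request. An unauthenticated caller
        // gets a 401, which FormsAuthenticationModule turns into the login-page redirect.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string path = ResolveInsideRoot(Root, context.Request.QueryString["f"]);
        if (path == null || !File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = ContentTypeFor(path);
        context.Response.Cache.SetCacheability(HttpCacheability.Private);   // no shared caches
        context.Response.AddHeader("Content-Disposition",
            "inline; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.TransmitFile(path);   // streams from disk without buffering the file
    }

    // Canonicalises the requested name and refuses anything that escapes the root:
    // "..\web.config", absolute paths and UNC paths all resolve outside it and return null.
    public static string ResolveInsideRoot(string root, string name)
    {
        if (string.IsNullOrEmpty(name))
            return null;
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                        + Path.DirectorySeparatorChar;
        string full;
        try { full = Path.GetFullPath(Path.Combine(rootFull, name)); }
        catch (ArgumentException) { return null; }       // invalid characters
        catch (NotSupportedException) { return null; }   // drive-relative forms like "c:foo"
        catch (PathTooLongException) { return null; }
        return full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    private static string ContentTypeFor(string path)
    {
        switch (Path.GetExtension(path).ToLowerInvariant())
        {
            case ".mp3": return "audio/mpeg";
            case ".pdf": return "application/pdf";
            case ".jpg": case ".jpeg": return "image/jpeg";
            case ".png": return "image/png";
            default: return "application/octet-stream";
        }
    }
}
```

The reason the staging server behaves differently from development (Jan 29 post) is that the Visual Studio development server routes every request through ASP.NET, while IIS hands static files to its own static-file handler and never consults the web.config authorization rules for them. If the files must stay under the web root, either set <modules runAllManagedModulesForAllRequests="true"> under system.webServer (IIS 7 integrated mode) or map the extension to aspnet_isapi.dll (IIS 6), so that UrlAuthorizationModule runs for those URLs. For the Flash player, point soundFile at /Files.ashx?f=... ; whether the plugin sends the forms cookie with that request varies by browser, so test it in each one you support.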
Mar 13, 2011
We are in the process of building an ASP.NET Windows auth application, where users need to interact with other internal systems using the same single sign-on. To interact with the application DB the system relies on the app pool account; for this we are doing the impersonation every time before every DB call. We cannot have all users added to the DB, or create a SQL account, which requires a password and user to be stored in web.config. We can encrypt it, but again you encrypt with what, etc. So we have one Windows account, which is the same Windows account used for our app pool as well.
I would like to know from the team what is the best way to do the DB connection in this case? What are the implications if we impersonate the DB calls based on the app pool account? Is it a best practice? I have read it creates its own thread and stuff. Do we need to worry?
View 1 Replies
Apr 13, 2010
I noticed impersonation is turned on by default in MOSS web configs. I tried disabling it but the web app returns an error. So my question, is it possible to disable impersonation in MOSS? If it is possible are there any special considerations I should be aware of?
If you're interested in why I need to do this... I need to have a custom web part (developed with SmartPart) talk to a separate SQL server using the application pool rather than the current user (Kerberos is enabled). If I set the authentication mode to NTLM I get NTAuthority/Anonymous login errors from my SQL connection. If I turn Kerberos on, the currently logged in user's credentials are passed. If I hard code the user id and password in the connection string it seems to ignore it and default to whichever security model is in place (NTLM or Kerberos).
View 6 Replies
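An added example for this post and for the Jul 27 (which account does the WCF service use?) and Mar 13 (DB calls as the app pool account) posts above; it is not from any of them. It asks SQL Server which login it sees on an Integrated Security connection, and shows how to run a query as the process identity while ASP.NET impersonation or Kerberos delegation is otherwise passing the caller's identity through. The server address and database name are the Jul 27 post's; everything else is assumed.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example, not from any of the posts.
public static class SqlIdentityCheck
{
    private const string ConnectionString =
        "Data Source=10.111.3.10;Initial Catalog=customerDB;Integrated Security=SSPI";

    // The login SQL Server associates with this connection. With Integrated Security and no
    // impersonation that is the worker-process account: a domain-joined server running as
    // NETWORK SERVICE shows up as DOMAIN\Server1$. Under impersonation or Kerberos delegation
    // it is the impersonated user.
    public static string LoginSeenBySqlServer()
    {
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand("SELECT SUSER_SNAME()", connection))
        {
            connection.Open();
            return (string)command.ExecuteScalar();
        }
    }

    // Drops the impersonated identity for the duration of the call. A zero token reverts the
    // thread to the process identity; disposing the context restores the impersonation.
    public static string LoginAsProcessIdentity()
    {
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            return LoginSeenBySqlServer();
        }
    }

    // Both values side by side; identical output means no impersonation was in effect.
    public static string Compare()
    {
        return "Thread identity: " + WindowsIdentity.GetCurrent().Name
             + "\nSQL login as-is: " + LoginSeenBySqlServer()
             + "\nSQL login as process identity: " + LoginAsProcessIdentity();
    }
}
```

For the Jul 27 setup, if SUSER_SNAME() returns DOMAIN\Server1$ rather than winAcc1, then winAcc1 is not how the service connects at all: look at the application pool identity and at the logins granted on Server2 instead. For the Mar 13 question, this is the usual pattern: grant the one app pool account its database role and connect as the process identity, rather than impersonating per call. Note that with Integrated Security the connection pool is keyed by Windows identity, so every distinct impersonated user gets its own pool; reverting to the process identity keeps all DB traffic on one pool. In SharePoint, SPSecurity.RunWithElevatedPrivileges is the built-in way to run a block as the application pool account.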