Using integrated Windows.. invoking a WebMethod using the app pool credentials, NOT the authenticated user's credentials.

I have a dilemma and I am unsure how to accomplish what I am needing.

I have successfully configured a web service running under a specific user account to use Windows integrated authentication.

 

The keys to accomplishing this lie in three steps.

1. Creating the app pool account and getting it registered in IIS with the IIS_WPG group.

http://msdn.microsoft.com/en-us/library/ms998297.aspx

2. Setting the authentication to use NTLM instead of Kerberos (otherwise it won't allow integrated Windows authentication).

http://support.microsoft.com/kb/871179

And finally, to get around a temp directory issue, granting security rights to the windows/temp directory to the IIS_WPG group.

http://support.targetprocess.com/Default.aspx?g=posts&t=138

 

 

So here is my problem.

 

I need the integrated Windows because I basically need to capture the identity of anyone invoking the web methods in one web service.

Once I validate the user's identity, however, I need to invoke a different web method on a separate service as the service account the app pool is running under, NOT with the credentials of the authenticated user.

The reason for the service account is because of security requirements in the environment: the developers can't know the password of the account that the call has to use, so simply performing an impersonation and passing in the user ID and password of the account to impersonate doesn't work. So basically, having captured the credentials of the person who invoked the method, I now need to call other methods as the account the service is running under.

 

I have no idea how to accomplish this however. 

0
Prysson
1/22/2009 4:50:21 PM

Prysson:

I need the integrated Windows because I basically need to capture the identity of anyone invoking the web methods in one web service.

Once I validate the user's identity, however, I need to invoke a different web method on a separate service as the service account the app pool is running under, NOT with the credentials of the authenticated user.

The reason for the service account is because of security requirements in the environment: the developers can't know the password of the account that the call has to use, so simply performing an impersonation and passing in the user ID and password of the account to impersonate doesn't work.

 

If I understand your question correctly, you want to invoke the web method with the Network Service credentials, because you cannot impersonate the authenticated user. But, if you are able to, that would be the preferred method. If that's true, please look at the following article, which explains how to impersonate based on a user token. If I misunderstood your question, please explain.

http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToImpersonateAUserGivenHerToken.html

 


Kumar Reddi
0
Kumar
1/22/2009 6:55:51 PM

Actually it's just the opposite.. I have to accept impersonation initially because I have to be able to validate the user invoking the method.

BUT once I verify the user invoking the method, I actually have to run the method with the credentials that the service is running under.. so essentially I need to stop the impersonation and run the rest of the method with the credentials the service is running under.

 

 

0
Prysson
1/23/2009 12:45:08 AM

OK. So you need to turn off the impersonation temporarily. Please look at the following MSDN article, which explains how to turn off impersonation programmatically.

http://msdn.microsoft.com/en-us/library/ms998351.aspx

If you need to access specific resources such as local files by using the process identity, you can temporarily remove the impersonation token from the ASP.NET request thread by using the following code:

// Requires: using System.Security.Principal;
// Stop impersonation
WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
try 
{
  // Thread is now running under the process identity.
  // Any resource access here uses the process identity.
}
finally 
{
  // Resume impersonation
  ctx.Undo(); 
}


Kumar Reddi
0
Kumar
1/23/2009 2:17:44 AM
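The flow discussed in this thread, as an added example (not code from either poster or from the linked MSDN article): the web method identifies and authorizes the Windows-authenticated caller while impersonation is still active, then reverts to the app pool identity only for the outbound call. The class name, backend URL and group name are hypothetical, and it assumes a .NET Framework ASMX service with Windows authentication and impersonation enabled.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web.Services;

public class FrontService : WebService   // hypothetical class name
{
    // Hypothetical values, not from the thread.
    private const string BackendUrl = "http://backend.example.internal/Inner.asmx/GetStatus";
    private const string AllowedGroup = @"EXAMPLE\StatusReaders";

    [WebMethod]
    public string GetStatusForCaller()
    {
        // Still impersonating: identify and authorize the caller first.
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || !User.IsInRole(AllowedGroup))
            throw new UnauthorizedAccessException("Caller is not authorized.");
        string callerName = caller.Name;

        // Remove the impersonation token; the thread now runs as the app pool account.
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            // The backend sees only the service account, so record the real caller here.
            Trace.WriteLine("Backend call as " + WindowsIdentity.GetCurrent().Name
                            + " on behalf of " + callerName);

            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(BackendUrl);
            req.UseDefaultCredentials = true;   // credentials of the current thread identity
            using (WebResponse resp = req.GetResponse())
            using (StreamReader reader = new StreamReader(resp.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            // Resume impersonating the caller for the rest of the request.
            ctx.Undo();
        }
    }
}
```

Keeping the authorization check ahead of the revert matters because everything inside the `try` block runs with the service account's rights regardless of who called.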

That was exactly what I needed. Much thanks!!!

0
Prysson
1/23/2009 5:17:35 PM