Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to .net Impersonation

Published byΚλυμένη Λούπης Modified over 5 years ago

Similar presentations

Presentation on theme: "Introduction to .net Impersonation"— Presentation transcript:

1 Introduction to .net Impersonation
Vijay Kumar Musham CS 795 Old Dominion University Guide Dr Ravi mukkamala

2 Agenda Introduction Security flow for a request (asp.net)
Brief notes on Authentication and Authorization Impersonation Demo References

3 Security Flow for a Request (ASP.NET)

4 Authentication ASP.NET authentication providers Forms Authentication
Forms, Windows, Passport, Default, and Custom Forms Authentication <authentication mode="Forms"> <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" /> </authentication>

5 Forms Authentication Flow

6 Contd.. Windows Authentication
Can be used in combination with Basic, NTLM, Digest, Kerberos, and so forth User is authenticated by IIS Easiest of all Request flow Client makes request IIS authenticates request, forwards to ASP.NET Impersonation turned on? ASP.NET returns response to client <authentication mode=" Windows" /> <authorization> <deny users="?" /> <allow users= "*" /> </authorization>

7 Impersonation An important security feature is the ability to control the identity under which code is executed. Impersonation is when ASP.NET executes code in the context of an authenticated and authorized client. By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process, which is typically the ASPNET account

8 Contd.. if a web page has no access controls, then any user can access that web page. HTML pages, ASP pages, and components in version 3.0 and earlier can be accessed through two accounts named IUSR_machinename and IWAM_machinename When IIS receives a request for a web page or other resource that has permission for anonymous access, IIS treats the IUSR_machinename account as the user's account, to access the resources. If the resource requested by the user is an ASP page that uses a COM or COM+ component, that component is executed using the IWAM_machinename account.

9 Contd.. In ASP.NET, when impersonation is turned off, the resources can be accessed using a "local system process" account. When impersonation is turned on, ASP.NET executes every resource using the account of a specified user who is authenticated when the user makes the request. If you specify the IUSR_machinename account to be used as the user account, then ASP.NET will behave like previous versions of ASP, in providing access to the resources.

10 Contd.. In ASP.NET, you first need to check whether the application is configured to use impersonation. In the case of IIS, the IIS impersonates users with its own IUSR account. In the case of ASP.NET, impersonation is used to decide whether the user's request should be executed using the account of the requested user, or that of a local system-process account that ASP.NET uses for anonymous requests.

11 Summary If impersonation is enabled in an ASP.NET application then: • If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account. • If anonymous access is disabled in IIS, the request is made using the account of the authenticated user. • In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.

12 Contd.. If impersonation is disabled in an ASP.NET application then: • If anonymous access is enabled in IIS, the request is made using the system-level process account. • If anonymous access is disabled in IIS, the request is made using the account of the authenticated user. • In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.

13 DEMO

14 Result 1 IIS tagged the request with vinay’s access token, and it passed that access token to ASP.NET. ASP.NET knows that the caller is vinay and won’t allow vinay to retrieve an ASPX file (or any other ASP.NET file type) for which vinay lacks access permission. But because Web.config lacks a statement enabling impersonation, any code executed inside the request executes as ASPNET, not as vinay. ASPNET has permission to read Bonuses.xml, so vinay wasn’t prevented from viewing employee bonuses.

15 Result 2 After making the change to Web.config, restart your browser, log in as Vinay, and try to view Bonuses.aspx again. This time, you’re greeted with an error message reporting that an error occurred while processing the page. That message is displayed by the exception handler in Bonuses.aspx’s Page_Load method, which catches the XmlException thrown when ReadXml can’t read Bonuses.xml. Restart your browser and log in as Vijay, however, and you can once again view Bonuses.aspx.

16 References Msdn - impersonation
Programming Microsoft .net – jeff proise Moving a Web Application to Classic Mode

Download ppt "Introduction to .net Impersonation"

Similar presentations

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Web Development in Microsoft Visual Studio 2013. Slide 2 Lecture Overview Introduce Visual Studio 2013 Create a first ASP.NET application.

Web Development in Microsoft Visual Studio Slide 2 Lecture Overview Introduce Visual Studio 2013 Create a first ASP.NET application.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.

Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.
Internet Information Server (IIS)

Internet Information Server (IIS)
Building Applications using ASP.NET and C# / Session 14 / 1 of 18 Session 14.

Building Applications using ASP.NET and C# / Session 14 / 1 of 18 Session 14.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.

Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
T U T O R I A L  2009 Pearson Education, Inc. All rights reserved. 1 28 Bookstore Web Application Introducing Visual Web Developer 2008 Express and the.

T U T O R I A L  2009 Pearson Education, Inc. All rights reserved Bookstore Web Application Introducing Visual Web Developer 2008 Express and the.
ASP.NET INTRODUCTION INTO وزارة التربية و التعليم العالي كلية العلوم و التكنولوجيا قسم علوم الحاسوب و تكنولوجيا المعلومات اعداد الاستاذ: عبد الله محمد.

ASP.NET INTRODUCTION INTO وزارة التربية و التعليم العالي كلية العلوم و التكنولوجيا قسم علوم الحاسوب و تكنولوجيا المعلومات اعداد الاستاذ: عبد الله محمد.

Similar presentations

Ads by Google