Application Flow / security issues

Justin Rich

I'm having some issues with application security and I was wondering if
anyone could point me in the direction of some good resources that would
explain the different levels of security.

The problem I'm currently having is that I'm trying to make a web app that will
pull a file from the client (clients are on the LAN and part of the domain)
and it's giving me an access denied.

I have set IIS to not allow anonymous access (verified with
System.Security.Principal.WindowsIdentity.GetCurrent().Name), which shows the
username correctly.

I assume that what's happening now is that it's using the application pool identity
(set to Network Service by default) to go back to the client instead of the
logged-in user's creds. I tried messing with the identity of the application
pool with no luck.


FileInfo fi1 = new FileInfo(path); // <-- problem line

path resolves to something like \\ip\c$\folder\file.txt

I expect the users of my app to be local admins on the machine.

ASP.NET 2.0


Thanks
Justin

Jesse Houwing

Hello Justin,

You can set impersonation in the web.config. That should fix your problem.

http://msdn2.microsoft.com/en-us/library/aa292118(VS.71).aspx
 
Guest


or try

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
    ((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();

FileInfo fi1 = new FileInfo(path);
// ....
impersonationContext.Undo();
 
jesse.houwing

Hello Alexey,

If you're using an impersonationContext, you *must* also use either a try/catch/finally
block or a using statement to make sure the impersonation is undone.

WindowsImpersonationContext impersonationContext = null;
try
{
    impersonationContext = ((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();
    // do stuff
}
catch
{
    // Handle exceptions
}
finally
{
    if (impersonationContext != null)
    {
        impersonationContext.Undo();
    }
}

Or

using (System.Security.Principal.WindowsImpersonationContext impersonationContext
    = ((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    // Do stuff.
}
 
Justin Rich

I had already set the web.config, which is why I was able to get the user
info, but it seems that when I go to access the file it refuses to use that
account. Even when I tried your code it still didn't work.

The link made mention of delegation. How do I know when that's needed? I'm
pretty confused. It says "Delegation is a more powerful form of
impersonation and makes it possible for the server process to access remote
resources while acting as the client."
Isn't it always the server process? Anything I toss in the .cs file I assume
is executed as the server process, which in turn is actually the application
pool.

I have already looked into delegation and, because of how the network is
run, I will be unable to do that.

I enabled all of the auditing to see if I can catch the failed attempt and
there are no entries (I did however find some other guy trying to get on my
box).

I'm going to attempt to deploy this on an XP or 2k box rather than a 2k3
because I assume the root of this problem is the application pool.
If anyone can provide some insight as to what's going on here I would greatly
appreciate it.

Thanks
Justin
 
Justin Rich

I tried a using statement as you had suggested and I still get the
UnauthorizedAccessException.
 
Justin Rich

If I set it so I can see errors remotely, I'm told this:
"ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or
Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user. "

Again, this doesn't make sense. I have impersonate on in the web.config
and anonymous access disabled (as I said, I verified that with
WindowsIdentity.GetCurrent()), and it's from the server to my workstation, and
I have admin rights on my workstation and, for that matter, the server.
 
Joe Kaplan

You need delegation IF:
- You are using integrated windows auth in your web app
- Your browser users are accessing the web server from a different machine
(are not logged in locally)
- You want to use the credentials of the authenticated web app user to
access the file share (or other remote resource) via impersonation
- The file share is on a different machine than the web server

It sounds to me like all this is true.

If so, simply impersonating the authenticated user will not work. What will
happen is that if the application is not configured for delegation, the web
app process will not be able to delegate and will instead fall back to an
NTLM login to the file share using the anonymous user for the login. That
will almost certainly always fail and won't give you the results you want
anyway.

So, if you need to delegate, you have more work to do. You need to ensure
that:
- Kerberos authentication to the web app is enabled and working
- Kerberos authentication to the remote resource (the file share in this
case) is also working (make sure you are using NetBIOS or DNS names and not
IP addresses, as Kerb doesn't work with IP addresses)
- The app pool identity is trusted for delegation
- The users being authenticated have not been set to disallow delegation

If your AD domain is 2003 native, you can also use protocol transition login
and constrained delegation. That allows you to have NTLM auth instead of
only Kerberos on the front end web app, so you can ease one of these
restrictions.

Getting all the Kerb auth stuff working can be an adventure, so good luck!

Joe K.
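The failure mode Joe describes can be caught at runtime rather than inferred from an access-denied error: after Impersonate(), WindowsIdentity.GetCurrent().ImpersonationLevel tells you whether the token IIS handed you can make the second hop. The helper below is an added example, not code from this thread; ImpersonatedFileAccess and GetLengthAsCaller are hypothetical names, and it assumes ASP.NET 2.0 with Integrated Windows auth and impersonation enabled in web.config.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added example (hypothetical helper, not from the thread). An Impersonation-level
// token is valid for local resources on the web server only; a UNC path on another
// machine needs a Delegation-level token (Kerberos delegation configured per Joe's
// checklist) or a token produced by a local logon with supplied credentials.
public static class ImpersonatedFileAccess
{
    // Reads the file's length as the authenticated caller. Throws with a
    // diagnostic naming the token level so the problem is not misread as a
    // plain NTFS permission issue on the share.
    public static long GetLengthAsCaller(HttpContext ctx, string uncPath)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
        {
            throw new InvalidOperationException(
                "No authenticated Windows identity; anonymous access is still enabled.");
        }

        // 'using' guarantees Undo() even when the file access throws.
        using (WindowsImpersonationContext wic = caller.Impersonate())
        {
            // GetCurrent() now reflects the impersonated user, not the app pool.
            WindowsIdentity current = WindowsIdentity.GetCurrent();
            bool remote = uncPath.StartsWith(@"\\", StringComparison.Ordinal);

            if (remote && current.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            {
                // Without delegation the SMB connection to the other machine
                // falls back to an anonymous login, which is denied.
                throw new UnauthorizedAccessException(string.Format(
                    "Token for {0} is {1}-level; a remote path needs Delegation. " +
                    "Configure Kerberos delegation, or disable impersonation and " +
                    "ACL the share for the app pool identity (trusted subsystem).",
                    current.Name, current.ImpersonationLevel));
            }

            return new FileInfo(uncPath).Length;
        }
    }
}
```

Logging the level alongside the exception also explains why the audit log on the target workstation stays empty: the request never arrives as the user, so there is no failed logon for that account to record.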
 
Justin Rich

I don't suppose there is some other adventure I can embark on?
The problem is that I don't run the domain, and getting them to do anything
for me is pretty close to impossible.

What are some of my other options? Even if they are a bit out there, I'm
willing to try.

Thanks
Justin
 
Joe Kaplan

Do you absolutely need to access the file share with the credentials of the
authenticated user, or can you use a fixed service account (the so-called
trusted subsystem architecture)?

If you can use a trusted subsystem design, then this is easy to fix. You
just disable impersonation and make sure your process identity (the app
pool) has the necessary rights on the remote resource.

If you have to delegate and can't configure Kerberos delegation, the only
other way I know of to make this work is to collect plaintext credentials
from the user and log them in locally on the web server. If you impersonate
a token created that way, then delegation is not required. However,
prompting for credentials or using Basic auth to collect them may not be
acceptable to the end users.

Otherwise, if you really need this type of delegated distributed
authentication model, you have to use the stuff that Microsoft gives you to
do this (Kerberos delegation). If your AD guys won't play ball, you'll need
to get the whole politics thing going and address that. :)

Joe K.
 
Justin Rich

I configured a custom app pool using the default settings and then used my
domain creds as the identity. One thing to note (for anyone else reading
this) is that you need to add the account to the IIS_WPG group to allow it
to run an app pool. Had me stumped for a minute.

This seems to work, and since I've already spent FAR too much time monkeying
with this, I'm just going to leave it. Hopefully I can get them to create me
a service account. Difficult, but they will at least do that.

I liked it better when I ran small networks and had complete control. Never
had problems like this :)

I appreciate your help and detailed responses, Joe!

Thanks
Justin
 
Joe Kaplan

Sounds like you didn't need delegation after all. :)

You should be able to use the network service account on the machine for the
app pool identity and have this work as well. A custom service account
should not be needed. When the network service account is used, the login
will appear to the remote resource to be the AD machine account of the
server. So, if you ACL the resource so that the machine account has the
required access, that should work too.

Running the app pool with your domain account is not a good long term
solution. :)

Joe K.
 
Justin Rich

Need is a touchy word :)

So are you saying that if I add the computer account of my server to the
admin group of my clients I can leave the app pool under the default context
of network service?


I just checked with corp., and if I want to do delegation I have to ask much
higher up than I thought, and I doubt I'd even get a hello back from them,
let alone permission to do that.
As far as a service account, apparently I'm limited to 60 machines it can
access, and my count is over 400.

So, if I understand you correctly, I'll use the machine account. I think I
can pull that one off. That or I'm stuck using my creds, which would suck.

Just so you have a picture of what's going on: I'm having the techs run a
monitor calibration on the workstations and then log in to my website. The
web app pulls the calibration info (text file) from the workstation and some
other stuff, as well as some manually entered info, and dumps it into a
database so that we can monitor the degradation of monitor quality.

This whole time I was looking at your name and wondering where I recognized
it from and when I finally read your sig I realized where, the book. great
publication! I've received help from Ryan in the past with some AD stuff and
I must say you both seem to know your stuff extremely well!

Thanks
Justin
 
Joe Kaplan

Thanks for the kind words. I'm Ryan's better half in the .NET LDAP world.
:) I also do this "distributed authentication in web apps" stuff quite a
bit.

So basically, if you can ACL the file shares on the machines that you need
to access such that the machine account for the web server has the
appropriate file system rights to do what you want to do (read a file or
whatever), then it should work to use Network Service as an app pool
identity. You won't need a special service account.

If the use case of the app is basically to have a user log in and then loop
back to their own workstation to access a file share there, then using the
trusted subsystem design in this case basically just means that you would
ACL the share to grant access to the machine account instead of granting
access to that user's own account.

Obviously, you would want to test that.

I'm not sure how your admins would enforce a limit on how many machines a
particular service account could access, but I don't want to have anything
to do with your organization's internal politics around the management of
their directory, so I'll steer clear of that one.

You might also consider using the website to upload the file. That might be
even easier than looping back around via a file share. :)

I hope that helps,

Joe K.
 
Justin Rich

I actually have a few domain groups that are added to the workstations' admin
group, so this will be easy to deploy. Just need to toss that computer
account in the group and it's golden. I tested it and it worked great. I had
always wondered what good a computer account would be in a group; now I know
:)

Ohh come on now, the politics are the best part :)
I work for Mass General Hospital in the radiology dept as the system
administrator. MGH is part of Partners Healthcare, so I'm removed from them
by about 3 levels. We are also the only IT department in the hospital other
than Partners themselves, so to say we are the black sheep of the family
would be putting it lightly. Always some battle to fight.

I had considered doing a file upload, but this is only one project I have
with this problem. I'm also trying to make a web service that is basically an
interface to PowerShell. Ran into the same problem and I suspect this will
fix that.

Again, I really appreciate all of your help with this.

Thanks
Justin
 
Joe Kaplan

Sure thing, I'm glad that worked out. As always, good luck with the
politics. :)

Joe K.
 
