Hi all,
I am trying to work out how I can use impersonation to connect to an Oracle
9i database such that I can avoid sending a clear text username and password
to the Oracle server.
We are using Windows 2000 and IIS 5.0. Currently the database and the
Webserver are running on the same machine (which I'll call MyMachineName).
Until now I have been using a connection string in the web.config file on an
IIS Web Server as follows:
<appSettings>
  <add key="ConnectionString" value="Data Source=mydatabase;User Id=scott;Password=tiger;Integrated Security=no;"/>
</appSettings>
This works fine but it is not a satisfactory long term solution.
I have tried to use Impersonation so that the UserId and Password can be
stored in the registry on the Web Server to achieve the same result. I have
performed these steps on the IIS Web Server:
From the command line:
aspnet_setreg.exe -k:SOFTWARE\myWebService\identity -u:"scott" -p:"tiger"
Added to web.config:
<identity impersonate="true"
  userName="registry:HKLM\SOFTWARE\myWebService\identity\ASPNET_SETREG,userName"
  password="registry:HKLM\SOFTWARE\myWebService\identity\ASPNET_SETREG,password"
/>
I have kept the appSettings section but removed the username and password:
<appSettings>
  <add key="ConnectionString" value="Data Source=mydatabase;Integrated Security=no;"/>
</appSettings>
Used regedt32.exe to grant permissions for the ASP.NET account on these
registry keys, i.e.:
Click on the HKEY_LOCAL_MACHINE\SOFTWARE\myWebService\ subkey
On the Security menu, click Permissions
Click Add
In the "Look In" combo box (which appears in a Win2K environment) select the
machine name (not the domain name because the ASPNET user has not been added
to our domain)
The user MyMachineName\ASPNET has now been granted permissions on the
ASP.NET account.
The web service is configured to use anonymous access.
At this point I tried to navigate to the Virtual Directory
(...service1.asmx) using Internet Explorer and received this error message:
Configuration error ... Error from the operating system ... "A required
privilege is not held by the client"
Then I read that a possible workaround is to change the Local Policies as
follows:
Start,Settings,Control Panel,Administrative Tools,Local Security
Policy,Local Policies,User Rights Assignment,Act as part of the operating
system,
Add,MyMachineName\ASPNET
Unfortunately I am still getting the same error ... "A required privilege is
not held by the client"
I also tried modifying the machine.config file processModel section with
userName="SYSTEM" and password="AutoGenerate"
Does anyone have any suggestions to either fix the problem or to try an
alternative approach?
I am worried about the possibility that using a 3rd party product (Oracle)
has compromised the likelihood of resolving the problem.
Do I need to set up ASPNET as a domain user?
Do I need to further change the appSettings section of the web.config file?
Does ASPNET have to be defined as a database user? (currently it is not)
Many thanks,
DJ
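As an added example (not part of the original post), a small Python audit of the kind of web.config described above: it parses any appSettings connection string for an embedded password and checks that an impersonating identity element refers to aspnet_setreg values in the expected registry:HKLM\...\ASPNET_SETREG,<valueName> form rather than inlining the password. The sample configuration is constructed from the post's own snippets.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config, assembled from the two fragments quoted in the post:
# the impersonation identity pointing at aspnet_setreg registry values, and the
# original appSettings connection string that still embeds scott/tiger.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true"
      userName="registry:HKLM\\SOFTWARE\\myWebService\\identity\\ASPNET_SETREG,userName"
      password="registry:HKLM\\SOFTWARE\\myWebService\\identity\\ASPNET_SETREG,password" />
  </system.web>
  <appSettings>
    <add key="ConnectionString"
         value="Data Source=mydatabase;User Id=scott;Password=tiger;Integrated Security=no;" />
  </appSettings>
</configuration>"""

# An aspnet_setreg reference has the shape registry:HKLM\<key path>\ASPNET_SETREG,<value name>
REGISTRY_REF = re.compile(r"^registry:HKLM\\[^,]+\\ASPNET_SETREG,(userName|password)$")
SECRET_KEYS = {"password", "pwd"}  # common connection-string spellings of the secret


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased names."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {key.strip().lower(): val.strip() for key, val in pairs}


def audit_web_config(xml_text):
    """Return findings for cleartext secrets and malformed aspnet_setreg references."""
    findings = []
    root = ET.fromstring(xml_text)
    # Any <add key="..." value="..."> whose value parses as a connection string with a secret.
    for add in root.iter("add"):
        parts = parse_connection_string(add.get("value", ""))
        if SECRET_KEYS.intersection(parts):
            findings.append(f"appSettings/{add.get('key')}: cleartext password in connection string")
    # <identity impersonate="true"> should reference the registry, never inline the password.
    for ident in root.iter("identity"):
        if ident.get("impersonate", "false").lower() != "true":
            continue
        for attr in ("userName", "password"):
            ref = ident.get(attr, "")
            if ref.startswith("registry:"):
                if not REGISTRY_REF.match(ref):
                    findings.append(f"identity/{attr}: malformed aspnet_setreg reference")
            elif attr == "password" and ref:
                findings.append("identity/password: cleartext password in web.config")
    return findings
```

Running `audit_web_config(SAMPLE_WEB_CONFIG)` reports only the appSettings entry; the registry-backed identity passes, which is the state the post is trying to reach once the credentials are removed from the connection string.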