Impersonation question regarding a Microsoft article

Brian Newtz

Hello everyone!

I recently read "ASP.NET Impersonation" from the .NET
Framework Developer's Guide
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetimpersonation.asp)
and it says the following:

"Only application code is impersonated; compilation and
configuration are read as the process token. The result
of the compilation is put in the "Temporary ASP.NET
files" directory. The account that is being impersonated
needs to have read/write access to this directory."

So, this is basically telling me that every authenticated
user has to have access to my 'Temporary ASP.NET files'
directory in order to view the pages??? I've verified
that this is definitely not the case, as my 'Temporary
ASP.NET files' directory has only the following security
permissions (my computer name is BNEWTZ):

Administrators (BNEWTZ\Administrators)
aspnet ([email protected])
CREATOR OWNER
LOCAL SERVICE
NETWORK SERVICE
Power Users (BNEWTZ\Administrators)
SYSTEM
Users (BNEWTZ\Users)

With these permissions (which are the default, except
that I've added the domain aspnet account which I use in
the processmodel section of machine.config) any domain
user can get to the website just fine. So is the article
incorrect in that statement?

Thanks!
-Brian
 
Jim Cheshire [MSFT]

Brian,

That documentation is incorrect. The process account has to have full
control on that folder, but the impersonated account does not in the case
of first-time JIT compile.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.


--------------------
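
A way to check the folder's ACL against the reply above, as an added example that is not part of the original thread: a PowerShell script that lists the Allow ACEs on "Temporary ASP.NET Files", confirms the process account has full control, and flags every other principal that can write there. The default path and the `EXAMPLEDOMAIN\aspnet` account name are assumptions; substitute your own values.

```powershell
# Added example: audit who can write to "Temporary ASP.NET Files".
# Assumptions, not from the thread: the default framework install path and the
# placeholder process account name. Pass your own values for both.
param(
    [string]$Path = (Join-Path $env:WINDIR 'Microsoft.NET\Framework\v*\Temporary ASP.NET Files'),
    [string]$ProcessAccount = 'EXAMPLEDOMAIN\aspnet'  # placeholder processModel identity
)

$fsr        = [System.Security.AccessControl.FileSystemRights]
$fullBits   = [int]$fsr::FullControl
$writeBits  = [int]($fsr::WriteData -bor $fsr::AppendData)  # create files / subfolders
$genericAll = 0x10000000   # GENERIC_ALL, seen on inherit-only ACEs such as CREATOR OWNER
$genericWr  = 0x40000000   # GENERIC_WRITE

$dirs = @(Get-Item -Path $Path -ErrorAction SilentlyContinue)
if ($dirs.Count -eq 0) { throw "No directory matches '$Path'" }

foreach ($dir in $dirs) {
    # Only Allow ACEs are evaluated; Deny ACEs and group membership are not resolved.
    $report = foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $bits = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            FullControl = (($bits -band $fullBits) -eq $fullBits) -or
                          (($bits -band $genericAll) -ne 0)
            CanWrite    = ($bits -band ($writeBits -bor $genericWr -bor $genericAll)) -ne 0
            Inherited   = $ace.IsInherited
        }
    }
    Write-Host "ACL for $($dir.FullName)"
    $report | Format-Table Identity, FullControl, CanWrite, Inherited -AutoSize | Out-Host

    # Per the reply above: the process account needs full control on this folder.
    if (-not ($report | Where-Object { $_.Identity -eq $ProcessAccount -and $_.FullControl })) {
        Write-Warning "No Allow ACE names $ProcessAccount with full control on $($dir.FullName)"
    }
    # Any other principal that can write here is worth a least-privilege review.
    $report | Where-Object { $_.CanWrite -and $_.Identity -ne $ProcessAccount } |
        ForEach-Object { Write-Output "Review: $($_.Identity) can write to $($dir.FullName)" }
}
```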
 
Brian Newtz

Jim,

Thanks!

-Brian

-----Original Message-----
From: "Brian Newtz"
Subject: Impersonation question regarding a microsoft article
Date: Tue, 23 Dec 2003 08:17:43 -0800
Newsgroups: microsoft.public.dotnet.framework.aspnet.security

 
