Print Web Reports (impersonate)

[Alvaro Pereira]

I have a ASP.NET project that prints a report to a NETWORK-
PRINTER. I have impersonate=true in my web.config, but all
reports are printed under ASPNET user (the one that is
setted in MACHINE.CONFIG).

I'm using Crystal Reports on WEB-SERVER, and it is running
FRAMEWORK 1.0 in Windows 2000 Server. My IIS security is
setted to "Windows Integrated Authentication" and
Anonymous Access is disabled.

Does any one knows how to send the report with the client
identification.

Thanks in advance,

Alvaro Pereira

 

[Steven Cheng[MSFT]]

Hi Alvaro Pereira,

Thank you for using Microsoft Newsgroup Service. Based on your description,
you are dealing with a WebReport, the application is Internet based and you
want the user view the report to it using its own access token(identity)
when printing the
web report. Also, you've set the impersonation="true" in the web.config
file and done the right setting in IIS, however you found that when the
report is printing , the asp.net workprocess still runnging under the
ASP.NET account(the default workprocess account)? Please correct me if my
understanding is not quite accurate.

If so, this problem is concerned to the ASP.NET web security. As for the
impersonation, this feature is mostly used for the "intranet based" web
application since the workprocess will access other resources under the
user's access token(identity).
This feature is buildin ASP.NET, it should be used together with the IIS.
Generally, you should
1. set the IIS's security configuration:
select the "Windows Integrated Authentication" and disable the "Anonymous
User"
2. In asp.net web applicaiton's web.config file(note that the relative
setting in Machine.config can be overwritten by the web.config):
set the authentication mode as "Windows", for example:
<authentication mode="Windows">
</authentication>

and set the "impersonation= true"
<identity impersonate ="true" />

Then, when the user access the web application, he'll first check identity
in the IIS if pass, his identity(token) will be passed by the IIS to the
ASP.NET applicatioh(because you set the authentication mode="Windows"). And
as you also set the impersonate="true", when the asp.net workproeccess is
executing or calling some other server resources , it is using the
identity(token) passed by the IIS(just the user's identity, it should be a
valid account on the server machine).

For more infomation on ASP.NET's security mode and configuration, you can
view the tech articels on MSDN, here is the web link for the asp.net
security architecture:
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaspnetarchitecture
..asp?frame=true
and the impersonation:
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaspnetimpersonatio
n.asp?frame=true

Please try the preceding suggestion. If you have any questions on it,
please feel free to let me know.

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hi Steven,

I'm already with the following configuratins:
1. In IIS Anonymous Access is unckecked, and "Integrated
Windows authentication is checked"
2. In Applications WEB.CONFIG we already have
<authentication mode="Windows"> and <identity impersonate
="true" />.

The web server is in the same domain as the end-user.
Everythink works fine, except that, when the end-user
prints a report, the report goes to printer queue under
ASPNET user context, and so, the end user can't manage it
using default printer ACL, in witch only a member of
Administrators group or the report OWNER can manage the
report (restart, purge, etc...).

 

[Steven Cheng[MSFT]]

Hi Alvaro Pereira ,


Thank you for the response. I've reviewed some other reference on the
ASP.NET's web security machism. The setting in the ASP.NET 's web.config
file is correct. The problem is probably due to the IIS settting or the
operating system. Is the NETWORK printer at the same machine with the
ASP.NET WEB SERVER or on another remote server?

1.If the webserver and the printer are on the same machine, It seems a bit
strange since all the configuration you've mentioned are all ok. Would you
please try out access other resources on the server machine, such as
database server. For example, use the SQL profiler for SQLServer to test
whether the impersonate is ok.

2. If the printer is a printer in on another public remote server(not the
same machine with the ASP.NET web server), I think this problem should due
to the ASP.NET application's "delegation" not simply "impersonation".
Because impersonation only make the asp.net workprocess running under the
client user's token when he access the protected resources on the server
machine. If the resources are on another machine, then the "delegation"
machism is on effect. The delegation will allow the asp.net workprocess use
the client user's token to access those protected resoures on other
machine, however, there'll have more limits and requirement on "delegation"
than impersonation, such as IIS authentication mode, operation system....
For the detailed info on "delegation" , you can visit the following web
link:

http://msdn.microsoft.com/library/en-us/vsent7/html/vxconaspnetdelegation.as
p?frame=true

When you use the integrid windows authentication in IIS, if you want to
permit "delegation" in the asp.net, both the client (Internet Explorer 5.0
and later) and server (IIS 5.0 and later) are running Windows 2000 or
later, and both are members of the same domain or trusted domains.
Otherwise, the server defaults to using NTLM(which won't support the
"delegation").

I think you can also try accessing some remote database server for testing.

Please try out the suggestion and let me know your result. If you have any
new findings please also let me know.



Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hi Steven,

Thank you for your response. Here goes more information:

1. The Web Server is in one machine and the print server
is in another machine;
2. Both machines are under the same domain
3. Both machines are running W2K and the WEB SERVER runs
IIS 5
4. All clients runs at least IE 5.5

I'll study and try to use the delegation. I will return
ASAP.

Thanks

Alvaro Pereira