ASP.NET Security


Hello, I hope I got the correct group about security issues I am having for
an ASP.NET 2.0 application.

I have a web app hosted on a server with Windows Server 2003 (IIS 6.0) which
is on a separate workgroup outside of the domain. This webapp needs to access
a resource located on a server within the domain but I am having difficulties
trying to get that to work.

I am reading articles on ASP.NET authentication and found several articles
on impersonation and delegation. Am I on the right approach here to be able
to access network resources using delegation?

The problem is it is on a separate workgroup but is open to the public, sort
of like a DMZ.

Is this impossible? If not, can any of you point me to the right direction?

Thank you all!
 
You're in the wrong group - you should be in the framework.aspnet group

Anyway - you are going to really struggle to get access to resources on
another server if you're not using the same domain account with access to both
servers.

Another approach would be to use a webservice on the server within the
domain to give you access to that local resource, and allow the DMZ server
in the separate workgroup to access that. Get that working as an anonymous
call, and then try and get impersonation to work.


Regards

John Timney (MVP)
http://www.johntimney.com
http://www.johntimney.com/blog
 
Thanks for John's input.

Hello Jiro,

As John has recommended, you can post the question in some ASP.NET specific
newsgroups. e.g.

microsoft.public.dotnet.framework.aspnet

microsoft.public.dotnet.framework.aspnet.security


Regarding your question, I'm wondering what kind of resource you would
like to access (on that out-side-of-domain remote box)? Shared Folder or
DataBase or anything else?

I assume the remote resource you want to access is protected through
windows authentication. Since your ASP.NET webserver is in a different
domain from that resource server (also not trusted?), you can not
impersonate the application under a domain account to access the remote
machine. However, for windows NTLM authentication, you can create two
duplicated local accounts (with identical username and password) on two
machines so that an application running on one machine (under the duplicated
account) can access resources on the other one (as long as its mapping
account on that machine has sufficient permissions). For your scenario,
that means you can create two duplicated local accounts on your ASP.NET
server and the remote resource server. Then, in your ASP.NET application
you can impersonate the thread running under the duplicated account so as
to access protected resources on the remote resource server. What do you
think of this?

Here is the MSDN reference about how to do impersonation in ASP.NET:

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998351.aspx

Also, if what you want to access is a shared file directory, you can consider
creating a mapped local directory/drive on your ASP.NET server (when
creating it, you can specify the user account - it can be an account on the
remote machine - used to connect to the file share). Thus, in your
ASP.NET application, you can access the local mapped drive instead of the
remote file share.

In addition, as John suggested, you can setup a webservice for accessing
the resource on that remote server and deploy the webservice on a box
which you can correctly visit in your ASP.NET application.

If you have anything unclear or any further questions, please feel free to
post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
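The mirrored-local-account approach described in the reply above, as an added example that is not code from the thread or from the MSDN article it links: the ASP.NET 2.0 page logs on with the duplicated local account via LogonUser and impersonates only for the duration of the remote file read. The appSettings keys `MirrorUser` and `MirrorPassword` and the UNC path are assumptions; the remote share must grant the same-named account on the resource server read access.

```csharp
using System;
using System.ComponentModel;
using System.Configuration;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class MirroredAccountAccess
{
    // Win32 logon type/provider for LogonUser (advapi32.dll).
    // NEW_CREDENTIALS keeps the worker process identity for local work and
    // presents the supplied (mirrored) credentials only on outbound NTLM
    // connections, which is exactly the duplicated-account scenario.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reads a file on the remote share while impersonating the mirrored account.
    public static string ReadRemoteFile(string uncPath)
    {
        // Hypothetical appSettings keys; the password stays out of source code
        // (the appSettings section can be encrypted with aspnet_regiis -pe).
        string user = ConfigurationManager.AppSettings["MirrorUser"];
        string pass = ConfigurationManager.AppSettings["MirrorPassword"];

        IntPtr token;
        // "." selects the local machine's account database for the mirrored account.
        if (!LogonUser(user, ".", pass, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            // Only this block runs under the mirrored credentials; Dispose() reverts
            // to the original identity even if the read throws.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                return File.ReadAllText(uncPath);
            }
        }
        finally
        {
            CloseHandle(token); // never leak the logon token
        }
    }
}
```

If the read fails with an access-denied error, check that the account on the resource server has the same password and holds NTFS and share permissions on the path; a wrong password surfaces only at connection time because NEW_CREDENTIALS does not validate it locally.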
 