impersonation in asp.net - impersonation

My understanding was that if an ASP.NET application wants to write a file to a file server, it needs to use impersonation. I used support.microsoft.com/kb/306158#4 "Impersonate a Specific User in Code" to do it. But it didn't work. GetLastError() was giving error code 1326, "Logon failure: unknown user name or bad password." (as per msdn.microsoft.com/en-us/library/ms681385). Then the only way it worked was that I had to create a user (My Computer > Manage > Local Users and Groups > Users) with the same user name and password as on the file server folder. Now, even if I remove the impersonation code, it still works. So I'm confused. Why do we need impersonation? I'm using XP and Windows Server 2008.

You don't need to use impersonation in order for ASP.NET to write files to the local server. You simply need to make sure that the identity that ASP.NET is using has permission to write to the location you're trying to write to.
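For the case where impersonation really is needed (the worker process identity cannot itself be granted rights on the share), the following is an added example modelled on the KB 306158 pattern; it is not code from the question or from the KB article, and the class, share path and account names are placeholders. It also shows the distinction behind the 1326 error in the question: LOGON32_LOGON_INTERACTIVE (what the KB sample uses) requires the web server, or its domain, to validate the account, which fails for an account that exists only on the file server; LOGON32_LOGON_NEW_CREDENTIALS with LOGON32_PROVIDER_WINNT50 keeps the current local identity and only presents the supplied credentials for outbound network access, so the web server never validates them.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example for .NET Framework / classic ASP.NET: write to a UNC share as a
// specific account. ShareWriter and all names passed to it are placeholders.
public static class ShareWriter
{
    // Logon types / providers from winbase.h
    const int LOGON32_LOGON_INTERACTIVE = 2;     // KB sample: the account must be one this machine can validate
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // same local identity, new credentials for network access only
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_PROVIDER_WINNT50 = 3;      // required together with LOGON32_LOGON_NEW_CREDENTIALS
    const int ERROR_LOGON_FAILURE = 1326;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // domain: the file server (or domain) that owns the account; user/password: that account.
    // networkOnly = true selects NEW_CREDENTIALS, so the web server itself never validates the account.
    public static void WriteAs(string domain, string user, string password,
                               string uncPath, string contents, bool networkOnly = true)
    {
        int logonType = networkOnly ? LOGON32_LOGON_NEW_CREDENTIALS : LOGON32_LOGON_INTERACTIVE;
        int provider  = networkOnly ? LOGON32_PROVIDER_WINNT50     : LOGON32_PROVIDER_DEFAULT;

        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, provider, out token))
        {
            int err = Marshal.GetLastWin32Error();
            // 1326 is the code from the question: the credentials could not be validated here.
            string hint = err == ERROR_LOGON_FAILURE
                ? "ERROR_LOGON_FAILURE (1326): wrong user/domain/password, or an account this server cannot validate"
                : "LogonUser failed";
            throw new Win32Exception(err, hint);
        }

        try
        {
            // Everything inside the using block runs as the impersonated identity;
            // Dispose() reverts the thread to the worker process identity, also on exceptions.
            using (WindowsIdentity.Impersonate(token))
            {
                File.WriteAllText(uncPath, contents);
            }
        }
        finally
        {
            CloseHandle(token); // close only after the impersonation context has been disposed
        }
    }
}

// Usage with placeholder values (not from the question):
// ShareWriter.WriteAs("FILESERVER", "webwriter", password, @"\\FILESERVER\share\out.txt", "hello");
```

Two caveats a practitioner will want: with NEW_CREDENTIALS, local file and registry access inside the using block still happens as the worker process identity (only the network side changes), and a password in code or web.config is a secret you now have to protect. Where a domain account can simply be granted rights on the share and used as the application identity, that is the simpler option, which is what the answer above is pointing at.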


Is it possible to run an IIS site as a logged in user?

I'm experimenting with running a .NET Core site in IIS as my own logged in user, because I have written an API that interacts with User32.Dll (moves cursor for example).
I don't care about the security aspect of running a website as my own user.
If I set up the site completely normally in IIS (with identity set to ApplicationPoolIdentity), the API starts and everything works, except it's not my user it's trying to interact with.
At this point I've managed to set the identity to DOMAIN\USER (my user), but when I try to start the application pool, it dies (stops) when I send the first request and just returns 503 service unavailable.
I was hoping running an IIS site as my own local user would be easy, but I've spent probably 2 hours now trying to get it to work. What steps do I have to take? I'm quite lost at this point.
EDIT: I should probably mention, that when I start the application pool, w3wp.exe is not being run. So something is definitely wrong, when I try with my own user as the identity.

Jmeter Windows Authentication error - 401

I am trying to record an internal website for which I need to enter credentials that are not the same as the Windows credentials. Later on, the same test needs to be run for more than one user. I know how to use the CSV file to pass the parameters (username and password).
For Windows Authentication I have added the HTTP Authorization Manager.
From Fiddler I checked it was NTLM authentication (though I am not sure yet) and I did enter the values for NTLM authentication in the Authorization Manager.
Now when I try to record the internal website, I cannot even get to the homepage after the Windows credentials; it keeps spinning.
When I check the Authorization Manager, I find an extra line added for Kerberos authentication, as shown in the picture:
My queries here are:
1) Why is it recording it as Kerberos?
2) Where is it saving the username and password?
3) Why is it not loading the website? It always keeps spinning and I have to stop it.
4) I have tried Kerberos settings and then recording, but that's not working either. Could it be that I am using the wrong values in the krb5.conf file? How do I debug?
Kind of stuck at the moment.
Thanks for help!
If you're uncertain what authentication is being used under the hood, just ask around; application developers or network administrators should be aware of the external authentication scheme. You can also try using a 3rd-party tool like Kerberos Authentication Tester.
I don't think you can record and replay Windows authentication, so it makes sense to start recording some time after the login screen, as long as you can log in using JMeter.
Looking into the JMeter source:
// if HEADER_AUTHORIZATION contains "Basic"
// then set Mechanism.BASIC_DIGEST, otherwise Mechanism.KERBEROS
In the case of Kerberos, credentials are saved directly in the HTTP Authorization Manager in the form of ${AUTH_LOGIN} and ${AUTH_PASSWORD}; real credentials are not stored anywhere.
Most probably your application doesn't receive a valid authentication context, therefore it cannot proceed.
Add the line sun.security.krb5.debug=true to the system.properties file (which lives in the "bin" folder of your JMeter installation); a JMeter restart will be required to pick the property up.
More information:
Windows Authentication with Apache JMeter
JAAS and Java GSS-API Tutorials

xpages on browser repeat login

There is an application that we are using both on XPiNC and in browsers.
Before you can access the application, you must log in with your user.id from Lotus Notes. The problem is that there are several login message boxes (where you must again log in with your username and password) saying:
The server says /xsp/.ibmxspres/dojoroot-1.8.1/dojo.
or
The server says /xsp/.ibmxspres/.mini/dojo/.en-us.
or
The server says /xsp/.ibmxspres/.mini/css.
or
The server says /xsp/.ibmxspres/.extlib/icons.
and so on. Even when I just hit F5 while I'm logged in to the application (there is also a computed field which displays the username), those types of messages are displayed.
What should I do as a developer? Or must there be some settings at the server?
I have the following ACL rights:
ACL: User type: Person and Access: Manager.
Effective access: all the checkboxes are checked except Full Access Administrator
Thanks for your time!
Ok, this should work straight out of the box ;-)
What I find strange is that the resources you seem to be asked for access to are some of the "built-in" resources (Dojo, CSS, etc.) in XPages...???
So the first thing is really to test that this has nothing to do with your application:
Create a new application
Set a proper ACL that will force you to log in (Default reader or higher, a person called "Anonymous" with no access)
Create a simple XPage and open it from the browser
What happens?
If everything works, then you need to add some elements that use the resources (CSS, Dojo, etc.). Then what happens?
I guess you will see the same problems... If so, you need to have a look at the way you have set up your server for web access. Are you using Internet Sites? Do you use basic or session-based authentication?
What does the ACL of your application look like?
What you experience could be caused by "realms", i.e. the "path" to which you log in. A simple example:
If you are required to log in to access the resource /path/db.nsf/view/doc1?openDocument then your realm will be "/path/db.nsf/view/"; if you then try to create a document using /path/db.nsf/newDoc.xsp, you could be asked for access to the realm "/path/db.nsf/".
I must admit that I haven't seen these issues for quite a while, but that may be due to the fact that I control access to the database as a whole; if users need access to something inside the database I implement it using "public access". But first, let us hear a little more about your findings before we chase it as a realm issue ;-)
EDIT:
Ok, so you are using basic authentication. There are lots of good reasons to use session-based authentication instead. However, that does not explain your problem. What OS are you using? An OS with file access restrictions in the file structure? Could it be that the user running Domino does not have access to the resources? Have any (file) restrictions on these directories been set up? You really should not be prompted to log in for these resources....
Did you try another "new" application?
/John
Switch to session-based authentication. The multiple prompts point to Basic, where you can't log out unless you close the browser.

SaferCreateLevel SAFER_LEVELID_UNTRUSTED: The application was unable to start correctly (0xc0000142)

I'm trying to launch a process (any process) as "untrusted" using SaferCreateLevel with the SAFER_LEVELID_UNTRUSTED safer level:
Allows programs to execute with access only to resources granted to open well-known groups, blocking access to Administrator and Power User privileges and personally granted rights.
Using the code from Michael Howard's DropMyRights MSDN article (Browsing the Web and Reading E-mail Safely as an Administrator), the pseudo-code is:
#include <windows.h>
#include <winsafer.h>
// Get a handle to a Safer level (SAFER_LEVEL_OPEN: the level must already exist)
SAFER_LEVEL_HANDLE hSaferLevel = NULL;
SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_UNTRUSTED, SAFER_LEVEL_OPEN, &hSaferLevel, NULL);
// Compute a restricted primary token from the Safer level (NULL input token = the caller's own token)
HANDLE hSecurityToken = NULL;
SaferComputeTokenFromLevel(hSaferLevel, NULL, &hSecurityToken, 0, NULL);
// Create the process with that token
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
CreateProcessAsUser(hSecurityToken, "myapp.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
Except that the process fails to launch:
The application was unable to start correctly (0xc0000142).
What's going on here?
Note: Launching a process at the SAFER_LEVELID_NORMALUSER works fine:
Allows programs to execute as a user that does not have Administrator or Power User user rights. Software can access resources accessible by normal users.
Although since everyone already runs as a "Normal User" these days, there's little value in it.
My application is able to handle running as a "low" user.
The end goal was to run the process with the same privileges as a MandatoryIntegrity\Low process would get (although not tagged as "low"). So I tested that.
I used icacls to mark my application to run at Mandatory Integrity Level\Low:
C:\Develop>icacls RTMS.exe /setintegritylevel Low
processed file: RTMS.exe
Successfully processed 1 files; Failed processing 0 files
And my application launches correctly and is running at the low integrity level:
While I might be able to use the AddMandatoryAce API, or fiddle with the ACLs in the security token myself, I'm curious what's up with an UNTRUSTED Safer level, and why I can't get anything to launch.
Note: On Windows 7, if you mark calc or notepad with /setintegritylevel low they will fail to launch (no error, they just never appear), even though this MSDN article talks about using calc as a test of low integrity level:
0xc0000142 = STATUS_DLL_INIT_FAILED
Maybe Process Monitor will give you some clues?
UNTRUSTED is probably too restricted for most things. You can't access your own profile, e.g.:
HKEY_CURRENT_USER
%temp%
Did you try CONSTRAINED?
Another alternative is to use CreateRestrictedToken and compute a token that is just restrictive enough.
I'm guessing that MS sort of forgot about the Safer*Level functions in NT6 and we got UAC instead. (The RunAs GUI dialog on XP had the "protect my computer" option, but that dialog box is now gone. Even in XP, it was too restrictive for most things.)
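The answer's second suggestion, a token that is "just restrictive enough", looks like the following. This is an added example, not code from the question, the answer or the DropMyRights article; RestrictedLauncher and its method names are placeholders. It builds the token with CreateRestrictedToken (LUA_TOKEN for the UAC-style filtered token, DISABLE_MAX_PRIVILEGE to drop every privilege but SeChangeNotifyPrivilege) and, because the question's end goal is the access a MandatoryIntegrity\Low process gets, optionally lowers the token's integrity label to Low (S-1-16-4096) with SetTokenInformation before launching the child, instead of marking the executable with icacls.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example (not from the question or from DropMyRights): build a token with
// CreateRestrictedToken, optionally label it Low integrity, and launch a child with it.
public static class RestrictedLauncher
{
    const uint TOKEN_ALL_ACCESS = 0x000F01FF;
    const uint DISABLE_MAX_PRIVILEGE = 0x1;  // keep only SeChangeNotifyPrivilege
    const uint LUA_TOKEN = 0x4;              // UAC-style filtered token (Administrators becomes deny-only)
    const uint SE_GROUP_INTEGRITY = 0x20;
    const int TokenIntegrityLevel = 25;      // TOKEN_INFORMATION_CLASS.TokenIntegrityLevel
    const string LowIntegritySid = "S-1-16-4096";

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CreateRestrictedToken(IntPtr existing, uint flags,
        uint disableSidCount, IntPtr sidsToDisable, uint deletePrivCount, IntPtr privsToDelete,
        uint restrictSidCount, IntPtr sidsToRestrict, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll")]
    static extern int GetLengthSid(IntPtr sid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetTokenInformation(IntPtr token, int infoClass, IntPtr info, int size);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine,
        IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env,
        string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr h);

    static void Check(bool ok, string api)
    {
        if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error(), api + " failed");
    }

    // Lowers the token's integrity label to Low (S-1-16-4096).
    static void SetLowIntegrity(IntPtr token)
    {
        IntPtr sid;
        Check(ConvertStringSidToSid(LowIntegritySid, out sid), "ConvertStringSidToSid");
        var label = new TOKEN_MANDATORY_LABEL();
        label.Label.Sid = sid;
        label.Label.Attributes = SE_GROUP_INTEGRITY;
        int size = Marshal.SizeOf(typeof(TOKEN_MANDATORY_LABEL)) + GetLengthSid(sid);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            Marshal.StructureToPtr(label, buf, false);
            Check(SetTokenInformation(token, TokenIntegrityLevel, buf, size), "SetTokenInformation");
        }
        finally { Marshal.FreeHGlobal(buf); LocalFree(sid); }
    }

    // Returns the child's PID. commandLine e.g. @"C:\Develop\RTMS.exe" (the path from the question).
    public static int Launch(string commandLine, bool lowIntegrity)
    {
        IntPtr primary, restricted;
        Check(OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_ALL_ACCESS, out primary), "OpenProcessToken");
        try
        {
            // No explicit SIDs are disabled or restricted: the two flags already remove the
            // privileges and admin group membership; add restricting SIDs here to tighten further.
            Check(CreateRestrictedToken(primary, DISABLE_MAX_PRIVILEGE | LUA_TOKEN,
                0, IntPtr.Zero, 0, IntPtr.Zero, 0, IntPtr.Zero, out restricted), "CreateRestrictedToken");
        }
        finally { CloseHandle(primary); }

        try
        {
            if (lowIntegrity) SetLowIntegrity(restricted);
            var si = new STARTUPINFO { cb = Marshal.SizeOf(typeof(STARTUPINFO)) };
            PROCESS_INFORMATION pi;
            // A restricted version of the caller's own primary token needs no SeAssignPrimaryTokenPrivilege.
            Check(CreateProcessAsUser(restricted, null, commandLine, IntPtr.Zero, IntPtr.Zero,
                false, 0, IntPtr.Zero, null, ref si, out pi), "CreateProcessAsUser");
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally { CloseHandle(restricted); }
    }
}
```

Two things to keep in mind when using it: a Low integrity child can write only to locations labelled Low (for example %USERPROFILE%\AppData\LocalLow and HKCU\Software\AppDataLow), so a program not written for that will behave like the calc/notepad case in the question; and if Launch still produces 0xc0000142 (STATUS_DLL_INIT_FAILED), a Process Monitor trace of the child, as the answer suggests, shows which profile or registry access the restricted token is being denied.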

What causes error 4063 - Database ...databasename... has not been opened yet

I have a scheduled agent that is trying to access a database on another server. When it runs I get error 4063: Database ...databasename... has not been opened yet.
The server is listed in the ACL as Manager.
What are some other possible causes for this error?
Does the other server trust the server executing the agent? Check the server document -> Security -> Trusted servers.
It's possible to get a handle to a database without opening it. If you try to call most methods without opening it first, then you will get that error. The most likely explanation, though, is that you don't have access to open it.
What ID signed the agent? Probably not the server. The agent will run with the authority of the agent signer, so that is the ID that needs to be in the ACL of the database you are trying to open.
There are a whole bunch of rules about how agents can run under different authorities and on behalf of different users. That can get pretty complex if the situation requires it. But check the agent signer has rights to open the database first then look at any "run on behalf of" settings.
Check the server document of the server where the database resides. In the Access server section, does the Trusted servers field contain the name of the server where the agent runs?
One tip: print out db.Server and db.FilePath beforehand to see exactly what you are trying to open.
