Impersonation in asp.net

Samuel Shum

Hello, I have a problem with impersonation in asp.net: I've developed some
components which can create user accounts on the web server. The asp files
residing on the server will call these components to do the job BUT the
"aspnet" (asp.net worker process account) doesn't have enough privilege to
do so... (as the components are called in the context of this "low
privilege" account). I understand that the .Net framework has something called
"impersonation" which can run the worker process in the context of some
"higher" account (in this case, accounts under the administrators group). The
problem seems to be solved with this approach, but now the problem is that
the "impersonated" account, which is the "admin" account's name and
password, is stored in "cleartext" in the web.config file, which poses a
serious security issue... A solution for this is to store the username
and password in the registry and encrypt them... however, the debugger
returns an error that the "password" entry cannot be read from the registry...
even though I did give the "read" permission to the worker process... so how can
this be resolved? Or is this the right way to do this kind of job?

Thanks in advance.

Samuel
 
Samuel Shum

Thanks Mark for the information, sorry if my query misled you. I'd done the
encryption part: the username and password are encrypted and stored in the
registry with the tool "aspnet_setreg"
(http://support.microsoft.com/default.aspx?scid=kb;en-us;329290) and those
can be retrieved by stating the following entry in the web.config file:

<identity impersonate="true"
    userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />

I followed the procedures exactly but the browser returns the following error:
***
Configuration Error
Description: An error occurred during the processing of a configuration file
required to service this request. Please review the specific error details
below and modify your configuration file appropriately.

Parser Error Message: Error reading the password from the registry.

Source Error:

Line 83: <globalization requestEncoding="utf-8" responseEncoding="utf-8"
/>
Line 84:
Line 85: <identity impersonate="true"
    userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
Line 86: </system.web>

Source File: c:\inetpub\wwwroot\Encryption\web.config Line: 85

--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
Version:1.1.4322.573
***

I'd given the "aspnet" account the permission to read the entries, just
don't know what the error exactly means.

Samuel
 
Stephen Shirley, MCSD .NET

Possible Solution: I have wrestled with this one also. I finally got
it to work by giving the MachineName(change this)\ASPNET account
permissions to read the registry key ASPNET_SETREG directly, not the
Identity key. Note, every time you run aspnet_setreg it will drop and
recreate the key, so you will have to add the permissions every time
you run it. Hope this helps.

Stephen Shirley,
MCSD .NET
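The fix Stephen describes (a read ACE for the worker-process account on the ASPNET_SETREG key itself, re-applied after every aspnet_setreg run) can be scripted so it is repeatable and so the grant stays as narrow as possible. The following PowerShell is an added example, not code from the thread or from aspnet_setreg: the key path is the one from Samuel's web.config, the account name is assumed to be the .NET 1.1 worker-process identity MachineName\ASPNET (on IIS 6 and later the identity is NETWORK SERVICE or the application pool account), and the function names are ours. It grants only ReadKey, with no inheritance, so the parent Identity key and anything beneath it are not opened up, and it verifies the ACE is actually present afterwards.

```powershell
# Added example (not from the thread). Grants the ASP.NET worker-process
# account read-only access to the ASPNET_SETREG key and verifies the ACE.
# Assumptions: key path taken from the thread; account is the .NET 1.1 ASPNET
# identity. Adjust both for your machine.
$KeyPath = 'HKLM:\Software\DummyApplication\Identity\ASPNET_SETREG'
$Account = "$env:COMPUTERNAME\ASPNET"   # assumption: .NET 1.1 worker-process identity

function Grant-RegistryReadOnly {
    param([string]$Path, [string]$Identity)

    # aspnet_setreg drops and recreates the key, so it may not exist yet.
    if (-not (Test-Path -Path $Path)) {
        throw "Key not found: $Path (run aspnet_setreg first, then re-run this script)"
    }

    $rights      = [System.Security.AccessControl.RegistryRights]::ReadKey     # read only: no SetValue/Delete
    $inheritance = [System.Security.AccessControl.InheritanceFlags]::None      # this key only, not children
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $type        = [System.Security.AccessControl.AccessControlType]::Allow

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, $rights, $inheritance, $propagation, $type)

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)       # replaces any existing ACE for this identity with the narrow one
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RegistryReadOnly {
    param([string]$Path, [string]$Identity)

    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl = Get-Acl -Path $Path

    # True only if an Allow ACE for the identity carries at least ReadKey.
    $matching = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    })
    return ($matching.Count -gt 0)
}

Grant-RegistryReadOnly -Path $KeyPath -Identity $Account

if (Test-RegistryReadOnly -Path $KeyPath -Identity $Account) {
    Write-Host "Read ACE for $Account is present on $KeyPath"
} else {
    Write-Warning "Read ACE for $Account is missing on $KeyPath; re-run after each aspnet_setreg invocation"
}
```

Run this from an elevated prompt after every aspnet_setreg invocation, since the tool recreates the key and discards the ACE. Granting ReadKey on the leaf key rather than on the parent Identity key is the point of the exercise: the worker process needs to read two encrypted values, nothing more, and a wider grant would let any code running as that account enumerate or alter the surrounding configuration.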
 
