Threads & Impersonation

Guest

Hi!

I am trying to write an ASP.NET app (page/class) which is going to make several calls to distributed objects (COM+/serviced components), which in turn talk to other distributed computers. These COM+/serviced component objects have security settings that allow only privileged users to instantiate and use them. So I have the impersonate=true flag set in web.config.

Because of the long response times and low CPU usage when calling these objects I thought it would be a great idea to run several questions in threads in a parallel manner.

It was here I encountered some problems I haven't been able to solve yet.

The main thread runs as my user (checked System.Security.Principal.WindowsIdentity.Current) BUT the child threads run as the ASPNET user and because of this, they do not have the right privileges to execute my Serviced Components.

It doesn't make any difference if I use the thread pool (ThreadPool.QueueUserWorkItem) or just create a new Thread.

Even if I change the user in machine.config, from "machine" to "SYSTEM" or to "domain/johnDoe", i.e. a real user, I don't get my page to work, just "access denied" all the time.

So, please, does anybody have a workaround? Unfortunately I can't use the Impersonate method, because of my company's security policies.

I just want the damn thread to run under the same Identity :)

Regards!

/Markus P
 
Scott Allen

Markus:

You mentioned even when changing the ASPNET process identity from
machine to domain/JohnDoe you still have access denied? Is the johnDoe
account supposed to have permissions to access the COM+ components?
That should be working for you.
 
bruce barker

when the OS creates a thread, its identity is that of the creating process,
not creating thread. in the case of asp.net, it will be the identity of
aspnet_wp.exe (usually the aspnet account).

when you start your thread, it will have to call back to its creator thread
to get its identity to impersonate (you will need a primary token).

-- bruce (sqlwork.com)

 
Alvin Bruney [MVP]

or how about passing in the identity to the thread in the constructor???
 
Lan H. Nguyen

How do you pass the identity to the thread in the constructor? Thread takes
only a threadstart delegate.

Thanks,
Lan

 
Alvin Bruney [MVP]

follow this link for an explanation
http://www.yoda.arachsys.com/csharp/threadstart.html

--
Regards,
Alvin Bruney
[ASP.NET MVP http://mvp.support.microsoft.com/default.aspx]
Got tidbits? Get it here... http://tinyurl.com/27cok
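
Added example (not code from any poster in this thread): one way to do what bruce barker and Alvin Bruney describe, capturing the request thread's identity and handing it to each worker through a state object whose method matches ThreadStart. It relies on WindowsIdentity.Impersonate() (.NET Framework), which the original poster says his company policy rules out; the class and member names are hypothetical, and the console Main stands in for the ASP.NET page.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Hypothetical state object: carries the caller's identity into the worker.
class ImpersonatedWork
{
    private readonly WindowsIdentity caller; // captured on the request thread
    public string RanAs;                     // identity seen inside the worker
    public Exception Error;                  // failure, if any, for the caller

    public ImpersonatedWork(WindowsIdentity caller) { this.caller = caller; }

    // Parameterless and void, so it can be wrapped in a ThreadStart delegate.
    public void Run()
    {
        WindowsImpersonationContext ctx = null;
        try
        {
            ctx = caller.Impersonate();      // put the caller's token on this thread
            RanAs = WindowsIdentity.GetCurrent().Name;
            // ... call the COM+/serviced component here ...
        }
        catch (Exception ex) { Error = ex; }
        finally
        {
            // Always revert: a pooled thread is reused, and a token left on it
            // would be applied to whatever work item runs there next.
            if (ctx != null) ctx.Undo();
        }
    }
}

class Demo
{
    static void Main()
    {
        // On an ASP.NET request thread with <identity impersonate="true"/>,
        // this is the impersonated user; in this console stand-in it is the
        // process account.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        ImpersonatedWork[] jobs = new ImpersonatedWork[3];
        Thread[] threads = new Thread[jobs.Length];
        for (int i = 0; i < jobs.Length; i++)
        {
            jobs[i] = new ImpersonatedWork(caller);
            threads[i] = new Thread(new ThreadStart(jobs[i].Run));
            threads[i].Start();
        }
        // Join before the request ends so the captured token is still alive.
        for (int i = 0; i < jobs.Length; i++) { threads[i].Join(); Console.WriteLine(jobs[i].RanAs); }
    }
}
```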
 
Guest

Scott:

The problem isn't the johnDoe user's permissions, but the fact that the new threads don't run under that user's account when I change the processModel to userName="domain\johnDoe" password="******" in machine.config; they are still executing under the machinename\ASPNET account, and this of course leads to the access denied.

Please notice that if I specify a user in machine.config/processModel I CAN remove <identity impersonate="true"/> in web.config, and the main thread is executing under the user specified in machine.config. But new threads aren't!

Can anyone please confirm this? I'm starting to think I'm going mad. This is on XP pro/framework1.1

Best regards!
 
Guest

Scott:

The problem isn't the johnDoe user's permissions but the fact that new threads don't inherit that user's account even if it's specified in machine.config. All new threads get the machinename\ASPNET account regardless of what user I specify in <processModel>.

Please notice that if I change the <processModel userName="machine" password="AutoGenerate"/> to <processModel userName="domain\johnDoe" password="******"/> I can remove <identity impersonate="true"/> from web.config and the MAIN thread still executes under the right user account, i.e. johnDoe, but all new threads, no matter what user is in machine.config, run under the machinename\ASPNET account!!

Can someone please confirm this? I think I'm starting to go insane :) This is on WinXP Pro/framework 1.1

Best regards!
 
Scott Allen

Hi Markus:

This is what seems odd, if the process is configured to run as
johnDoe, the threads you spin up should get the identity of the
process they are in: johnDoe. If you are not seeing this behavior
perhaps you could double check all the configurations.

--s
 
Lan H. Nguyen

Thanks for the link to the article. It is helpful for asynchronous
operations.

 
