W2k Server, IIS 5.0, COM+, ASP, Impersonating users 

Hi,

I am writing a DNA Web site, using Visual Basic as a development tool for
the middle-tier (COM+ components).
I need to enforce security on a method level of the COM+ components, so I
decided to use COM+ Role-based security.
The idea is that users should come on the login page as anonymous users,
they should enter correct username, password and this would apply their Role
(e.g. one of five NTFS accounts created especially for this application).
Every time they would call any middle-tier method, the impersonation of the
NTFS account would happen, method would get executed, and on object
destruction user would be put back as anonymous user.

How security is applied:
Site allows anonymous access, so users come on the login page as
IUSR_<server_name.>
At the login page users should enter Username, Password. If they are
correct, user should assume one role out of five (based on their
privileges). Users have all their data (username, password, privileges)
stored in SQL Server 2000 Database.
So I created an ActiveX component exactly as described in MS KB Article
http://support.microsoft.com/support/kb/articles/Q248/1/87.ASP. This
component uses API calls to ImpersonateLoggedOnUser, LogonUser and
RevertToSelf.

I also created ASP exactly as described in article. But it doesn't work. It
compiles, registers OK, even if I run ASP it doesn't report any problems, but
security is not enforced.
So I did a debug of the component and saw that LogonUser method returns an
error number 1314, which means "ERROR_PRIVILEGE_NOT_HELD: A required
privilege is not held by the client.". If I understood documentation
correctly, this means that user I am trying to impersonate doesn't have
enough privileges, but I used local Administrator account! Even more weird
is that it reports exactly the same error if I use a non-existent username
and password.

I am sure here must be a very simple solution, but I cannot find it. If
anyone helps I would be very happy.

Thank you for helping,
Borut Zagar



Sun, 26 Oct 2003 19:22:12 GMT  
Hello,

To use the LogonUser API you need to set "Act as part of the operating
system" in the Security Policies/User Rights Assignment.
Only then is the program able to impersonate another user.

Thomas


Quote:
> Hi,

> I am writing a DNA Web site, using Visual Basic as a development tool for
> the middle-tier (COM+ components).
> I need to enforce security on a method level of the COM+ components, so I
> decided to use COM+ Role-based security.
> The idea is that users should come on the login page as anonymous users,
> they should enter correct username, password and this would apply their Role
> (e.g. one of five NTFS accounts created especially for this application).
> Every time they would call any middle-tier method, the impersonation of the
> NTFS account would happen, method would get executed, and on object
> destruction user would be put back as anonymous user.

> How security is applied:
> Site allows anonymous access, so users come on the login page as
> IUSR_<server_name.>
> At the login page users should enter Username, Password. If they are
> correct, user should assume one role out of five (based on their
> privileges). Users have all their data (username, password, privileges)
> stored in SQL Server 2000 Database.
> So I created an ActiveX component exactly as described in MS KB Article
> http://support.microsoft.com/support/kb/articles/Q248/1/87.ASP. This
> component uses API calls to ImpersonateLoggedOnUser, LogonUser and
> RevertToSelf.

> I also created ASP exactly as described in article. But it doesn't work. It
> compiles, registers OK, even if I run ASP it doesn't report any problems, but
> security is not enforced.
> So I did a debug of the component and saw that LogonUser method returns an
> error number 1314, which means "ERROR_PRIVILEGE_NOT_HELD: A required
> privilege is not held by the client.". If I understood documentation
> correctly, this means that user I am trying to impersonate doesn't have
> enough privileges, but I used local Administrator account! Even more weird
> is that it reports exactly the same error if I use a non-existent username
> and password.

> I am sure here must be a very simple solution, but I cannot find it. If
> anyone helps I would be very happy.

> Thank you for helping,
> Borut Zagar



Tue, 28 Oct 2003 04:59:00 GMT  
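
The reply above in code, as an added example that is not part of the thread or of the KB article: on Windows 2000 the process calling LogonUser must hold SeTcbPrivilege ("Act as part of the operating system"), and without it the call fails with 1314 whatever credentials are passed, which is why a non-existent account produced the same error. The wrapper names `TryImpersonate` and `StopImpersonating` and the returned strings are hypothetical; the point is that every failure is surfaced so the page denies access instead of silently continuing as the anonymous user.

```vb
' Added example (VB6 module). TryImpersonate / StopImpersonating are hypothetical names.
Option Explicit

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
    ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32.dll" ( _
    ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_INTERACTIVE As Long = 2
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0
Private Const ERROR_PRIVILEGE_NOT_HELD As Long = 1314
Private Const ERROR_LOGON_FAILURE As Long = 1326

' Returns "" on success, otherwise a reason the caller must treat as "deny".
Public Function TryImpersonate(ByVal User As String, ByVal Domain As String, _
                               ByVal Password As String) As String
    Dim hToken As Long, lastErr As Long
    If LogonUser(User, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then
        lastErr = Err.LastDllError   ' GetLastError value captured by VB
        Select Case lastErr
            Case ERROR_PRIVILEGE_NOT_HELD
                ' The calling process lacks SeTcbPrivilege, so this error
                ' says nothing about whether the credentials are valid.
                TryImpersonate = "caller lacks 'Act as part of the operating system'"
            Case ERROR_LOGON_FAILURE
                TryImpersonate = "unknown user name or bad password"
            Case Else
                TryImpersonate = "LogonUser failed, error " & lastErr
        End Select
        Exit Function
    End If
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        TryImpersonate = "ImpersonateLoggedOnUser failed, error " & Err.LastDllError
    End If
    CloseHandle hToken   ' release our handle to the logon token
End Function

' Call when the method finishes; a failed revert must not be ignored.
Public Sub StopImpersonating()
    If RevertToSelf() = 0 Then Err.Raise vbObjectError + 1, , "RevertToSelf failed"
End Sub
```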
Hi,

How do I set "Act as part of the operating system"?

/Alex




Fri, 28 Nov 2003 15:59:57 GMT  