Ad:

ASP.NET Discussion Thread
Unsolved
Views: 12621

May 10th, 2004

-1

Impersonation in ASP.NET

Expand Post »

Hi,
I have one ASP.NET page which allows users to upload their files which are stored in another system (file server) through simple network share. The code is as simple as
FileUpload.PostedFile.SaveAs(strPath)

Here this page gets "access denied" to save the file. I know the application is running under ASPNET local user account. So i even can't give privileges to save file for this local account in another target system.

I solved this problem by using impersonation tags as below in the web.config :

<identity impersonate="true" userid=xxx password=yyyy />

But i have to specify user id and password explicitly in plain text here....
Is there anyway i avoid specifying user id and password like this?

srikkanthan

Reputation Points: 42

Solved Threads: 0

Light Poster

Offline

27 posts
since May 2004

Permalink

May 11th, 2004

Re: Impersonation in ASP.NET

If you define it in the web config, then it isn't available for users to view. Hence it is secure.

Hope this helped.

Slade

Slade

Reputation Points: 115

Solved Threads: 7

Practically a Master Poster

Offline

633 posts
since Mar 2004

Permalink

May 12th, 2004

-1

Re: Impersonation in ASP.NET

Quote originally posted by srikkanthan ...

Hi,
I have one ASP.NET page which allows users to upload their files which are stored in another system (file server) through simple network share. The code is as simple as
FileUpload.PostedFile.SaveAs(strPath)

Here this page gets "access denied" to save the file. I know the application is running under ASPNET local user account. So i even can't give privileges to save file for this local account in another target system.

I solved this problem by using impersonation tags as below in the web.config :

<identity impersonate="true" userid=xxx password=yyyy />

But i have to specify user id and password explicitly in plain text here....
Is there anyway i avoid specifying user id and password like this?

turn off anonymous access to the website and use the integrated nt security...

chanto!

Reputation Points: 45

Solved Threads: 1

Light Poster

Offline

39 posts
since Mar 2004

Permalink

May 13th, 2004

Re: Impersonation in ASP.NET

OR if I recall just give Permission to the IUSR_anonymous User in Windows access to the directory/files. It is the default user used by ASP.Net

Paladine

Team Colleague

Reputation Points: 211

Solved Threads: 27

Master Poster

Offline

793 posts
since Feb 2003

Permalink

Aug 10th, 2007

Re: Impersonation in ASP.NET

Hi,
If you are concerned about the security with respect to some user having access to the machine can read the user credentials, then you can encrypt that particular configuration section of the web.config using aspnet_regiis.exe with the pe / pef commands. This would render the web.config section unreadable if opened physically, but readable from the application.

That brings up another question though. What happens if the company policy madates the change of user passwords at regular intervals? Can we read the user credentials from Active Directory without coding, i.e., can we specify whether to get the user credentials from the AD by specifying user name? Can someone answer these questions?

regards,
Prabin.

prabinv

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since Aug 2007

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in ASP.NET Forum Timeline: Please Help

Next Thread in ASP.NET Forum Timeline: Dropdown appears short in IE

DaniWeb Message

Cancel Changes

User Name
Password