Daniel Fisher (lennybacon.com)

SOA, DATA & THE WEB

Re: Windows Impersonation in ASP.NET

Pierre posted an entry about impersonation in ASP.NET scenarios.

[Pierre]There are several scenarios where you have to use impersonation in ASP.NET. Consider, for example, that you have to save and load files from a network share (file server). In that case, if the web site accepts anonymous authentication, you have to impersonate a Windows user who has enough privileges to access that resource.

You have three choices (I guess):

  1. Elevate the ASP.NET process identity - worst case since you could compromise the whole site's security
  2. Impersonate a windows user during the single call (http://blogs.msdn.com/shawnfa/archive/2005/03/22/400749.aspx)
  3. Demand the task to a COM+ server application

I think that the last is the best since we have more security and maintenance control
[...]

I agree with him that "Demand the task to a COM+ server application" is the best of the three options he listed. But for me, impersonation is still a don't.

By the way, I wanted to post this as a comment, but "Comments on this post are closed". Yes, this is some criticism of weblogs.asp.net :-) ...

So here is my opinion, as a post on my blog:


Avoid impersonation!
If you need to "redirect a binary that is located on a different box than the webserver to the client", utilize another IIS on the second machine or write a service that returns the binary data.
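A sketch of the "write a service that returns the binary data" option, added here as an example; it is not code from Daniel's or Pierre's projects. It assumes a second IIS on the file-server box hosting an `IHttpHandler` (assumed name `FileHandler`) mapped to a hypothetical `/files/` path, whose application pool identity has read access to one fixed directory (assumed path `DocumentRoot`), and a web application that fetches documents over HTTP through an assumed `DocumentClient` class instead of opening the share under an impersonated Windows user. The `fileserver.example` host name is a placeholder.

```csharp
using System;
using System.IO;
using System.Net;
using System.Web;

// Runs on the file-server box in its own IIS, under an application pool
// identity that can read DocumentRoot. No impersonation anywhere: the
// caller's Windows identity never reaches the file system.
public class FileHandler : IHttpHandler
{
    // Fixed directory the handler is allowed to serve from (assumed path).
    private const string DocumentRoot = @"D:\Documents";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string name = context.Request.QueryString["name"];
        string path;
        if (!TryResolve(name, out path))
        {
            context.Response.StatusCode = 400; // anything outside DocumentRoot is refused
            return;
        }
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.TransmitFile(path);
    }

    // Accept only a bare file name and confirm the resolved path still lives
    // under DocumentRoot, so "..\" segments or an absolute path cannot escape it.
    public static bool TryResolve(string name, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(name)) return false;
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        if (name != Path.GetFileName(name)) return false; // no directory parts allowed
        string root = Path.GetFullPath(DocumentRoot).TrimEnd('\\') + "\\";
        string candidate = Path.GetFullPath(Path.Combine(root, name));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }
}

// Runs in the web application: fetches the document over HTTP from the
// file server's IIS instead of opening the share itself.
public static class DocumentClient
{
    private const string FileService = "http://fileserver.example/files/"; // placeholder URL

    public static byte[] Fetch(string name)
    {
        string url = FileService + "?name=" + Uri.EscapeDataString(name);
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        // Authenticates as the web application's own process account,
        // not as the browsing user, so no per-request impersonation is needed.
        request.Credentials = CredentialCache.DefaultCredentials;
        using (WebResponse response = request.GetResponse())
        using (Stream body = response.GetResponseStream())
        using (MemoryStream buffer = new MemoryStream())
        {
            byte[] chunk = new byte[8192];
            int read;
            while ((read = body.Read(chunk, 0, chunk.Length)) > 0)
                buffer.Write(chunk, 0, read);
            return buffer.ToArray();
        }
    }
}
```

The handler is registered in the second site's web.config `httpHandlers` section for the `/files/` path. With this split, the web server's process account needs no rights on the share at all, the file server's pool account needs only read access on `DocumentRoot`, and the one place that touches the file system validates the requested name before use.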


Comments

I like the idea of having a COM+ component (server application) which does the work, since I don't have to impersonate. In my last application I used a Queued Component to save large documents (1-1.5 MB each) on the share from the web application. Thanks, Pierre
