Morten
Wed Sep 13 06:07:14 CDT 2006
We use .Net 2.0, and upon further studies, it is not connected to WindowsImpersonationContext since only one web service uses that.
What configuration is required?
We use an encrypted identity section
<trust level="Full" originUrl=""/>
<identity configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>IKGgtOuiQqSL6KZOurRXMNSJxNioerQcyGGS3Ng2y6SgsnjZqWQMztRTALlkbaVQM3zsh4BSnACU4pN+s1tWHDV1EKSyfCM7m5R5G54vUvF+oqj9MVtZ12QVhv2i2hun95oHNtgAgYJjVbzAudcKMTe/phWP61iXqTgxKKNc+xw=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>RrRnNXdcQQozeNEGPuinT9aaRT2M9RGgOBe1O9/u9IIAzOflIZRr2UN0jWfiGk+WduHx/kM3ZN2s05k3/gQMcwZhykXHRFLAcURapxzjBRqz2HBh2ad05Q==</CipherValue>
    </CipherData>
  </EncryptedData>
</identity>
and
<authentication mode="Windows"/>
<authorization>
  <allow users="*"/>
</authorization>
- Morten
On Wed, 13 Sep 2006 11:46:50 +0200, Dominick Baier <dbaier@pleasepleasenospam_leastprivilege.com> wrote:
> Hi, which framework version are you using? Impersonation tokens are not
> always propagated to async operations.
>
> In 1.1 they are never propagated. In 2.0 you can control that via a
> config setting
>
> http://www.leastprivilege.com/WhatIsAspnetconfig.aspx
>
> ---
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
>> Hi,
>> I apologize for the extensive cross-posting but I'm getting desperate.
>> We have a web page calling one or another web service. Both web
>> service communicate with Sharepoint 2003, and both temporarily change
>> impersonation using WindowsImpersonationContext class and then revert
>> back with WindowsImpersonationContext.Undo() to typically save
>> documents with the correct user name.
>> Calling the web services synchronously works fine, but we need it to
>> work asynchronously (typically creating and saving a document before
>> the web services do some work on it).
>> The problem is, instead of reverting to the original user,
>> WindowsImpersonationContext ends up as the user running the
>> Application
>> Pool
>> for the web page. I have been unable to find out anything why this
>> happens.
>> Furthermore, I created a new Application Pool for the web page,
>> thinking perhaps sharing the same pool was the problem, but before I
>> could attach it to the web page the problem appeared to solve itself,
>> for a short time.
>> Doing some extensive testing I have concluded this:
>> WindowsImpersonationContext.Undo() works for a short time if a dummy
>> application pool (not used by anything) is STARTED
>> WindowsImpersonationContext.Undo() works for a short time if a dummy
>> application pool (not used by anything) is STOPPED
>> When it works, it seems to work as long as only one web service is
>> called,
>> and it stops working as soon as the other web service is called.
>> ????
>> The only google result I could come up with related to this does not
>> have a solution or email address
>>
>> http://www.derkeiler.com/Newsgroups/microsoft.public.dotnet.security/2005-02/0223.html
>> Any idea, suggestions or something to try is extremely welcome
>> - Morten
>>
>
>
-- 
Happy Coding!
Morten Wennevik [C# MVP]
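
An added example, not part of the original thread or the posters' code: one way to avoid depending on whether the impersonation token is propagated to async operations is to capture the caller's WindowsIdentity on the request thread, impersonate it explicitly inside the async work item, and always call Undo() in a finally block. The names AsyncImpersonationDemo and SaveDocument are hypothetical, and the console host stands in for the web page.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example; AsyncImpersonationDemo and SaveDocument are hypothetical names.
class AsyncImpersonationDemo
{
    static void Main()
    {
        // On the request thread: capture the identity the async work must run as.
        // Under ASP.NET impersonation this is the impersonated caller; in this
        // console demo it is simply the process identity.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        Console.WriteLine("Request thread: " + caller.Name);

        using (ManualResetEvent done = new ManualResetEvent(false))
        {
            // Pass the captured identity as state instead of relying on token flow.
            ThreadPool.QueueUserWorkItem(delegate(object state)
            {
                try { SaveDocument((WindowsIdentity)state); }
                finally { done.Set(); }
            }, caller);
            done.WaitOne();
        }
    }

    static void SaveDocument(WindowsIdentity runAs)
    {
        // Log what the pool thread starts as; if the token did not flow,
        // this is the process (application pool) account.
        Console.WriteLine("Worker before: " + WindowsIdentity.GetCurrent().Name);

        WindowsImpersonationContext ctx = runAs.Impersonate();
        try
        {
            Console.WriteLine("Worker during: " + WindowsIdentity.GetCurrent().Name);
            // ... call the web service / save the document here ...
        }
        finally
        {
            // Always revert, so the pooled thread is not handed to the next
            // work item still carrying this caller's token.
            ctx.Undo();
        }
        Console.WriteLine("Worker after: " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Logging the identity before, during and after the impersonated block on the worker thread shows directly whether a pool thread started as the application pool account or was returned to the pool without being reverted.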