
Thread: web.config with impersonate

  1. #1

    Thread Starter
    Member
    Join Date
    Aug 2001
    Location
    Ottawa
    Posts
    38

    web.config with impersonate

    In my web.config file, I have the standard impersonate line:

    <identity impersonate="true" userName="domain\username" password="password"/>

    Which works great and after I publish the site, I run an encryption on this section so security is not really an issue. However, I am trying to update my sites so that the password is read from a table (which is stored in an encrypted format) via a function that also runs a decryption. I'm not sure if I can do this in a web.config or not, but barring that, are there any other suggestions for how to accomplish this? The end result is that I would like to be able to change the password in my table and have that change automatically go down to all my sites that use this account.

    Ideally, I would like the impersonate line to read:

    <identity impersonate="true" userName="domain\username" password="myDecryptFunction.Decrypt(username)"/>

  2. #2
    Learning .Net danasegarane
    Join Date
    Aug 2004
    Location
    VBForums
    Posts
    5,853

    Re: web.config with impersonate

    There are a few ways.

    1. From MSDN.

    To encrypt the user name and password and store them in the registry, set the userName and password as follows.

    userName="registry:HKLM\Software\AspNetProcess,Name"
    password="registry:HKLM\Software\AspNetProcess,Pwd"

    The portion of the string after the keyword registry and before the comma indicates the name of the registry key that ASP.NET opens. The portion after the comma contains a single string value name from which ASP.NET will read the credentials. The comma is required, and the credentials must be stored in the HKLM hive. If the configuration format is incorrect, ASP.NET will not launch the worker process and the current account creation failure code path will be followed.

    The credentials must be in REG_BINARY format, containing the output of a call to the Windows API function CryptProtectData. You can create the encrypted credentials and store them in the registry with the ASP.NET Set Registry console application (Aspnet_setreg.exe), which uses CryptProtectData to accomplish the encryption. To download Aspnet_setreg.exe, along with the Visual C++ source code and documentation, visit the Web site www.asp.net and search for "aspnet_setreg".

    You should configure access to the key storing the encrypted credentials so that access is provided only to Administrators and SYSTEM. Because the key will be read by the ASP.NET process running as SYSTEM, you should set the following permissions:

    Administrators:F

    SYSTEM:F

    CREATOR OWNER:F

    ProcessAccount:R

    This provides two lines of defense to help protect the data:

    * The ACL permissions require the identity accessing the data to be an Administrator.
    * An attacker must run code on the server (CryptUnprotectData) to recover the credentials for the account.

    2. Impersonate in code behind. Example here in MSDN
    Please mark your thread resolved using the Thread Tools as shown
