DotNet Security: Identity: impersonate=True?

  • djinn1 / 102 / Wed, 24 Jun 2009 20:16:00 GMT / Comments (4)
  • This issue has to do with security when accessing a web service anonymously and trying to write to the application event log.
    IIS anonymous account = domain\ProxyAccount. With the above setting, when trying to write to the application event log I receive:
    Source: security
    Category: Privilege Use
    Type: Failure Audit
    Event Id: 578
    Privileges: SeBackupPrivilege
    User: ProxyAccount

    I understand that SeBackupPrivilege is required by the RegSaveKey and RegSaveKeyEx functions.
    The thing I don't understand is that when I use the following, which is to hardcode the userName and password into the web.config, I no longer see this error.

    The goal is not to hardcode the username and password.
    I have to get an explanation for management of why using the domain account when not hardcoding it (impersonate="true": using the anonymous IIS account) does not allow writing to the event log, but hardcoding the same domain account does allow writing to the event log.

    Are there any articles on this that I am missing? I have been researching this and not finding a concrete explanation of why.

    Also, is there a fix for this issue?
    Thanks!!
  • Keywords:

    identity, impersonate, dotnet, security, .net

  • http://dotnet.itags.org/dotnet-security/60926/
    1. Does anyone have any ideas, or can anyone point me in the right direction?

      Thanks!!

      djinn1 | Sat, 05 Jan 2008 20:47:00 GMT |

    2. In my opinion, in your first example IIS uses

      <identity impersonate="true" />

      the account of the logged-on user (if you connect to IIS with your browser, your own account "domain\YourUser"). That's the ID behind the impersonation.
      In your second example you enforce the impersonation with a hard-coded account.

      Best regards.

      uk1967 | Sat, 05 Jan 2008 20:49:00 GMT |

    3. That is true if you are using Windows Authentication.
      With the use of Forms and allowing access to this web service anonymously it uses the "domain\ProxyAccount" which is the anonymous user listed in IIS.

      When viewing the security identity in either example the user is the same.

      When using the IIS identity instead of enforcing it by hard-coding it within the identity tag, it is lacking the correct permissions or privilege.

      When the security error (event id 578) occurs, it names the user that is trying to write to the event log as "domain\ProxyAccount" when using the IIS anonymous account.
      If I hard-code the same domain account it works fine, and it does have the correct permissions.

      I don't know, but it seems like the hard-coded account gets the correct/all of the permissions and privileges, but when impersonating the IIS anonymous account it does not.

      djinn1 | Sat, 05 Jan 2008 20:50:00 GMT |

    4. I did forget to mention that the "domain\ProxyAccount" does have the correct permissions on the server to write to the Event Log (file and registry).

      djinn1 | Sat, 05 Jan 2008 20:51:00 GMT |
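Added diagnostic example, not code from the thread or from any of its posters. It is the check a practitioner would run to settle the question above: drop it into the web service, run it once under each of the two web.config variants (impersonate="true" with the IIS anonymous account, and impersonate="true" with the hard-coded userName/password), and compare the identity name, impersonation level and privilege list the request thread actually carries. The second half separates the registry-touching step (registering the event source) from the runtime step (writing an entry), so the runtime account never needs SeBackupPrivilege or registry write access. It assumes Windows with .NET 2.0 or later and a Win32 P/Invoke to advapi32; the event source name is whatever the caller passes in.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added diagnostic helper (not code from the thread). Run Describe() inside the
// web service under each web.config variant and compare the output.
public static class IdentityDiagnostics
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           IntPtr info, int infoLength, out int returnLength);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string systemName, ref LUID luid,
                                           StringBuilder name, ref int nameLength);

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

    const int TokenPrivilegesClass = 3;          // TOKEN_INFORMATION_CLASS.TokenPrivileges
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;

    // One "SeXxxPrivilege=enabled|disabled" line per privilege held by the token.
    // A privilege that is absent here cannot be enabled by the code at all.
    public static List<string> ListPrivileges(WindowsIdentity identity)
    {
        var lines = new List<string>();
        int needed;
        GetTokenInformation(identity.Token, TokenPrivilegesClass, IntPtr.Zero, 0, out needed);
        IntPtr buffer = Marshal.AllocHGlobal(needed);
        try
        {
            if (!GetTokenInformation(identity.Token, TokenPrivilegesClass, buffer, needed, out needed))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // TOKEN_PRIVILEGES layout: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[PrivilegeCount]
            int count = Marshal.ReadInt32(buffer);
            int entrySize = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));
            for (int i = 0; i < count; i++)
            {
                IntPtr entry = new IntPtr(buffer.ToInt64() + 4 + i * entrySize);
                var la = (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(entry, typeof(LUID_AND_ATTRIBUTES));
                var name = new StringBuilder(64);
                int len = name.Capacity;
                if (!LookupPrivilegeName(null, ref la.Luid, name, ref len))
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                bool enabled = (la.Attributes & SE_PRIVILEGE_ENABLED) != 0;
                lines.Add(name + "=" + (enabled ? "enabled" : "disabled"));
            }
        }
        finally
        {
            Marshal.FreeHGlobal(buffer);
        }
        return lines;
    }

    // Name, token kind and privilege list of the identity the current request thread runs as.
    public static string Describe()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var sb = new StringBuilder();
        sb.AppendLine("User:                " + id.Name);
        sb.AppendLine("Authentication type: " + id.AuthenticationType);
        sb.AppendLine("Impersonation level: " + id.ImpersonationLevel);
        foreach (string line in ListPrivileges(id))
            sb.AppendLine("  " + line);
        return sb.ToString();
    }

    // Registering a source is the step that writes to the registry under
    // HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application, and SourceExists
    // itself reads the registry (including the Security log's keys). Run this once
    // at install time under an administrative account, so the runtime account only
    // ever appends entries to a source that already exists.
    public static void RegisterSource(string source)
    {
        if (!EventLog.SourceExists(source))
            EventLog.CreateEventSource(source, "Application");
    }

    // Runtime path: write through an already-registered source; no registry
    // creation and no backup privilege involved.
    public static void WriteDiagnostics(string source)
    {
        EventLog.WriteEntry(source, Describe(), EventLogEntryType.Information);
    }
}
```

Call RegisterSource from an installer or an administrator's one-off script, and only WriteDiagnostics (or a plain EventLog.WriteEntry) from the web service. If the two web.config variants print different impersonation levels or privilege lists for the same domain\ProxyAccount name, that output is the concrete evidence the thread is asking for; if they print the same token and the write still fails only in one variant, the difference lies outside the token and the failure audit's own details are the next thing to read.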