Is Delegation Necessary?

My ASP.NET app needs to access an Excel file sitting on another computer on the network using ADO.NET. I've tried this using just impersonation and it seems to work fine but everything I read says that accessing network resources requires delegation. Is that necessary in this case? If so, why is this working?

Thanks,
Dave

"headware" <david.k.l***@gmail.com> wrote in message
news:cca35402-9116-4233-994f-db64e10bed00@x6g2000prc.googlegroups.com...
> Is that necessary in this case?

No.

> If so, why is this working?

Because it's not necessary in this case...

On Jul 8, 2:56 pm, "Mark Rae [MVP]" <m...@markNOSPAMrae.net> wrote:
> "headware" <david.k.l***@gmail.com> wrote in message
>
> news:cca35402-9116-4233-994f-db64e10bed00@x6g2000prc.googlegroups.com...
>
> > Is that necessary in this case?
>
> No.
>
> > If so, why is this working?
>
> Because it's not necessary in this case...
>
> --
> Mark Rae
> ASP.NET MVP
> http://www.markrae.net

Would you please explain why it's not required in this case?

"headware" <david.k.l***@gmail.com> wrote in message
news:56df8081-c783-4d30-b675-4b3c995e5af7@y28g2000prd.googlegroups.com...
>>> If so, why is this working?
>>
>> Because it's not necessary in this case...
>>
> Would you please explain why it's not required in this case?

I'm not quite sure how to answer your question - it's not required because it's not required, in the same way that it's not required to use a web service, or AJAX, or remoting, or <insert any particular technology you like> to query an Excel file with ADO.NET.

Perhaps it might be simpler if you explain why you think it should be required...?

On Jul 8, 5:30 pm, "Mark Rae [MVP]" <m...@markNOSPAMrae.net> wrote:
> "headware" <david.k.l***@gmail.com> wrote in message
>
> news:56df8081-c783-4d30-b675-4b3c995e5af7@y28g2000prd.googlegroups.com...
>
> >>> If so, why is this working?
>
> >> Because it's not necessary in this case...
>
> > Would you please explain why it's not required in this case?
>
> I'm not quite sure how to answer your question - it's not required because
> it's not required, in the same way that it's not required to use a web
> service, or AJAX, or remoting, or <insert any particular technology you
> like> to query an Excel file with ADO.NET.
>
> Perhaps it might be simpler if you explain why you think it should be
> required...?
>
> --
> Mark Rae
> ASP.NET MVP
> http://www.markrae.net

Well, I've read in several places that it's required in order to access network resources. Here are some examples:

From Microsoft:
http://msdn.microsoft.com/en-us/library/ms998351.aspx
"you can use impersonation to access local resources . . . Delegation allows you to use an impersonation token to access network resources."

Non-Microsoft:
http://www.infosysblogs.com/microsoft/2009/02/impersonation_and_delegation_t.html
"In summary, impersonation is pretending to be someone else, other than the process identity, and access local resources . . . delegation is authentication across machine boundary on behalf of someone else."

I don't have a lot of experience with impersonation and delegation so it's entirely possible that I'm misunderstanding this. If that's the case, maybe you could give me an example of when it would be necessary to use delegation and why impersonation wouldn't be sufficient.

Thanks,
Dave

"headware" <david.k.l***@gmail.com> wrote in message
news:e8092b00-3a3e-45aa-8c84-cd5b18d5b2f4@b14g2000yqd.googlegroups.com...
>> Perhaps it might be simpler if you explain why you think it should be
>> required...?
>
> Well, I've read in several places that it's required in order to
> access network resources. Here are some examples:
>
> From Microsoft:
> http://msdn.microsoft.com/en-us/library/ms998351.aspx
> "you can use impersonation to access local resources . . . Delegation
> allows you to use an impersonation token to access network resources."

That article says that you *CAN* use impersonation to access local resources - it doesn't say that you *HAVE TO*...

It further says that delegation allows you to use an impersonation token to access network resources - IF YOU NEED ONE! In your case, you clearly don't...

On Jul 9, 4:51 am, "Mark Rae [MVP]" <m...@markNOSPAMrae.net> wrote:
> "headware" <david.k.l***@gmail.com> wrote in message
>
> news:e8092b00-3a3e-45aa-8c84-cd5b18d5b2f4@b14g2000yqd.googlegroups.com...
>
> >> Perhaps it might be simpler if you explain why you think it should be
> >> required...?
>
> > Well, I've read in several places that it's required in order to
> > access network resources. Here are some examples:
>
> > From Microsoft:
> > http://msdn.microsoft.com/en-us/library/ms998351.aspx
> > "you can use impersonation to access local resources . . . Delegation
> > allows you to use an impersonation token to access network resources."
>
> That article says that you *CAN* use impersonation to access local
> resources - it doesn't say that you *HAVE TO*...
>
> It further says that delegation allows you to use an impersonation token to
> access network resources - IF YOU NEED ONE! In your case, you clearly
> don't...
>
> --
> Mark Rae
> ASP.NET MVP
> http://www.markrae.net

I'm trying to access a file on another computer over the network. You don't consider that a network resource? Maybe this is just a definition issue.

I realize that impersonation and delegation are not required in every situation, but there are cases where they are. Maybe if you gave an example of a situation where delegation would be required and why, it would help explain things better.

"headware" <david.k.l***@gmail.com> wrote in message
news:1a00ca45-4385-4456-a3f2-38597f1849f5@18g2000yqa.googlegroups.com...
> I'm trying to access a file on another computer over the network. You
> don't consider that a network resource? Maybe this is just a
> definition issue.

Yes, it is a network resource, but it involves only two machines - the machine that the browser is running on, and the webserver.

> I realize that impersonation and delegation are not required in every
> situation, but there are cases where they are. Maybe if you gave an
> example of a situation where delegation would be required and why, it
> would help explain things better.

If a third machine were involved, then this would require delegation. The first computer connects to the second computer via a standard network connection - this doesn't require delegation. However, if the second computer then tries to connect to a third computer using the credentials by which the first computer accessed the second computer, then this would require delegation because the third computer would need to trust the second computer's authentication of the first computer.

As an FYI, these issues really have nothing to do with ASP.NET whatsoever.
It's the Windows security model that's in control. If you understand how that works, everything will be easily understood. The devil's in the details of course but it's not nearly as complicated as people think. The real problem is that there's virtually no documentation from MSFT that *clearly* explains how this model works. Instead, get yourself the book "Programming Windows Security" by Keith Brown. It was published many years ago but still the most relevant book on the subject I've ever seen (and still applicable to all professional versions of MSFT OSs). Spend the time to get through it and you'll be glad you did. It will forever eliminate your security problems.

On Jul 9, 7:01 am, "Larry Smith" <_nospam@_no_spam.com> wrote:
> As an FYI, these issues really have nothing to do with ASP.NET whatsoever.
> It's the Windows security model that's in control. If you understand how
> that works, everything will be easily understood. The devil's in the details
> of course but it's not nearly as complicated as people think. The real
> problem is that there's virtually no documentation from MSFT that *clearly*
> explains how this model works. Instead, get yourself the book "Programming
> Windows Security" by Keith Brown. It was published many years ago but still
> the most relevant book on the subject I've ever seen (and still applicable
> to all professional versions of MSFT OSs). Spend the time to get through it
> and you'll be glad you did. It will forever eliminate your security
> problems.

Thanks for the reference. Reading the topic list, it does cover a lot of the things I'm interested in. Good cover art too. I found another one called "The .NET Developer's Guide to Windows Security" that might be worth a look as well. I really don't want to be a Windows admin but this stuff does come up quite a bit especially with web apps. A developer focused book would be ideal.

headware <david.k.l***@gmail.com> wrote in
news:cca35402-9116-4233-994f-db64e10be***@x6g2000prc.googlegroups.com:
> My ASP.NET app needs to access an Excel file sitting on another
> computer on the network using ADO.NET. I've tried this using just
> impersonation and it seems to work fine but everything I read says
> that accessing network resources requires delegation. Is that
> necessary in this case? If so, why is this working?
>
> Thanks,
> Dave

FYI: There is a certain amount of "delegation" involved in impersonation, although it is under the hood. ;-)

BTW, is this drive mapped or are you using a UNC path? Just curious.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************

On Jul 8, 3:25 pm, "Gregory A. Beamer" <NoSpamMgbwo...@comcast.netNoSpamM> wrote:
> headware <david.k.l***@gmail.com> wrote in news:cca35402-9116-4233-994f-
> db64e10be***@x6g2000prc.googlegroups.com:
>
> > My ASP.NET app needs to access an Excel file sitting on another
> > computer on the network using ADO.NET. I've tried this using just
> > impersonation and it seems to work fine but everything I read says
> > that accessing network resources requires delegation. Is that
> > necessary in this case? If so, why is this working?
>
> > Thanks,
> > Dave
>
> FYI: There is a certain amount of "delegation" involved in impersonation,
> although it is under the hood. ;-)
>
> BTW, is this drive mapped or are you using a UNC path? Just curious.
>
> --
> Gregory A. Beamer
> MVP; MCP: +I, SE, SD, DBA
>
> Twitter: @gbworld
> Blog: http://gregorybeamer.spaces.live.com
>
> *******************************************
> | Think outside the box! |
> *******************************************

It's a UNC path to a share on another box.

headware <david.k.l***@gmail.com> wrote in
news:5c2c9455-8315-40fd-a05d-05db33c0ba87@j9g2000prh.googlegroups.com:
>
> It's a UNC path to a share on another box.
>

If it is working, I would roll with it. It is not the "best" solution, but I have read nothing that convinces me it is a horrible option that you should not use.

Note, however, if the network admins lock down security, it could fail. This is a risk with any external resource you are linked to, UNC or mapped.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************

> My ASP.NET app needs to access an Excel file sitting on another
> computer on the network using ADO.NET. I've tried this using just
> impersonation and it seems to work fine but everything I read says
> that accessing network resources requires delegation. Is that
> necessary in this case?

No

> If so, why is this working?

It's working because delegation means allowing the *remote* machine to access network resources. You can access the remote machine with your Excel file IOW (which involves its own authentication - long story) but that machine can't turn around and access another machine unless you permitted delegation in the first place (which is potentially very dangerous since the remote machine then has your network credentials and can masquerade as you on another machine which can do the same and so forth - each new machine thinks it's you and so can cause damage in *your* name - your credentials are also spread across all these machines - not good).

with only two computers delegation is not required. it's required when you involve 3. a sends its credentials to b, and b tries to use these credentials to access c. this is because c has to trust b's authentication of a.

as long as the web browser used is on the same computer as the web server, no delegation (which requires kerberos) is needed. if you hit your website from another computer, then delegation will be required.

-- bruce (sqlwork.com)

headware wrote:
> My ASP.NET app needs to access an Excel file sitting on another
> computer on the network using ADO.NET. I've tried this using just
> impersonation and it seems to work fine but everything I read says
> that accessing network resources requires delegation. Is that
> necessary in this case? If so, why is this working?
>
> Thanks,
> Dave
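
Added example, not code from any poster in this thread: a C# helper that reports which identity and impersonation level the current thread would present when the app opens the file on the share, the fact the replies above are arguing about. The class name, method names and the UNC path in the comment are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Hypothetical helper; call it from the page that opens the workbook.
public static class HopDiagnostics
{
    // Describe the token WindowsIdentity.GetCurrent() returns: the thread's
    // impersonation token if there is one, otherwise the process token.
    public static string DescribeCurrentToken()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            string scope;
            switch (id.ImpersonationLevel)
            {
                case TokenImpersonationLevel.Delegation:
                    scope = "may act as the caller on remote systems"; break;
                case TokenImpersonationLevel.Impersonation:
                    scope = "may act as the caller on the local system only"; break;
                case TokenImpersonationLevel.None:
                    scope = "primary token, not an impersonation token"; break;
                default: // Anonymous or Identification
                    scope = "cannot be used to act as the caller"; break;
            }
            return string.Format("{0} auth={1} level={2} ({3})",
                id.Name, id.AuthenticationType, id.ImpersonationLevel, scope);
        }
    }

    // Attempt the outbound hop and record which token it was attempted with.
    // Example argument (constructed): @"\\fileserver\reports\book.xls"
    public static string ProbeShare(string uncPath)
    {
        string token = DescribeCurrentToken();
        try
        {
            using (File.OpenRead(uncPath)) { } // open and close immediately
            return "OK     " + token;
        }
        catch (UnauthorizedAccessException ex)
        {
            return "DENIED " + token + " : " + ex.Message;
        }
        catch (IOException ex)
        {
            return "IOERR  " + token + " : " + ex.Message;
        }
    }
}
```

Logging the returned string once from a browser on the web server and once from a browser on another machine shows which identity each request used for the hop to the file share.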