Alik Levin's

Clarity, Technology, and Solving Problems | PracticeThis.com 

September, 2007

  • Alik Levin's

    Authentication And Identity Flow When ASP Page Consumes ASP.NET Web Service

    • 4 Comments

    "Classic" ASP has application isolation that is different from ASP.NET. Here is one of the real world scenarios where it might matter.

    image

    There is a legacy web application written in ASP and hosted on Win2K3 box (IIS 6.0). It is of course in the process of migration to ASP.NET. As part of the migration process there were several ASP.NET web services factored out of the classic ASP app. These web services are hosted on another Win2K3 box and require windows authentication. Classic ASP must consume these web services while satisfying the requirement of windows authentication. ASP page consumes the web service via .Net COM interop invoking .Net component:

    The question here is what is this account that ASP page authenticates to ASP.NET web service on another machine?

    It is common mistake assuming that the account is the application pool's one. ASP does not run in the context of the application pool. In case of anonymous access It runs in the context of what defined for anonymous user:

    image

    Said that, in order to let ASP page authenticate to ASP.NET web service based on windows authentication one needs to define domain account in above property page for virtual directory where ASP resides. This is the account that will hit the ASP.NET web service.

  • Alik Levin's

    TechEd 2007 Barcelona- I Will Be Giving Web Security Session

    • 3 Comments

    This session discusses common coding anti-patterns which usually lead to security vulnerabilities. Come and see how these vulnerabilities can be exploited to penetrate the application. We will be demonstrating common attacks that take advantage of the vulnerabilities using freely available tools. Among these attacks are Google, Live.com Hacking, Remoting and WCF hacking, Assemblies hijacking. The other part of the session will be dedicated to coding best practices and how to counter these attacks using another set of freely available tools.

    Microsoft TechEd EMEA

     

    My related posts:

  • Alik Levin's

    Memi Is Blogging On Architecture And More...

    • 3 Comments

    Memi, my comrade, finally decided to share his architecture insights via his new and shiny blog.

    Check this out!! He even knows how to count to three :).

    Software Architecture and more...

    I know you have so much insights to share with us.

     

    Good luck buddy!

Page 1 of 2 (4 items) 12