Monday, 21 September 2009

Impersonation in DotNetNuke Intranets

We (Glanton) specialise in implementing DotNetNuke ("DNN") as an intranet application for large enterprises and vouch for the fact that it's a very different animal from setting up your standard internet facing DNN site for clients.

I was surprised at the complexities introduced when impersonation is enabled on a DotNetNuke site and hopefully our experiences and thoughts below will help others. I've tried to keep this as simple and non-technical as possible.

When working inside large enterprises, you are not working on your infrastructure; you have very little control and you don't get admin rights to machines to set up as you like. Furthermore you have to adhere to a bewildering array of branding, security, legal, infrastructure, change control, project management and technical standards - which are often quoted but seldom found!

And, of course, you are running across a network - and that means that everything which DotNetNuke does has to be set against the backdrop of the identity in which it runs within that network.

If you are running DotNetNuke as a simple, low level 'brochure-ware' site using DNN authentication, it's simple. DNN will run quite happily in the context of the ASP.NET worker process doing what it needs to do inside its own server walls and never having to venture out into the big bad network.

However, what if we need to implement Active Directory authentication so users can manage DNN using their own familiar network accounts? Now the ASP.NET server account has to go and ask the Active Directory server ("AD") if Joe Bloggs is in AD (identification); if he is indeed Joe Bloggs (authentication); what his phone number and email address are (profile management) and what groups he belongs to (role management). Because the ASP.NET account is local and specific to only the server that DNN is installed on, we have to get someone else - that AD knows and trusts - to ask for us. We have to enable impersonation.

Enabling Impersonation

Impersonation is enabled two ways:

1) By adding the following element to the web.config file:

 <identity impersonate="true" />

This now means that when Joe Bloggs opens up our web page, DotNetNuke will run under the identity of Joe Bloggs. And because he is a network user, he can access Active Directory and so everything will work just fine - or so we think!

Alternatively, we could add to the web.config:

 <identity impersonate="true" username="svcUserName" password="P@ssw0rd" />

and actually specify the identity of the user that our DNN should run under instead of the user visiting the site. Rather than using an existing user account, for which the password may change or the user could leave the company (and then the site will simply stop working), we should go and ask the AD admins for a "service account". These are system-type user accounts whose passwords can NEVER be changed and which generally have a very low level of access inside the network (proxy servers, firewalls and AD read permissions), so they can't do much damage.

Most Enterprise service desks will prohibit you from adding the service account password in clear text inside the web.config, so you'll have to either encrypt the password or get the service account password added to the server registry and retrieve it through code. This is to stop site users (not network admins) who may have root access to the site from reading the service account details.

2) By code

The method I prefer: if our module needs to go out to other servers on the network, we add a routine to our code that impersonates a service account only within the context of that code or module function. This means we are not locked to the identity of the user set in the web.config. Generally I look up the proxy username and password stored under host settings, but the Active Directory authentication provider does it by storing this information in the module settings table and encrypting the password in the database.

The reality is that most DotNetNuke installations will simply set impersonate="true" without naming a service account, because of the extra effort of encrypting and retrieving passwords (the alternative being to blatantly expose the service account password in clear text).

Microsoft's MSDN library has lots of technical information on how to use impersonation and delegation in ASP.NET 2.0.

Implications of Impersonation
OK great - we've done what the manual says and we've got impersonation working. Job done? Actually no - now the fun starts when you start getting calls from users saying the file manager is broken, RSS feeds don't work and performance has gone up the pole. Ooops!

File Access
For simplicity's sake, assume we set impersonate="true" but have not specified a user account, so that DotNetNuke assumes the identity of the visiting user - Joe Bloggs.

If we impersonate Joe Bloggs and he tries to upload a file (or even read the folder contents) through the file manager, it will fail. This is because Joe Bloggs does not have specific read/write/delete file permissions on our web server. Firstly, who are we going to give permissions to? We certainly don't want to give the generic groups "All Users" or "Everyone" permissions because that means that anyone who did manage to get access to the server could cause havoc. Our best option is to give read/write/delete permissions to the "Authenticated Users" system role. Anyone accessing the server would have to be network authenticated first and my network admins tell me network users can't map a direct drive to the share because sharing has not been enabled. So I'm feeling a little more comfortable but I'm still a bit twitchy about giving delete permissions for DNN system files.

So what do we give "Authenticated Users" access to? In summary, I give Authenticated Users read/write/modify access to everything and delete permissions over the contents of the /portals folder.

I once fell into a trap where I initially just gave "Authenticated Users" permissions over the portals folder. Because I was the application owner and had been given full access to the share to set things up, I was able to install new modules, read pages (that were cached to file), use modules which write data to bizarre places (like Indogrid, which writes to the app_data folder) and so on, and everything worked fine for me. But of course, as soon as it went into production, the phone started to ring with users who had different permissions from me. In one instance, we had to extend permissions over the ASP.NET cache folder as well.

You also need to consider the implication of changing server permissions if you are working in a three stage DEV/TEST/Production environment - these server permissions have to be applied to all sites - and some support admins may have a problem with opening up permissions on a production site.
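To confirm which identity a request really hits the disk with, the following probe (added example code, not DNN's own; IdentityProbe, Report and CanCreateAndDelete are assumed names) reports the thread identity, whether impersonation is in effect, the ASP.NET principal, and whether that identity can create and delete a file under the portals folder. Call Report(Server.MapPath("~/Portals")) from a test page restricted to host users and compare the output for yourself and for an ordinary user.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class IdentityProbe
{
    // Which Windows identity is this request actually running under, and can it
    // create and delete a file under the portals folder?
    public static string Report(string portalsFolder)
    {
        var sb = new StringBuilder();
        WindowsIdentity wi = WindowsIdentity.GetCurrent();
        // ImpersonationLevel is None when the thread still carries the worker-process
        // token, i.e. impersonation is not in effect for this request.
        bool impersonating = wi.ImpersonationLevel != TokenImpersonationLevel.None;
        sb.AppendLine("Thread identity : " + wi.Name + " (" + wi.AuthenticationType + ")");
        sb.AppendLine("Impersonating   : " + impersonating);
        IPrincipal webUser = HttpContext.Current == null ? null : HttpContext.Current.User;
        string webName = webUser != null && webUser.Identity.IsAuthenticated
            ? webUser.Identity.Name : "(anonymous)";
        sb.AppendLine("ASP.NET user    : " + webName);
        sb.AppendLine("Portals write   : " + (CanCreateAndDelete(portalsFolder) ? "OK" : "DENIED"));
        return sb.ToString();
    }

    // Probe with a real file operation rather than reading the ACL: this runs under
    // the same token the file manager uses, so it fails exactly the way uploads do.
    public static bool CanCreateAndDelete(string folder)
    {
        string probe = Path.Combine(folder, "_probe_" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            File.WriteAllText(probe, "probe");
            File.Delete(probe);
            return true;
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (IOException) { return false; }
    }
}
```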

Databases
We've recently had to move into an enterprise environment where we had to use Integrated Security (i.e. a 'service account') to connect to a database server. For whatever reason, the Site admins could not set up a direct connection to the DB server so we had to use impersonation. This means we had to change the permission sets on the service account. And to make matters more complicated, the DB admin insisted on a separate service account for each of the three DEV/TEST/PROD databases. A mission to manage and co-ordinate. And then they complain that you can get hosted DNN out on the web for $50 per month!!!

RSS
If you are trying to access an RSS news feed from another web server on the network you are going to have a problem - even if you have enabled impersonation. The server that you are reading from will have to grant your impersonated user permissions to read its data. If you use a service account, it's easy for them to add. But they may not be so keen to open up Read access to "Authenticated Users" on their server. This is a difficult concept to explain to a user who is used to seamlessly accessing content across their intranet.

In Conclusion
I try to avoid impersonation like the plague and have written out of the DNN AD provider any calls that rely on impersonation. I stick to specific DirectoryEntry type searches where we can specify the service account and password stored in DNN. As systems integrators, it cuts down our work tremendously by avoiding all the red tape associated with requesting service accounts and permission changes on boxes.
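As an added illustration of the two routes this post contrasts (the scoped, code-level impersonation of section 2 and the DirectoryEntry-with-credentials approach preferred here), the following is example code, not DNN's or the AD provider's; ServiceAccountScope, AdLookup and the parameter names are assumed, the logon constants are the documented Win32 values, and where the service account credentials come from (the author keeps them encrypted in host settings) is left to the caller.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Scoped impersonation: the thread runs as the service account only while this
// object is alive; Dispose() restores the caller's identity, even on exceptions.
public sealed class ServiceAccountScope : IDisposable
{
    // NEW_CREDENTIALS + WINNT50: local resources still see the local identity, but
    // anything over the network (AD, shares, other servers) uses these credentials.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int provider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);
    private IntPtr _token;
    private WindowsImpersonationContext _context;

    public ServiceAccountScope(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out _token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        _context = new WindowsIdentity(_token).Impersonate();
    }
    public void Dispose()
    {
        if (_context != null) { _context.Undo(); _context = null; }
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}

public static class AdLookup
{
    // Escape the characters RFC 4515 reserves in filters, so a user-supplied account
    // name cannot change the shape of the LDAP query.
    public static string EscapeFilter(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
    // Option A (section 2 above): impersonate the service account for this call only.
    public static string FindEmailImpersonating(string domain, string svcUser,
                                                string svcPassword, string account)
    {
        using (new ServiceAccountScope(domain, svcUser, svcPassword))
        using (var root = new DirectoryEntry("LDAP://" + domain))
            return QueryMail(root, account);
    }
    // Option B (the route preferred in the conclusion): no impersonation at all;
    // hand the service account credentials straight to ADSI.
    public static string FindEmailWithCredentials(string domain, string svcUser,
                                                  string svcPassword, string account)
    {
        using (var root = new DirectoryEntry("LDAP://" + domain, domain + "\\" + svcUser,
                                             svcPassword, AuthenticationTypes.Secure))
            return QueryMail(root, account);
    }
    private static string QueryMail(DirectoryEntry root, string account)
    {
        string filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(account) + "))";
        using (var s = new DirectorySearcher(root, filter, new[] { "mail" }))
        {
            SearchResult hit = s.FindOne();
            return hit != null && hit.Properties["mail"].Count > 0
                ? (string)hit.Properties["mail"][0] : null;
        }
    }
}
```

Option B needs no NTFS or share permissions for the visiting user at all, which is exactly the red tape the conclusion is trying to avoid.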

If you do use impersonation, hopefully I've shared some of the issues you may encounter but might not have foreseen. Let me know your experiences.


70 comments:

  1. Very interesting and clear article. I was looking into using impersonation techniques on our sites but after reading this will stay clear.

    It was refreshing to read a technical article that is not full of jargon but explains principles clearly to technically-minded people who are capable of understanding the issues, but may not have the necessary background in this particular technical area.