Log from #csharp at freenode 2006-07-04
[12:58]<sdnffdxdlld>yeah you dont want UTF
[12:58]<sdnffdxdlld>you want the ascii encoding
[12:58]<rwyfcygs>Try the ASCIIEncoding class
[12:58]<ddx>Encoding.Convert(Encoding.ASCII, Encoding.UTF32, chunk);
[12:59]<ddx>or is Convert not static? eheh
[12:59]<fjfyvr>I can't find how to get running processes through WMI ):
[12:59]<ddx>I havent msdn'd it yet
[12:59]<sdnffdxdlld>Encoding.ASCII.GetBytes(string)
[12:59]<ddx>lemme look at something..
[13:00]<sdnffdxdlld>pass each split string and it'll chuck out the single byte values for each char
[13:00]<sdnffdxdlld>as a byte[]
[13:00]<ddx>yes that's what I just tried, brilliant
[13:00]<sdnffdxdlld>:)
[13:01]<zyccus>application can now see all the printers that the user sees (via control panel)
[13:01]<zyccus>but... if the user logs off and logs on as someone else, the application can't see those printers anymore
[13:02]<zyccus>only Microsoft Document Image Writer or whatever it's called
[13:02]<mjzymygo>does the newer user have permissions against the printers?
[13:02]<mjzymygo>oh... which authentication method are you using?
[13:02]<zyccus>they have the same printer list as the user the app runs as
[13:02]<zyccus>anonymous
[13:03]<mjzymygo>not forms auth? or windows auth?
[13:03]<mjzymygo>(in the ASP.NET app for kerberos)
[13:03]<zyccus>no, anon
[13:03]<mjzymygo>then thats the issue
[13:03]<mjzymygo>IIS is holding on to the old security token.
[13:03]<mjzymygo>you need to trash it
[13:03]<zyccus>this works fine everywhere else
[13:03]<mjzymygo>You shoulda used forms auth
[13:04]<zyccus>with respect: rubbish
[13:04]<mjzymygo>or windows auth if the app is LAN based
[13:04]<zyccus>authentication has nothing to do with this
[13:04]<mjzymygo>It's a permissions issue
[13:04]<mjzymygo>which *is* to do with authorisation.
[13:05]<mjzymygo>I *have* encountered this before
[13:05]<mjzymygo>think what you will.
[13:05]<zyccus>ok, ok...
[13:05]<mjzymygo></endhelp>
[13:05]<zyccus>but authentication and impersonation are two entirely separate issues
[13:06]<mjzymygo>yes, but the impersonated individual still undergoes the authorisation process.
[13:06]<rwyfcygs>Not impersonating the anonymous user, are you??
[13:06]<mjzymygo>anon is based within IIS.
[13:06]<zyccus>no, impersonating a real user
[13:07]<zyccus>user goes to Login.aspx and logs in
[13:07]<mjzymygo>If the app is LAN based you shouldn't be using anon authorisation, ESPECIALLY when the app needs access to OS based services
[13:07]<zyccus>what should I be using then?
[13:07]<mjzymygo>Windows Authentication.
[13:07]<zyccus>and it isn't necessarily LAN-based - it's also Internet based
[13:07]<zyccus>so windows auth isn't much use
[13:08]<mjzymygo>You can still create an anon user within windows. but WAN based stuff should never have access to stuff like printers
[13:08]<zyccus>but the fact that the application impersonates a local user is what allows it to see printers... which is what works everywhere else
[13:08]<mjzymygo>it's a glaring security hole is what it is.
[13:08]<zyccus>um... you have to log in to print anything
[13:08]<zyccus>where's the hole?
[13:08]<rwyfcygs>Denial of Paper Attack!
[13:09]<mjzymygo>clear text logins are sent
[13:09]<zyccus>Moridin8: not if you're using SSL
[13:09]<mjzymygo>someone sniffs it on the local sub domain
[13:09]<mjzymygo>ever heard of certificate spoofing based off specific sniffs?
[13:09]<mjzymygo>(LAN sub domain only)
[13:10]<mjzymygo>either way, thats beyond topic
[13:10]<mjzymygo>If you're using anon, the IIS is handling the kerberos token for the security
[13:11]<mjzymygo>IIS doesn't automatically release it after the user logs out of the site.
[13:11]<mjzymygo>the application can retain the token during its lifetime... you have no control over it.
[13:11]<mjzymygo>with Windows authentication you do...
[13:11]<mjzymygo>unless you want to mess with manual impersonation.
[13:12]<zyccus>right... but this is authentication, which is what lets you have access to the application in the first place - it doesn't affect which printers you see
[13:12]<mjzymygo>which if in your circumstances it sounds like you need the anon for WAN functionality.
[13:12]<mjzymygo>so I suggest you look into manual impersonation.
[13:12]<zyccus>which is what I do...
[13:13]<zyccus>and which works beautifully on several dozen installations on various OSes
[13:13]<mjzymygo>then the OS/IIS or your app is caching security tokens somewhere.
[13:13]<mjzymygo>There are some settings in COM+ that will do that.
[13:13]<zyccus>I see
[13:14]<rwyfcygs>I don't suppose this one has some different security config? Maybe someone ran BSA on it ....
[13:14]<zyccus>awilkins: perhaps they did
[13:14]<zyccus>it's a client
[13:14]<zyccus>but I think that's a bit beyond them
[13:14]<mjzymygo>Security token caching is common on busy domains
[13:14]<mjzymygo>the only way to trash it is to log off and log back on.
[13:15]<mjzymygo>(the OS that is)
[13:15]<mjzymygo>but it also depends on the domain policy
[13:15]<zyccus>right...
[13:15]<rwyfcygs>You would not believe the weird crap that you can configure with COM and security. Or maybe you've encountered how horrible it is to get full-trip debugging going on VB6 / IIS / ASP pages?
[13:15]<mjzymygo>so even that doesn't always work on the HUGE systems sometimes
[13:15]<zyccus>dunno, never done ASP - looked at VBScript .ASP pages and screamed
[13:15]<mjzymygo>So I would say its a security policy
[13:15]<rwyfcygs>I only ever got it to work once... alas, had a drive crash and never got it working again.....
[13:16]<mjzymygo>awilkins: yeh, that was a nightmare to set up... *bad memories*
[13:18]<mjzymygo>rikkus: trust me, there is. the impersonated user is just that, a temporary impersonation.
[13:18]<zyccus>yes, I know there are differences
[13:18]<mjzymygo>the OS itself still runs under the policy of the logged in user.
[13:18]<zyccus>I'm just trying to guess what's done differently w.r.t. mapping the printer
[13:18]<zyccus>s
[13:18]<mjzymygo>It sounds like someone at your clients might have run one of those off the shelf policy templates.
[13:19]<zyccus>one thing that's different is that if you use COM, you're not impersonating any more
[13:19]<zyccus>I'll ask them about that
[13:19]<mjzymygo>if it is, don't expect them to alter it.
[13:20]<mjzymygo>because I doubt they will without a large report and risk analysis signed in triplicate, lost, found and re-requested ;)
[13:22]<zyccus>hmm it's just a desktop XP machine they're using
[13:22]<mjzymygo>is it part of a domain?







