Monthly Archives: November 2005

Advanced Developers Conference

You can catch me in the next two days at ADC, Rosenheim. I am doing two talks: New security features in .NET 2.0 .NET RBAC and Authorization Manager thanks for attending! the demos I showed in the .NET 2.0 security … Continue reading

Posted in Uncategorized | Leave a comment

Cloned Machines and the DTC

Yesterday I spent three hours troubleshooting a distributed transaction problem – ASP.NET just gave me a E_FAIL – which was not very helpful. After testing the connection with DTCPing – I got the message that both machines have the same CID value (a GUID … Continue reading

Posted in Uncategorized | Leave a comment

ASP.NET Authorization Settings

A lot of people have asked me in the past why they need an explicit <deny user=”*” /> at the end of ASP.NET authorization control lists. Let’s demystify that. ASP.NET has a hierarchical configuration system. The root web.config is stored … Continue reading

Posted in Uncategorized | Leave a comment

Dinis is blogging again

Dinis Cruz, the man behind the .NET branch of OWASP has a new blog – and it looks like he has a lot to say :) http://owasp.net/blogs/dinis_cruz/default.aspx  

Posted in Uncategorized | Leave a comment

IIS6 and Client Certificates

Adding client certificate authentication to a web application can enable some interesting scenarios, e.g. multi-factor authentication (something you have: a certificate / something you know: a password) restrict access to an application to selected hardware where the cert is installed. You … Continue reading

Posted in Uncategorized | Leave a comment

ShowContexts – another update – I admit it

After finding this issue, I felt like I have to look at the different principals more granularly. It is now showing: authentication & impersonation configuration settings type of Membership and Role provider trust level type of current IPrincipal/IIdentity on Context.User type of current … Continue reading

Posted in Uncategorized | Leave a comment

Context.User vs. Thread.CurrentPrincipal

The whole .NET authentication/authorization infrastructure is centered around two interfaces: IIdentity (taking care of who the user is – authentication) and IPrincipal (coupling roles with the Identity – used for authorization). The designated place to store that information is Thread.CurrentPrincipal. … Continue reading

Posted in Uncategorized | Leave a comment