Monthly Archives: November 2005

Advanced Developers Conference

You can catch me in the next two days at ADC, Rosenheim. I am doing two talks: New security features in .NET 2.0; .NET RBAC and Authorization Manager. Thanks for attending! The demos I showed in the .NET 2.0 security … Continue reading

Posted in Uncategorized | Leave a comment

Cloned Machines and the DTC

Yesterday I spent three hours troubleshooting a distributed transaction problem – ASP.NET just gave me an E_FAIL – which was not very helpful. After testing the connection with DTCPing – I got the message that both machines have the same CID value (a GUID … Continue reading


ASP.NET Authorization Settings

A lot of people have asked me in the past why they need an explicit <deny users="*" /> at the end of ASP.NET authorization control lists. Let’s demystify that. ASP.NET has a hierarchical configuration system. The root web.config is stored … Continue reading


Dinis is blogging again

Dinis Cruz, the man behind the .NET branch of OWASP, has a new blog – and it looks like he has a lot to say :) http://owasp.net/blogs/dinis_cruz/default.aspx


IIS6 and Client Certificates

Adding client certificate authentication to a web application can enable some interesting scenarios, e.g. multi-factor authentication (something you have: a certificate / something you know: a password); restrict access to an application to selected hardware where the cert is installed. You … Continue reading


ShowContexts – another update – I admit it

After finding this issue, I felt like I had to look at the different principals more granularly. It is now showing: authentication & impersonation configuration settings; type of Membership and Role provider; trust level; type of current IPrincipal/IIdentity on Context.User; type of current … Continue reading


Context.User vs. Thread.CurrentPrincipal

The whole .NET authentication/authorization infrastructure is centered around two interfaces: IIdentity (taking care of who the user is – authentication) and IPrincipal (coupling roles with the Identity – used for authorization). The designated place to store that information is Thread.CurrentPrincipal. … Continue reading


ShowContexts – final update

Hopefully the final update – now it shows: authentication & impersonation configuration settings; type of Membership and Role provider; type of current IPrincipal/IIdentity on Context.User; process identity; thread identity (if impersonating); Context.User IIS authentication outcome used by FileAuthorizationModule; client certificate … Continue reading


CrypterPK – RTM Version

Final update – this tool shows how to encrypt/sign files using certificates. Updated to RTM. CrypterPK_RTM.zip (15.45 KB)  


Tracing System.Net

Often, the last secret weapon you have when troubleshooting networked applications is a packet sniffer. If you ever need one, don’t bother looking around, grab a copy of Ethereal. But there are also situations where sniffing is not easily possible, … Continue reading
