Sunday, 15 September 2013

.NET - Encrypting and storing credentials in web.config and the Windows registry

Authentication in ASP with a stored password


1) Using plain text

<identity impersonate="true" userName="contoso\Jane" password="pass"/>


2) Using the Windows registry (aspnet_setreg)

userName="registry:HKLM\Software\AspNetIdentity,Name"
password="registry:HKLM\Software\AspNetIdentity,Password"
The credentials must be in REG_BINARY format, containing the output of a call to the Windows API function CryptProtectData. You can create the encrypted credentials and store them in the registry with the ASP.NET Set Registry console application (Aspnet_setreg.exe), which uses CryptProtectData to accomplish the encryption. To download Aspnet_setreg.exe, along with the Visual C++ source code and documentation, visit the Web site www.asp.net and search for "aspnet_setreg".
You should configure access to the key storing the encrypted credentials so that access is provided only to Administrators and SYSTEM. Because the key will be read by the ASP.NET process running as SYSTEM, you should set the following permissions:
Administrators:F
SYSTEM:F
CREATOR OWNER:F
ProcessAccount:R


3) Using web.config and encrypting the user name and password information

The Aspnet_regiis.exe tool (located in the %SystemRoot%\Microsoft.NET\Framework\versionNumber folder) includes options for encrypting and decrypting sections of a Web.config file, creating or deleting key containers, exporting and importing key container information, and managing access to a key container.
Once you have specified which provider to use, you can encrypt or decrypt the contents of the Web.config file for your application.

Use the -app option to identify the application for which the Web.config file will be encrypted and the -site option to identify which Web site the application is a part of. The Web site is identified using the site number from the Internet Information Services (IIS) metabase. You can retrieve the site number from the INSTANCE_META_PATH server variable in the ServerVariables collection. For example, when IIS is installed, a Web site named "Default Web Site" is created as site 1. In pages served from that site, the INSTANCE_META_PATH server variable returns "/LM/W3SVC/1". If you do not specify a -site option, site 1 is used.
To see all the possible server variables in IIS, place the following code into an Active Server Page, then browse to it:
<table BORDER="1">
<tr><th COLSPAN="2">ServerVariables</th></tr>
<%
' Write one row per server variable: name in the first cell, value in the second
Dim var
For Each var in Request.ServerVariables
    Call Response.Write("<TR>")
    Call Response.Write("<TD><B>" & var & "</B>:</TD>")
    Call Response.Write("<TD>" & Request.ServerVariables(var) _
      & "</TD>")
    Call Response.Write("</TR>")
Next
%>
</table>

Use the -prov option to identify the name of the ProtectedConfigurationProvider that will perform the encryption and decryption. If you do not specify a provider using the -prov option, the provider configured as the defaultProvider is used.

An example that encrypts the connectionStrings section of web.config:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

To decrypt:
aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"
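The same protection applied from code, as an added example that is not part of the original post: it uses the System.Configuration API with the RsaProtectedConfigurationProvider that aspnet_regiis -pe uses, and then reads the section back to confirm the application still sees plaintext values. It assumes the application is deployed at the virtual path "/SampleApplication" on site 1 and that the program runs with rights to write the Web.config and to use the machine-level RSA key container.

```csharp
// Added example, not code from the original post. Assumes the app lives at
// "/SampleApplication" on IIS site 1; reference System.Configuration and System.Web.
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectConnectionStrings
{
    const string Provider = "RsaProtectedConfigurationProvider";

    static void Main()
    {
        // Equivalent of: aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -site 1
        Configuration config = WebConfigurationManager.OpenWebConfiguration("/SampleApplication", "1");
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            // Already ciphertext on disk; report which provider protects it
            Console.WriteLine("connectionStrings is already protected by " +
                section.SectionInformation.ProtectionProvider.Name);
        }
        else
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;   // write the section even if nothing else changed
            config.Save(ConfigurationSaveMode.Full);
            Console.WriteLine("connectionStrings encrypted with " + Provider);
        }

        // Reads through the configuration API are decrypted transparently, so application
        // code needs no change; only the Web.config on disk holds ciphertext.
        ConnectionStringsSection cs = (ConnectionStringsSection)config.GetSection("connectionStrings");
        foreach (ConnectionStringSettings s in cs.ConnectionStrings)
        {
            // Print the length rather than the value so the secret does not end up in console logs
            Console.WriteLine(s.Name + " -> " + s.ConnectionString.Length + " plaintext characters");
        }
    }
}
```

The same section is reversed with `section.SectionInformation.UnprotectSection()` followed by `config.Save(...)`, which is what `aspnet_regiis -pd` does.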




For Microsoft CRM I use the following aspx to get the ServerVariables


<%@ Page language="vb" Inherits="Microsoft.Crm.Web.Loader" %>
<%@ Register TagPrefix="loc" Namespace="Microsoft.Crm.Application.Controls.Localization" Assembly="Microsoft.Crm.Application.Components.Application" %>
<%@ Register TagPrefix="cnt" Namespace="Microsoft.Crm.Application.Controls" Assembly="Microsoft.Crm.Application.Components.Application" %>
<%@ Import Namespace="Microsoft.Crm.Utility" %>
<%@ Import Namespace="Microsoft.Crm.Application.Pages.Common" %>
<html>
<body>
<table BORDER="1">
<tr><th COLSPAN="2">ServerVariables</th></tr>
<%
' Write one row per server variable: name in the first cell, value in the second
Dim var
For Each var in Request.ServerVariables
    Call Response.Write("<TR>")
    Call Response.Write("<TD><B>" & var & "</B>:</TD>")
    Call Response.Write("<TD>" & Request.ServerVariables(var) _
      & "</TD>")
    Call Response.Write("</TR>")
Next
%>
</table>
</body>
</html>
