How can I prevent username and password from being displayed when my impersonation account is locked?

Developer https://www.devze.com 2023-04-13 05:45 Source: Internet
I'm currently hosting a web application written in VB.NET 4. The app uses impersonation which stores a username and password in the web.config. My problem is when the impersonate account is locked (which takes down the site), the site displays an error page with a stack trace revealing the username and password in clear text.

Custom error messages are set to off so I'm not sure why this is happening. I don't have the option of encrypting this portion of the web.config because we have a staging server that replicates to the production server, and the encryption keys are different on each server.

Entry in the web.config that is being displayed:

<identity impersonate="true" userName="test\myservice.account" password="123"/>
<machineKey validationKey="11111111" decryptionKey="222222222" validation="SHA1"/>


You stated that custom errors mode is off, which means you'll see web.config output. Set custom errors to true, specify the error page, and then you shouldn't see web.config output.


You should probably encrypt that portion of your configuration.

Encrypting Configuration Information Using Protected Configuration

or alternatively create a separate application pool for your site to run in and set the identity of the application pool.
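
A check for the settings discussed in this thread, as an added example that is not part of the original posts: it parses a web.config and flags a `customErrors` mode of `Off`, a cleartext `password` on `<identity>`, and literal `machineKey` values. The two sample configurations and the `audit_web_config` name are constructed for illustration, and `~/Error.aspx` is a hypothetical error page.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the entry quoted in the question.
EXPOSED = r"""
<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <identity impersonate="true" userName="test\myservice.account" password="123"/>
    <machineKey validationKey="11111111" decryptionKey="222222222" validation="SHA1"/>
  </system.web>
</configuration>
"""

# Constructed sample: custom error page enabled, no credentials in the file
# (assumes the service account is set as the application pool identity in IIS).
HARDENED = r"""
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx"/>
  </system.web>
</configuration>
"""

def audit_web_config(xml_text):
    """Return (element, finding) tuples for settings that can expose secrets."""
    web = ET.fromstring(xml_text).find("system.web")
    findings = []
    if web is None:
        return findings
    errors = web.find("customErrors")
    if errors is not None and errors.get("mode", "").lower() == "off":
        findings.append(("customErrors", "detailed error pages are sent to remote clients"))
    identity = web.find("identity")
    # A section encrypted with Protected Configuration has no password attribute.
    if identity is not None and identity.get("password") is not None:
        findings.append(("identity", "cleartext password attribute"))
    key = web.find("machineKey")
    if key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = key.get(attr, "")
            # "AutoGenerate..." means no key material is stored in the file.
            if value and not value.startswith("AutoGenerate"):
                findings.append(("machineKey", f"literal {attr} stored in cleartext"))
    return findings

if __name__ == "__main__":
    for element, finding in audit_web_config(EXPOSED):
        print(f"{element}: {finding}")
```
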
