Impersonate User in ASP.Net Core Web Api - c#

I am planning a public Web Api in ASP.Net Core. Also there is a database connected and sign on is planned as well.
There is a connection from my application to the database open using Integrated Security=True;. Is it possible to connect to the database using a different user (from Active Directory)? Not the one under which the application is running, but any other user from Active Directory.
My understanding is:
The application runs as a certain user. Integrated Security=True; will open a connection as that user -> Not possible.
Impersonation of another user requires the app to have elevated rights and know the password from that user -> Not an option.
Doing it without a password means the application's rights have to be elevated to the highest possible -> not an option.
So is there any way to connect to the database as a certain user from our AD? I have the feeling it's not possible.
Thank you!

Is that MSDN Article what you are looking for?
ASP.NET Core doesn't implement impersonation. Apps run with the app's
identity for all requests, using app pool or process identity. If the
app should perform an action on behalf of a user, use
WindowsIdentity.RunImpersonated in a terminal inline middleware in
Startup.Configure. Run a single action in this context and then close
the context.
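
The impersonation pattern quoted above, applied to the database question, as an added example that is not part of the original answer: a terminal inline middleware opens one SQL Server connection under the caller's Windows token and reports which login the server saw. The server and database names are hypothetical, and the Negotiate authentication handler, Microsoft.Data.SqlClient and the web SDK's implicit usings are assumed.

```csharp
// Added example (not from the original answer). Program.cs, ASP.NET Core 6+ on Windows.
// Assumed packages: Microsoft.AspNetCore.Authentication.Negotiate, Microsoft.Data.SqlClient.
using System.Security.Principal;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
// Reject anonymous callers so every request carries a Windows identity.
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical server and database. Integrated Security uses the current thread's
// token, and ADO.NET keeps a separate connection pool per Windows identity.
const string ConnectionString =
    "Server=sql.example.internal;Database=AppDb;Integrated Security=True;Encrypt=True";

// Terminal inline middleware: nothing runs after it, so the impersonation scope
// cannot leak into later pipeline components.
app.Run(async context =>
{
    if (context.User.Identity is not WindowsIdentity caller)
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }

    // Identity of the worker process (app pool or service account).
    string processAccount = WindowsIdentity.GetCurrent().Name;

    // One action under the caller's token; the thread reverts when the delegate returns.
    string sqlLogin = WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
    {
        using var connection = new SqlConnection(ConnectionString);
        connection.Open();
        using var command = new SqlCommand("SELECT SUSER_SNAME();", connection);
        return command.ExecuteScalar() as string ?? "(unknown)";
    });

    await context.Response.WriteAsync(
        $"process: {processAccount}\ncaller: {caller.Name}\nSQL Server login: {sqlLogin}\n");
});

app.Run();
```

When SQL Server runs on a different machine than the web app, the impersonated connection is a second hop and only succeeds if Kerberos delegation is configured for the app's account; without it the login fails even though impersonation itself worked.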

Related

Entity Framework Core and Windows authentication on IIS Server

I'm trying to use, for the first time, Windows authentication on my ASP.NET Core 3.1 MVC site to connect to SQL Server using EF Core.
Locally everything is ok (using IIS Express), but on the server, something goes wrong.
My site has "hi,<myDomain/myAccount>!" on the top right of the page, and it is correct, but when I request a page with database query, I get this error:
SqlException: Login failed for user 'MyDomain\MyServerName$'
Why? How do I configure EF Core connection string?
Update:
I can't use form authentication
I don't have a user list table
I can use impersonation (WinAuth? active dir?)
Every user(more can login to site has the access to the sql database
I can change some IIS Server settings
This is the first time I use the winAuth (auto configured by Visual Studio create project tool => with Windows authentication)
"what kind of user is the app pool running under?" I don't know, the default one I think
This is likely an issue having to do with the credentials running the app pool in IIS, and the access rights those particular credentials have. You say you are NOT using impersonation, in which case the request to SQL Server from your app running on IIS needs to be made using a system account that has proper database access. A system account being a singleton account that only exists to run as the "Application Pool Identity" for the app in IIS.
On IIS on your server, what kind of user is the app pool running under? In most cases with Windows Authentication, you want to use a system account of some kind to run the app pool and then give that system account access to the database. If you don't want to use a system account, you would have to use impersonation, and then use an AD Group to give the impersonated users access to the SQL Server Database.
Since you're saying the request to SQL server is coming across as DOMAIN\SERVERNAME, you likely need to change that setting in IIS to set the request to come from a system account, and then give that system account explicit access to the SQL Server database.
You can change this by adjusting your Advanced Settings in IIS and inputting the information (Username/PW) of the account you want to run the app under or "as" in IIS.
Then, add this same DOMAIN\USERNAME account to the Database as a user who can Read/Write/Delete etc. You could also simply add the DOMAIN\SERVERNAME that is being denied in its request to the database here, if you don't want to use a custom system account.
As for "How to configure EFCore connection string?", this is usually done in the Startup.cs file. There you can input a connection string from your appsettings.json directly with the .UseSqlServer(connectionstring) method.
You access the connection string using Configuration.GetConnectionString("KEY").
Once configured there, you don't need to configure it again (unless perhaps to change from dev/qa/prod environments).

Is it possible for a C#/VC++ application running in System context to access user context for NTLM/Kerberos authentication?

I have a windows application that needs to run in system context. And it needs to authenticate to a proxy for internet access.
Limitations are: 1) Cannot ask user for credentials as it is not a user-facing application and basic authentication is not a preferred option as well 2) using computer identity for authentication may not be an option as it depends on individual enterprise configuration.
If I want to use Integrated Windows Authentication (for NTLM/Kerberos) to leverage the context of the already logged on user, is there a way the application running in system context can switch to user context? Or is there any other cleaner way for an application running in system context to authenticate to the proxy?

Send User Identity to SQL for login

We have developed a product which is a web application. While configuring it in IIS, we disable all the authentication modes except Windows authentication (app works on Windows authentication only).
We create a service account and provide admin access to that account on all the servers, and on database servers.
We configure the connection string in web.config with username and password of that service account. Everything was working fine till now.
We received a new requirement which says no service account will be created and individual users will be granted database access. We have to configure our application in such a way that the Windows credentials used to access the app get passed to SQL Server. Reason for this change: we can log the user accessing the database.
I set Integrated Security=SSPI in the connection string and tried with different App Pool Identity but to no avail.
We are even ready to change the code if same is required to achieve the functionality.
Can someone please help me what am I missing, or how it can be achieved? Please let me know if more information is required and I will be happy to provide the same.
App server and database server are on the same domain and network but different machines. Users accessing the application will be on the same domain and network. This is an intranet-based application.
You need to enable and configure constrained delegation. Follow this document: How to Implement Kerberos Constrained Delegation with SQL Server. Your app pool needs to be configured to impersonate, see Using IIS Authentication with ASP.NET Impersonation.
Also this will be a hop scenario so you will have to enable delegation for the IIS server and if you intend to pass user credentials then you need to enable delegation for the user accounts too. You can use the tool delegconfig to troubleshoot this.

Using Active Directory Membership Provider prompts with Windows Security popup then my login.aspx so I have to login twice

I have a deployed application that is using the Active Directory Membership Provider in order to authenticate users to our domain on an extranet. The application is using the .NET 3.5 framework. If you run the application locally it goes straight to the login page. But if you run the application from its deployed location on the server it first prompts with a Windows Security login prompt and after logging in, you are taken to the login page where you must login again. Why is this?
Your web application seems to be configured to use Active Directory Authentication (and doesn't allow anonymous access). Your users internally are already logged on to the domain and so IIS simply lets them past.
Your login.aspx page is protected by IIS so that you must be a member of the domain in order to even see the login.aspx page. This is a configuration issue in IIS and has very little to do with asp.net or C#.
If you are using forms authentication, you should be able to allow anonymous authentication in IIS and handle authentication using Forms only. However, this entirely depends on the web app and enabling anonymous access may inadvertently expose information you didn't intend to be publicly accessible.
Without knowing more about your application it's difficult to offer any more advice. Good luck.

Use a Web Service to Run SQL queries for a Windows Forms Client

I need to use a Windows application running on remote clients that will connect to a web service. The web service will access an SQL database to verify users and roles, and perform other tasks. I am using ASP.NET Membership to manage the users and roles. I have ASP.NET Membership and the web service working on the development machine. I have a Windows client with a service reference that works when I access methods that do not access the database, but when I try to access a service method that accesses a database method I get "The user is not associated with a trusted SQL Server connection." I get various permissions errors depending on what I try to fix this, but this is the gist. I don't want the Windows client to need DB permissions. I want it to send a user name and password to the web service, then the web service wraps Membership.ValidateUser(userName, password).
Can someone tell me how to set this up?
You should consider setting up SQL Server to use SQL and Windows Authentication (mixed mode). It's most likely running in Windows Authentication mode only. You can take a look at this link to get started.
It sounds like, by the way you have it designed, you would have to set up an account for each user. In my experience it's best to just create a specific SQL account with the necessary permissions, and have each client use that account. You could specify this in the connection string.
Assuming you have named pipes authentication enabled in SQL, your SQL connection string in your ASP.NET application could be configured to use integrated security (Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;). Then in SSMS, give the appropriate ASP.NET user privileges to the database. The user that IIS uses depends on what version of IIS you're running, and can be seen in the App Pool configuration for the server in question.
