In my C# web application hosted in IIS I want to connect to my database with a technical user without any credentials in my web.config (a user AD).
Moreover, my application communicate with a Sharepoint library with a kerberos authentication.
schema
My problem is I don't know how to do it.
Until now, the DB credentials were in the web.config and all worked perfectly but for more security I have to remove credentials from the web.config.
My IIS is configured with a technical user in the application pool, kerberos is correctly configured and the IIS authentication is configured like this:
enter image description here
Could you please help me and say me if it's possible, if yes how to do that.
Thank's a lot
If you use Win Auth with impersonation in IIS to forward the Kerberos token to SharePoint your web process is impersonated.
Your only options are:
use a sql login and encrypt the conneciton string in web.config
use impersonation in C# and use cryptography and a secure Location for
your AD tech. user password.
Related
We have developed a product which is a web application. While configuring it in IIS, we disable all the authentication modes except Windows authentication (app works on Windows authentication only).
We create a service account and provide admin access to that account on all the servers, and on database servers.
We configure the connection string in web.config with username and password of that service account. Everything was working fine till now.
We received a new requirement which says, no service account will be created and individual users will be granted database access. We have to configure our application in such a way that Windows credentials are used to access the app gets passed to SQL Server. Reason for this change: we can log the user accessing the database.
I set Integrated Security=SSPI in the connection string and tried with different App Pool Identity but to no avail.
We are even ready to change the code if same is required to achieve the functionality.
Can someone please help me what am I missing, or how it can be achieved? Please let me know if more information is required and I will be happy to provide the same.
App server and database server are on the same domain and network but different machines. Users accessing the application will be on the same domain and network. This is a intranet based application.
You need to enable and configure constrained delegation. Follow this document: How to Implement Kerberos Constrained Delegation with SQL Server. Your app pool need to be configured to impersonate, see Using IIS Authentication with ASP.NET Impersonation.
Also this will be a hop scenario so you will have to enable delegation for the IIS server and if you intend to pass user credentials then you need to enable delegation for the user accounts too. You can use the tool delegconfig to troubleshoot this.
I have created a web service using ASP .Net. My web service contains a web config file, which stores security information of our Microsoft Dynamics Axapta AOS server, username and password for Axapta authentication.
My web service calls a Dynamics Axapta web service and exchanges some data. I have deployed my ASP .Net web service to IIS 7.0 which is located in DMZ zone. Now i have to give web service address to a payment service. This payment service should only know the web service address and the methods of this web service. This is my first time, i am developing such a service stored in IIS:
My question is:
How i need to configure IIS? (Authentication)
Which security tips i need to follow?
What should i do, to make my web config file to be secure?
How i need to allow this payment service to my local server?
Any suggestions and explanation will be huge help to me, because i am newbie to this topic.
Thanks a lot, sincerely, Ilkin.
Your IIS Application Pool should run as custom account identity (like domain\svc-ax-payment-user). Then add this Active Directory user to AX users and grant / add it to role with access to required roles. In this scenario password is saved securely in IIS.
Another option is to encrypt password with machine key (eg. your IIS server is not trusted in AX domain).
aspnet_regiis.exe -pef "appSettings" C:\web_app_dir
Run this command as administrator.
Check How To: Encrypt Configuration Sections for more information.
You can also create your own Machine Key for your application. In this case your web.config is portable and not bound to one specific server.
I have web application which needs to access user mail box using EWS.
I am having trouble implementing impersontation.
If I impersonate my application in IIS or do run time impersonation and browser through localhost it works fine, however neither impersonation (using IIS config or runtime) works when i browse my application using IP.
I have tried Basic Authenticatio/Anonymous Authentication along with windows auth but failed to get it working. I tried my app to use either/both NTLM and Kerberos.
Ideal configuration for my app is only windows authentication on NTLM.
Please help if someone has faced this issue.
App should run for a account, but should impersonate user when needed to access his/her mailbox. I am running .net 4.5 on IIS 7.5
What you are seeing is the server double-hop authentication issue. By default Windows does not allow the user's credentials to be delegated from the web server running your ASP.NET site to your Exchange server. It works locally because there is only a single server hop as you are logged in to the machine running the ASP.NET site.
Kerberos is the way to go to make it work. You have to set your web server up to be trusted for delegation. I have no idea how to actually do this but this SO question may help you:
How can I fix the Kerberos double-hop issue?
I'm configuring an ADFS Server and are trying to achieve user-friendly sign-on for our relying party applications.
Currently there are two relevant options as far as I know:
Windows authentication: this works great as a single-sign-on provider, but provides a user-unfriendly pop-up if the user is not currently in the correct windows domain.
Forms Authentication: this will always ask for a login method regardless of where the user is coming from.
My question here is, is it possible to satsify these requirements:
If the user is logged in with the windows account, provide SSO
Otherwise, display the forms login page and let the user enter his windows credentials.
Generically speaking, there is no programatic way of detecting if the user is on the domain or not from a website. Because the moment your site is configured with Windows Auth (and disable Anonymous), an ntlm challenge is sent to the browser and the credentials prompt popup if you are not in the domain.
https://serverfault.com/questions/380302/can-i-detect-authenticated-domain-users-in-iis-asp-net-without-prompting-every
The way you achieve that is with DNS and that's what ADFS recommends by introducing the proxy role. You will have the internal DNS resolving login.yourcompany.com to the internal ADFS which has windows auth enabled and the external DNS resolving login.yourcompany.com to the proxy ADFS role which has forms auth enabled. So you need another server hosted on the DMZ so users outside the network/domain can reach it.
There is no way to do this with a single ADFS server unless you do some hack (i.e. not supported) having an artificial website on the same ADFS server bound to the external IP and that website has a redirect to "/adfs/ls/forms"
More info about proxy and its setup
http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
Matias
You may find it interesting, directing to form authentication or integrated authentication based on the user-agent string informed by the browser: https://blogs.ncl.ac.uk/isg/?p=296
Ok, I have looked around and could not find a solution to this problem. I have an ASP.NET web application that is using Windows Authentication.
I have a public web services that I use for an iPad App I have developed. For security reasons all of my Web Services requires a header with login information.
Right now, I have a separate database that I authenticate users from. Its a built in authentication for when my application is installed using Forms Authentication.
What I would like to do is when the user on the iPad logs into the system, it passes the Login and Password to the Web Service in the hearder... which it does now.
But, how can I Authenticate that User and Password against the Active Directory to make sure the user has access?
Thannks,
Cory
But, how can I Authenticate that User and Password against the Active
Directory to make sure the user has access?
That's straightforward in c#: Validate a username and password against Active Directory?
More AD tasks in c# (including authentication)
Right now, I have a separate database that I authenticate users from.
Its a built in authentication for when my application is installed
using Forms Authentication.
Based on this statement, it sounds like you have a database of credentials which duplicates credentials in AD? If that's the case, not sure that's a good idea.
And/or it also sounds like credentials which match those in AD are being passed around (possibly in plain text?) This might be a business requirement, but I would recommend that all communication is done over SSL and that the AD accounts belong to a domain setup specifically for this purpose that is not trusted (or only partially trusted) by the rest of the network.