I have a SharePoint 2013 WebService and want to use SSO (Single Sign On). The service has been deployed in IIS 15 hive and converted to an application.
Then I configured web.config
<authentication mode="Windows" />
<identity impersonate="false" />
Web Service is an asmx file
[ScriptService]
public class Services : WebService
{
    [WebMethod]
    public void DoAction() {
        ...
    }
}
So, now I'm logged in to Windows as a user (let's say sp\user1). When I run Internet Explorer (IE), IE should run under the same user credentials, and when accessing the web service this should also be executed as sp\user1, but there is always a Login Authentication Required window.
How can I achieve SSO and prevent extra login?
Environment: Win2008R2, IIS 7.5, SP2013, C#
Asked same question on sharepoint.stackexchange
You need to configure the SharePoint 2013 authentication provider to handle the Kerberos token. This can be done from the Central Administration of SharePoint. Also, your site must send the Kerberos token when requested by SharePoint during authentication.
This link will give a high-level idea about the Windows authentication (Kerberos) of SharePoint.
Also, refer http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/
I have created an ASP .NET Web Application with MVC and Authentication as Individual User Accounts.
I have populated the app with some controllers, actions and views. Some of them are [AllowAnonymous] and other [Authorize].
It works perfectly in IIS Express. I can create multiple accounts, log in, and see the pages I have access to.
When I deployed the app to my local IIS, the authentication stopped working. I can create accounts, but I can't log in. When I try to log in it only redirects me to the home page and I can't see the pages. When I try to use fake credentials it detects that they are incorrect.
I tried to fiddle around in the IIS settings but I don't know what to do.
Please, help me.
In IIS, for the site, search for the Authentication feature, enable Windows authentication and disable Anonymous.
You need to keep your application running with anonymous authentication instead of Windows authentication. Otherwise, your login page will get into an infinite loop.
Besides, are you trying to connect a LocalDB with the individual user accounts template in IIS?
Have you tried to set the application pool like this in applicationhost.config and remove "AttachDbFilename=....." from your web.config connection string? If I take the steps above, I can get both register and create to work in my IIS.
<add name="my app pool" autoStart="true">
<processModel identityType="ApplicationPoolIdentity" setProfileEnvironment="true" />
</add>
In my C# web application hosted in IIS I want to connect to my database with a technical user (an AD user) without any credentials in my web.config.
Moreover, my application communicates with a SharePoint library using Kerberos authentication.
My problem is I don't know how to do it.
Until now, the DB credentials were in the web.config and all worked perfectly, but for more security I have to remove the credentials from the web.config.
My IIS is configured with a technical user in the application pool, Kerberos is correctly configured and the IIS authentication is configured like this:
Could you please help me and tell me if it's possible, and if yes, how to do it.
Thanks a lot
If you use Windows authentication with impersonation in IIS to forward the Kerberos token to SharePoint, your web process is impersonated.
Your only options are:
use a SQL login and encrypt the connection string in web.config
use impersonation in C# and use cryptography and a secure location for your AD technical user's password.
I have created a web service using ASP.NET. My web service contains a web.config file, which stores security information for our Microsoft Dynamics Axapta AOS server: the username and password for Axapta authentication.
My web service calls a Dynamics Axapta web service and exchanges some data. I have deployed my ASP.NET web service to IIS 7.0, which is located in the DMZ zone. Now I have to give the web service address to a payment service. This payment service should only know the web service address and the methods of this web service. This is my first time developing such a service stored in IIS.
My questions are:
How do I need to configure IIS? (Authentication)
Which security tips do I need to follow?
What should I do to make my web.config file secure?
How do I need to allow this payment service to reach my local server?
Any suggestions and explanation will be a huge help to me, because I am a newbie to this topic.
Thanks a lot, sincerely, Ilkin.
Your IIS application pool should run as a custom account identity (like domain\svc-ax-payment-user). Then add this Active Directory user to the AX users and grant / add it to a role with the required access. In this scenario the password is saved securely in IIS.
Another option is to encrypt the password with a machine key (e.g. if your IIS server is not trusted in the AX domain).
aspnet_regiis.exe -pef "appSettings" C:\web_app_dir
Run this command as administrator.
Check How To: Encrypt Configuration Sections for more information.
You can also create your own Machine Key for your application. In this case your web.config is portable and not bound to one specific server.
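The two encryption options above (protect the section with a key tied to the machine, or with an exportable RSA key so the web.config stays portable) can also be applied from code, which is the same operation aspnet_regiis -pe / -pd performs. This is an added example, not code from the answer; "/MyApp" is an assumed IIS application path.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // DPAPI provider: the key lives on this machine, so the encrypted web.config only
    // decrypts on the server that encrypted it (the "machine key" case in the answer).
    public const string MachineProvider = "DataProtectionConfigurationProvider";
    // RSA provider: the key container can be exported/imported (aspnet_regiis -px / -pi),
    // so the same encrypted web.config works on several servers.
    public const string PortableProvider = "RsaProtectedConfigurationProvider";

    // Encrypts one section (e.g. "connectionStrings" or "appSettings") in place.
    // Returns false when the section was already protected.
    public static bool ProtectSection(string appPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath); // appPath assumed, e.g. "/MyApp"
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null) throw new ArgumentException("No section named " + sectionName);
        if (section.SectionInformation.IsProtected) return false;
        section.SectionInformation.ProtectSection(provider);
        config.Save(ConfigurationSaveMode.Modified); // web.config now holds <EncryptedData>, not plaintext
        return true;
    }

    // Reverse operation (aspnet_regiis -pd); only succeeds on a machine holding the key.
    public static bool UnprotectSection(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected) return false;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code is unchanged: the framework decrypts the section transparently
    // at run time, so the plaintext never has to be stored on disk.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

Run ProtectSection once from a deployment step under an account that can write the web.config; the application pool identity only needs access to the key container (aspnet_regiis -pa for the RSA provider).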
Scenario:
HTTPS ASP/ASP.NET website running on IIS 7.5 (Windows Server 2008)
IIS is currently configured to allow anonymous authentication and forms authentication; ASP.NET impersonation is disabled, while Windows authentication is not installed (I understand that Windows authentication needs to be installed for this.)
a single custom login page for both internal and external users
Requirement:
Internal users log in seamlessly while capturing their LOGON name (Windows authentication)
External users (not on the domain) should be prompted for a manual login
Questions:
What approach can be used to implement this?
Looking for the IIS 7.5 and web.config settings
Approaches Found:
make 2 pages within 1 website, winlogin and weblogin (front page). Allow Windows auth=true and anonymous auth=false on winlogin.aspx and vice versa on weblogin.aspx
a user with an IP hits weblogin; if the IP is known, redirect to winlogin to capture the logon, and redirect back to weblogin if the IP is unknown
have winlogin.aspx as the main page and redirect 401 errors to weblogin.aspx
This is how to configure IIS for integrated authentication.
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
This will make your site available for intranet users WITHOUT the prompt for credentials.
Note that this also works for web users. A built-in web browser window is displayed as a result of HTTP 401. A user provides his/her credentials and is in.
If you rather want to show your custom web form as a result of 401 (unauthorized), you'd have to trick the browser a little:
http://www.codeproject.com/Articles/11202/Redirecting-to-custom-401-page-when-quot-Access-de
This way you can redirect an unauthorized response to a web form of your choice (for example, to show an asp.net login form).
Although the integrated authentication can be easily configured, prepare for a lot of experiments when setting up your mixed (integrated/forms) authentication. Things change with every version of IIS; also IIS7 behaves differently if a pool is in classic vs integrated mode.
What is the difference between these two lines of web.config code
1.
<identity impersonate="true" />
2.
<identity impersonate="true" userName="MyUserName" password="MyPassword"/>
Where MyUserName and MyPassword are my Windows credentials. If you have IIS set up to use Windows credentials, shouldn't "1." pass in my Windows credentials and hence be the same as "2."?
My app is dying when I use "1" with an authentication error when trying to connect to my WCF service. There is obviously nothing wrong with the code in my service and the code that calls my service as "2" works just fine and passes the client credentials to my WCF service.
The IIS config for the website is set up for Windows authentication and the user it runs under is trusted for delegation.
So how can I get my windows credentials passed through without hard coding them?
What you're seeing is a problem with delegation. If you use
<identity impersonate="true" />
then what happens is your ASP.NET pages will run under the credentials of the user logged in (assuming Windows authentication). However, these credentials are not passed on to any calls made outside of your application, such as a connection to SQL or a connection to a WCF service. You need to use the credentials passed to ASP.NET and then use impersonation before calling your web service:
// Run the outbound WCF call under the authenticated caller's token rather than the app pool identity.
using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient();
    Response.Write(myService.GetData(123) + "<br/>");
    myService.Close();
}
There's more details on the WCF Security Patterns and Practices site.
If you read the MSDN page about the ASP.NET identity impersonation, you will notice that if the <identity> element does not include credentials, ASP.NET will impersonate the token passed to it by IIS, which can be either the identity of the request's authenticated user or the anonymous Internet user account (IUSR_machinename). Seems to me that in scenario 1. above ASP.NET is getting the anonymous user token, which would explain the failure. You can try disabling anonymous access to your web service to force the Windows authentication to kick in.
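The two answers above describe the two things that go wrong in scenario 1: the token ASP.NET receives may be the anonymous one, and even a real caller token only survives the second hop to WCF if it is a Kerberos token at delegation level. This added example (not code from either answer) checks both before impersonating around the outbound call; the WCF proxy from the question is stood in for by a delegate so the class compiles on its own.

```csharp
using System;
using System.Security.Principal;
using System.Web;

public static class SecondHop
{
    // True only when the request carries a Windows token that a downstream server may use.
    // Anonymous access (IUSR) gives no authenticated WindowsIdentity; NTLM, or Kerberos without
    // the app pool account being trusted for delegation, gives Impersonation level, which
    // authenticates locally but cannot be forwarded to WCF or SQL on another machine.
    public static bool CallerTokenCanDelegate(HttpContext ctx)
    {
        var caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated) return false;
        return caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Impersonates the authenticated caller only for the duration of the outbound call, then
    // reverts to the app pool identity. "invoke" stands in for the WCF proxy call (assumption).
    public static string CallServiceAsCaller(HttpContext ctx, Func<string> invoke)
    {
        var caller = ctx.User.Identity as WindowsIdentity;
        if (!CallerTokenCanDelegate(ctx))
            throw new InvalidOperationException(
                "Request token is " + (caller == null ? "anonymous" : caller.ImpersonationLevel.ToString())
                + "; disable anonymous access and configure Kerberos delegation for the app pool account.");

        string processIdentity = WindowsIdentity.GetCurrent().Name; // app pool account here
        using (caller.Impersonate())
        {
            // Inside the block the thread token is the caller's, so a WCF proxy created and
            // called here presents the caller's credentials (second hop) instead of the pool's.
            string callIdentity = WindowsIdentity.GetCurrent().Name;
            return invoke() + " [pool=" + processIdentity + ", called as=" + callIdentity + "]";
        }
    }
}
```

The diagnostic string makes the identity switch visible in a test page; drop it once delegation is confirmed working so account names are not echoed to clients.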