I have created a web service using ASP .Net. My web service contains a web config file, which stores security information of our Microsoft Dynamics Axapta AOS server, username and password for Axapta authentication.
My web service calls a Dynamics Axapta web service and exchanges some data. I have deployed my ASP .Net web service to IIS 7.0 which is located in DMZ zone. Now i have to give web service address to a payment service. This payment service should only know the web service address and the methods of this web service. This is my first time, i am developing such a service stored in IIS:
My question is:
How i need to configure IIS? (Authentication)
Which security tips i need to follow?
What should i do, to make my web config file to be secure?
How i need to allow this payment service to my local server?
Any suggestions and explanation will be huge help to me, because i am newbie to this topic.
Thanks a lot, sincerely, Ilkin.
Your IIS Application Pool should run as custom account identity (like domain\svc-ax-payment-user). Then add this Active Directory user to AX users and grant / add it to role with access to required roles. In this scenario password is saved securely in IIS.
Another option is to encrypt password with machine key (eg. your IIS server is not trusted in AX domain).
aspnet_regiis.exe -pef "appSettings" C:\web_app_dir
Run this command as administrator.
Check How To: Encrypt Configuration Sections for more information.
You can also create your own Machine Key for your application. In this case your web.config is portable and not bound to one specific server.
Related
We offer services to help local business to gather more reviews on platforms like Google or Facebook. Each customer has a kind of own site, hosted by us. But technically it runs on one Azure Web App. Each customer has for example a url like following: https://portal.your-voting.com/freds-bike-shop. We want go give our customers the opportunity to configure their own domain in the backend. For example : https://review.freds-bike.shop. Also the SSL certificate from Let's Encript for Azure should work with the custom domain.
How do i programmatically add custom domains for my azure web app?
How do i automatically get and install the Let's Encript certificates for the customer domains?
At the moment we use the Let's Encript Site Extension and C# als programming Language.
How do i programmatically add custom domains for my azure web app?
You could leverage Azure Management Libraries for .NET and follow Getting Started with App - Manage Web App With Domain Ssl - in .Net for binding a custom domain name to the Web App as follows:
app1.Update()
.DefineHostnameBinding()
.WithThirdPartyDomain("{yourdomain.com}")
.WithSubDomain("{your-subdomain}")
.WithDnsRecordType(CustomHostNameDnsRecordType.CName)
.Attach()
.Apply();
How do i automatically get and install the Let's Encrypt certificates for the customer domains?
Here is a similar approach for using powershell automation for azure web app with Let's Encrypt certificate, details you could here about the CreateLetsEncryptWebApp.ps1 with the following steps:
a) create an Azure Web App
b) generate a certificate from Let's Encrypt
c) bind the certificate to the Web App with a custom domain name
For using Let's Encript Site Extension, you need to register an Azure AD app and configure the relevant Web App settings, details you could follow here.
In my C# web application hosted in IIS I want to connect to my database with a technical user without any credentials in my web.config (a user AD).
Moreover, my application communicate with a Sharepoint library with a kerberos authentication.
schema
My problem is I don't know how to do it.
Until now, the DB credentials were in the web.config and all worked perfectly but for more security I have to remove credentials from the web.config.
My IIS is configured with a technical user in the application pool, kerberos is correctly configured and the IIS authentication is configured like this:
enter image description here
Could you please help me and say me if it's possible, if yes how to do that.
Thank's a lot
If you use Win Auth with impersonation in IIS to forward the Kerberos token to SharePoint your web process is impersonated.
Your only options are:
use a sql login and encrypt the conneciton string in web.config
use impersonation in C# and use cryptography and a secure Location for
your AD tech. user password.
I have two questions related with using of machine key IIS.
I've generated machine key using IIS and applied it to both my web applications. The first web application (oauth provider) grants access token and I want to apply granted access token to second web application (service provider). If I generate machine key and apply it to both web application should service provider accept access token issued by oauth provider (oauth provider and resource provider are hosted on the same IIS as different web application)?
I have an issue with authorization on service provider using access token.
Maybe I have issue with Windows Registry?
If I generate machine keys on remote IIS, can I use it for my web applications that are run from IIS Express on my local machine?
We have developed a product which is a web application. While configuring it in IIS, we disable all the authentication modes except Windows authentication (app works on Windows authentication only).
We create a service account and provide admin access to that account on all the servers, and on database servers.
We configure the connection string in web.config with username and password of that service account. Everything was working fine till now.
We received a new requirement which says, no service account will be created and individual users will be granted database access. We have to configure our application in such a way that Windows credentials are used to access the app gets passed to SQL Server. Reason for this change: we can log the user accessing the database.
I set Integrated Security=SSPI in the connection string and tried with different App Pool Identity but to no avail.
We are even ready to change the code if same is required to achieve the functionality.
Can someone please help me what am I missing, or how it can be achieved? Please let me know if more information is required and I will be happy to provide the same.
App server and database server are on the same domain and network but different machines. Users accessing the application will be on the same domain and network. This is a intranet based application.
You need to enable and configure constrained delegation. Follow this document: How to Implement Kerberos Constrained Delegation with SQL Server. Your app pool need to be configured to impersonate, see Using IIS Authentication with ASP.NET Impersonation.
Also this will be a hop scenario so you will have to enable delegation for the IIS server and if you intend to pass user credentials then you need to enable delegation for the user accounts too. You can use the tool delegconfig to troubleshoot this.
I have a ClickOnce application that is installed from the web, configured as a Full Trust application. The application accesses a web service from a different host than the install URL.
If I understand this correctly, the application should not be able to access the web service:
Web Install: Can only access the Web server from which the application was installed.
If your ClickOnce application cannot access a Web server because of security restrictions, the application must assert WebPermission for that Web site. For more information about increasing security permissions for a ClickOnce application, see Securing ClickOnce Applications.
I've been able to install the application on several machines with no issues. Am I misinterpreting the statement above? Or am I not running into this restriction for some other reason (such as my user account being in the admin group or something like that)?
Also, what does it mean to "assert WebPermission for that Web site". If there is a security restriction, does this allow my application to bypass it?
I believe the restrictions you quote on where a ClickOnce application can access data refers to data files. The next section refers to an XML Web Service.
I have several ClickOnce applications that call WCF services for information. They are in the same domain as the ClickOnce deployment, but not on the same server.
What exactly are you trying to accomplish?