Why does Windows Authentication fail when using Windows Azure Emulator? - c#

I created a Cloud Service project containing an MVC Application in a Web Role, and a Worker Role. In the MVC project, I am using Windows Authentication...and certain fields are managed based on the user being authorized (no biggie).
When I "Set As Startup Project" to the MVC project, my Windows Identity Principal comes across fine...and everything displays & works as expected (which is good).
Then, it becomes time to work-on & debug the Worker Role. To do so, I must run the Windows Azure Emulator by choosing "Set As Startup Project" to the Cloud Service project itself (and then pressing F5). Doing so fires-up all the Cloud Service roles within the Windows Azure Emulator.
However, when I do this the IsAuthenticated property is false...and all my HTML elements disappear.
QUESTION(S):
- Why does running the Windows Azure Emulator locally prevent Windows Authentication?
- If I need to "setup" the emulator...how?
PORTION OF THE SECURITY CODE:
Nothing special here...
var identity = filterContext.HttpContext.Request.LogonUserIdentity;
if (!identity.IsAuthenticated)
    RedirectToAccessDeniedPage(filterContext);
PORTION OF THE WEB CONFIG:
Nothing special here...
<authentication mode="Windows" />
<identity impersonate="false" />

When you set up the MVC project as the startup project, you are essentially running the project locally on your machine through IIS. IIS will automatically use your current NT credentials as the currently logged in user, which makes sense.
As hinted by Parv Sharma in his comment, when you set the cloud service as the startup project, a separate VM emulator is started, simulating what would happen in the cloud. Although the VM also runs your application in IIS, it has no idea who you are since you haven't logged in yet. And because your local NT credentials are not stored in that VM (and it doesn't make sense to store user credentials in a VM regardless), IIS doesn't recognize you as being logged in.
So you will need to implement a form of authentication that will allow users to authenticate against a Directory Store, which is what Azure Directory Services is all about. Here is the MSDN documentation for Azure Directory Services scenarios which contains a link for a sample implementation.
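
A diagnostic variant of the check from the question, as an added example that is not part of the original posts: it fails closed and traces the identity the host passed to the application, so the same request can be compared across IIS and the emulator. The attribute name and the trace message are assumptions.

```csharp
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute name; apply as [RequireWindowsIdentity] on a controller or action.
public sealed class RequireWindowsIdentityAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        WindowsIdentity identity = httpContext.Request.LogonUserIdentity;

        // Fail closed: a missing, anonymous or unauthenticated identity is rejected.
        bool allowed = identity != null
                       && !identity.IsAnonymous
                       && identity.IsAuthenticated;

        if (!allowed)
        {
            // Record what the host handed to the application so the failing
            // environment can be compared with the working one.
            Trace.TraceWarning(
                "Windows identity rejected: name='{0}', authType='{1}'",
                identity == null ? "(none)" : identity.Name,
                identity == null ? "(none)" : identity.AuthenticationType);
        }
        return allowed;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Return 403 instead of the default 401 result, which would make the
        // browser prompt for credentials again.
        filterContext.Result = new HttpStatusCodeResult(403, "Windows identity required");
    }
}
```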

Related

Azure B2C Single Sign on working with IIS Express but not with Local IIS

I have two MVC applications using Azure B2C. I have added these two applications to B2C portal. When I use IIS Express, I can log in to one app, and when I refresh the other app, it automatically logs me in. When I use Local IIS, when I log into one app, I refresh the other app, it still thinks that I am not logged in (Request.IsAuthenticated is false). When I log in to the other app, and I refresh my first app, Request.IsAuthenticated is returned as false. I am not sure what I am missing here.
I had to set the machine key and the decryption key the same for all the applications using SSO (instead of letting IIS generate a key at runtime). Once I did this, SSO works.

How do I log into a web service that was auto-generated by Azure Mobile Web Services?

Microsoft's Azure Mobile Web Services lets you download a .NET or JavaScript Service and a client that talks to the Service. These are written in C#, or JavaScript. I chose to get one in C#. There are several parts in the generated solution:
- A Windows 8.1 desktop client (yourname.Windows)
- A Windows mobile client (yourname.WindowsPhone)
- An Azure Mobile Web Service (yournameService)
- A shared .NET assembly named (yourname.Shared)
You can right click on yournameService and click Publish and it takes you through a wizard which publishes your application directly from Visual Studio to an Azure server. At some point in the wizard it establishes automatically some rather complex credentials (because you have already logged into an Azure web subscription). Generally you can just click Next, Next, and get it published.
Now you have a webservice, which opens up in your web browser, but which requires you to log in. What I want to know is, how do you know the user name and password used for this login?
http://yourapp123.azure-mobile.net/help
Then you click "Try it out", and a web browser authentication dialog pops up.
Why is this a problem? So far as a user I have input:
- My Visual Studio login credentials,
- My connection to Azure (perhaps same, perhaps different as visual studio login)
- During wizard I've determined login credentials to publish to Azure, using values I have no idea where they came from, and so I left them alone. These seem to be the only credentials I had any opportunity to enter, and any change from the defaults renders the wizard inoperable, so I'm sure that's not where I enter my user and password.
- I created a username and password when I created the Mobile WebService, and these do NOT work when I try to log in.
Leave the user name blank. And put in your application key as password. You can find your application key from your Azure portal > Mobile service > manage keys.
The reason is that AMS uses a Zumo header to decide proper authentication, which is what the application key is used for. So it's making sure only people or applications which have the application key can access the web service. Hope this helps.

Windows authentication in SilverLight Application (not Silverlight Business Application)

I am trying to add Windows authentication to an existing website that I have created. All information that I have read regarding using Windows authentication in Silverlight requires that you start with the Silverlight Business Application template instead of the Silverlight Application template. I already have a website that I started writing using the Silverlight Application template. How can I add Windows authentication to this existing website?
If your application is hosted in IIS and this is an intranet site, you just need to set the application's authentication method in IIS to Windows Authentication; then when the client tries to load the SL App a 401 challenge will trigger asking the user to enter his/her credentials. You can also set IE to pass Windows credentials to the server when the site is loaded.
I have spent quite a bit of time tweaking various properties to get the functionality that I am looking for (especially with machine names being fully qualified or not), but basically one thing to keep in mind when debugging this is that machine names play a role in how the server interprets a client trying to access the server.

Facing problem with ASP.NET hosted in IIS and Windows Authentication

I have an asp.net website that is hosted in IIS 7.5
The website has to use windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.
The data that the website is required to use is stored in another server. The AD group has Full control on the folder in which the data is stored.
I am using Classic mode because Integrated breaks it.
What should be the website authentication and APP Pool settings?
Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass the credentials on the connection string or try to impersonate the users (EDIT: Should note that this applies to resources which use windows integrated security). Also no need to try to give the users direct access to the datastore or other resources, just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.
Here is the checklist I send to our server group whenever I ask them to set up a new site for me: (note this is based on Win Serv2003 and IIS 6, things may be different in the newer versions.)
- Set up a separate App Pool for the application
- Configure the App pool to run as the service account
- Add the service account to the IIS_WPG group on the server
- Make sure the IIS_WPG group has Read, Read & Execute, and List Folder Contents permissions for the website directory and Read and List Folder Contents to the C:\Windows\Temp folder (or equivalent).
- Grant User Rights “Adjust Memory Quotas for a Process”, “Replace a Process Level Token”, and “Log On as Service” to the service account
Don't mix up IIS authorization and ASP.NET authorization:
- IIS authorization
  - IP/DNS Address Restrictions
  - Web Permissions (Read, Write, Script Source Access...)
  - NTFS Permissions (non ASP.NET ISAPI extension only: .htm, .jpg...)
- ASP.NET authorization
  - URL Authorization (<authorization> element)
  - File Authorization (ASP.NET ISAPI extension only: .aspx, .ascx...)
  - Principal Permissions (Demands)
  - .NET Roles
Restrict access to your web:
- Uncheck anonymous access
- Configure NTFS rights
Give access to your data folder, a few solutions:
- Use a service account for your application pool, allow it on your folder and manage access control in your application
- Use default IIS 7 ASP.NET account, and impersonate the user locally in your code when accessing your data folder

      System.Security.Principal.WindowsImpersonationContext impersonationContext;
      impersonationContext =
          ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
      try
      {
          // Insert your code that runs under the security context of the
          // authenticating user here.
      }
      finally
      {
          // Always revert to the process identity, even if the code above throws.
          impersonationContext.Undo();
      }

- Activate impersonation globally (<identity impersonate="true"/>); don't like this one

Service unavailable message in IIS

I have created a sample ASP.NET website and hosted it in IIS 6.0. It is working fine if the identity of the default app pool is "local system". But when I changed the identity to some other configurable user id, it shows "Service Unavailable".
The following message is found in the Event Viewer.
"The identity of application pool 'DefaultAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled."
Either the credentials provided for the user are not valid, or the user does not have the needed permissions.
I believe there is a security group on the machine called IIS_WPG that is created when Asp.net is installed, add the user to this group, it should give them the needed permissions.
Message is self-explanatory. The selected user id isn't valid - probably due to insufficient privileges to run the service.
The user identity you use needs to have fairly significant rights to operate. At a minimum the user needs to have read/execute permission on the root directory of the folder. This user should also have read/write/execute permission on the Temporary Asp.Net Files folder located within the %SystemRoot%/Microsoft.Net/Framework/ folder.
FYI,
In a development environment you can use the default app pool to create your web applications.
In production environment you want to use lusrmgr.msc (Server 2008/R2/7 Ultimate and Pro) to create new users (and their credentials) on the machine and assign the users to the right group (IIS_IUSRS).
Also once you have created the user, you will want to give it access to your data source back-end (if sql is running on the same machine and using windows authentication to access SQL).
Check the application pool assigned to the site in IIS; it is probably stopped.
