ClickOnce application accessing web service - c#

I have a ClickOnce application that is installed from the web, configured as a Full Trust application. The application accesses a web service from a different host than the install URL.
If I understand this correctly, the application should not be able to access the web service:
Web Install: Can only access the Web server from which the application was installed.
If your ClickOnce application cannot access a Web server because of security restrictions, the application must assert WebPermission for that Web site. For more information about increasing security permissions for a ClickOnce application, see Securing ClickOnce Applications.
I've been able to install the application on several machines with no issues. Am I misinterpreting the statement above? Or am I not running into this restriction for some other reason (such as my user account being in the admin group or something like that)?
Also, what does it mean to "assert WebPermission for that Web site". If there is a security restriction, does this allow my application to bypass it?

I believe the restrictions you quote on where a ClickOnce application can access data refer to data files. The next section refers to an XML Web Service.
I have several ClickOnce applications that call WCF services for information. They are in the same domain as the ClickOnce deployment, but not on the same server.
What exactly are you trying to accomplish?

Related

C# web app can access network shares but my ISAPI extension cannot - why?

Our C# web application on Windows/IIS v10 can access files on network shares without doing anything special. An ISAPI Extension that I wrote in C++ cannot access the same files. I am wondering why one works and not the other.
I found that ImpersonateLoggedOnUser allows me to get to the files. That requires the extension to have access to domain\userid\password for a network account that can get to the server. I am connecting to the database so I could store it in an encrypted column.
It depends on the user account used to run the application. This is set in the App Pool in IIS. The web application is configured to run in an App Pool as an account that has permissions to the appropriate folders. The C++ ISAPI extension is running in a different App Pool configured to use an account like Network Service that does not have permissions granted to the shares.
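The answer's point is that the share ACL is evaluated against whatever principal the worker process presents, and that principal differs between the two pools. The following script is an added example, not code from the original thread; it assumes Windows PowerShell with the WebAdministration module on the IIS host, app pools named DotNetApp and IsapiPool, the share \\fs01\data and the domain CONTOSO. It maps each pool to the identity it uses locally and the identity a remote SMB server sees, then lists the explicit ACEs on the share for that identity.

```powershell
# Added example, not from the original answer. Assumed: WebAdministration module, pools
# "DotNetApp" and "IsapiPool", share \\fs01\data, domain CONTOSO.
Import-Module WebAdministration

# The account an app pool's worker process runs as, as it appears in a local ACL.
function Get-AppPoolLocalPrincipal {
    param([Parameter(Mandatory)][string]$PoolName)
    $pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
    switch ($pm.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }        # virtual account
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pm.userName }
    }
}

# On the network (an SMB share on another machine) the same process is seen differently:
# every machine-local identity authenticates as the computer account, LocalService as anonymous.
function Get-AppPoolNetworkPrincipal {
    param([Parameter(Mandatory)][string]$PoolName)
    $pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
    switch ($pm.identityType) {
        'SpecificUser' { $pm.userName }
        'LocalService' { 'NT AUTHORITY\ANONYMOUS LOGON' }
        default        { "$env:USERDOMAIN\$env:COMPUTERNAME`$" }
    }
}

# Explicit ACEs on the share's folder naming that principal. Group membership is not expanded,
# so an empty result means "not granted directly", not necessarily "denied".
function Get-ShareAccessFor {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Principal)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

foreach ($pool in 'DotNetApp', 'IsapiPool') {
    $netId = Get-AppPoolNetworkPrincipal -PoolName $pool
    '{0}: runs locally as {1}, reaches \\fs01\data as {2}' -f $pool, (Get-AppPoolLocalPrincipal $pool), $netId
    Get-ShareAccessFor -Path '\\fs01\data' -Principal $netId
}
```

If the ISAPI pool runs as Network Service, the share must grant CONTOSO\WEB01$ (the computer account), or the pool should be switched to a dedicated domain account that is granted on the share. Either avoids keeping a domain password in the database for ImpersonateLoggedOnUser.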

access denied named pipes in WebAPI on IIS

To control a Windows service (and some other stuff) we use a WebAPI. For the communication between the API and the Windows service I used named pipes. When I run the code in Visual Studio, everything works fine. After deploying the API to IIS it gets an IO exception: access denied. Is this a configuration issue, or is it impossible to access named pipes from the IIS API?
What could be a different approach? An IP connection?
Thanks for your help!
EDIT:
After some research and trial and error I came to the conclusion: for named pipes to work both processes have to run under the same user.
So I assigned the same user to both the service and the IIS website, gave it a try, and it worked.
Is it safe to run a website on IIS under a different user?
The application gets activated in IIS Express when you debug it in the development environment. In IIS Express, your current login user is used to execute the application.
However, when you deploy the application in IIS, everything gets executed by the application pool identity and isolated in session 0.
So most of the time, you can try to set the app pool identity to Local System.
Since Local System grants too much permission for an application, using a dedicated account to host your IIS application would be a good idea.
As long as you follow the least-privilege principle, using a different user for your website can be safe.

IIS Configuration LifeCycle, Security for ASP.net Webservies

I have created a web service using ASP.NET. My web service contains a web.config file, which stores security information for our Microsoft Dynamics Axapta AOS server: the username and password for Axapta authentication.
My web service calls a Dynamics Axapta web service and exchanges some data. I have deployed my ASP.NET web service to IIS 7.0, which is located in the DMZ. Now I have to give the web service address to a payment service. This payment service should only know the web service address and the methods of this web service. This is my first time developing such a service hosted in IIS.
My questions are:
How do I need to configure IIS (authentication)?
Which security tips do I need to follow?
What should I do to make my web.config file secure?
How do I allow this payment service to reach my local server?
Any suggestions and explanations will be a huge help to me, because I am a newbie to this topic.
Thanks a lot, sincerely, Ilkin.
Your IIS application pool should run as a custom account identity (like domain\svc-ax-payment-user). Then add this Active Directory user to the AX users and add it to a role with access to the required functions. In this scenario the password is saved securely in IIS.
Another option is to encrypt the password with a machine key (e.g. if your IIS server is not trusted in the AX domain).
aspnet_regiis.exe -pef "appSettings" C:\web_app_dir
Run this command as administrator.
Check How To: Encrypt Configuration Sections for more information.
You can also create your own machine key for your application. In this case your web.config is portable and not bound to one specific server.
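The two options in the answer (a domain service account as pool identity so no AX password is stored at all, or a protected appSettings section with a portable RSA key container) put together as one administrator procedure. This is an added example, not the answer's own commands; it assumes Windows PowerShell with the WebAdministration module run as administrator on the IIS host, a site at C:\inetpub\AxBridge in app pool AxBridge, the account CONTOSO\svc-ax-payment-user and a key container named AxBridgeKeys.

```powershell
# Added example, not from the original answer. Run as administrator on the IIS host.
# Assumed: pool "AxBridge", site path C:\inetpub\AxBridge, account CONTOSO\svc-ax-payment-user,
# RSA key container "AxBridgeKeys".
Import-Module WebAdministration
$regiis   = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$sitePath = 'C:\inetpub\AxBridge'
$poolName = 'AxBridge'
$svcUser  = 'CONTOSO\svc-ax-payment-user'
$keyName  = 'AxBridgeKeys'
$provName = 'AxBridgeProvider'

# Option A: pool runs as the domain service account. IIS stores this password encrypted in
# applicationHost.config; AX then authenticates the pool identity and web.config holds no secret.
$cred = Get-Credential -UserName $svcUser -Message 'Service account password (not stored in web.config)'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $svcUser
    password     = $cred.GetNetworkCredential().Password
}

# Option B: anything that must stay in web.config is encrypted with an RSA container that only
# the pool identity can read. -exp makes the container exportable so a second server can use it.
& $regiis -pc $keyName -exp
& $regiis -pa $keyName $svcUser

# Declare a provider bound to that container; the default provider would use the machine-bound
# NetFrameworkConfigurationKey, which is exactly what the answer's "portable" remark avoids.
$cfgPath = Join-Path $sitePath 'web.config'
[xml]$cfg = Get-Content -Path $cfgPath
$cpd = $cfg.configuration.SelectSingleNode('configProtectedData')
if (-not $cpd) {
    $cpd = $cfg.configuration.AppendChild($cfg.CreateElement('configProtectedData'))
    $cpd.AppendChild($cfg.CreateElement('providers')) | Out-Null
}
$add = $cfg.CreateElement('add')
$add.SetAttribute('name', $provName)
$add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
$add.SetAttribute('keyContainerName', $keyName)
$add.SetAttribute('useMachineContainer', 'true')
$cpd.SelectSingleNode('providers').AppendChild($add) | Out-Null
$cfg.Save($cfgPath)

# Encrypt the section with that provider, then check the result rather than trusting the exit code.
& $regiis -pef 'appSettings' $sitePath -prov $provName

function Test-SectionProtected {
    param([string]$ConfigPath, [string]$Section)
    [xml]$x = Get-Content -Path $ConfigPath
    $node = $x.configuration.SelectSingleNode($Section)
    ($null -ne $node) -and ($node.GetAttribute('configProtectionProvider') -eq $provName) -and
        ($null -ne $node.SelectSingleNode('EncryptedData'))
}
Test-SectionProtected -ConfigPath $cfgPath -Section 'appSettings'   # expect True

# Moving to another server: export with the private key, import there, grant the pool identity again.
& $regiis -px $keyName 'C:\keys\AxBridgeKeys.xml' -pri
# on the second host:  aspnet_regiis -pi AxBridgeKeys C:\keys\AxBridgeKeys.xml
#                      aspnet_regiis -pa AxBridgeKeys CONTOSO\svc-ax-payment-user
```

Treat the exported key file like the password it protects: move it over an authenticated channel and delete it after import. Everything that runs as the pool identity can decrypt the section, so the encryption protects the file at rest and in backups, not against code running in the pool.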

Windows authentication in SilverLight Application (not Silverlight Business Application)

I am trying to add Windows authentication to an existing website that I have created. All the information I have read regarding using Windows authentication in Silverlight requires that you start with the Silverlight Business Application template instead of the Silverlight Application template. I already have a website that I started writing using the Silverlight Application template. How can I add Windows authentication to this existing website?
If your application is hosted in IIS and this is an intranet site, you just need to set the application's authentication method in IIS to Windows Authentication; then, when the client tries to load the SL app, a 401 challenge will trigger, asking the user to enter his/her credentials. You can also set IE to pass Windows credentials to the server when the site is loaded.
I have spent quite a bit of time tweaking various properties to get the functionality I am looking for (especially with machine names being fully qualified or not), but basically one thing to keep in mind when debugging this is that machine names play a role in how the server interprets a client trying to access the server.
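The IIS side of the answer, scripted so the change is repeatable and verifiable. This is an added example rather than the answer's own steps; it assumes the WebAdministration module on the IIS host and an application at Default Web Site/SlApp. The authentication sections are locked at server level by default, so the settings are written into applicationHost.config via a location tag instead of the application's web.config.

```powershell
# Added example, not from the original answer. Assumed: WebAdministration module, application
# "Default Web Site/SlApp".
Import-Module WebAdministration
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/SlApp'
$authBase = 'system.webServer/security/authentication'

# Windows auth on, anonymous off: with anonymous still enabled IIS never sends the 401
# challenge and the request arrives unauthenticated.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# Read back what IIS will actually enforce for that location.
function Get-AuthState {
    param([string]$Location)
    $win  = Get-WebConfigurationProperty -PSPath $appHost -Location $Location `
                -Filter "$authBase/windowsAuthentication" -Name enabled
    $anon = Get-WebConfigurationProperty -PSPath $appHost -Location $Location `
                -Filter "$authBase/anonymousAuthentication" -Name enabled
    $prov = Get-WebConfiguration -PSPath $appHost -Location $Location `
                -Filter "$authBase/windowsAuthentication/providers/add"
    [pscustomobject]@{
        Location  = $Location
        Windows   = [bool]$win.Value
        Anonymous = [bool]$anon.Value
        Providers = ($prov.value) -join ','   # expect Negotiate first, NTLM as fallback
    }
}
Get-AuthState -Location $location
```

Negotiate is only used when the browser can get a Kerberos ticket for the host name it connected to, which is where the answer's remark about fully qualified machine names comes in: the name in the URL has to match an SPN, otherwise the exchange silently falls back to NTLM.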

using windows authentication to log in to a sql server

I have a web application set up on our intranet that uses windows authentication (successfully) that I am trying to link to a database running on a separate server.
The problem that I am having, however, is that when I try to use a trusted connection to log in to the SQL Server, instead of passing the domain\username of the person using the website, the application is passing NT AUTHORITY\ANONYMOUS LOGON.
I checked that the authentication was working by having the website display a greeting that does identify my username correctly when I log on to the site, so it isn't an anonymous access issue. I think it is an impersonation issue somehow despite the fact that set in the web.config file for the application.
Curiously, the web application works fine when I run it on either my dev machine or even locally through remote desktop on the production server. I'm not sure what's going on here.
Finally, I'm running IIS 7.5, Windows Server 2008 R2 and SQL Server 2008.
This is called Constrained Delegation. Basically what that means is that an impersonated context by default cannot be delegated to authenticate with a resource on the network. If constrained delegation were not in place, anyone could create a web site in the enterprise and expose some benign application. But underneath, once the user authenticated with the site, it could impersonate that user to do anything, like read his mail, sell stock on his behalf, give raises to the site developer, anything. This is why impersonated contexts are not trusted outside the machine that impersonated the user.
To allow an impersonated context to connect to a remote resource (like a file share, or a database server) the domain administrator has to explicitly set up Constrained Delegation, which allows the impersonated context to authenticate with one specific resource.
There are numerous articles describing the problem and the solution:
How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
Protocol Transition with Constrained Delegation Technical Supplement
How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
Configuring Servers for Delegation (IIS 6.0)
How to: Use Protocol Transition for Impersonating and Delegating the Original Caller in WCF
It is a known behavior called the double-hop issue. See http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx
If your web application tries to access your database it does it with the account under which the IIS w3wp.exe process is running (NetworkService by default).
If you want to change this, you will need to use impersonation.
This document explains it pretty well.
As the document also explains, depending on your application you might want to use the trusted subsystem model instead of impersonation.
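Both answers describe the same fix from different ends: the first hop must be Kerberos (an SPN on the pool identity), and the pool identity must be allowed to delegate the caller's identity to exactly one back-end service. The script below is an added example, not code from either answer; it assumes the ActiveDirectory module on an admin workstation, the WebAdministration module on the web server WEB01, an application Default Web Site/intranet reached as https://intranet.contoso.com running as CONTOSO\svc-web, and SQL Server at sql01.contoso.com:1433 under CONTOSO\svc-sql.

```powershell
# Added example, not from the original answers. Assumed: ActiveDirectory module here,
# WebAdministration on WEB01, pool identity CONTOSO\svc-web for https://intranet.contoso.com,
# SQL Server sql01.contoso.com:1433 running as CONTOSO\svc-sql (its SPN already registered).
Import-Module ActiveDirectory
$webAccount = 'svc-web'
$webSpn     = 'HTTP/intranet.contoso.com'
$sqlSpn     = 'MSSQLSvc/sql01.contoso.com:1433'

# 1. Kerberos on the first hop. The browser can only obtain a service ticket if the site's SPN is
#    registered on the account the pool runs as; with NTLM there is nothing to forward, which is
#    why SQL Server sees NT AUTHORITY\ANONYMOUS LOGON.
setspn -S $webSpn "CONTOSO\$webAccount"

# 2. On WEB01: a custom pool identity must decrypt that ticket itself rather than the machine account.
Invoke-Command -ComputerName WEB01 -ScriptBlock {
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site/intranet' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name useAppPoolCredentials -Value $true
}

# 3. Constrained delegation: svc-web may present the caller's identity to this one SQL service and
#    nothing else. TrustedForDelegation (unconstrained) stays off; it would let the site act as the
#    caller against any service in the forest, the "sell stock on his behalf" scenario above.
Set-ADUser -Identity $webAccount -Add @{'msDS-AllowedToDelegateTo' = $sqlSpn}
# Only if callers cannot present Kerberos tickets themselves (non-domain clients, NTLM only) enable
# protocol transition. It lets svc-web obtain a ticket *as any user* without their credentials,
# so it is a strictly stronger grant and should be a deliberate decision:
# Set-ADAccountControl -Identity $webAccount -TrustedToAuthForDelegation $true

# 4. Check every piece; any one missing produces the ANONYMOUS LOGON symptom.
function Get-DelegationState {
    param([string]$Account, [string]$FrontSpn, [string]$BackSpn)
    $u = Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        FrontSpnOnAccount  = $u.servicePrincipalName -contains $FrontSpn
        BackSpnExists      = [bool](Get-ADObject -Filter "servicePrincipalName -eq '$BackSpn'")
        DelegatesTo        = @($u.'msDS-AllowedToDelegateTo')
        Unconstrained      = $u.TrustedForDelegation        # want False
        ProtocolTransition = $u.TrustedToAuthForDelegation  # want False unless step 3's comment applies
    }
}
Get-DelegationState -Account $webAccount -FrontSpn $webSpn -BackSpn $sqlSpn
```

After the change, recycle the pool and have test users log off and on (or run klist purge) so they pick up fresh tickets. Users flagged "Account is sensitive and cannot be delegated" will still arrive as anonymous by design. This also explains why it worked on the developer machine and over Remote Desktop on the server: the browser and IIS were on the same host, so there was only one hop.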
