I have an ASP.NET website that is hosted in IIS 7.5.
The website has to use Windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.
The data that the website is required to use is stored on another server. The AD group has full control on the folder in which the data is stored.
I am using Classic mode because Integrated breaks it.
What should the website authentication and App Pool settings be?
Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass credentials on the connection string or try to impersonate the users (EDIT: should note that this applies to resources which use Windows integrated security). Also no need to give the users direct access to the datastore or other resources; just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.
Here is the checklist I send to our server group whenever I ask them to set up a new site for me (note this is based on Win Server 2003 and IIS 6; things may be different in the newer versions):
- Set up a separate App Pool for the application
- Configure the App Pool to run as the service account
- Add the service account to the IIS_WPG group on the server
- Make sure the IIS_WPG group has Read, Read & Execute, and List Folder Contents permissions for the website directory and Read and List Folder Contents on the C:\Windows\Temp folder (or equivalent)
- Grant the User Rights “Adjust Memory Quotas for a Process”, “Replace a Process Level Token”, and “Log On as a Service” to the service account
Don't mix up IIS authorization and ASP.NET authorization:
IIS authorization
- IP/DNS Address Restrictions
- Web Permissions (Read, Write, Script Source Access...)
- NTFS Permissions (non-ASP.NET ISAPI extensions only: .htm, .jpg...)
ASP.NET authorization
- URL Authorization (<authorization> element)
- File Authorization (ASP.NET ISAPI extensions only: .aspx, .ascx...)
- Principal Permissions (Demands)
- .NET Roles
Restrict access to your web:
- Uncheck anonymous access
- Configure NTFS rights
Give access to your data folder, a few solutions:
- Use a service account for your application pool, allow it on your folder and manage access control in your application
- Use the default IIS 7 ASP.NET account, and impersonate the user locally in your code when accessing your data folder:
```csharp
using System.Security.Principal;

// Impersonate the authenticated Windows user only for this block of code
WindowsImpersonationContext impersonationContext =
    ((WindowsIdentity)User.Identity).Impersonate();
try
{
    // Insert your code that runs under the security context of the
    // authenticating user here.
}
finally
{
    // Always revert to the app pool identity, even if the code above throws
    impersonationContext.Undo();
}
```
- Activate impersonation globally (<identity impersonate="true"/>); I don't like this one
I have a C# MVC web application that uses NTLM authentication (Windows authentication), and I want to access a shared folder (accessible from the web server).
The shared folder contains a list of subdirectories; each directory represents a user's personal directory. Using Windows Explorer on the web server, each user is able to access only their personal folder.
Actually, when I want to access this shared folder using the application, I get an access denied (as the IIS process doesn't have permission to access these folders). And I want to know how the user can access their personal folder via the application.
Is there a way to get the user login and password from the NTLM connection, or a way to access this shared folder via the user's NTLM token?
I don't have the user login/password.
You can change the thread identity https://msdn.microsoft.com/en-us/library/w070t6ka(v=vs.110).aspx
or use P/Invoke WNetAddConnection2 https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413(v=vs.85).aspx
You can enable ASP.NET user impersonation - https://msdn.microsoft.com/en-us/library/aa292118(v=vs.71).aspx
However, do note that you need to make sure that you only use impersonation when accessing the user's resources - for example, if you simply impersonate the whole request, you may no longer have access to shared data or a database.
I am getting errors saying:
Exception Details: System.UnauthorizedAccessException: Access to the path 'E:\web\aawebapp\Content\events\events.json' is denied.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Where this happens is in the Controller when I try to do the following:
```csharp
using System.Web.Hosting;

// Resolve the virtual path to the physical file under the site root, then overwrite it
string eventspathway = HostingEnvironment.MapPath(@"~/Content/events/events.json");
System.IO.File.WriteAllText(eventspathway, newtext);
```
When I am running on localhost/debug this works fine, but it does not work when web deployed and thus spews out all the errors above.
What's hard to understand here? That exception means exactly what it says.
Your web app runs in an IIS worker process (w3wp.exe — "world-wide web worker process", get it?) called an app pool (application pool). That process runs under an account. Any process running under those credentials won't be able to read (or write) to a path for which it lacks the prerequisite permissions.
You (or your system administrators) need to grant the app pool identity under which your app is running sufficient permissions to do what it needs to do. Or you need to find a place to park your data where your app pool identity has sufficient permissions.
Another alternative — not recommended for a production system! — would be to run the app pool under the local system account.
For more information, see
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
How to set up IIS 7 application pool identity correctly?
http://technet.microsoft.com/en-us/library/cc771170(v=ws.10).aspx
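A worked version of the service-account approach from the first answer on this page and of the permission grant this answer recommends, as added example code that is not from the page: it uses Microsoft.Web.Administration to create a dedicated Classic-mode app pool running as an AD service account, then grants that account read/execute on the web root and Modify only on the data folder. The pool name, account, site name and the SVC_PASSWORD variable are assumptions; the paths come from the question; the user-rights assignments in the checklist are not covered here.

```csharp
// Added example, not code from this page. Run elevated on the IIS 7.5 host
// with a reference to Microsoft.Web.Administration.dll (ships with IIS).
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Web.Administration;

static class LeastPrivilegePoolSetup
{
    // Add one Allow ACE for 'account' on 'folder', inherited by files and
    // subfolders; existing entries on the ACL are left untouched.
    static void Grant(string folder, string account, FileSystemRights rights)
    {
        var dir = new DirectoryInfo(folder);
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(new NTAccount(account), rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }

    static void Main()
    {
        const string poolName = "AaWebAppPool";            // assumed
        const string svcAccount = @"CORP\svc_aawebapp";     // assumed AD account
        const string siteName = "Default Web Site";         // assumed
        const string webRoot = @"E:\web\aawebapp";           // paths from the question
        const string dataDir = @"E:\web\aawebapp\Content\events";
        // Never hard-code the password: read it from the elevated session's environment.
        string password = Environment.GetEnvironmentVariable("SVC_PASSWORD");

        using (var mgr = new ServerManager())
        {
            ApplicationPool pool = mgr.ApplicationPools[poolName]
                                   ?? mgr.ApplicationPools.Add(poolName);
            pool.ManagedPipelineMode = ManagedPipelineMode.Classic; // as in the question
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
            pool.ProcessModel.UserName = svcAccount;
            pool.ProcessModel.Password = password;
            mgr.Sites[siteName].Applications["/"].ApplicationPoolName = poolName;
            mgr.CommitChanges();
        }
        // Code and content: read/execute only, so a compromised worker process
        // cannot rewrite its own pages or binaries.
        Grant(webRoot, svcAccount, FileSystemRights.ReadAndExecute);
        // The one folder the app writes to (events.json lives here): Modify.
        Grant(dataDir, svcAccount, FileSystemRights.Modify);
    }
}
```

On IIS 7+ the worker process identity is added to IIS_IUSRS automatically at runtime, so the IIS_WPG step of the older checklist is no longer needed.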
I have a deployed application that is using the Active Directory Membership Provider in order to authenticate users to our domain on an extranet. The application is using the .NET 3.5 framework. If you run the application locally it goes straight to the login page. But if you run the application from its deployed location on the server it first prompts with a Windows Security login prompt and after logging in, you are taken to the login page where you must login again. Why is this?
Your web application seems to be configured to use Active Directory Authentication (and doesn't allow anonymous access). Your users internally are already logged on to the domain and so IIS simply lets them past.
Your login.aspx page is protected by IIS so that you must be a member of the domain in order to even see the login.aspx page. This is a configuration issue in IIS and has very little to do with asp.net or C#.
If you are using forms authentication, you should be able to allow anonymous authentication in IIS and handle authentication using Forms only. However, this entirely depends on the web app and enabling anonymous access may inadvertently expose information you didn't intend to be publicly accessible.
Without knowing more about your application it's difficult to offer any more advice. Good luck.
Please consider this scenario:
I have a web site that is hosted behind IIS 7.0. Almost every IIS setting is the default setting. I have a folder for uploaded files that the ASP.NET user had write access to. Currently the IIS manager cancelled this write access and he wants to add a local user in Windows Server so that this user can have write access to that folder. Now my question is how I can impersonate a user in ASP.NET and whether this method is secure? I want all the requests to execute on the server as the default IIS user, but I want to impersonate just for uploading a file.
Thanks
What you need is partial impersonation. You don't need all requests to be impersonated; only a few calls should be impersonated. I think you must have a look at this article:
http://support.microsoft.com/kb/306158
This is how it impersonates a piece of code under the logged-in user's credentials while the rest of the calls are processed using the default app pool identity:
```csharp
using System.Security.Principal;

WindowsImpersonationContext impersonationContext =
    ((WindowsIdentity)User.Identity).Impersonate();
try
{
    // Insert your code that runs under the security context of the authenticating user here.
}
finally { impersonationContext.Undo(); } // always revert to the app pool identity
```
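A fuller version of the partial impersonation shown in this answer, which also covers the earlier answer's caveat about impersonating only around the user's own resources; this is added example code, not from either answer. It assumes an ASP.NET MVC controller on the .NET Framework with Windows authentication, and the share path \\fileserver\users with one ACLed folder per user is a constructed assumption.

```csharp
// Added example, not code from this thread. Targets ASP.NET MVC on the
// .NET Framework with Windows authentication; the share layout is assumed.
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

public static class Impersonation
{
    // Runs 'work' as the authenticated caller and always reverts to the app
    // pool identity afterwards (Dispose on the context calls Undo), so an
    // exception inside 'work' cannot leave the thread impersonating.
    public static T RunAsCaller<T>(IPrincipal user, Func<T> work)
    {
        var identity = user.Identity as WindowsIdentity;
        // Anonymous or forms-authenticated callers carry no Windows token:
        // fail closed instead of silently running as the worker process.
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            throw new UnauthorizedAccessException("No Windows identity to impersonate.");
        using (identity.Impersonate())
        {
            return work();
        }
    }
}

public class PersonalFolderController : Controller
{
    // Assumed layout: \\fileserver\users\<sAMAccountName>, ACLed per user.
    // Reaching a remote share with the caller's token needs Kerberos
    // delegation; an NTLM token only works for resources on the web server.
    const string ShareRoot = @"\\fileserver\users";

    public ActionResult Files()
    {
        string name = User.Identity.Name;                  // DOMAIN\user
        string sam = name.Substring(name.IndexOf('\\') + 1);
        string folder = Path.Combine(ShareRoot, sam);

        // Only the share access is impersonated; the NTFS/share ACL, not the
        // application, decides whether this caller may read that folder.
        string[] files = Impersonation.RunAsCaller(User, () =>
            Directory.GetFiles(folder).Select(Path.GetFileName).ToArray());

        // Back under the app pool identity: database access, logging and
        // shared data keep working here, which is why the whole request is not impersonated.
        return Json(new { user = name, files }, JsonRequestBehavior.AllowGet);
    }
}
```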
I have created a sample ASP.NET website and hosted it in IIS 6.0. It is working fine if the identity of the default app pool is "Local System". But when I changed the identity to some other configurable user id, it shows "Service Unavailable".
The following message is found in the event viewer:
"The identity of application pool 'DefaultAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled."
Either the credentials provided for the user are not valid, or the user does not have the needed permissions.
I believe there is a security group on the machine called IIS_WPG that is created when ASP.NET is installed; add the user to this group and it should give them the needed permissions.
The message is self-explanatory. The selected user id isn't valid, probably due to insufficient privileges to run the service.
The user identity you use needs to have fairly significant rights to operate. At a minimum the user needs to have read/execute permission on the root directory of the folder. This user should also have read/write/execute permission on the Temporary ASP.NET Files folder located within the %SystemRoot%\Microsoft.NET\Framework\ folder.
FYI,
In a development environment you can use the default app pool to create your web applications.
In production environment you want to use lusrmgr.msc (Server 2008/R2/7 Ultimate and Pro) to create new users (and their credentials) on the machine and assign the users to the right group (IIS_IUSRS).
Also, once you have created the user, you will want to give it access to your data source back-end (if SQL is running on the same machine and using Windows authentication to access SQL).
Check the Application Pool assigned to the site in IIS; probably it is stopped.