What is the difference between these two lines of web.config code
1.
<identity impersonate="true" />
2.
<identity impersonate="true" userName="MyUserName" password="MyPassword"/>
Where MyUserName and MyPassword are my Windows credentials. If you have IIS set up to use Windows credentials, shouldn't "1." pass in my Windows credentials and hence be the same as "2."?
My app is dying when I use "1", with an authentication error when trying to connect to my WCF service. There is obviously nothing wrong with the code in my service, and the code that calls my service as "2" works just fine and passes the client credentials to my WCF service.
The IIS config for the website is set up for Windows authentication, and the user it runs under is trusted for delegation.
So how can I get my windows credentials passed through without hard coding them?
What you're seeing is a problem with delegation. If you use
<identity impersonate="true" />
then what happens is your ASP.NET pages will run under the credentials of the user logged in (assuming Windows authentication). However, these credentials are not passed on to any calls made outside of your application, such as a connection to SQL or a connection to a WCF service. You need to use the credentials passed to ASP.NET and then use impersonation before calling your web service:
using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    // Inside this block the thread runs as the authenticated request user;
    // disposing the context at the closing brace reverts to the app pool identity
    WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient();
    Response.Write(myService.GetData(123) + "<br/>");
    myService.Close();
}
There are more details on the WCF Security Patterns and Practices site.
If you read the MSDN page about ASP.NET identity impersonation, you will notice that if the <identity> element does not include credentials, ASP.NET will impersonate the token passed to it by IIS, which can be either the identity of the request's authenticated user or the anonymous Internet user account (IUSR_machinename). Seems to me that in scenario 1. above ASP.NET is getting the anonymous user token, which would explain the failure. You can try disabling anonymous access to your web service to force the Windows authentication to kick in.
Related
I have created an ASP .NET Web Application with MVC and Authentication as Individual User Accounts.
I have populated the app with some controllers, actions and views. Some of them are [AllowAnonymous] and other [Authorize].
It works perfectly in IIS express. I can create multiple accounts. And logging. And see the pages I have access to.
When I deployed the app to my local IIS, the authentication stopped working. I can create accounts, but I can't log in. When I try to log in it only redirects me to the home page and I can't see the pages. When I try to use fake access details, it detects that they are incorrect.
I tried to fiddle around in the IIS settings but I don't know what to do.
Please, help me.
In IIS, for the site, search for the Authentication feature, enable Windows authentication and disable Anonymous.
You need to keep your application running with anonymous authentication instead of Windows authentication. Otherwise, your login page will get into an infinite loop.
Besides, are you trying to connect to a LocalDB with the Individual User Accounts template in IIS?
Have you tried setting the application pool like this in applicationHost.config and removing "AttachDbFilename=....." from your web.config connection string? If I take the steps above, I can get both register and create to work in my IIS.
<add name="my app pool" autoStart="true">
    <processModel identityType="ApplicationPoolIdentity" setProfileEnvironment="true" />
</add>
I am wondering if it's possible, and if so, how to have an ASP.net website on IIS use the windows credentials of the currently logged in user for Directory.CreateDirectory and File.Copy commands.
Currently my application works when running locally, however it doesn't work when hosted on the server using IIS.
It is set to only allow Windows Authentication and ASP.Net Impersonation on the server.
Directory.Exists() always returns false, I'm assuming because it is using the IIS user instead of the Windows user, which doesn't have permissions to access the server I am checking files on (the other calls above fail too). I don't want to supply user credentials, as I would like each logged-in user to only have permissions to perform what their own credentials allow and not what an admin's credentials allow.
Web.config authentication setup:
<authentication mode="Windows" />
<authorization>
    <deny users="?" />
</authorization>
<identity impersonate="true" />
EDIT:
Ended up creating a service account with access to the folder and using that for the application pool. When I get some more free time I might come back and try to figure out the issue (I have a feeling it might have to do with a double hop, as I am going from IIS to another server, not the IIS server itself. But I don't currently have permission to set up the IIS server as a delegate and test whether that does anything).
Is it possible to have the C# code for my ASP website run as the user who is authenticated through Windows authentication?
After spending a bit of time researching, I understand I would need impersonation, but when I configure impersonation, for example like this: <identity impersonate="true" />, I get an error from IIS about how the web.config is set up wrong for the integrated pipeline. Bypassing the error with: does work, but the code is not executed as the authenticated user but instead as the DefaultAppPool, and so as the IIS user.
I know this is probably not the best question, I just can't wrap my head around impersonation with windows authentication.
You can verify the user with an LDAP/AD combination. This means the user enters the username and password from their own Windows account and sends this data to a server that can check whether this data is right. Of course this will only work for local networks with a single LDAP server.
Try following links for info: https://www.codeproject.com/Articles/18742/Simple-Active-Directory-Authentication-Using-LDAP
https://msdn.microsoft.com/en-us/library/ff649227.aspx
I would not want elevated rights in IIS. I would hand all data needed to do the job to another service that really does this work (as the right user).
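An added configuration example, not from the question or either answer above, showing the web.config shape behind the "integrated pipeline" error the question mentions: under the Integrated managed pipeline, IIS refuses to start an application whose system.web section contains <identity impersonate="true" /> unless validation of that section is switched off. The IIS-level authentication block at the end is assumed to be unlocked in applicationHost.config (it is locked by default); otherwise the same two switches are set in IIS Manager.

```xml
<?xml version="1.0"?>
<!-- Added example web.config, not from the original question or answers.
     Goal: run page code as the Windows-authenticated caller under the
     Integrated managed pipeline, without any credentials in this file. -->
<configuration>
  <system.web>
    <!-- Require Windows authentication and reject anonymous callers ("?"),
         so HttpContext.Current.User is never the anonymous IUSR token. -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Impersonate the caller's token. No userName/password: the identity
         comes from IIS, not from a secret stored in this file. -->
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <!-- Without this, IIS in Integrated mode fails the application with
         "An ASP.NET setting has been detected that does not apply in
         Integrated managed pipeline mode" because of <identity impersonate>. -->
    <validation validateIntegratedModeConfiguration="false" />
    <!-- IIS-side equivalent of the settings above. Assumed to be unlocked in
         applicationHost.config; if it is not, delete this block and set the
         same two values in IIS Manager under Authentication. -->
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Two things to check when the code still appears to run as the application pool identity. First, Integrated mode does not apply client impersonation during the BeginRequest and AuthenticateRequest stages, so a custom module inspecting WindowsIdentity.GetCurrent() there sees the app pool account even though page code later runs as the caller. Second, if anonymous authentication is still enabled at the IIS level, IIS hands ASP.NET the anonymous token and impersonation dutifully impersonates that, which is the symptom described in the question and in the answer about IUSR_machinename above.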
I have a SharePoint 2013 WebService and want to use SSO (Single Sign On). The service has been deployed in IIS 15 hive and converted to an application.
IIS
Then I configured web.config:
<authentication mode="Windows" />
<identity impersonate="false" />
Web Service is an asmx file
[ScriptService]
public class Services : WebService
{
    [WebMethod]
    public void DoAction() {
        ...
    }
}
So... Now I'm logged in to Windows as a user (let's say sp\user1). When I run Internet Explorer (IE), IE should run under the same user credentials, and when accessing the web service this also should be executed as sp\user1, but there always comes a Login Authentication Required window.
How can I achieve SSO and prevent extra login?
Environment Win2008R2, IIS 7.5, SP2013, C#
Asked same question on sharepoint.stackexchange
You need to configure the SharePoint 2013 authentication provider to handle the Kerberos token. This can be done from the central admin of SharePoint. Also, your site must send the Kerberos token when requested by SharePoint during authentication.
This link will give a high-level idea about the Windows authentication (Kerberos) of SharePoint.
Also, refer http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/
In this MSDN article on "How to implement impersonation in an ASP.NET application" they list 4 different ways to change the account that's used to execute the web request. Unfortunately, it doesn't describe the differences between these alternatives.
I'm trying to impersonate the IIS authenticated user to copy some files off their local machine. It works when I use the Win32 API LogonUserA and impersonate a specific user. But I need the web app to work with many users (I don't have an account that can access everyone's files).
I thought simply setting Impersonate = "true" and configuring IIS should work but something is different. When I check Environment.UserName it appears to be impersonating the correct account but I am getting "Access is denied" errors.
Anyone know the difference between these impersonation methods? Is it possible to impersonate the IIS authenticated user and then do some file operations with it?
Update: From the feedback I've been getting I need to be more clear about what I'm facing.
Environment setup:
IIS: disable anonymous authentication, enable integrated windows authentication
ASP.Net's web.config: authentication mode = "windows", impersonate = true, deny anonymous users
Suppose I'm accessing the page as "userA":
Scenario 1: impersonate the IIS Authenticated user
try {
    File.Copy(srcFile, destFile); // Access Denied even though userA has access to srcFile.
} catch (Exception ex) {
    ...
}
Scenario 2: impersonate userA with LogonUser
try {
    // Impersonator is a wrapper around the Win32 LogonUser API
    using (Impersonator imp = new Impersonator("domain", "userA", "pwd"))
    {
        File.Copy(srcFile, destFile); // Works
    }
} catch (Exception ex) {
    ...
}
In both cases, I'm impersonating "userA".
Q: Anyone know the difference between these impersonation methods?
A: First some background on how IIS handles requests.
There is a specific system user called IUSR_computername (default in IIS 6) which the IIS server uses to handle file access. And there is a process running on the IIS server called Aspnet_wp.exe which runs under an account called ASPNET or NetworkService.
So when a request is made to the server, IIS reacts, and if the request is to an ASP.NET application it passes the request to that process.
This means that if the IIS server is set up to use the IUSR_computername (anonymous) access method, the server will use that account to process the request, and if it sees that it is an ASP.NET application it will transfer the request to the ASP.NET process.
By default impersonation is disabled; this means that the request will run under the ASPNET or NetworkService account when the ASP.NET process handles the request.
Now to the difference between the impersonation methods:
Impersonate the IIS authenticated account or user
Uses the account that IIS is set up to use. Usually IUSR_computername.
Usage: <identity impersonate="true" />
Impersonation enabled for a specific identity
Uses a specific account that is specified.
Usage: <identity impersonate="true" userName="accountname" password="password" />
The third option is the default state, which is to disable impersonation.
Q: Is it possible to impersonate the IIS authenticated user and then do some file operations with it?
A: Depends on the privileges of the IIS authenticated user. If the account has permission to manipulate the files (NTFS permissions in Windows), the answer would be yes.
Read more here:
IIS Authentication
ASP.NET Authentication
I believe you've run into the "double hop" issue described here. Basically, the connection between the client and IIS is one hop, the connection between IIS and the network share is the second one and with impersonation double hops are not allowed by default. That means in your first example the user should be able to access resources local to the IIS machine but not remote ones.
When the credentials are supplied on the IIS side programmatically, there's no second hop. That's the difference you're looking for.
To support your requirements, you need to implement delegation rather than impersonation. Please have a look at MSDN for more info.
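An added example, not code from any of the answers on this page, that ties together the first answer's impersonation block, the answer about the anonymous IUSR token, and the double-hop answer above. It is a small diagnostic class for ASP.NET on .NET Framework (System.Web) that reports which identity the request is really running as and, before impersonating the caller for an outbound call, checks that the token is actually usable for a second hop rather than letting the downstream call fail with a bare "access denied". The WCF proxy call is represented by a hypothetical Func<string> supplied by the caller; no service type is assumed.

```csharp
// Added example, not from the original answers. ASP.NET / .NET Framework.
// The outbound work (e.g. a WCF proxy call) is passed in as a delegate, so
// nothing here depends on a specific generated ServiceClient type.
using System;
using System.Security.Principal;
using System.Web;

public static class ImpersonationDiagnostics
{
    // Everything a handler needs to know before trusting <identity impersonate="true" />.
    public sealed class IdentityReport
    {
        public string ProcessIdentity;          // application pool account
        public string ThreadIdentity;           // what code runs as right now
        public string IisLogonUser;             // token IIS authenticated (Request.LogonUserIdentity)
        public bool CallerIsAuthenticated;      // false => ASP.NET got the anonymous token
        public bool CallerIsAnonymous;
        public TokenImpersonationLevel Level;   // Delegation is required for a second hop
        public bool SecondHopPossible;
    }

    public static IdentityReport Describe(HttpContext ctx)
    {
        if (ctx == null) throw new ArgumentNullException("ctx");
        var report = new IdentityReport();

        // GetCurrent(false) returns the process token even while the thread impersonates.
        using (WindowsIdentity process = WindowsIdentity.GetCurrent(false))
            report.ProcessIdentity = process.Name;

        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            report.ThreadIdentity = thread.Name;
            report.Level = thread.ImpersonationLevel;
        }

        WindowsIdentity iisToken = ctx.Request.LogonUserIdentity;
        if (iisToken != null)
        {
            report.IisLogonUser = iisToken.Name;
            report.CallerIsAnonymous = iisToken.IsAnonymous;
        }

        report.CallerIsAuthenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        // Only a delegation-level token can be forwarded to another machine (SQL, WCF, file share).
        report.SecondHopPossible = report.CallerIsAuthenticated
                                   && report.Level == TokenImpersonationLevel.Delegation;
        return report;
    }

    // Run `work` as the authenticated caller for exactly its duration, and fail
    // early with a message that says what is misconfigured.
    public static T RunAsCaller<T>(HttpContext ctx, bool needsRemoteHop, Func<T> work)
    {
        if (ctx == null) throw new ArgumentNullException("ctx");
        var caller = ctx.User != null ? ctx.User.Identity as WindowsIdentity : null;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException(
                "No authenticated Windows identity on the request; " +
                "anonymous authentication is probably still enabled in IIS.");

        if (needsRemoteHop && caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Token for " + caller.Name + " is " + caller.ImpersonationLevel +
                "; a call to another machine needs Delegation. Configure Kerberos " +
                "delegation for the IIS account instead of hard-coding credentials.");

        // Same pattern as the first answer: impersonate, do the work, revert on dispose.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            return work();   // e.g. () => new WCFTestService.ServiceClient().GetData(123)
        }
    }
}
```

Typical use from a page: call ImpersonationDiagnostics.Describe(Context) once and log the report (do not render it to end users, since it discloses account names), then wrap the outbound call as ImpersonationDiagnostics.RunAsCaller(Context, true, () => myService.GetData(123)). The check does not make a second hop work on its own; its value is that a token at Impersonation level, which is what NTLM or Kerberos without delegation yields, is reported as the cause instead of surfacing as an authentication error deep inside the WCF call, and the fix it points to (delegation configured on the IIS computer or service account) avoids putting a userName and password into web.config as in option "2." of the first question.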