Recommended identity / user for Kestrel + .NET Core (Windows) - asp.net-core

When using Kestrel with IIS, you define an Application Pool and identity (user). The default identity is "ApplicationPoolIdentity" but can be one of the following or a custom user:
When the application runs, Kestrel runs under the identity you defined in IIS:
However, when using Kestrel behind a proxy server such as nginx (or standalone), what is the recommended "identity" (user) to use, and how does one go about using it with Kestrel?

When you host Kestrel behind a proxy on Windows, it is recommended to host the ASP.NET Core app in a Windows Service. Nginx would be configured to reverse proxy the application's URL (e.g. http://localhost:5000), and the ASP.NET application would run under whatever user the service is configured to run as.
If you are hosting on Linux, then you are responsible for creating your own service using whatever technology the underlying operating system provides (e.g. systemd, upstart, etc.).
The 'recommended' identity to use depends on what resources the ASP.NET app needs to access. The LocalService account has the same privileges as a member of the Users group.
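As an added illustration of the answer above (not code from the original post), this is what the Windows Service hosting looks like for an ASP.NET Core 3.x app: Kestrel is bound to loopback so only the local nginx can reach it, and the service identity is chosen at registration time rather than in code. It assumes the Microsoft.Extensions.Hosting.WindowsServices package; the service name, path and configuration key are placeholders.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static void Main(string[] args)
    {
        Host.CreateDefaultBuilder(args)
            // Runs as a Windows Service when started by the Service Control Manager,
            // and as a plain console app when launched by hand (handy for testing).
            .UseWindowsService()
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder
                    // Loopback only: nginx on the same host is the sole client that
                    // should talk to Kestrel directly; the proxy does TLS and filtering.
                    .UseUrls("http://localhost:5000")
                    .UseStartup<Startup>();
            })
            .Build()
            .Run();
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services) => services.AddControllers();

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// The account the app runs under is set when the service is registered, e.g. from an
// elevated prompt (service name and path are placeholders):
//
//   sc.exe create MyKestrelApp binPath= "C:\apps\MyKestrelApp\MyKestrelApp.exe" obj= "NT AUTHORITY\LocalService" start= auto
//
// LocalService has roughly the rights of a Users-group member, as the answer notes;
// grant it NTFS access only to the folders the app actually needs (content root, logs).
```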

You seem to be confused here. What you're talking about is the Application Pool Identity (which is what the window is even labeled as). The App Pool is essentially the process that serves your website. Processes run under accounts, be it a system, service, network, or user account. What account the process runs under determines (obviously) its permissions and access. By default, in IIS, App Pools run under ApplicationPoolIdentity, which is just a local service account with relatively limited permissions.
None of this has anything to do with Kestrel. Kestrel is just a simple web server. IIS merely acts as a reverse proxy. It accepts requests, hands them off to Kestrel, gets the response from Kestrel, and then sends that response back to the client. IIS gives you your security and administration layer, while Kestrel just handles the grunt work of serving the requests.
As a result, IIS can be interchanged for pretty much any web server that can act as a reverse proxy, such as Nginx. This would work the same way. Again, you don't define anything with Kestrel. It's just grunting along serving the requests the reverse proxy forwards to it. It doesn't know or care what that reverse proxy is, and it doesn't matter.
That said, in either scenario there is no such thing as a "recommended identity" to use. This is a security aspect you are responsible for making a decision on. IIS has a default service account and Nginx probably has one as well. (I haven't run Nginx on Windows, but on Linux, it literally runs under nginx:nginx.) For some, that's fine. Others decide to use a dedicated network account or a custom local service account. Still others decide to run under an actual user account. There are various reasons for each option and there's no one "right" way to do it, only a "right" way for your app, your server, your network, and your organization. No one can make those decisions for you.

Related

Vue.js + Net Core 3.1 - Redirect API calls

I'm having an issue with a project I'm working on. I have a Vue client which does API calls to my backend, which is written in .NET Core 3.1. Both these applications are deployed on different servers.
Now the problem is that my backend server does not allow me to do API calls straight from the browser. So I have to do some kind of 'redirect' on the client server to reach my API.
So for example:
If I call backend_server/api/values I get an error (Firewall).
I think I should make like a second API or something, but I'm not sure how to handle this issue.
Does anybody have any experience on this? Any help is welcome!
Kind regards
You can have multiple options here:
Remove the firewall rule -
This will allow your API to be hit from the browser. If the firewall is not managed by you, you can't do this.
Add an IP or port exception rule in the firewall -
Instead of deactivating the entire inbound rule on the server, you can allow specific ports or IPs in the firewall. Again, only if you have control over the firewall.
Create a proxy API -
Another way is to create a middleware API that forwards your request and acts as a proxy. This will sacrifice performance, resources and time, and compromise security. I recommend not doing this, but it's easily possible in .NET Core.
Specify a CORS policy -
If your Vue.js app and API originate from the same origin (IP), you can configure CORS on the server, which will restrict access to the API to that origin only. That means only www.google.com can access the Google API, and likewise. This will protect the API from other origins.
Tunnel via VPN -
If security is a concern, use a VPN service to tunnel your API requests. This isn't possible for every client using your web service.
The best way is to open a specific rule on the server for your application if possible. Writing a proxy in between will have a lot of disadvantages, although it can be accomplished.
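For the "Specify a CORS policy" option above, here is what a restrictive policy looks like in a .NET Core 3.1 Startup class (an added example, not code from the answer). The policy name and the "Cors:VueOrigin" configuration key are assumptions; the fallback origin is a placeholder.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private const string VueClientPolicy = "VueClient";
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddCors(options =>
        {
            options.AddPolicy(VueClientPolicy, policy =>
            {
                // The Vue app's exact origin (scheme + host + port) comes from configuration
                // so staging and production differ without a code change.
                var origin = _config["Cors:VueOrigin"] ?? "https://vue-client.example.invalid";
                policy.WithOrigins(origin)                       // no wildcard
                      .WithMethods("GET", "POST")                // only what the client uses
                      .WithHeaders("Content-Type", "Authorization");
                // Deliberately not AllowAnyOrigin(): that would undo the restriction.
            });
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseCors(VueClientPolicy);   // must sit after UseRouting and before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

CORS is enforced by the browser, not the network: it decides which web pages may read responses from the API, so it complements rather than replaces the firewall rule the answer recommends opening.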

Why would you want to deploy a Web Service as a Web Role on Azure?

I was under the impression that a Web Service should be run under a worker role. I just found out that a web service can be set up using the web role. What are the advantages to using one role over the other?
If you use the Web Role, your service will be hosted in a full IIS, and you can for example co-host it with your Web site and use all of IIS's features.
If you go for a Worker Role, you will have to new up a ServiceHost to host your service. You will not run within IIS.
I answered a similar question here. Note that, even with a Web Role, you'll have your choice of hosting your web service via IIS or on your own with a Service Host.
Back in March, there was an update to input port handling, so now you can spread your input ports out across your roles in any fashion you like, even having up to 25 in one role. This mitigates issues related to single-role deployments with RDP enabled (since in that case, RDP consumes 2 input ports). See my blog post here for more info about port allocation, as it really opens up options for you when setting up service-hosting.

how to assign read/write access to application pool in IIS

So how can I assign read/write access to this account (Network Service), or should I create a new account? The WCF service will be on a public domain.
I am using IIS6.
Which version of IIS you are using is usually a good thing to include in the question.
Older versions of IIS (5) use ASPNET and newer versions use Network Service.
You can adjust permissions as you normally do in Windows or via your Hosting Control Panel.
It's best practice to make this a new account that you can control the direct privileges of, since Network Service can have a bit higher level of permissions. You can change this under the Application Pool in IIS that your website hosting WCF is running as.
Then wherever your website needs the read/write access, grant it to this new account.

Redirecting connection via Service.svc proxy

I am currently working on a silverlight client, making use of a web server, and an application server.
Most of the users sit within our firewall, so they do not have any problems accessing the WCF service running on the application server (through a Service.svc file).
However, some users will sit outside of our firewall, and only have access to the web server, and not to the application server (Where the WCF service is).
I am hoping someone could tell me if there is a way for the client to use the WCF service on the application server, through the web server, without rewriting the WCF service on the web server, and only relaying the calls through that server.
I hope this is a clear enough description of what I need.
Thanks
Sounds like what you want is a router service. Unfortunately, there's nothing built into WCF to do that (at least until .NET 4.0 with its RoutingService).
You can certainly build it yourself, either by building a specific, one-off routing service (i.e. you implement the same contract and manually forward each operation to the service inside the firewall), or by building a generic, reusable routing service.
If you choose the second option, a couple of articles might help get you started.
Rather than have your Silverlight clients accessing the application server directly, route all the requests through a proxy service on the web server.
An example of this is the "Cross Domain Proxy" pattern.
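The "one-off routing service" of the first answer and the proxy service of the second are the same shape: a service on the web server implements the application server's contract and forwards each operation. This added example (not from either answer) sketches it; IOrderService, GetOrderStatus and the internal address are placeholders.

```csharp
using System.ServiceModel;

// The contract shared with the application server's Service.svc.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

// Hosted on the web server (e.g. as Relay.svc). External clients see only this endpoint;
// the application server stays reachable solely from the web server.
public class OrderServiceRelay : IOrderService
{
    // One factory per process: creating a ChannelFactory per call is expensive.
    private static readonly ChannelFactory<IOrderService> Factory =
        new ChannelFactory<IOrderService>(
            new BasicHttpBinding(),
            new EndpointAddress("http://appserver.internal/Service.svc"));

    public string GetOrderStatus(int orderId)
    {
        // The inner hop runs under the web server's identity, not the caller's, so
        // authenticate and authorise callers on this relay endpoint (e.g. IIS auth).
        IOrderService channel = Factory.CreateChannel();
        var client = (IClientChannel)channel;
        try
        {
            string result = channel.GetOrderStatus(orderId);
            client.Close();
            return result;
        }
        catch
        {
            client.Abort();   // a faulted channel cannot be closed cleanly
            throw;
        }
    }
}
```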

Difference between ClientCredentialType=Windows and =Ntlm

Can anyone give a clear explanation of the difference between using
clientCredentialType=Windows, and
clientCredentialType=Ntlm
in a server-side Web.config when hosting a WCF service?
I have a SOAP 1.1 (basicHttpBinding) service for interop with existing clients. It uses ASP.NET roles so needs clients to be authenticated.
When I am using the VS2005 (Cassini) server to host the service, I have to specify ClientCredentialType=Ntlm as above and check the Ntlm authentication box in the project properties in VS2005. ClientCredentialType=Windows doesn't work; clients get a:
401 Unauthorized error
However, when I'm running under IIS, it's the other way around: ClientCredentialType=Windows works, and ClientCredentialType=Ntlm fails.
Can anyone explain this, and preferably suggest a way I can have the same web.config file to run the service in Cassini and IIS?
Update
I have .NET 3.5 SP1 on my dev machine, which is XP SP2 running in a domain. Cassini therefore runs under a domain account, and IIS 5.1 under a local account.
I wonder if it could be related to the breaking change in .NET 3.5SP1 described in these articles.
http://www.aspnetpro.com/newsletterarticle/2008/12/asp200812ab_l/asp200812ab_l.asp
http://msmvps.com/blogs/alvin/archive/2008/11/14/net-3-5-sp1-breaking-change-to-wcf.aspx
http://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=354236
The situation sounds similar, as clientCredentialType=Windows fails when the server is running under a domain account (which is my situation with Cassini, running as my normal domain user account) and works when running under a local account (which is my situation with IIS).
The problem is that the suggested fixes require changes to a WCF client configuration file, but in my case I'm using SOAP 1.1 (basicHttpBinding) with non-WCF clients.
clientCredentialType=Windows uses the built-in Windows authentication, which can be through Active Directory and NTLM.
Obviously the NTLM type will only use NTLM for authentication.
I'm sure you've seen it already, but here is a link to WCF security:
http://msdn2.microsoft.com/en-us/library/ms734769.aspx
Some more details on your setup would help. Are the IIS and Cassini servers running on the same box? If not, do you have the same accounts set up on each box? IIS6 by default supports NTLM, so you shouldn't have a problem getting it to work.