Problems binding to AD LDS from an IIS application - wcf

I have a simple WCF Service Application that I want to connect to an active directory for basic authentication. I can install, configure and add users to my AD LDS instance using my personal credentials (I'm an administrator). However, IIS can't bind to the instance. If I restart IIS using my credentials, everything binds just find and the authentication works as expected.
However, I don't want to run IIS with administrator privs. How do I configure AD LDS so that an app pool in IIS can bind but won't have the kind of elevated privs that can be a security nightmares?

Related

Deploy Azure AD WebAPI to IIS, with Windows Authentication enabled, skips Azure AD Authentication

I have a WebAPI that I have successfully secured with Azure AD. When I run it locally (through Visual Studio), trying to access the WebAPI end point via a browser gives me
Authorization has been denied for this request.
Which is what I would expect. Accessing the WebAPI through a client with ADAL library works as it should. A forms login screen pops up, and authenticates me and passes back a token, which I can then use in my WebAPI requests.
Something I wouldn't expect happens if I deploy the WebAPI to an IIS server, and have Windows Authentication enabled for the site. When I try to hit it the IIS WebAPI end point through a browser, I get a Windows Authentication prompt. If I successfully authenticate the Windows Authentication, the WebAPI serves the response.
I guess I would expect that the WebAPI would return the same "Authorization has been denied for this request". Windows Authentication shouldn't authenticate me to the WebAPI if I've configured the WebAPI to use Azure AD authentication.
My question is, is this expected behaviour, and if so, why?
I can see from one perspective that the WebAPI can accept authentication from any method that I've configured. But part of me thinks that since the Azure AD authentication is configured in the WebAPI application, and not IIS, it should take precedence.

What identities are used for WCF Application running on IIS?

My web appkication has the following set up..
WCF application hosted on IIS7
Basic HTTP binding - SecurityMode = TransportCredentialOnly and ClientCredentialType = Windows.
.Net 4.0
The app runs in a .Net 4.0 Application Pool using "ApplicationPoolIdentity".
IIS connects to the file system using "Application Pass Through" authentication.
The client and service both run under IIS - that is the client is a webste and the service is an IIS hosted WCF service.
What I would like to understand is that what user accounts are used at the various points in authenticating too and using the service.
I understand that ApplicationPoolIdentity is a built in Windows account that is generated for each created application pool - is this the account under which w3wp.exe will run for the website?
No credentials are specified between clent and server - and this is the most interesting point. When my client connects to my WCF application what identity is used to authenticate to the service. I presume the application pool identity of the app pool hosting client website?
If so then what would happen if the two sites use two differnet app pools?
Or does the service just require a valid account on the machine (or domain) and that is good enough to authenticate?
If I changed the application pool to use a specific user account does this change anything? Again I presume as long as the client passes a valid machine account is that ok?
Also,,,
What identity is used for the file system?
What permissions does "ApplicationPoolIdentity" have on the machine and for the file system.
Finally in the case of SQL Server Integrated security what identity is passed through to SQL server if my service talks to an SQL Server database.
Thanks in advance.
I understand that ApplicationPoolIdentity is a built in Windows
account that is generated for each created application pool - is this
the account under which w3wp.exe will run for the website?
Yes it is. That is called a virtual account which allows IIS to create unique accounts for each defined application pool, also a security identifier is created representing the application pool name. Keep in mind that this is not real user account. For more information about it you can check the following link: http://technet.microsoft.com/en-us/library/dd548356.aspx
No credentials are specified between clent and server - and this is
the most interesting point. When my client connects to my WCF
application what identity is used to authenticate to the service. I
presume the application pool identity of the app pool hosting client
website?
Yes, same rule applies as for using Local Service account or Network Service account.
If so then what would happen if the two sites use two differnet app
pools?
Nothing, unless you elevate the rights of those application pools identities.
Or does the service just require a valid account on the machine (or
domain) and that is good enough to authenticate?
Then you are not going to use the default virtual accounts created for your application pools. Instead you will associate those application pools with existing windows accounts. Keep in mind what sort of permissions those windows/domain accounts have.
If I changed the application pool to use a specific user account does
this change anything? Again I presume as long as the client passes a
valid machine account is that ok?
It would work just fine as long as those accounts will have permissions according to your needs.
What identity is used for the file system?
Define with more details what you mean by file system; are you referring strictly at your application directory?
What permissions does "ApplicationPoolIdentity" have on the machine
and for the file system.
ApplicationPoolIdentity is a member of Users and IIS_IUSRS groups so will "inherit" the permissions of the previously mentioned groups.
Finally in the case of SQL Server Integrated security what identity is
passed through to SQL server if my service talks to an SQL Server
database.
ApplicationPoolIdentity or the account you have configured to be used by your application pool.

hosting wcf service on localhost iis

I am working on an Asp.Net application which will interact with WCF services that will be hosted on local machines on IIS.
In order to make these wcf services be hosted, what rights does user have to have when they log in? Do they have to have Admin rights on the machine?
P.S.: I know that WCF services should not be hosted on individual local machines so please do not start the discussion on that. All i want to know is what rights logged in user needs to have in order to make WCF services available to the application.
It really depends on how you set up the service. You can configure the website to allow anonymous access and set up your WCF binding to basicHttp binding with a security mode of None. That should allow any logged in user to run the site. This would NOT restrict users to only the one(s) logged in to the local machine, if that is what you are looking for.
You are dealing with two levels of security here. You will define your access in IIS to allow users to use the site. Then you will set up WCF service to allow the IIS site to access it. If you are using pass through authentication then you will need to authorize the individual users, perhaps with a local group?? Otherwise you need to authorize the identity that IIS is running the site under. So users do not need to be administrators, unless you specifically demand that role in IIS or WCF.

Can WCF do WindowsAuthentication with username password?

I'm building an wcf service that is meant to run in an intranet environment using Windows Authentication. I have been merrily working along with some kind of default settings on the local computer.
Problem now is that I need to test it installed to an off site demo computer. I just need to get it running with username password used against the wcf service computer's user accounts.
This is my client code:
using (ImportServiceClient client = new ImportServiceClient("ImportServiceSoap12", REMOTE_ADDRESS))
{
client.ClientCredentials.Windows.AllowNtlm = true;
client.ClientCredentials.Windows.ClientCredential =
new NetworkCredential(userName, password, computerName);
result = client.Sync(items.ToArray());
}
Is it possible to configure the wcf service such that it translates the credential to a windows account on it's machine?
I've been reading contradicting posts here and there, but I feel rather sure IIS shouldn't be part of the authentication. I'm unsure wether ASP.Net authentication node applies or if it's all binding configuration.
Ideally I'd like it to be an NTLM type authentication so that I wouldn't need to set up https.
Is it possible to configure the wcf service such that it translates the credential to a windows account on its machine?
No. Integrated Windows Authentication requires that both the server and the client are part of the same domain (or domains with a trust relationship, in any case). You can't usefully run IWA against local computer accounts on the server.
You will have to use some other (potentially custom) form of authentication and then impersonate to the user you want to run as in the server code.

WCF Service - authentication / SSPI error

When I run my WCF service on my local machine, it works fine. When I deploy the same files to our test server, I get this error when my test client tries to connect to the WCF service:
Security Support Provider Interface (SSPI) authentication failed. The
server may not be running in an account with identity 'host/Server01'.
If the server is running in a service account (Network Service for
example), specify the account's ServicePrincipalName as the identity
in the EndpointAddress for the server. If the server is running in a
user account, specify the account's UserPrincipalName as the identity
in the EndpointAddress for the server.
What does this mean and what area should I be looking to fix? I played around with the web.config identity section, but I'm still unsure what is needed.
I got a similar error before but the message is somewhat different
Right click on the application pool the web site is running under, click on Property then go to the Identity tab. Try to put the "host/Server01" identity in and see if that helps.
This error can also happen for Microsoft Dynamics GP Web Services. In our case, it turns out that the person who set up the GP Web Services used his personal user account as the service account. When he changed his password, it broke the web services.
So, check your user identity and password if your web service used to work but no longer works.