Haven't done enough web development, and have searched a bit here, and have not found an answer yet.
I wanted to find out how to configure my website/web.config to allow me to use SUSER_NAME() on my audit triggers in Microsoft SQL Server.
Currently we are connecting to our database with a service account, but other users are authenticating and accessing the web site. When a record is changed, we want to capture the user that made the change, and not the service account used to log into the database.
The App Pool is configured to the service account and the web site is configured using Windows authentication and ASP.NET Impersonation (but this keeps getting turned off somehow).
The web.config has
<identity impersonate="true" />
and Windows authentication.
Any help would be greatly appreciated.
Related
Folk, finding it hard to find information for this particular scenario.
IIS is on one server and the developers are using Forms authentication in ASP.NET 4.5 with the AD as the membership provider.
Reportserver is SS2016 Standard is running as a domain account and has the following authentication types:
<AuthenticationTypes>
<RSWindowsNTLM/>
<RSWindowsNegotiate/>
</AuthenticationTypes>
If the developer has <identity impersonate="true" /> we get "The request failed with HTTP status 401: Unauthorized" and no account listed. Without the impersonate we get rsAccessDenied with the service account of IIS listed.
Any help would be greatly appreciated.
What do your logs say? Check your report logs (https://technet.microsoft.com/en-us/library/cc512029.aspx) as well as Event logs on the report server.
Does the impersonated user have database/data source permissions?
If, after reviewing your logs you can't figure it out, please post them here.
Is it generally possible to have a Microsoft Azure in the background to act as a SSO Authentication server for Apache auth?
The example is:
There are many users inside the Microsoft Azure
I have a Webpage on a Linux server served by Apache2
The webpage should be protected (exactly like basic-auth) by Azure (via SSO)
If the user is signed in into Azure and has rights, he can see the website
If the user is not signed in, he will be redirected back to Azure's login-page and after successful login will back to the webpage.
Is this generally possible?
If so what technologies/modules do I have to use for apache in order to speak with Azure?
Thanks for any hints towards the right direction.
Update
The Azure server is already fully configured. I just need to sort out the end on Apache.
I think what you are looking for is Azure Active Directory. it is an Identity as a Service product that supports modern protocols like OAuth, OpenID Connect. There's a client SDK called ADAL (Active Directory Authentication Library), but since it's standard protocols, you can integrate with other standard based authentication libraries. For example, the node.js tutorial shows how to use passport.
You didn't mention what web stack you are using but it's most likely listed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
On a side note: if you can host your app on Azure Web App Service then it has built in integration with Azure Active Directory, so you can add a layer of authentication on top of your website without modifying your application code.
More info on that here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
I've managed to setup two virtual machines in my local windows 7 laptop. Both of them are Windows server 2008 R2. One acts as Active Directory Domain controller and also as Active Directory Federation Services, and one other as the web app server. This second one is where I've set up my claims aware asp.net mvc web application and I also plan to setup ThinkTecture Identity Server later as my way to authenticate against custom username and password outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include :
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as active directory federation services.
configure relying party trust identifier from federation metadata generated from FedUtil.exe in second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one that's always troubled me is that every time I access my apps, it successfully prompts login dialog box. Once I enter My AD account and password, it always gives me the following error message : "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work?? Any suggestion and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see an list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?
I have recently been working on a ASP.NET project for a client. The project was to migrate the database from the old Oracle database to a new SQL Server 2008 database. The migration went well and most of the procedures did not take to long to fix. However we are now having a problem, up until now we have been using SQL Server authentication and using a username and password to access the database from the .NET code. Below shows the connection string:
<add key="DatabaseConnectionString" value="Data Source=DATASOURCE;Initial Catalog=DATABASE;User Id=USERID;Password=PASSWORD;"/>
This was working fine however recently i have recieved an email from the client saying:
"Instead of using a local SQL account for the .NET app to access the database could you please use an Active Directory account. In the web.config it will say <domain name>/<username> rather than just <username>."
What i am confused about is:
Do i have to change the Authentication mode within SQL Server to Windows Authentication?
Does the client mean to change it from <username> to <domain>/<username> or the other way round?
Where abouts in the web.config do i need to make this change to the username? Is it in the connectionstring?
Any help on this would be great.
Also im not sure if you would need to know this but i have added it anyway...
This is the Authentication section of the web.config:
<identity impersonate="true"/>
<authentication mode="Windows"/>
Do i have to change the Authentication mode within SQL Server to Windows Authentication?
No, because Windows Authentication is always enabled. However, disabling Sql Server Authentication is a good practice.
Does the client mean to change it from "username" to "domain/username"
No. This is not only about adding the domain name. You need to authenticate the user against the active directory and use delegation for the sql connection. To use the windows account, you need to decide whether you want a specific account to access the Sql Server, or the web site logged in user account.
I think the first way is almost always better. For that you need to delete the user id and password from the connection string and replace it with "Integrated Security=SSPI", and set the application pool identity to the active directory user account. In Sql Server you need to give this account the right to do what you need.
For the second way, you need windows authentication for users in your web site, and use delegation for the connection. I don't know if impersonation is enough for that.
i've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup model box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)/
Now, with IIS7, when i turn Anon Auth off, and turn on Basic or Windows Auth, i get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.
does that make sense?
cheers!
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
</forms>
</authentication>
there is no authorization section.
also, when i add 'Digest Auth' to iis7 and enable that (and disable everythign else), i get the pop up window (kewl!) but i'm not sure what credentials i need to pass in. Where can i define those credentials manually (so they are seperate from the website's users) ??
IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.