Is it possible, using a classic ASP application hosted in IIS 7.5, to use Windows Authentication on the page (so I can access LOGON_USER) but use the app pool identity to connect to the database? If I turn on Anonymous Authentication and set it to run as the app pool identity, I can connect to the database, but I can't get the LOGON_USER. If I disable Anonymous Authentication, I can get the LOGON_USER, but I can't connect to the database.
Coworker found this: Apparently setting Physical Path Credentials under Advanced Settings on the app will also translate to the network communications with the database. So, anonymous auth off, windows auth on, physical credentials set to service account.
Not really sure why that works, since I would have expected Physical Path Credentials to affect only interactions with disk..
Related
Is there an advantage in using a trusted connection vs a sql login for web application? Is there any pros/cons from one to another?
I usually use Windows Authentication, which is more secure, with a service account. If you are doing an internal application within your own domain and you want to authenticate your users to the database server, you will need to set up delegation on that service account along with the IIS and SQL services. If it is outward facing or you aren't concerned with authenticating users to the database, you simply need to give the relevant permissions to the service account login in SQL. In either case, assuming your webserver is IIS, you would change the web application to run under the service account. This will encrypt and store the credentials on the webserver.
The main reason windows authentication is more secure is it makes use of the Active Directory infrastructure to authenticate users using encrypted messages between the servers. With SQL Authentication the credentials are passed across the network. If you do use SQL Authentication, you should make sure to encrypt the connection string portion of your web config, as you would embed the credentials including the password.
The Azure sample active-directory-dotnet-native-desktop shows how to use ADAL to sign in for accessing a Web API from a WPF app. In the call to authContext.AcquireToken it's passing the Resource URL of the web service as a parameter. What if I just want to prompt the user to sign in to the desktop client itself and there's no Web API? Isn't there any sample for that?
Can you define what do you mean in practice with "sign in to the desktop client itself"?. A native app will prompt you only when you need to access remote resources, because they are the only ones that the user cannot access directly. If a resource is already on your local PC, and you have access to the windows session, what are you going to protect with the login? In other words, what is the resource or operation that a user cannot perform unless they go through a login? Having access to the windows session means that the user can do pretty much whatever he/she wants. Doing a login without accessing a remote resource would largely amount to theater.
My web appkication has the following set up..
WCF application hosted on IIS7
Basic HTTP binding - SecurityMode = TransportCredentialOnly and ClientCredentialType = Windows.
.Net 4.0
The app runs in a .Net 4.0 Application Pool using "ApplicationPoolIdentity".
IIS connects to the file system using "Application Pass Through" authentication.
The client and service both run under IIS - that is the client is a webste and the service is an IIS hosted WCF service.
What I would like to understand is that what user accounts are used at the various points in authenticating too and using the service.
I understand that ApplicationPoolIdentity is a built in Windows account that is generated for each created application pool - is this the account under which w3wp.exe will run for the website?
No credentials are specified between clent and server - and this is the most interesting point. When my client connects to my WCF application what identity is used to authenticate to the service. I presume the application pool identity of the app pool hosting client website?
If so then what would happen if the two sites use two differnet app pools?
Or does the service just require a valid account on the machine (or domain) and that is good enough to authenticate?
If I changed the application pool to use a specific user account does this change anything? Again I presume as long as the client passes a valid machine account is that ok?
Also,,,
What identity is used for the file system?
What permissions does "ApplicationPoolIdentity" have on the machine and for the file system.
Finally in the case of SQL Server Integrated security what identity is passed through to SQL server if my service talks to an SQL Server database.
Thanks in advance.
I understand that ApplicationPoolIdentity is a built in Windows
account that is generated for each created application pool - is this
the account under which w3wp.exe will run for the website?
Yes it is. That is called a virtual account which allows IIS to create unique accounts for each defined application pool, also a security identifier is created representing the application pool name. Keep in mind that this is not real user account. For more information about it you can check the following link: http://technet.microsoft.com/en-us/library/dd548356.aspx
No credentials are specified between clent and server - and this is
the most interesting point. When my client connects to my WCF
application what identity is used to authenticate to the service. I
presume the application pool identity of the app pool hosting client
website?
Yes, same rule applies as for using Local Service account or Network Service account.
If so then what would happen if the two sites use two differnet app
pools?
Nothing, unless you elevate the rights of those application pools identities.
Or does the service just require a valid account on the machine (or
domain) and that is good enough to authenticate?
Then you are not going to use the default virtual accounts created for your application pools. Instead you will associate those application pools with existing windows accounts. Keep in mind what sort of permissions those windows/domain accounts have.
If I changed the application pool to use a specific user account does
this change anything? Again I presume as long as the client passes a
valid machine account is that ok?
It would work just fine as long as those accounts will have permissions according to your needs.
What identity is used for the file system?
Define with more details what you mean by file system; are you referring strictly at your application directory?
What permissions does "ApplicationPoolIdentity" have on the machine
and for the file system.
ApplicationPoolIdentity is a member of Users and IIS_IUSRS groups so will "inherit" the permissions of the previously mentioned groups.
Finally in the case of SQL Server Integrated security what identity is
passed through to SQL server if my service talks to an SQL Server
database.
ApplicationPoolIdentity or the account you have configured to be used by your application pool.
I am trying to call a Sharepoint Web Service via WCF from inside a .ASHX on a different server. My code works if I run inside of Visual Studio's debug web server, but not from IIS. The working server works in various authentication modes (Kerberos, NTLM), and the non-working one doesn't work in any. I am impersonating the same user in both cases.
Using NTLM, I recorded a working session and non-working session in Wireshark. In the working one, Wireshark parses the NTLM data and reports a DOMAIN and USER NAME that I expect. In the non-working one, it shows
DOMAIN: NULL
USER NAME: NULL
I have debugged in IIS and impersonation is definitely working at the point of the service call. If I check WindowsIdentity.GetCurrent(), it's the user I expect.
If I inspect the WCF service proxy on the working and non-working servers, they look identical -- the part that deals with ClientCredentials is set to "" for Username and Password for both versions.
Any ideas on what else to check? Why would the NTLM data have DOMAIN and USER NAME set to NULL -- where does it pick that up from?
According to this:
http://support.microsoft.com/kb/207671
When IIS services an HTTP request, IIS performs impersonation so that access to resources to handle the request is limited appropriately. The impersonated security context is based on the kind of authentication performed for the request. The five different types of authentication available from IIS 4.0 are:
Authentication Type Impersonation Type
------------------------------------ ---------------------
Anonymous Access (no authentication) Network
Auto Password Synchronization is
ON (ON=default)
Anonymous Access (no authentication) IIS Clear Text
Auto Password Synchronization is OFF
Basic Authentication IIS Clear Text
NT Challenge/Response Authentication Network
Client SSL Certificate Mapping Interactive
In my case, I have a Network Token, but
Network tokens are "NOT" permitted to access network resources. (Network tokens are named so because this kind of token is traditionally created by a server when a user is authenticated across the network. To allow the server to use a network token to act as a network client and access another server is called "delegation" and is considered a possible security hole.)
The KB has many possible ways to avoid the problem
I'm building an wcf service that is meant to run in an intranet environment using Windows Authentication. I have been merrily working along with some kind of default settings on the local computer.
Problem now is that I need to test it installed to an off site demo computer. I just need to get it running with username password used against the wcf service computer's user accounts.
This is my client code:
using (ImportServiceClient client = new ImportServiceClient("ImportServiceSoap12", REMOTE_ADDRESS))
{
client.ClientCredentials.Windows.AllowNtlm = true;
client.ClientCredentials.Windows.ClientCredential =
new NetworkCredential(userName, password, computerName);
result = client.Sync(items.ToArray());
}
Is it possible to configure the wcf service such that it translates the credential to a windows account on it's machine?
I've been reading contradicting posts here and there, but I feel rather sure IIS shouldn't be part of the authentication. I'm unsure wether ASP.Net authentication node applies or if it's all binding configuration.
Ideally I'd like it to be an NTLM type authentication so that I wouldn't need to set up https.
Is it possible to configure the wcf service such that it translates the credential to a windows account on its machine?
No. Integrated Windows Authentication requires that both the server and the client are part of the same domain (or domains with a trust relationship, in any case). You can't usefully run IWA against local computer accounts on the server.
You will have to use some other (potentially custom) form of authentication and then impersonate to the user you want to run as in the server code.