We have a Sitecore solution in which all of the users belong to Active Directory. We have enabled the Active Directory module for Sitecore. We need need to call a WCF service which uses Kerberos for delegation. I need to call the service as the logged in user in Sitecore.
Is there any clever way to get a windows identity to use for delegation?
Should I log in the user into windows auth when they log into sitecore and store the token somewhere?
Related
Its on win server 2012 R2 and researching says its IUSR_MACHINENAME which doesn't even come up when I try to add that to the folder's security list.
The error i'm getting is Access to the path denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
About the access error you mentioned, you can try this:
Make specific folders being accessed read/write for users who need it,
this can be done by a unique user or a group of users within an
organization. ex: right click and security tab, give IIS_IUSRS setting
read and write permissions on the folder. Or another way is that set
.Net Framework V4 in "Application Pool" to "Integrated" instead of
"Classic".
You can refer to this thread for the similar issue: ASP.NET is not authorized to access the requested resource when accessing temp folder
HI all I am developing a web API that will be using identity impersonation (using always the same functional identity valid in my domain) to check the status of configuration files of some servers. To do that, I add this to my web.config file
I also set my IIS server to neglate anonymous authentication and accept windows authentication for web service. However when I try to access the status of the files from a browser I noticed that the API is still using NT AUTHORITY\NETWORK SERVICE as the user and, of course, the access to the remote files is denied. Does anyone have an idea of what am I missing?
Thanks
My fault, forgot to set the Authentication mode to Windows in web.config
I'm developping an application, where the users can connect via Active Directory.
I searched but apparently i have to use a web service.
It is not a problem, because in the futur users from differents active directory will use this application (If the list of domain is on the webservice, i will not have to update the windows phone application)
So i have to implement a generic way, to connect with Active Directory via a WCF.
It is possible to implement a generic way to use Active Directory on a WCF?
Assuming that you are talking about user authentication, you might want to read these two articles:
Authentication, Authorization, and Identities in WCF
Using Active Directory Federation Services 2.0 in Identity Solutions
I like to use wcf (windows communication foundation) with windows authentication.
Do I need Active directory for this purpose?
How the server knows about the identity of the client?
If someone can found out the pass of the client that is using the wcf services, can he create the same user name on different computer and use the password to access the wcf services ?
Yes, if you want to use Windows authentication, you need Active Directory as the source where the user gets validated.
The way this happens is by means of a user "token" - when your client logs into his PC with his Windows credentials, the login process will check with AD whether the user is legit and issue a "token". This token is then used in calls to a WCF service to determine who it is that is calling the service.
What user account does my .Net WCF service run under when I am hosting it in IIS 7?
Is it the IUSR_machine account?
What is the easiest way for me to run under a different account? (Just for this service, I don't want other things hosted in my IIS to be affected).
To change just the single application, you'll need to create a new application pool and change the identity for that pool. That way, every other application will continue to run as-is, as the applications that use your new app pool will use that new identity.
To set the account used by anonymous users for a particular site, open the properties for that web site. Then, go to the Directory Security tab. Click the "edit" button in the authentication and access control box. In the window that appears you can specify the user account which will be used for anonymous access to the site. This will control the account used to access files, but may not apply to ISAPI applications (in which case a new application pool will be needed with its own permissions as already mentioned).