I have a website hosted in IIS and RavenDb is running as a service on another box. The WebSite is running an application pool as a domain service account user.
I am trying to restrict all access to the Raven server such that only users in a domain user group can have any access to Raven Studio. I have successfully seen Raven throw a 401 response from the website code when I used a local machine account. All other access to the Raven server via Raven Studio has been permitted no matter what I've tried.
I have RavenDb build 2750 and the license status is Commercial Standard.
The RavenDb.Server.exe.config file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="Raven/Port" value="8080"/>
    <add key="Raven/DataDir" value="D:\data\Raven.Data\System"/>
    <add key="Raven/Authorization/Windows/RequiredGroups" value="Raven_Administrators_Group" />
    <add key="Raven/AnonymousAccess" value="None" />
  </appSettings>
  <runtime>
    <loadFromRemoteSources enabled="true"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="Analyzers;Plugins"/>
    </assemblyBinding>
  </runtime>
</configuration>
The example above is one of dozens of iterations of trial and failure so far. The Raven_Administrators_Group is a local machine group on the box where the Raven server is running. There are no members that have been added to that group.
The Raven/Authorization/WindowsSettings document looks like this at the moment:
{
  "RequiredGroups": [
    {
      "Name": ".\\Raven_Administrators_group",
      "Enabled": true,
      "Databases": [
        {
          "Admin": true,
          "TenantId": "*",
          "ReadOnly": false
        }
      ]
    }
  ],
  "RequiredUsers": []
}
I have tried many different combinations of things.
It is unclear whether or not the Raven.Bundles.Authorization.dll bundle must be in the plugins folder.
It is unclear whether or not the Raven.Server.exe.configuration is independent of the Raven/Authorization/WindowsSettings document settings.
I have created a simple ASP.NET Core 3.1 WebAPI project in Visual Studio 2022.
I want to log any errors. I have been following this post https://github.com/MicrosoftDocs/azure-docs/issues/31380.
First I added a webconfig.config to the project and added the following to enable logging:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="aspNetCore"/>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="true" stdoutLogFile="\LogFiles\stdout"></aspNetCore>
  </system.webServer>
</configuration>
I then created a folder on my FTP server to store the LogFiles in the publish folder and set the write permissions to 644.
I have also added the following to the Program.cs class:
Host.CreateDefaultBuilder(args)
    .ConfigureWebHostDefaults(webBuilder =>
    {
        webBuilder.UseStartup<Startup>();
        webBuilder.CaptureStartupErrors(true)
            .UseSetting("detailedErrors", "true");
    });
I did edit the WebAPI.csproj file to enable the OutOfProcess hosting model to allow more than one project to run on separate subdomains.
<PropertyGroup>
  <TargetFramework>netcoreapp3.1</TargetFramework>
  <AspNetCoreHostingModel>OutOfProcess</AspNetCoreHostingModel>
</PropertyGroup>
When I access the API in the browser the log files are not created even if there is a startup error.
Does anyone have any experience of getting this working on 1&1 IONOS Windows Hosting packages?
I am using windows authentication on an intranet that has been duplicated for two different environments with different servers being accessed. I am using a domain without periods rather than IP so it should log in automatically but it prompts for a login on site 1. On site 2 it prompts for a login, but regardless of which user logs in, WindowsIdentity.GetCurrent().Name always returns my login which was the very first login rather than the current user.
Here is my configuration:
Anonymous authentication: disabled
Windows authentication: enabled
web.config:
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="true" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer>
Why is it prompting for a login and why is one instance logging in properly and the other not?
Made the mistake of setting a user when the application was created. It is working now.
I want to have a web page on my website on Windows 2012 R2 server that only John.Doe can access. The page is in the test folder and I assigned John.Doe to have Read and Execute permission, but I can't access the page with John.Doe credentials in the web browser.
This type of configuration was working on Windows 2003 server. Why didn't it work on Windows 2012? Please help!
TIA
When you run the IIS site, it runs under the application pool identity, not under the specific user. If you want to run as a specific user, you have to assign the custom account in the IIS application pool identity.
Try to use Process Monitor to troubleshoot the issue:
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Code to restrict user:
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="" roles="Administrators" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/authorization/
https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
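Added example (not part of the original answer): the same authorization section, scoped to the test folder from the question and limited to a single account instead of a role. EXAMPLE\John.Doe is a placeholder account name, and the example assumes the URL Authorization role service is installed and that the authentication sections are unlocked for use in web.config (they are locked at server level by default).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Rules inside <location> apply only to /test; the rest of the site keeps its own settings. -->
  <location path="test">
    <system.webServer>
      <security>
        <!-- Assumption: these two sections are unlocked in applicationHost.config.
             If they are not, set the same values for the folder in IIS Manager. -->
        <authentication>
          <!-- With anonymous access on, no user name is ever presented,
               so a per-user allow rule can never match. -->
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
        <authorization>
          <!-- Drop the inherited default rule that allows all users. -->
          <remove users="*" roles="" verbs="" />
          <!-- Placeholder account: replace EXAMPLE\John.Doe with the real DOMAIN\user. -->
          <add accessType="Allow" users="EXAMPLE\John.Doe" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Requests from any other authenticated account are rejected by the URL Authorization module with 401.2; the NTFS Read permission on the folder remains a second, independent check.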
I have an asp.net mvc project. I installed imageresizing nuget packages. It's working in local.
When I published to my hosting then it's not working.
I set IIS situation integrated and classic but still didn't work.
I couldn't solve, can you help please? Thanks.
The following definitions exist in web.config:
<resizer>
  <plugins>
    <add name="MvcRoutingShim" />
    <add name="DiskCache" />
    <add name="SimpleFilters" />
    <add name="PrettyGifs" />
  </plugins>
</resizer>
<modules runAllManagedModulesForAllRequests="true">
  <add name="ImageResizingModule" type="ImageResizer.InterceptModule" />
</modules>
The self-diagnostics page at /resizer.debug explains the configuration issues present on your hosting environment:
Image resizer diagnostic sheet 24.11.2014 22:15:04
2 Issues detected:
(Critical): Grant the website SecurityPermission to call UrlAuthorizationModule.CheckUrlAccessForPrincipal
Without this permission, it may be possible for users to bypass UrlAuthorization rules you have defined for your website, and access images that would otherwise be protected. If you do not use UrlAuthorization rules, this should not be a concern. You may also re-implement your security rules by handling the Config.Current.Pipeline.AuthorizeImage event.
DiskCache(ConfigurationError): Not working: Your NTFS Security permissions are preventing the application from writing to the disk cache
Please give user read and write access to directory "D:\inetpub\adafirin.com\www\imagecache" to correct the problem. You can access NTFS security settings by right-clicking the aformentioned folder and choosing Properties, then Security.
I was playing around on my local machine with getting RavenDb to use SSL running in server mode. It worked, after a while.
I am now trying to roll back to before SSL, and am having a weird issue. Under http, I was using port number 123 (for example). I changed this to use port 443 (in order to use https).
After uninstalling the SSL cert and rolling back the Raven.Server.exe.config file (so Raven/Port is now set to 123 again), when I load the studio, I get a 503 Service Unavailable error. The weird bit is, if I now change the port number to 122 (or anything not 123), the studio loads fine under http. It's as if that port number has been destroyed or something.
My question is this: What the flip is going on and how can I fix it?
By the way, I can't just change the port number, that would involve getting my whole team to change it on their dev environments.
An example of my Raven.Server.exe.config file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="Raven/Port" value="123"/>
    <add key="Raven/DataDir" value="~\Database\System"/>
    <add key="Raven/AnonymousAccess" value="Admin"/>
    <add key="Raven/HostName" value="ravendb.mydomain.com" />
  </appSettings>
  <runtime>
    <loadFromRemoteSources enabled="true"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="Analyzers;Plugins"/>
    </assemblyBinding>
  </runtime>
</configuration>
You need to do:
Raven.Server.exe --uninstallSSL