HI all I am developing a web API that will be using identity impersonation (using always the same functional identity valid in my domain) to check the status of configuration files of some servers. To do that, I add this to my web.config file
I also set my IIS server to neglate anonymous authentication and accept windows authentication for web service. However when I try to access the status of the files from a browser I noticed that the API is still using NT AUTHORITY\NETWORK SERVICE as the user and, of course, the access to the remote files is denied. Does anyone have an idea of what am I missing?
Thanks
My fault, forgot to set the Authentication mode to Windows in web.config
Related
Is it possible to run IdentityServer3 in IIS (hosted in IIS) with only Windows Authentication enabled? Is it mandatory to have anonymous authentication also enabled? if so, why anonymous authentication is required?
I am running "MVC OWIN Client (Hybrid)" sample application and try to access the IdentityServer3, which is configured only with Windows Authentication in IIS. I am getting response as unauthorized, looks like "MVC OWIN Client (Hybrid)" sample is trying to access the ../dentityServer3/.well-known/openid-configuration' and failing, because anonymous is disabled.
Any suggestions?
The Microsoft OpenID Connect middleware makes a request to the discovery endpoint to download issuer metadata. This assumes that anonymous access is enabled.
You'd need to statically configure the middleware instead. You try to configure a BackChannelHandler that has Windows authentication enabled. Should work but haven't tried yet.
I have a WebAPI that I have successfully secured with Azure AD. When I run it locally (through Visual Studio), trying to access the WebAPI end point via a browser gives me
Authorization has been denied for this request.
Which is what I would expect. Accessing the WebAPI through a client with ADAL library works as it should. A forms login screen pops up, and authenticates me and passes back a token, which I can then use in my WebAPI requests.
Something I wouldn't expect happens if I deploy the WebAPI to an IIS server, and have Windows Authentication enabled for the site. When I try to hit it the IIS WebAPI end point through a browser, I get a Windows Authentication prompt. If I successfully authenticate the Windows Authentication, the WebAPI serves the response.
I guess I would expect that the WebAPI would return the same "Authorization has been denied for this request". Windows Authentication shouldn't authenticate me to the WebAPI if I've configured the WebAPI to use Azure AD authentication.
My question is, is this expected behaviour, and if so, why?
I can see from one perspective that the WebAPI can accept authentication from any method that I've configured. But part of me thinks that since the Azure AD authentication is configured in the WebAPI application, and not IIS, it should take precedence.
I have a iPad application. In which I am making a proxy object using WCF data services(OData).
While initializing an object I am getting authentication required error. My service is authentication configured as windows authentication on the IIS 7.0.
Can anyone help me, How can I send windows credentials to get access of all the verbs (POST,GET,DELETE and etc.) ?
You must configure your service for anonymous access (or Basic authentication) if you want to access it from iPad. Windows authentication is only for devices which are part of your windows domain (or for local authentication).
I like to use wcf (windows communication foundation) with windows authentication.
Do I need Active directory for this purpose?
How the server knows about the identity of the client?
If someone can found out the pass of the client that is using the wcf services, can he create the same user name on different computer and use the password to access the wcf services ?
Yes, if you want to use Windows authentication, you need Active Directory as the source where the user gets validated.
The way this happens is by means of a user "token" - when your client logs into his PC with his Windows credentials, the login process will check with AD whether the user is legit and issue a "token". This token is then used in calls to a WCF service to determine who it is that is calling the service.
When I run my WCF service on my local machine, it works fine. When I deploy the same files to our test server, I get this error when my test client tries to connect to the WCF service:
Security Support Provider Interface (SSPI) authentication failed. The
server may not be running in an account with identity 'host/Server01'.
If the server is running in a service account (Network Service for
example), specify the account's ServicePrincipalName as the identity
in the EndpointAddress for the server. If the server is running in a
user account, specify the account's UserPrincipalName as the identity
in the EndpointAddress for the server.
What does this mean and what area should I be looking to fix? I played around with the web.config identity section, but I'm still unsure what is needed.
I got a similar error before but the message is somewhat different
Right click on the application pool the web site is running under, click on Property then go to the Identity tab. Try to put the "host/Server01" identity in and see if that helps.
This error can also happen for Microsoft Dynamics GP Web Services. In our case, it turns out that the person who set up the GP Web Services used his personal user account as the service account. When he changed his password, it broke the web services.
So, check your user identity and password if your web service used to work but no longer works.