This is my connection string, which the web service (hosted in IIS, running under ApplicationPoolIdentity) uses to connect to the database:
<add name="AdventureWorksEntities" connectionString="metadata=.\AdventureWorks.csdl|.\AdventureWorks.ssdl|.\AdventureWorks.msl;provider=System.Data.SqlClient;provider connection string='Data Source=TestMachine;Initial Catalog=AdventureWorks;Integrated Security=True;Connection Timeout=60;multipleactiveresultsets=true'" providerName="System.Data.EntityClient" />
When I try to access the site I am getting an exception: Login Failed for user MyDomain\TestMachine$.
Why is IIS trying to use TestMachine to connect and not my user account (e.g. MyDomain\TestUser)?
The reason, I believe, could be that it's hosted under ApplicationPoolIdentity, which uses machine creds.
How do I specify it to use the context of the user that made the request without having to run the application under a custom identity (i.e. I want it to continue running under ApplicationPoolIdentity)?
If I set <identity impersonate="true" /> in my web.config file then I am able to access the site locally from the IIS server machine and access to the database works, but then accessing the site remotely fails. My web service is using Windows Authentication. Any thoughts on this?
You need to enable Windows Authentication and ASP.NET Impersonation in IIS.
Then in your web.config:
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="true" />
</system.web>
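As an added example (not from the question or the answer above), a small Python audit of web.config connection strings that reports which principal will actually log in to SQL Server. The EntityClient format from the question nests the SqlClient string inside quotes, so a quote-aware splitter is used; the sample config, the host and account names and the password are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment (sample data, not a real deployment): one EntityClient
# string shaped like the one in the question and one plain SqlClient string with SQL credentials.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="AdventureWorksEntities"
         connectionString="metadata=.\AdventureWorks.csdl|.\AdventureWorks.ssdl|.\AdventureWorks.msl;provider=System.Data.SqlClient;provider connection string='Data Source=TestMachine;Initial Catalog=AdventureWorks;Integrated Security=True;Connection Timeout=60;multipleactiveresultsets=true'"
         providerName="System.Data.EntityClient" />
    <add name="LocalSQLServer"
         connectionString="Data Source=localhost;Initial Catalog=MYDB;User ID=appuser;Password=Sample123;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

# key=value pairs separated by ';', where a value may be single- or double-quoted
# (EntityClient wraps the whole SqlClient string in quotes, so a plain split on ';' breaks it)
_PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^;]*))\s*(?:;|$)""")

def parse_conn_str(s):
    """Return {lower-cased key: value} for an ADO.NET-style connection string."""
    pairs = {}
    for m in _PAIR.finditer(s):
        pairs[m.group(1).strip().lower()] = next(v for v in m.groups()[1:] if v is not None)
    return pairs

def effective_sql_login(conn_str, impersonate=False):
    """Say which principal logs in to SQL Server for this string.
    impersonate: whether <identity impersonate="true" /> is in effect for the request."""
    kv = parse_conn_str(conn_str)
    if "provider connection string" in kv:      # EntityClient -> unwrap the inner SqlClient string
        kv = parse_conn_str(kv["provider connection string"])
    if kv.get("integrated security", "false").lower() in ("true", "sspi", "yes"):
        login = ("the impersonated request user" if impersonate
                 else "the worker process identity (DOMAIN\\MACHINE$ for ApplicationPoolIdentity on a remote SQL Server)")
        return {"auth": "integrated", "login": login, "password_in_config": False}
    return {"auth": "sql",
            "login": kv.get("user id") or kv.get("uid"),
            "password_in_config": "password" in kv or "pwd" in kv}

def audit_web_config(xml_text, impersonate=False):
    """Map every <add name=...> under <connectionStrings> to its effective SQL login."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): effective_sql_login(add.get("connectionString"), impersonate)
            for add in root.find("connectionStrings").findall("add")}
```

Run it against a real web.config by reading the file into `audit_web_config`; an "integrated" entry without impersonation is the machine-account login the question describes, and a "sql" entry with `password_in_config` set is a credential stored in clear text.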
How do I connect the .NET application to the database using a service account? My application currently has a connection string which connects directly to the database.
Add the below tags into your web.config file:
<identity impersonate="true" />
<authentication mode="Windows" />
Create an AD group and add the group name into app settings:
<add key="as you preferred" value="AD Group name" />
Authenticate on login, and set the identity of your application pool to that specific user.
I'm new to the ASP.NET world. I'm building an ASP.NET MVC 4 web application. It has basic HTTP authentication. At the beginning it asks for a user name and password. After authentication it starts some view. During debugging, if successfully authenticated, I continue debugging to some other view/controller. If I stop debugging or the app crashes, on the next debug run it never prompts me for authentication. It takes me to the view which comes after authentication. I suppose it caches my authentication from the previous run. I tried to find a solution on the net and found many suggestions such as:
Restart IIS
Remove cache files from c:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Users\user\AppData\Local\Temp\Temporary ASP.NET Files
Modify web.config and rebuild, then launch.
Remove browser cache.
Even restarting the PC doesn't help.
I tried all of them and nothing is working. As I'm new, I'm not sure if my web.config file has the right configuration for HTTP basic authentication. Here it is:
<system.web>
  <compilation debug="true" targetFramework="4.5.1" />
  <httpRuntime targetFramework="4.5.1" />
  <identity impersonate="true" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" />
  </authentication>
</system.web>
My environment: Windows 7, IIS 7.5, Visual Studio 2012. Please advise me how I can force authentication every time or start in the initial state. Thanks in advance!
It's the browser cookie that is letting you in as it's still valid for your application. Clear your browser cookies or start an in-private session.
I have developed an MVC application and hosted it on a server. I used a service account as the app pool identity and provided full access (SysAdmin) on the database to that service account only. Below are my configurations in Web.config and code.
Web.config:
<authentication mode="Windows" />
<identity impersonate="false"/>
In my data access layer I'm using the below code to get the Windows identity:
string windowsLogin = HttpContext.Current.User.Identity.Name.ToString();
Now my issue is, when I'm accessing my application it is taking the app pool identity instead of the Windows identity.
If I set the identity in Web.config to impersonate="true" I'm able to get the Windows login, but the communication between application and database happens with my Windows login instead of the app pool identity (service account).
How can I get the identity of the user accessing the application and not the IIS APPPOOL user?
My issue got resolved with the below settings.
Created an app pool, ran it as the service account and configured it for the web site in IIS.
In my code file:
string windowsLogin = HttpContext.Current.Request.ServerVariables["LOGON_USER"].ToString();
In the Web.config file:
<authentication mode="Windows">
</authentication>
<authorization>
  <deny users="?" />
</authorization>
<identity impersonate="false" />
Note: It will give you an error if you run it from the Visual Studio IDE. If you publish and run it from IIS it will work.
Situation:
I have a .NET asmx web service deployed on my web server. This service calls a service on another server (our SharePoint server, if that's relevant). I want to impersonate/delegate the call to the SharePoint service from my web service by using the credentials of the client.
Problem:
I'm getting a 401 response back from the SharePoint service when I call MY Web Service and it calls SharePoint.
Setup:
My web server is running IIS 7. The app pool is running under "Network Service".
On my Windows Server 2003 domain controller the web server has "Trusted for Delegation (Kerberos Only)" enabled.
In IIS my app has Anonymous Authentication disabled, Impersonation enabled, and Windows Authentication enabled with all three providers enabled (Negotiate:Kerberos, Negotiate, and NTLM).
The SharePoint server is set up with Anonymous enabled, Impersonation enabled and Windows Authentication enabled with ONLY the NTLM provider enabled.
I can see in the SharePoint logs that when I run locally in Visual Studio a username is getting passed through (and the service works correctly), but when I run it on the web server NO username is in the log file and I get a 401 error.
What am I setting up wrong to make the Kerberos delegation work?
Ideas? Thanks!
Platform:
Using IIS7, this is what I did on BOTH servers: the first server and the second that we want the Kerberos authentication to "hop" to.
Step 1:
For the IIS site that has the services in it that you are calling (on each server), go into IIS Manager, click on the site on the left under Connections and open up the "Authentication" section under IIS. Set "ASP.NET Impersonation" to Enabled and "Windows Authentication" to Enabled. All other options under Authentication (Anonymous, Forms, etc.) should be set to Disabled.
Under "Windows Authentication" right click and select "Providers". Set the only provider to be "Negotiate:Kerberos". (This forces Kerberos. If you want, after you get Kerberos working, you can use both the "Negotiate" and "NTLM" providers and remove "Negotiate:Kerberos" so that clients unable to do Kerberos can connect. Note: I currently have mine set to "Negotiate" and "NTLM" and it seems to work.)
Under "Windows Authentication" right click and select "Advanced Settings". Uncheck the "Enable Kernel-mode" box. (My Extended Protection option was set to Off; I didn't try anything else.)
Step 2:
For each server you have to set up SPNs. The SPNs would be the following (either A OR B):
A:
If your app pool is running under an IDENTITY that is a DOMAIN ACCOUNT, add the following SPNs to THAT DOMAIN ACCOUNT on the domain controller:
http/COMPUTER_NETBIOS_NAME
http/COMPUTER_NETBIOS_NAME.FULLY_QUALIFIED_DOMAIN_NAME
http://COMPUTER_NETBIOS_NAME.FULLY_QUALIFIED_DOMAIN_NAME
(If you're not running on the default port, also add an additional 3 entries with the port attached: http/COMPUTER_NETBIOS_NAME:PORT etc.)
B:
If your app pool is running under the IDENTITY "NetworkService", then add the same SPNs as above except replace "http" with "HOST", BUT ADD THEM TO COMPUTER_NETBIOS_NAME on your domain controller.
I'm still working to implement this in production, but this is what works for me in my Test environment. I'll keep this updated as I find out more.
Note:
This works if you are using the COMPUTER_NETBIOS_NAME directly in the URL when you connect. If you are using an alias (www.mysite.mydomain.com) or the IP address directly, this will not work. I believe, although I have not fully tested it, that you would have to follow the steps above but replace COMPUTER_NETBIOS_NAME with the alias or IP address when adding the SPNs (or add it with both the NetBIOS name and the alias/IP, not really sure).
Also, if you get an error about a setting not being valid for integrated... after you turn on the "ASP.NET Impersonation" then you might need to add
<validation validateIntegratedModeConfiguration="false" />
to your web.config in the system.webServer section
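An added example (not part of the answer above) that turns Step 2 and the Note into a check: it derives the SPN a client will request from the URL it calls, decides whether case A (the domain account) or case B (the computer account) has to hold it, and compares that with a constructed sample of registered SPNs. The domain, host and account names are made up.

```python
from urllib.parse import urlsplit

# Constructed sample of what `setspn -L <account>` would list per account (not real data).
REGISTERED_SPNS = {
    "MYDOMAIN\\svc_webpool": ["HTTP/WEB01", "HTTP/WEB01.mydomain.local"],
    "WEB01$": ["HOST/WEB01", "HOST/WEB01.mydomain.local"],
}

BUILT_IN_IDENTITIES = ("networkservice", "applicationpoolidentity", "localsystem")

def required_spn(url):
    """The client derives the SPN from the host in the URL: HTTP/host, plus :port only
    when the port is not the scheme default. An alias or IP in the URL therefore needs
    its own SPN, which is what the Note above describes."""
    u = urlsplit(url)
    spn = f"HTTP/{u.hostname}"
    if u.port is not None and u.port != (443 if u.scheme == "https" else 80):
        spn += f":{u.port}"
    return spn

def spn_holder(app_pool_identity, computer_netbios):
    """Step 2 above: a domain-account pool identity must hold the SPNs itself (case A);
    a built-in identity authenticates as the computer account, so they go there (case B)."""
    if app_pool_identity.lower() in BUILT_IN_IDENTITIES:
        return computer_netbios.upper() + "$"
    return app_pool_identity

def check_delegation_spn(url, app_pool_identity, computer_netbios, registered):
    """Return (ok, spn, account, hint) for the first hop of the double-hop scenario."""
    spn = required_spn(url)
    account = spn_holder(app_pool_identity, computer_netbios)
    wanted = {spn.lower()}
    if account.endswith("$"):
        # AD's default sPNMappings let HOST/name on the computer account satisfy HTTP/name
        wanted.add(spn.lower().replace("http/", "host/", 1))
    have = {s.lower() for s in registered.get(account, [])}
    if wanted & have:
        return True, spn, account, ""
    # The same SPN on a different account is the classic wrong-account / duplicate-SPN failure
    elsewhere = [a for a, spns in registered.items()
                 if a != account and spn.lower() in {s.lower() for s in spns}]
    if elsewhere:
        return False, spn, account, f"{spn} is registered on {elsewhere[0]}, not on {account}"
    return False, spn, account, f"missing; register with: setspn -S {spn} {account}"
```

Feed it the real output of `setspn -L` for the pool account and the computer account to see which SPN the alias case in the Note is missing before touching the domain.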
Try this:
Move Negotiate to the top of the Providers list. And, in the applicationHost.config file, usually under C:\Windows\System32\inetsrv\config, add useKernelMode="true" useAppPoolCredentials="true" to the <windowsAuthentication> tag under the <location> tag for your application, like below:
<location path="YOUR_APPLICATION_PATH">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
Delegation requires Kerberos. You'll have to make the SharePoint server support authentication with Kerberos.
What is the best way to set up username and password authentication in a Silverlight-Enabled WCF web service?
The best way for me has been forms authentication, using ASP.NET application services.
Basically you expose 3 *.svc files in your WCF service that handle authentication, roles, and profiles. There is no code-behind because it's built into the .NET assemblies. You will have to do some configuration in the .config (see link) to enable them.
Details here: http://blogs.msdn.com/brada/archive/2008/05/03/accessing-the-asp-net-authentication-profile-and-role-service-in-silverlight.aspx
Side Note on ASPNETDB.MDF
Normally all the user accounts and profiles will be in ASPNETDB.MDF, which is a local file in the App_Data folder, but I find this clumsy, especially with permissions, so I kept it in my primary WCF database; you can choose another if you have the connection string. To initialize it I ran C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql -C "Data Source=localhost;Initial Catalog=MYDB;Persist Security Info=True;User ID=**;Password=****;" -A all to include the ASP.NET membership tables and sprocs in the db of my choice. If you do this, ensure you override the default LocalSQLServer connection string or it won't find the db, like this in the web.config of your ASP.NET website:
<connectionStrings>
  <clear/>
  <add name="LocalSQLServer" connectionString="Data Source=localhost;Initial Catalog=MYDB;Persist Security Info=True;User ID=**;Password=****;" providerName="System.Data.SqlClient" />
</connectionStrings>
To actually add user accounts and roles:
1) From Visual Studio,
2) click on your ASP.NET website.
3) There should be a menu above called Website that shows up; select ASP.NET Configuration and your browser will start with the configuration website that will edit your config and update the configured database with accounts and roles.
I hope this helps.