I have hosted a WCF service on IIS 6 using a custom AppPool. This AppPool is configured to run under a user who is in the IIS_WPG group.
I can access the service from a remote location and can see the WSDL as well, but when I try to access the same service through "WCF Test Client", I get the following error
Update: When I run the same service after changing the AppPool's identity to "Network Service", the service is accessible through the test client. So the service metadata isn't accessible only when the service runs under an identity other than "Network Service" (which is the default identity).
I have experienced this problem in the past and the solution was to authenticate using a service account between the client and the server hosting the service.
I have the same issue as described above. Here are the things I've done while finding a solution to this issue.
I will start with my deployment process of WCF to IIS 6.
Create a folder on the server and copy the WCF package.
Create an AppPool for your WCF.
Right-click the newly created AppPool, select Properties, then go to the Identity tab. Select "Configurable" then enter your service account credentials instead of NETWORK SERVICE.
I didn't create a new web site. In my case, I created a virtual directory under the Default Web Site and pointed it to the WCF folder that I'd copied.
Once the virtual directory is created, right-click on it then select Properties. Below are the settings for each tab
Virtual Directory Tab
Click the Create button to create the application name.
Select "Scripts Only" as the execute permission.
Select the AppPool that you have created.
Click Apply button to save changes.
Document Tab
Add new content - the name of your WCF .svc file.
Click Apply button to save changes.
Directory Security Tab
Click the Edit button under Authentication and access control.
Change the user name and password with your service account credential.
Click OK (enter the password again if reconfirmation is needed).
Click Apply button to save changes.
ASP.Net Tab
Select the 4.0.30319 version (if .NET Framework 4.0 is required)
Click Apply button to save changes.
Now, go to Computer Management > System Tools > Local Users and Groups > Groups
Open the IIS_WPG group and add your service account.
Then go to Start > Administrative Tools > Local Security Policy
Expand Security Settings > Local Policies > User Rights Assignment. Find "Log on as a service" then add your service account there.
Lastly, go to the C:\WINDOWS\Temp folder. Right-click on it then select Properties. Click the Security tab then add your service account.
To set a special permission, click the Advanced button.
Select your service account then click the Edit button. In the list of permissions, tick only the "List Folder/Read Data" and "Delete" permissions. Click OK and then Apply to apply the changes. If a message box prompts you, click Yes to apply to subfolders.
Now, the final moment. Make sure the app pool is running. Test the WCF in browser and then in WCF Test client.
In my case it's working perfectly :)
Hope this will help you...
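The walkthrough above is all done in the IIS 6 GUI; as an added check (not part of the answer), this PowerShell script verifies the three things it grants to the service account: IIS_WPG membership, the "Log on as a service" right, and only List Folder/Read Data plus Delete on %windir%\Temp. It assumes PowerShell is installed on the server, that it is run elevated, and that $ServiceAccount is a placeholder for your own account.

```powershell
# Added check, not from the original answer: verify the service-account prerequisites
# for a custom IIS 6 application pool identity.
# Assumptions: run elevated on the IIS server; $ServiceAccount is a placeholder.
param([string]$ServiceAccount = 'MYDOMAIN\svc_wcf')

$problems = @()

# 1. Local group membership. "net localgroup" prints the members one per line.
$groupOutput = net localgroup IIS_WPG
if (-not ($groupOutput -match [regex]::Escape($ServiceAccount))) {
    $problems += "$ServiceAccount is not a member of IIS_WPG"
}

# 2. User right. secedit exports the local policy; the right lists SIDs prefixed
#    with '*' (or plain account names), so look for either form of the account.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $inf
$pattern = [regex]::Escape("*$sid") + '|' + [regex]::Escape($ServiceAccount)
if (-not ($right -and ($right -match $pattern))) {
    $problems += "$ServiceAccount does not hold the Log on as a service right"
}

# 3. NTFS rights on the Temp folder: the answer ticks only List Folder/Read Data and Delete.
$fsr     = [System.Security.AccessControl.FileSystemRights]
$needed  = [int]$fsr::ReadData -bor [int]$fsr::Delete
$granted = 0
$acl = Get-Acl (Join-Path $env:windir 'Temp')
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -eq $ServiceAccount -and $ace.AccessControlType -eq 'Allow') {
        $granted = $granted -bor [int]$ace.FileSystemRights
    }
}
if (($granted -band $needed) -ne $needed) {
    $problems += "$ServiceAccount lacks List Folder/Read Data or Delete on $env:windir\Temp"
} elseif (($granted -band -bnot $needed) -ne 0) {
    # More than the two rights the answer grants: worth reviewing from a least-privilege angle.
    $problems += "$ServiceAccount holds extra rights on $env:windir\Temp: $([System.Security.AccessControl.FileSystemRights]$granted)"
}

if ($problems.Count -eq 0) { "All prerequisites for $ServiceAccount are in place." } else { $problems }
```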
Trying to implement Windows authentication on my published ASP.NET Core 2.2 application.
The hosting server is Windows Server 2016 (IIS).
I would like to use the logged-in Active Directory user account to authenticate the user on my application.
I'm getting the user details by these methods:
User.Identity.Name; //return null in local host, worked when IIS
System.Security.Principal.WindowsIdentity.GetCurrent() // local host
I keep getting the Sign in dialog box in the browser (I would like to get rid of it; even when entering credentials - <username> + password - it doesn't authenticate).
I would like to get rid of it
Stop getting error 401 - Unauthorized
I've configured whatever I was advised - both IIS and browser, but I still keep getting it:
Browser:
Browser security - entered the host IP address into the trusted sites
IIS:
Set Authentication => enabled Windows Authentication.
Through web.config - set "forwardWindowsAuthToken" to "true".
Site Configuration:
In the IIS site configuration (applicationHost) - system.webserver -> Security -> Authentication -> windows authentication -> "UseKernelmode" = "true"
ApplicationPool:
.NET CLR Version = "No Managed Code"
Managed Pipeline Mode = "Integrated"
even tried to change the Identity in the "advanced settings" from "ApplicationPoolIdentity" to "NetworkService"
NTFS permissions:
Set basic and default permissions for the account <Server host name>\IIS_IUSRS on the published code directory on the server: Read & Execute, List folder contents, Read.
Maybe the problem is here - because the IIS_IUSRS account is defined on the server and not in the domain?
You can try this method to solve the problem:
Open IIS and in Windows Authentication, right-click to set the Providers; set NTLM to be FIRST.
Check that under Advanced Settings... Extended Protection is Accept and Enable Kernel-mode authentication is checked.
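As an added example (not from the question or the answer above), this PowerShell script applies the IIS-side settings the thread converges on for an out-of-process ASP.NET Core 2.2 site: Windows authentication on, kernel-mode authentication on, Extended Protection "Accept", NTLM ahead of Negotiate, and the Windows token forwarded to the dotnet process. It assumes it is run elevated on the IIS server with the WebAdministration module available, that $SiteName is a placeholder for your site, and that every user of the site is expected to authenticate (so anonymous access is turned off).

```powershell
# Added example, not from the original thread: configure Windows authentication in IIS
# for an out-of-process ASP.NET Core 2.2 site.
# Assumptions: run elevated; WebAdministration module present; $SiteName is a placeholder.
param([string]$SiteName = 'MyCoreApp')
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$anon    = 'system.webServer/security/authentication/anonymousAuthentication'

# With anonymous enabled, IIS serves the request without a challenge; disable it so the
# Windows authentication module issues the 401 challenge itself.
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $anon    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $winAuth -Name enabled -Value $true

# The two "Advanced Settings..." items from the answer. IIS Manager's "Accept" for
# Extended Protection is tokenChecking="Allow" in applicationHost.config.
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $winAuth -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter "$winAuth/extendedProtection" -Name tokenChecking -Value 'Allow'

# Providers are an ordered collection: remove both entries, then add NTLM before Negotiate.
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $winAuth -Name providers -AtElement @{value = $p} -ErrorAction SilentlyContinue
}
foreach ($p in 'NTLM', 'Negotiate') {
    Add-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $winAuth -Name providers -Value @{value = $p}
}

# Out-of-process hosting: hand the caller's Windows token to the dotnet process. This writes
# the forwardWindowsAuthToken attribute of <aspNetCore> in the site's web.config.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/aspNetCore' -Name forwardWindowsAuthToken -Value $true

# Print the resulting provider order as a quick check (NTLM should be listed first).
Get-WebConfiguration -PSPath $appHost -Location $SiteName -Filter "$winAuth/providers/add" |
    Select-Object -ExpandProperty value
```

The application side of ASP.NET Core 2.x also has to register the IIS scheme (services.AddAuthentication(IISDefaults.AuthenticationScheme) in ConfigureServices) so that [Authorize] can issue a challenge through IIS.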
I have IIS 7.5 site:
Authentication = Windows Authentication enabled
Application Pool = DefaultAppPool
DefaultAppPool Identity = ApplicationPoolIdentity
Load User Profile = True
On the filesystem,
DefaultAppPool has Read and Execute privileges to the entire site.
Also added a security group with Read and Execute privileges to the entire site.
With these settings, only users in the security group are able to access the site. All others get an AD login window, which has no effect. I'm not understanding this behaviour.
From research, it looks like I don't need to add the DefaultAppPool to the filesystem if users are only executing, but that still doesn't explain why they get the login challenge.
I'm also unclear if I need to set the AuthenticatedUserOverride (in Config Editor) from UseAuthenticatedUser to UseWorkerProcessUser if I want to use the filesystem security of DefaultAppPool. When I set this, I get an access error, not even the login challenge.
Note: site is not in the Default Web Site, but on a specific port number.
I'm unclear why I seem to need users listed in an ACL rather than using the generic DefaultAppPool.
Windows authentication determines how you determine who is who. Impersonation means which user account the security context runs under. Because you are loading the user profile, the context is taking on the AD user's security. Your DefaultAppPool identity is now out of the picture, which is why you need ACLs on your files / folders.
Users who are not cleared at the ACL level will continue to receive the login prompt because IIS doesn't know what to do until an account that can access the files is provided. Watch in Fiddler and you'll continue to see challenge messages from the server.
I have a classic ASP app that I want to run under a specific Windows account/identity, e.g., "MEME". The ASP app's virtual root authentication is anonymous only (other types of auth are disabled) as the app will be doing forms authentication. The filter needs to force the app identity to MEME (IUSR doesn't have permissions to do all the things I need, like opening Service Manager etc.).
I have an ISAPI filter and have registered the SF_NOTIFY_AUTHENTICATION event. The event is firing and the filter sets pszUser = "MEME" (most of the time, and other times another "MEME2" account) and pszPassword = "memepass". But the app runs under the IUSR identity. IIS 7 ignores the settings of pszUser/pszPassword.
I can set the app identity statically by editing the virtual root, advanced properties, Physical Path Credentials = "MEME"/"memepass", and that works, but this is static and I need to determine MEME or MEME2 at run time.
If I enable Basic Auth then the pszUser/pszPassword set in the filter work correctly, but I cannot have any auth dialogs pop up on the client side.
So how do I make the ISAPI filter set the app identity to MEME (or any other Windows account)?
I have other events firing like SF_NOTIFY_PREPROC_HEADERS.
In the IIS Manager you can set the anonymous access on the root folder of your site to MEME and its password.
Do this by right-clicking on your site name and selecting Properties. Select the Directory Security tab and then edit the "Authentication and access control". Make sure "Enable anonymous access" is checked, and write the credentials to be used in the fields below. Click OK etc.
Now, if you only run this site on the IIS server, here is one solution that might work for the ISAPI filter.
You can set the ISAPI filter at a global level instead of the site level. Do the same thing as above but do it on the "Web Sites" node in the IIS Manager. Here change the anonymous user to MEME2 and then set your ISAPI filters.
Might work...
I'm getting the following error when I try to browse a web service that I added on IIS 7.
When I go to content view I can browse the end points. "HTTP Error 403.14 - Forbidden The Web server is configured to not list the contents of this directory".
If it is related to giving user permissions to an IIS user, how do I go about doing that?
This just means you have tried to browse the WCF service without the service file.
You need to browse to MyService.svc, for example, not just to the directory that contains it.
I have an ASP.NET web application in an internal Windows domain which calls a WCF service. In the WCF service I use SecurityContext.Identity.Name, so it needs impersonation.
Our task is that the web application can be accessed from anywhere.
The first step was that the administrators published the web application through ISA Server 2006. The main problem with this solution is that the browser doesn't save the user's login name and password in the ISA authentication form. In addition, the users want to access the web app from a Nokia mobile with Opera Mini.
What can I do in a simple way so that the browser saves the login name/password, so the user can use the application without re-entering the login data every 30/60 minutes?
Any best practice?
The standard is to store the username/password in a cookie and have the login page pull the login info from the cookie to auto-login. You can have this cookie expire in a month if you want to.
Here are some examples using different languages to add a "remember me" type functionality to save username and password in a cookie.
Cookies
php example
asp.net example
asp example
Response to creator's comments:
In order to modify the ISA login page, look at this article. You should be able to add the code to handle cookies by editing the login page file located in the directory C:\Program Files\Microsoft ISA Server\CookieAuthTemplates\ISA\HTML (assuming you installed ISA to that location).
I do not think there is an out-of-the-box configuration that allows you to set this up, but I did see some configuration for setting the trust level (#18 from the article) that you might want to play with.