how to assign read/write access to application pool in IIS - wcf

So how can I assign read/write access to this account (Network Service), or should I create a new account? The WCF service will be on a public domain.
I am using IIS6.

What version of IIS you are using is usually a good thing to include in the question.
Older versions of IIS (5) use ASPNET and newer versions use Network Service.
You can adjust permissions as you normally do in Windows or via your Hosting Control Panel.

It's best practice to make this a new account that you can control the direct privileges of, since Network Service can have a bit higher level of permissions. You can change this under the Application Pool in IIS that your website hosting WCF is running as.
Then, wherever your website needs the read/write access, grant it to this new account.

Recommended identity / user for Kestrel + .NET Core (Windows)

When using Kestrel with IIS you define an Application Pool and identity (user). The default identity is "ApplicationPoolIdentity" but can be one of the following or a custom user:
When the application runs, Kestrel runs under the Identity you defined in IIS:
However, when using Kestrel behind a proxy server such as nginx (or standalone) what is the recommended "identity" (user) to use and how does one go about using it with Kestrel?
When you host Kestrel behind a proxy on Windows it is recommended to host the ASP.NET Core app in a Windows Service. Nginx would be configured to reverse proxy the application's URL (e.g. http://localhost:5000) and the ASP.NET application would run under whatever user the service is configured to run as.
If you are hosting on Linux then you are responsible for creating your own service using whatever technology the underlying operating system provides (e.g. systemd, upstart, etc.)
The 'recommended' identity to use depends on what resources the ASP.NET app needs to access. The LocalService account has the same privileges as a member of the Users group.
You seem to be confused here. What you're talking about is the Application Pool Identity (which is what the window is even labeled as). The App Pool is essentially the process that serves your website. Processes run under accounts, be it a system, service, network, or user account. What account the process runs under determines (obviously) its permissions and access. By default, in IIS, App Pools run under ApplicationPoolIdentity, which is just a local service account, with relatively limited permissions.
None of this has anything to do with Kestrel. Kestrel is just a simple web server. IIS merely acts as a reverse proxy. It accepts requests, hands them off to Kestrel, gets the response from Kestrel, and then sends that response back to the client. IIS gives you your security and administration layer, while Kestrel just handles the grunt work of serving the requests.
As a result, IIS can be interchanged for pretty much any web server that can act as a reverse proxy, such as Nginx. This would work the same way. Again, you don't define anything with Kestrel. It's just grunting along serving the requests the reverse proxy forwards it. It doesn't know or care what that reverse proxy is, and it doesn't matter.
That said, in either scenario there is no such thing as a "recommended identity" to use. This is a security aspect you are responsible for making a decision on. IIS has a default service account and Nginx probably has one as well. (I haven't run Nginx on Windows, but on Linux, it literally runs under nginx:nginx.) For some, that's fine. Others decide to use a dedicated network account or a custom local service account. Still others decide to run under an actual user account. There are various reasons for each option and there's no one "right" way to do it, only a "right" way for your app, your server, your network, and your organization. No one can make those decisions for you.

Authentication against Active Directory using a Mobile Device

I currently have a Mobile Application that communicates through a WCF Service to access a Database. The Mobile App can access on the network as well as externally. It connects to the WCF Service which is hosted on one server inside the network. From there the WCF Service is pointing at another server which is hosting the Database that the Mobile Device is accessing.
With the above process, how would you set up authentication using Active Directory, which would confirm the user of the Mobile Application before it can access the WCF Service, to confirm that the user is a member of AD so they can then log in after authorization is complete? This would occur as the user opens the Application. Would this be coded into the App to prompt for the information, then send the information to the WCF Service, which would then allow access? If not this, then are there any other ways, or information/links that can be provided please?
Take a look at the BUILD 2013 videos. Visual Studio 2013 will create a web project that will automagically do all that for you (I think). Just bear in mind, it uses the Microsoft.OWin.Security beta packages.
Also...you will need to install the AspNetWebTools2013 package first...
http://www.asp.net/visual-studio/overview/2013/creating-web-projects-in-visual-studio#orgauthoptions

Directory access outside of wwwroot for a WCF service hosted on IIS

I've been working on a WCF service that is currently hosted on IIS. I need to get the WCF service to access a directory outside of the wwwroot folder.
Am I right in assuming that directory access outside of wwwroot is restricted to WCF apps hosted on IIS as it would be restricted for an ASP.Net application hosted on IIS?
If this is the case, what is the safest way of allowing the WCF service to access a set folder outside of the wwwroot?
BTW - I'm running in Mixed Transports Mode, not ASP.Net compatibility mode.
File access is going to be limited based on the identity of the application pool that is hosting your service. Your service will be able to access any file the application pool identity has access to, whether it is in the root of your IIS website or not. If you want to access files within the root of your website using relative paths with something like Server.MapPath then you'll have to run your WCF service in ASP.Net compatibility mode. See the following page for details on WCF with ASP.Net compatibility mode:
http://msdn.microsoft.com/en-us/library/aa702682.aspx
I think that the best approach is to create another application pool for your service and assign a specially created account as the identity of your new application pool. Then give the account the needed permissions on the folders and files you need to access. You can make the external folder a virtual directory of the site if you want to reference it with a relative path.
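The approach recommended in this answer and in the first question on this page (a dedicated application pool running as a purpose-made account, with read/write granted to that account only on the folder it needs) as an added C# example; this is not code from the original answers. It assumes IIS 7 or later (the Microsoft.Web.Administration API; IIS6 has no managed equivalent), the classic .NET Framework, an elevated process, and that the local account WcfSvcUser already exists; the pool name, folder path and the WCF_SVC_PWD environment variable are placeholders.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Web.Administration;

static class AppPoolAccess
{
    // Create (or reuse) a dedicated application pool and run it as a specific
    // low-privilege account rather than Network Service. Requires elevation.
    static void ConfigurePool(string poolName, string user, string password)
    {
        using (var mgr = new ServerManager())
        {
            ApplicationPool pool = mgr.ApplicationPools[poolName] ?? mgr.ApplicationPools.Add(poolName);
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
            pool.ProcessModel.UserName = user;
            pool.ProcessModel.Password = password;
            mgr.CommitChanges();
        }
    }

    // Grant Modify (read, write, delete; not Full Control) on one folder,
    // inherited by its files and subfolders, to the pool's account only.
    static void GrantReadWrite(string folder, string user)
    {
        DirectorySecurity acl = Directory.GetAccessControl(folder);
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(user),
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        Directory.SetAccessControl(folder, acl);
    }

    static void Main()
    {
        // Placeholder local account; the password is read from the environment
        // so that it is not embedded in the source.
        string user = Environment.MachineName + @"\WcfSvcUser";
        string password = Environment.GetEnvironmentVariable("WCF_SVC_PWD");
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException("WCF_SVC_PWD is not set.");

        ConfigurePool("WcfServicePool", user, password);
        GrantReadWrite(@"C:\ServiceData\Uploads", user);  // folder outside wwwroot
    }
}
```

The web site or virtual directory then has to be assigned to WcfServicePool in IIS Manager (or via the same API) for the grant to apply to the service.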

Why would you want to deploy a Web Service as a Web Role on Azure?

I was under the impression that a Web Service should be run under a worker role. I just found out that a web service can be set up using the web role. What are the advantages to using one role over the other?
If you use the Web Role, your service will be hosted in a full IIS, and you can for example co-host it with your Web site, and use all of IIS features.
If you go for a Worker Role, you will have to new up a ServiceHost to host your service. You will not run within IIS.
I answered a similar question here. Note that, even with a Web Role, you'll have your choice of hosting your web service via IIS or on your own with a Service Host.
Back in March, there was an update to input port handling, so now you can spread your input ports out across your roles in any fashion you like, even having up to 25 in one role. This mitigates issues related to single-role deployments with RDP enabled (since in that case, RDP consumes 2 input ports). See my blog post here for more info about port allocation, as it really opens up options for you when setting up service-hosting.
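What "newing up a ServiceHost" in a worker role looks like, as an added C# example rather than code from the original answers. It assumes the Microsoft.WindowsAzure.ServiceRuntime assembly, an endpoint named WcfEndpoint declared in the role's ServiceDefinition.csdef, and a placeholder IPingService contract.

```csharp
using System;
using System.ServiceModel;
using Microsoft.WindowsAzure.ServiceRuntime;

// Placeholder contract and implementation.
[ServiceContract]
public interface IPingService
{
    [OperationContract]
    string Ping(string name);
}

public class PingService : IPingService
{
    public string Ping(string name) { return "pong: " + name; }
}

public class WorkerRole : RoleEntryPoint
{
    private ServiceHost _host;

    public override bool OnStart()
    {
        // Take the address and port from the endpoint declared in
        // ServiceDefinition.csdef (assumed name "WcfEndpoint"); never hardcode them.
        var ep = RoleEnvironment.CurrentRoleInstance.InstanceEndpoints["WcfEndpoint"].IPEndpoint;
        var address = new Uri(string.Format("net.tcp://{0}:{1}/ping", ep.Address, ep.Port));

        // SecurityMode.None is only acceptable for an internal endpoint reached
        // by other role instances; an input endpoint exposed to the internet
        // needs transport security (e.g. a certificate) on this binding.
        var binding = new NetTcpBinding(SecurityMode.None);

        _host = new ServiceHost(typeof(PingService), address);
        _host.AddServiceEndpoint(typeof(IPingService), binding, string.Empty);
        _host.Open();
        return base.OnStart();
    }

    public override void OnStop()
    {
        if (_host != null) _host.Close();
        base.OnStop();
    }
}
```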

How to secure a WCF service using NetNamedPipesBinding so that it can only be called by the current user?

I'm using a WCF service with the NetNamedPipesBinding to communicate between two AppDomains in my process.
How do I secure the service so that it is not accessible to other users on the same machine?
I have already taken the precaution of using a GUID in the Endpoint Address, so there's a little security through obscurity, but I'm looking for a way of locking the service down using ACL or something similar.
See http://blogs.charteris.com/blogs/chrisdi/archive/2008/06/23/exploring-the-wcf-named-pipe-binding-part-3.aspx for one way to do it via ACLs.
You can use WCF authentication. One of the options is to validate against the Windows username and password. If you use Active Directory, you can use that too (harder to set up, but less of a burden). http://blogs.msdn.com/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx.
WCF NetNamedPipesBinding has only Transport Security
http://msdn.microsoft.com/en-us/library/ms731699.aspx
Is this a shared PC? Do you have several users logging on locally to the same physical machine?
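Because the binding only offers transport security and does not expose the pipe's ACL itself, one defence-in-depth check is to have the service compare the authenticated caller's SID with the SID of the user hosting it. This is an added C# example, not code from the original answers; ICallback is a placeholder contract and the in-process client stands in for the second AppDomain.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ICallback
{
    [OperationContract]
    string Echo(string text);
}

public class CallbackService : ICallback
{
    public string Echo(string text)
    {
        RejectOtherUsers();
        return text;
    }

    // With NetNamedPipeSecurityMode.Transport the caller is authenticated with its
    // Windows identity; accept the call only when its SID equals the host user's SID.
    static void RejectOtherUsers()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;
        SecurityIdentifier self = WindowsIdentity.GetCurrent().User;
        if (caller == null || caller.IsAnonymous || !self.Equals(caller.User))
            throw new SecurityAccessDeniedException("Only the hosting user may call this service.");
    }
}

static class Program
{
    static void Main()
    {
        // A random pipe name, as in the question, plus transport security.
        string address = "net.pipe://localhost/" + Guid.NewGuid().ToString("N");
        var binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
        using (var host = new ServiceHost(typeof(CallbackService), new Uri(address)))
        {
            host.AddServiceEndpoint(typeof(ICallback), binding, string.Empty);
            host.Open();
            // In-process client running as the same user, so the call is accepted.
            var factory = new ChannelFactory<ICallback>(binding, new EndpointAddress(address));
            ICallback proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Echo("hello"));
            factory.Close();
        }
    }
}
```

This rejects calls from other local users but does not stop them from connecting to the pipe; the ACL approach in the linked article is the stronger control and the two can be combined.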