I am using a WCF call to update my database with any changes from ActiveDirectory.
I call this WCF function via client browser and the function tries to get details from AD within the service itself. However, the issue is AD needs UserName and Password to get any records.
Please advise how can I overcome this problem so that Windows logged in credentials are automatically accepted and AD is read.
I am using wsHttpBinding, Security: message and clientCredentials="Windows".
Thanks
Vikram
The call to Active Directory is going from the service.
The default settings for the service is impersonate=false and the identity of the application pool is NETWORK SERVICE.
Therefore, the call to AD is going in the security context of Network Service, which does not have the correct access, and cannot be given them, since it is a machine local account.
There are 3 ways to fix this.
1. Set Authenticate=true in the web.config to allow access to AD to be done in the security context of the calling user.
2. Change the identity of the application pool to that of a domain user that is allowed to access AD. Be sure to add this user to the local IIS_WPG group.
3. Store the username and password of a user that is allowed to access AD in the web.config file, and use these credentials to access AD.
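Added example (not code from the question or the answer above) of the first option in code: a WCF operation that impersonates the calling Windows user for the duration of the call and reads AD with that token, so no username or password is stored. The domain DN is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.ServiceModel;

// Added example: AD is queried as the browser user, not as the application
// pool account. The client must allow at least Impersonation-level tokens
// (the default for Windows client credentials); "DC=corp,DC=example" is a placeholder.
[ServiceContract]
public interface IDirectorySync
{
    [OperationContract] List<string> ReadUserLogons();
}

public class DirectorySyncService : IDirectorySync
{
    // Required: WCF switches the thread to the caller's identity before the
    // body runs, so the LDAP bind below carries the caller's credentials.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public List<string> ReadUserLogons()
    {
        var current = WindowsIdentity.GetCurrent();
        // Defensive check: if impersonation silently did not happen, the query
        // would run as NETWORK SERVICE and fail (or, worse, read as the wrong user).
        if (current.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new FaultException("Caller identity was not impersonated.");

        var result = new List<string>();
        // No username/password arguments: the bind uses the impersonated token.
        using (var root = new DirectoryEntry("LDAP://DC=corp,DC=example"))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user))";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("whenChanged"); // drives "what changed" sync
            searcher.PageSize = 500; // paged results for large directories

            foreach (SearchResult entry in searcher.FindAll())
            {
                string logon = (string)entry.Properties["sAMAccountName"][0];
                DateTime changed = (DateTime)entry.Properties["whenChanged"][0];
                result.Add(logon + " changed " + changed.ToString("u"));
            }
        }
        return result;
    }
}
```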
My web application uses SSO authentication through Azure AD. From within my application, the user can access a network folder by providing required credentials. I would like to use the same SSO authentication that was done at login instead of manually entering the credentials to access the network folder. Is there a way to achieve this?
You cannot use the same token because Azure AD will Authorize only for initial login.
If you want to use the SSO solution for your network folder access which is accessed inside your web application, you need to create a new instance for your network folder access.
Ultimately you need to create two instances in Azure AD for your application to get the token to access both application sign in and network folder access with single set of credential.
You can create a new application with different name.
Now you don't need to enter the credentials twice in your application (SSO happens).
I have an API that is hosted on IIS 7.5. The application pool is configured to use a domain service account. Then, I grant the account full permission on the default site.
The API and the database are on different servers.
I create a SQL Server login for the account and associate it with a user. The user is granted db_owner on the database. The SQL Server service is configured to run using that service account as well. However, the API can't connect to the database. The database log shows this error message: "Login failed for user host\servername$". If host\servername$ is given access to the server, it would work fine. However, IT said no way.
The majority of the solutions that I have found online so far either gave permission to host\servername$ to the database, or changed the app pool to use network or local service, or used a username and password where the username is not a domain account user.
I have to use a domain account, so I am struggling to find a solution.
There was an issue with the way the domain account was created. IT had to create another service account. Once I set up the app pool with the new service account, I had no issue.
I'm having trouble getting the user credentials to be delegated over to our Sql Server DB. I'm pretty sure I have my configuration for the WCF set up correctly because everything works on my local IIS where there is only one hop, the problem is getting the double hop to work in a real environment.
The first Error I was getting was a Sql Exception when trying to login with Network Service/anonymous Login. From reading blogs I think the service was falling back to NTLM which cannot perform the double hop.
First question, am I correct in thinking the only way to perform a double hop is with Kerberos?
I switched the config to not allow NTLM and got a 'The requirement for mutual authentication was not met by the remote server' error.
I read that I needed to set up a user for delegation. This is where I get lost. The user of the AppPool is NetworkService, what do I need to do to get delegation to work for this? Do I go into the Domain Controller and enable Delegation somehow? What do I need to add to the client config to tell the service about delegation?
I did try adding a new domain user to Active Directory, enabling delegation for the user, making it the user for my app pool, and adding an identity section in the config to specify this user, but got this error: 'The target principal name is incorrect'.
If possible I would like to keep Network Service as my app pool identity. Does anyone know what steps I need to take to get this to work?
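Added example, not from the original post, of the client-side and service-side settings that have to agree for the Kerberos double hop this question describes; the host name, URL, SPN and connection string are placeholders. With NETWORK SERVICE as the app pool identity, the Kerberos principal the client authenticates to is the web server's computer account, so the SPN and the "trust for delegation" setting belong on that computer object in AD, not on a user.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

// Added example: the client asks for Kerberos against a named SPN and allows
// its token to be delegated; the service verifies it actually received a
// delegable token before opening the second hop to SQL Server.
public static class DelegationClient
{
    public static ChannelFactory<IDataService> CreateFactory()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // Kerberos directly against the SPN instead of SPNEGO, which can fall
        // back to NTLM; NTLM tokens cannot be delegated to a third machine.
        binding.Security.Message.NegotiateServiceCredential = false;
        var address = new EndpointAddress(
            new Uri("http://appserver.corp.example/Data.svc"),                 // placeholder
            EndpointIdentity.CreateSpnIdentity("HOST/appserver.corp.example")); // placeholder
        var factory = new ChannelFactory<IDataService>(binding, address);
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation; // Impersonation alone stops at hop one
        return factory;
    }
}
[ServiceContract]
public interface IDataService { [OperationContract] string WhoConnects(); }

public class DataService : IDataService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoConnects()
    {
        var id = WindowsIdentity.GetCurrent();
        // Check before the second hop: anything below Delegation cannot leave
        // this machine, which is the anonymous-logon failure at SQL Server.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return "Token not delegable, level=" + id.ImpersonationLevel;
        using (var conn = new SqlConnection(
            "Server=sql.corp.example;Integrated Security=SSPI")) // placeholder
        {
            conn.Open();
            return "SQL Server sees " + id.Name;
        }
    }
}
```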
I am writing a WPF application, and one feature I want to implement is the ability to display a list of computers in the domain. I have found some useful Active Directory code here:
http://www.codeproject.com/Articles/90142/Everything-in-Active-Directory-via-Csharp-NET-3-5-.aspx
Typically code examples dealing with AD seem to require the user's credentials to make requests. But it occurs to me that if you are running the application from a computer that is part of the domain, the user has already provided user credentials sufficient to access AD on that domain controller, when logging on to the system.
Is there some way that the user can access AD via my application without the app having to ask the user to reenter the same credentials again? I mean is there some kind of token that I can forward that indicates the user is already authenticated? I am concerned about the risks of having to store and transmit credentials securely when I don't have to.
Thanks for any advice.
I later discovered that if you are logged on to the domain, that is sufficient for you to access the Active Directory store, without having to supply further credentials or impersonate an admin. And in some cases you can also access it without being logged in at all.
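Added example (not the CodeProject article's code) of what the answer describes: listing the domain's computer accounts with the interactive user's existing logon, so the application never touches a password. It assumes the process runs under a domain account on a domain-joined machine and refuses to run otherwise.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example: no credentials are passed to PrincipalContext, so the
// Negotiate package presents the logged-on user's Kerberos ticket. That ticket
// is the "token" the question asks about; the app never sees a password.
public static class DomainComputers
{
    public static IList<string> ListComputers(int maxResults = 1000)
    {
        var who = WindowsIdentity.GetCurrent();
        // A local account (MACHINE\user) has no domain ticket to present, so
        // fail early with a clear message instead of a confusing LDAP error.
        if (who.Name.StartsWith(Environment.MachineName + "\\",
                                StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Run under a domain account, not " + who.Name);

        var names = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain)) // current logon, no password
        using (var filter = new ComputerPrincipal(ctx))            // match every computer
        using (var searcher = new PrincipalSearcher(filter))
        {
            foreach (Principal p in searcher.FindAll())
            {
                using (p) names.Add(p.SamAccountName.TrimEnd('$')); // drop the trailing '$'
                if (names.Count >= maxResults) break;
            }
        }
        return names;
    }
}
```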
I want to let remote administrators (with local or domain credentials) control my Windows service via a WCF TCP binding. To do this, I need to authenticate the remote user as an administrator. I can check the principal user/roles, but I don't know how to prompt the remote user for the correct user details/token.
This is related to my previous question on Restricting WCF TCP endpoint to Administrators. Instead of adding [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")] to my restricted service method and catching a SecurityException, it seems I can check for it with:
if (!System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators"))
    return MethodResult.AccessDenied;
// haven't tested if it's the service thread or the remote user yet.
How do I prompt the remote user for Windows authentication if an Access Denied result was returned so I can reinitiate the connection as a different principal?
Of course, the change would need to be effected on the remote user's client application. Perhaps there is a cleaner WCF way to do it?
Edit: Searching for ".net impersonation" led me to this on CodeProject. Haven't had a chance to look, but this may be the way to go.
You need to pass in the user's credentials with your WCF call. Normally the client application just "captures" the currently running user's credentials. Alternatively you can specify a username and password explicitly. So you could prompt the user for an alternative set of credentials if you wish.
Either way, the client app needs to prompt the user. Your WCF call should return an error (code or exception) upon authorization failure and your client should capture that return and display a prompt to the user and retry with the new credentials. WCF by itself cannot handle prompting the user.
Here is an article on various means of passing credentials:
http://blogs.msdn.com/b/sonuarora/archive/2007/04/21/setting-client-credentials.aspx
Assuming this is hosted in IIS you need to turn off anonymous authentication in the IIS Manager. This should force the user to login to the machine using a Windows account. You may also need to enable ASP.NET Impersonation.
Here is how you can prompt the user using the standard windows dialog using pInvoke How to show authentication dialog in C# .Net 3.5 SP1
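Added example (not code from the question or the answers) of the authorize, fail, re-prompt and retry loop the first answer describes, over a net.tcp binding with Windows credentials. The endpoint address is a placeholder and promptForCredentials stands in for whatever dialog the client uses.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Added example: the service authorizes on the remote caller's identity and
// faults on failure; the client catches that fault, asks for other
// credentials and retries once. WCF itself never prompts.
[ServiceContract]
public interface IAdminService { [OperationContract] bool Restart(); }
public class AdminService : IAdminService
{
    public bool Restart()
    {
        // Use the caller's identity from the TCP binding, not the service
        // thread's own principal (the doubt raised in the question's comment).
        var caller = new WindowsPrincipal(ServiceSecurityContext.Current.WindowsIdentity);
        // WindowsBuiltInRole resolves the well-known SID, so the check also
        // holds where the local group is not literally named "Administrators".
        if (!caller.IsInRole(WindowsBuiltInRole.Administrator))
            throw new FaultException("Access denied", new FaultCode("AccessDenied"));
        return true;
    }
}
public static class AdminClient
{
    public static bool RestartWithRetry(Func<NetworkCredential> promptForCredentials)
    {
        NetworkCredential creds = null; // null = logged-on user on the first attempt
        for (int attempt = 0; attempt < 2; attempt++)
        {
            using (var factory = new ChannelFactory<IAdminService>(
                new NetTcpBinding(SecurityMode.Transport),
                new EndpointAddress("net.tcp://host.corp.example:8080/admin"))) // placeholder
            {
                if (creds != null)
                    factory.Credentials.Windows.ClientCredential = creds; // explicit user
                try
                {
                    return factory.CreateChannel().Restart();
                }
                catch (FaultException ex) when (ex.Code.Name == "AccessDenied")
                {
                    creds = promptForCredentials(); // the client, not WCF, prompts
                    if (creds == null) return false; // user cancelled the dialog
                }
            }
        }
        return false;
    }
}
```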