What user account does my .Net WCF service run under when I am hosting it in IIS 7?
Is it the IUSR_machine account?
What is the easiest way for me to run under a different account? (Just for this service, I don't want other things hosted in my IIS to be affected).
To change just the single application, you'll need to create a new application pool and change the identity for that pool. That way, every other application will continue to run as-is, as the applications that use your new app pool will use that new identity.
To set the account used by anonymous users for a particular site, open the properties for that web site. Then, go to the Directory Security tab. Click the "edit" button in the authentication and access control box. In the window that appears you can specify the user account which will be used for anonymous access to the site. This will control the account used to access files, but may not apply to ISAPI applications (in which case a new application pool will be needed with its own permissions as already mentioned).
Related
I need to know what user of my Active Directory has started session in his machine because depending on which user is he can see a number of things or others.
The web app is hosted in an IIS server part of the domain
Any idea, please?
Regards
You can't get this information from the client side only.
you should activate "windows authentication" on your site in the IIS, then you will have the user data available in your server.
you will have to expose a method on one of your controllers that will return the user information that you need.
I've managed to setup two virtual machines in my local windows 7 laptop. Both of them are Windows server 2008 R2. One acts as Active Directory Domain controller and also as Active Directory Federation Services, and one other as the web app server. This second one is where I've set up my claims aware asp.net mvc web application and I also plan to setup ThinkTecture Identity Server later as my way to authenticate against custom username and password outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include :
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as active directory federation services.
configure relying party trust identifier from federation metadata generated from FedUtil.exe in second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one that's always troubled me is that every time I access my apps, it successfully prompts login dialog box. Once I enter My AD account and password, it always gives me the following error message : "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work?? Any suggestion and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see an list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?
I have a Sharepoint 2010 application with mysites, therefore I use User profile sync service.
I changed the authentication method from windows to claims based ( choosing forms), and made necessary updates on web.config and run the commands on powershall, so I am using LDAP.
My application works with forms based authentication now, no issues, but I can not authanticate to mysites as my user name format has changed from domain/username to
One option is to somehow map new ldap formatted user and windows ad users (do not know how??), or I need to create a new connection on the user profile sync service to connect to ad with forms authantication and import users with new format too (failed to do so, any idea what needs to be configured on domain controllers to do that? ). Although, this will cause that users would get 2 different mysites if they login with windows or forms based auth.
Any idea is appreciated.
Thanks.
You need to use Move-SPUser command to make that work. For more info check the MSDN Documentation.
My web appkication has the following set up..
WCF application hosted on IIS7
Basic HTTP binding - SecurityMode = TransportCredentialOnly and ClientCredentialType = Windows.
.Net 4.0
The app runs in a .Net 4.0 Application Pool using "ApplicationPoolIdentity".
IIS connects to the file system using "Application Pass Through" authentication.
The client and service both run under IIS - that is the client is a webste and the service is an IIS hosted WCF service.
What I would like to understand is that what user accounts are used at the various points in authenticating too and using the service.
I understand that ApplicationPoolIdentity is a built in Windows account that is generated for each created application pool - is this the account under which w3wp.exe will run for the website?
No credentials are specified between clent and server - and this is the most interesting point. When my client connects to my WCF application what identity is used to authenticate to the service. I presume the application pool identity of the app pool hosting client website?
If so then what would happen if the two sites use two differnet app pools?
Or does the service just require a valid account on the machine (or domain) and that is good enough to authenticate?
If I changed the application pool to use a specific user account does this change anything? Again I presume as long as the client passes a valid machine account is that ok?
Also,,,
What identity is used for the file system?
What permissions does "ApplicationPoolIdentity" have on the machine and for the file system.
Finally in the case of SQL Server Integrated security what identity is passed through to SQL server if my service talks to an SQL Server database.
Thanks in advance.
I understand that ApplicationPoolIdentity is a built in Windows
account that is generated for each created application pool - is this
the account under which w3wp.exe will run for the website?
Yes it is. That is called a virtual account which allows IIS to create unique accounts for each defined application pool, also a security identifier is created representing the application pool name. Keep in mind that this is not real user account. For more information about it you can check the following link: http://technet.microsoft.com/en-us/library/dd548356.aspx
No credentials are specified between clent and server - and this is
the most interesting point. When my client connects to my WCF
application what identity is used to authenticate to the service. I
presume the application pool identity of the app pool hosting client
website?
Yes, same rule applies as for using Local Service account or Network Service account.
If so then what would happen if the two sites use two differnet app
pools?
Nothing, unless you elevate the rights of those application pools identities.
Or does the service just require a valid account on the machine (or
domain) and that is good enough to authenticate?
Then you are not going to use the default virtual accounts created for your application pools. Instead you will associate those application pools with existing windows accounts. Keep in mind what sort of permissions those windows/domain accounts have.
If I changed the application pool to use a specific user account does
this change anything? Again I presume as long as the client passes a
valid machine account is that ok?
It would work just fine as long as those accounts will have permissions according to your needs.
What identity is used for the file system?
Define with more details what you mean by file system; are you referring strictly at your application directory?
What permissions does "ApplicationPoolIdentity" have on the machine
and for the file system.
ApplicationPoolIdentity is a member of Users and IIS_IUSRS groups so will "inherit" the permissions of the previously mentioned groups.
Finally in the case of SQL Server Integrated security what identity is
passed through to SQL server if my service talks to an SQL Server
database.
ApplicationPoolIdentity or the account you have configured to be used by your application pool.
In my code I'm running under elevated privileges, to access other Web applications. But I get a security error when the web application user can't access the database (when ever I try to access a SPWeb object).
Is there a way to make sure (in code) that a user has access to the Content database of a web application before trying to access sites in a site collection on that web application?
No, you can't make sure of this in code. If you're having your web app pools running as different accounts then you need to impersonate the other web app pool accounts.