Spoof IIS Express App Pool Identity for Integrated Security - asp.net

In order to keep application secrets out of source code I want to use Integrated Security to connect my ASP.NET MVC application to SQL Server. However, IIS Express uses my development machine's account as the Identity for Integrated Security, which has different permissions from the AppPoolIdentity on production. I want to connect to SQL server using the same permissions in development as in production, which seems like something that should be easy to do, but I have had no luck.
Apparently it is impossible to set the Identity used by IIS Express except using "runas" which I could not get to work: how to run iisexpress app pool under a different identity
Things I've tried:
IIS Express
Create a User in "Edit local users and groups" and add it to the "IIS_IUSRS" group.
Create AppPool in IIS Express manager (Jexus manager)
Setting AppPool > ProcessModel > Identity to newly created User, which fails.
(However setting AppPool Identity works in IIS Manager (not express))
Create site and configure path and ApplicationPool
Application successfully launches through Jexus manager; however, it still uses my Windows account, as it does when launching from Visual Studio
IIS
Create app pool and log in as newly created user (succeeds unlike Jexus manager)
Create and configure site to use https and IIS Express development cert
Get 500 error when trying to launch the same way as with Jexus manager
I would rather launch the app from Visual Studio anyway
Impersonation
Requires credentials in web.config defeating the purpose of Integrated Security
It's important we manage secrets internally so Azure Key vault or other similar 3rd-party solutions are off the table.
It's beginning to seem impossible to configure IIS Express AppPools to use an Identity other than the currently logged in user: Link1 and Link2. The second link describes a method using "runas" from cmd as Admin but using System.Security.Principal.WindowsIdentity.GetCurrent().Name to check the ApplicationPool identity still shows my logged in Identity, not the one I used in the "runas" command.
What are my options? I would like to use Integrated Security for both dev and prod, with the same permissions on each. Is this possible? Is there an equivalent workaround?

Related

Visual Studio 2015 Debug under a different domain account

I need to run unit tests and test database connections using integrated security with SQL Server for a domain service account that will be the appPoolIdentity when we push to dev and production. I have been trying to find an answer to this for some time and can't seem to get a handle on it. It seems like it should be possible to impersonate this account given userid and password. Any help would be appreciated.
It's relatively simple. Rather than using the integrated IIS Express, you install the full IIS on your local computer, then you assign the app pool the identity of the service account you are going to use.
You do need to run Visual Studio as Administrator in this scenario to debug a different user.
Make sure that you set up the project to use IIS rather than IIS Express, and you should be good to go.
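The procedure in this answer scripted for local full IIS, as an added example that is not part of the original post: the application pool is bound to the production service account so Integrated Security to SQL Server runs with the same permissions in dev. The pool, site, path, port and account names are placeholders; the password is prompted for at the console so no secret lands in the script or in web.config.

```powershell
# Added example (not from the original post): create a local IIS app pool that runs as the
# production service account, bind a site to it, and verify the configured identity.
# Run from an elevated PowerShell prompt on a machine with IIS and its management tools.
Import-Module WebAdministration

$PoolName       = 'MyApp-DevPool'                # placeholder
$SiteName       = 'MyApp-Dev'                    # placeholder
$PhysicalPath   = 'C:\src\MyApp\MyApp.Web'       # placeholder: folder containing web.config
$Port           = 8080                           # placeholder
$ServiceAccount = 'LOCALDOMAIN\svc_myapp'        # placeholder: the production app pool identity

# Prompt for the credential interactively so no password is stored in source or config.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account used by the production app pool'

if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    New-WebAppPool -Name $PoolName | Out-Null
}

# identityType 3 = SpecificUser
# (0 LocalSystem, 1 LocalService, 2 NetworkService, 4 ApplicationPoolIdentity)
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
# Load the account's profile so behaviour matches the production worker process.
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.loadUserProfile -Value $true

if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $PhysicalPath `
        -ApplicationPool $PoolName -Port $Port | Out-Null
}

# Verify: the pool must report SpecificUser with the service account, not the developer's login.
$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
"{0} runs as identityType={1} userName={2}" -f $PoolName, $pm.identityType, $pm.userName
```

Afterwards point the project's Web tab at the local IIS site and start Visual Studio as Administrator, as the answer describes.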

Accessing Local Service

Hope you can help.
We have a web application (.NET 2.0) that has some custom code that is used to poke a Windows service when a file is uploaded. We issue a command using the following code:
Imports System.ServiceProcess ' requires a reference to System.ServiceProcess.dll

Dim serviceName As String = "Processor Service 1.0"
Dim sc As New ServiceController(serviceName)
' Custom control code; ServiceController.ExecuteCommand accepts values 128 to 256
sc.ExecuteCommand(200)
Running this code in a standalone app works fine, but when run through the website it throws an access denied error. Code works fine in IIS 6.
We are using an application pool with a user that is in the Admin group. I figure it's something to do with IIS but not sure what.
Hoping you guys can help.
Thanks
The permissions that are needed to interact with local services are pretty high. Your ASP.NET app is likely running as anonymous (local account IUSR), or the "application pool identity". You would have to set up your app in IIS (app pool) to use a different account with greater permissions.
In IIS Admin, under the section "IIS", "Authentication", you need to enable a stronger authentication method. If "Anonymous Authentication" is the only one enabled, then check the settings "Edit" to see if it is running as IUSR or "Application pool identity". This is where you determine, or set, the account (and permission set) that your ASP.NET app is using.
I feel that I should strongly warn against elevating the permissions for IIS and anonymous users. This would create a very dangerous back-door into your system. The suggestion from bgs264 is a very good one: make a separate service (or scheduled process) that watches for file uploads, or modify the existing service to use the file-watcher to monitor for uploaded files. It could run under a higher permission set and would be much more isolated from your IIS. Granting admin permissions to IIS or its app pools, is just like begging for trouble.

ASP.NET web service using IUSR, not Application Pool Identity

This question seems to be similar to this one: IIS site not using identity specified in app pool IIS 7 +
However, there are no answers there.
There's a tl;dr at the bottom.
A thing to keep in mind is that I'm not the one who set up the server so they may have changed some settings I don't know about.
We have an ASP.NET web service running on IIS 7. The web service is set to use DefaultAppPool, and the app pool's Identity is set to a domain user (let's say it's "localdomain\user1").
The web service was unable to save to a certain network folder, so we gave localdomain\user1 read/write permissions to that folder. It still can't save there, however.
I can't remote debug, and it works fine on my own computer (probably because it's running in Visual Studio's IIS express and my user does have access), so I tried to change the web service so that the error message contains the user name it's running under.
If I use Environment.UserName to get it, the result is "IUSR". If I use System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns "NT AUTHORITY\IUSR".
Unless the above methods are not reliable, the web service seems to be running under the default user (IUSR) and not the one set in its application pool. I can't figure out why, can anyone explain?
EDIT: The Task Manager on the server, if I log in using RDP, shows that the w3wp.exe process IS being run by user1. I'm not sure which one to believe.
Thank you.
tl;dr: The web service's application pool is set to a domain user, but it seems to be running under IUSR anyway. How do I prevent that?
Impersonation was the issue. I didn't know this was a setting in the web service's web.config.
Changing <identity impersonate="true"/> to <identity impersonate="false"/> allows it to run as localdomain\user1.

In ASP.NET, under which credentials does the code run?

1) I want to know: suppose we are using an ASP.NET web application in debug mode in VS; then, under which user account does the code run?
2) I also want to know: suppose we publish this to IIS and then set it up to use WBA/FBA; then, the username/password of the logged in user is used to authenticate the user to the ASP.NET site, however, the code (SQL query, etc.) runs under the credentials of the apppool account. Further, which credential is used to access resources on the server, like files? What is your view on this point?
1) I want to know: suppose we are using an ASP.NET web application in debug mode in VS; then, under which user account does the code run?
This depends on the hosting. VS provides 4 ways to host & debug a web application: VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Dev servers generally run under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know: suppose we publish this to IIS and then set it up to use WBA/FBA; then, the username/password of the logged in user is used to authenticate the user to the ASP.NET site, however, the code runs under the credentials of the apppool account. What is your view on this point?
Not very clear, but I think your understanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default the apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider: Windows Authentication or Forms Authentication are 2 common providers. User identity is kept in the http context, which allows you to use authorization rules later. So every code block always runs under the same account (unless you enable delegation, but that's another story).
I highly suggest you read this complete introduction on ASP.NET security.

How many Types of Users in ASP.NET/IIS (or Cassini or IIS Express) and their actual Role?

I am asking about the account of the user which runs the ASP.NET/IIS (or Cassini or IIS Express) application. I am asking about the defaults. There is very much confusion out there. Googling shows me a lot of types of users, for example,
my-computer-name\myname user,
IIS APPPOOL\ASP.NET v4 user,
IIS_WPG,
IIS_IUSRS user,
Network service user,
AspNet user,
IUSR_MachineName user,
IIS_IUSRS user,
IUSR user,
IIS_WPG user,
IWAM_computername user,
IIS APPPOOL\DefaultAppPool user.
These are quite confusing.
Cassini runs under the account that started VS. So the default would be the currently logged-in Windows user; runas will run it under a specific user account.
An application on IIS runs using an application pool. Here is a snippet from the default site:
Every Application pool can be configured using Advanced settings:
I should also point out possible impersonation, where the context runs under an impersonated user. This user can be provided by IIS or using code. Here is a sample of how to configure IIS impersonation (Authentication tab for the specific app):
Hope this helps!
Well, for one this is different based on the version of Windows that you are running. And second, you are asking about 3 different servers. So that is probably what is making it confusing.
Development servers
First, the easiest one: Cassini. This server runs under the same account and with the same privileges as the Visual Studio instance that it's started from. Usually, this is just your own Windows account.
IIS Express uses the exact same code-base as IIS, but it will run under your own Windows account as well, the same account that started Visual Studio (or Web Matrix for that matter).
IIS 6.0
Now for IIS proper. Here you may find many accounts. First of all, the 'old' IIS 6.0 that you will still find on Windows Server 2003 machines would use the following accounts:
Network Service (default and recommended worker process identity for application pools in IIS 6.0 and above)
Local Service (pretty limited access)
Local System (used for the worker process when running in 'IIS 5.0 isolation mode', member of Administrators and has full access)
IIS_WPG (short for Worker Process Group, not an account, but a group, worker process identities should be member of this group, to get minimal required permissions)
IUSR_ComputerName (not used for a worker process, but rather to map anonymous visitors to a Windows account)
IWAM_{ComputerName} (for IIS 5.0 isolation mode, you'd typically use application pools for isolation nowadays)
ASPNET (also for IIS 5.0 isolation mode, it looks like the ASP.NET account, but in most cases it isn't)
(This list is based on the TechNet article IIS and Built-in Accounts (IIS 6.0).)
IIS 7 and above
For IIS 7, some of those listed above are no longer relevant, and some are replaced. Since these accounts are built in to Windows, they have the same SID everywhere, which may come in handy now and then.
If you upgraded a server from Windows 2003 to Windows 2008, or if you install IIS 6.0 compatibility features or older IIS components, you may have the old and the new accounts on one machine.
IUSR (replaces IUSR_{ComputerName}, so used to map anonymous users by default)
IIS_IUSRS (replaces the IIS_WPG group, and so is not an account but rather a group)
(This is based on the article Understanding Built-In User and Group Accounts in IIS 7.)
AppPool identities (since IIS 7.0)
This list is now almost complete, but we still need to understand a special type of account: the 'dynamic' AppPool identities. These are not actual accounts on the machine like the others, e.g. you can't find them listed as users in Windows. But they are virtual accounts created on the fly for the application pools, if you choose the ApplicationPoolIdentity option.
If you need to give such an account access privileges to a file or folder, you can still search for the account by typing: IIS AppPool\{DefaultAppPool} (replace {DefaultAppPool} with the name of the application pool that you created).
(You can read more about this in Application Pool Identities on iis.net.)
When you install .NET 4.0, then IIS adds a new application pool to be able to run new .NET 4.0 web applications alongside the existing .NET 2.0 web applications. The installer gives this application pool the name ASP.NET v4.0, and uses the option ApplicationPoolIdentity. Hence a dynamic account is created for this new application pool, whether you use it or not.
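Granting a dynamic AppPool identity access to a folder, as an added example that is not part of the original answer: the virtual account is addressed as `IIS AppPool\<pool name>` exactly as described above, the function refuses to act on a pool that runs as a real account, and it reads the ACL back so the new entry can be confirmed. The pool name, path and rights are placeholders.

```powershell
# Added example (not from the original answer): grant an IIS virtual application pool
# account least-privilege access to a folder and read the resulting ACL entry back.
# The account 'IIS AppPool\<pool>' is not listed among Windows users, but NTFS resolves it.
Import-Module WebAdministration

function Grant-AppPoolFolderAccess {
    param(
        [Parameter(Mandatory)] [string] $PoolName,
        [Parameter(Mandatory)] [string] $Path,
        # Least privilege: only what the application needs, not Modify or FullControl
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute, Write'
    )

    # Only pools using ApplicationPoolIdentity have a virtual account of this form;
    # a pool bound to a real user or service account must be granted rights by that name.
    $pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
    if ($pm.identityType -ne 'ApplicationPoolIdentity') {
        throw "Pool '$PoolName' runs as $($pm.identityType); grant rights to that account instead."
    }

    $identity = "IIS AppPool\$PoolName"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $Rights,
        'ContainerInherit, ObjectInherit',   # apply to the folder's subfolders and files
        'None', 'Allow')

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the entries that now apply to this pool's virtual account
    # (Windows reports the name as 'IIS APPPOOL\<pool>'; -eq on strings ignores case).
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $identity }
}

# Placeholder usage: an uploads folder for a site hosted in DefaultAppPool
Grant-AppPoolFolderAccess -PoolName 'DefaultAppPool' -Path 'C:\inetpub\wwwroot\MyApp\App_Data\uploads' |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```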