I am trying to run a django website which connects to a SQL Server, using IIS with Windows authentication.
IIS server and SQL server are on different machines under the same domain i.e., iis_machine.example.com and sql_machine.example.com
What I'm trying to achieve:
Impersonate the remote user accessing the django website hosted on
IIS, so his Windows credentials are passed to SQL Server for
authentication.
What I tried so far:
Added this to my web.config file for impersonation
<system.web>
<identity impersonate="true" />
</system.web>
Enabled Windows authentication and set up Application Pool (django_web) for django website as shown below
This is what my Authentication for django website looks like in IIS
This is what my Application Pool for django website looks like in IIS
Added IIS APPPOOL\django_web to SQL Server Security\Logins
Result:
When I access the django website, IIS prompts the user for his
Windows credentials and I can successfully login
If user tries to access SQL Server after logging in
Case a. IIS, SQL Server are on the different machines: SQL server authentication fails with
"Login failed for user 'domain\MACHINENAME$'
Case b. IIS, SQL Server are on the same machine, SQL server authentication is successful but authentication credentials used are IIS APPPOOL\django_web not domain\remote_user
I understand that there is some Kerberos trickery involved with this setup. Unfortunately, I'm only a programmer and not very familiar with how Kerberos works. If someone experienced in this domain, could shed some light on how this setup would work, that'd be really appreciated. Thanks!
I am using:
IIS 10 SQL
Server 2014
django 2.0.7
Python 3.6.5
Windows 8/10
Related
I'm trying to host my website in Windows Server 2012, I've configured everything and placed my site folder in wwwroot, when I launch from the IIS as a localhost I get this error at start,
Cannot open database "rental_db" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\mysitename.com'.
I've used Windows Authentication to login in sql server and I can access it properly. I'm not sure what is actually causing the problem. Here is the connection string code of web.config,
<add name="rental_dbEntities" connectionString="metadata=res://*/Models.rentalModel.csdl|res://*/Models.rentalModel.ssdl|res://*/Models.rentalModel.msl;provider=System.Data.SqlClient;provider connection string="data source=MYSERVER2012\SQLINSTANCENAME;initial catalog=rental_db;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
Note: I've shifted my published project folder from my desktop to server. Why is this happening?
You need create on your IIS App_Pool with the same name, and create in your SQL Server the user with all privileges.
I'm using iis 7, currently deployed on a test machine running windows 7 professional.
The computer is logged into the domain of my company. In the past (at another company) I was able to use integrated authentication in ii6 and it wouldn't prompt the user if they were using IE. It would just absorb their domain credentials.
However, that was initially setup by somebody else before I started. I'm doing this project from scrap, and I'm a software engineer without much IIS experience.
This is the relevant snippit from my web.config file
<authentication mode="Windows" />
<identity impersonate="false" />
I'm also running the app pool in v4.0 integrated.
Any help would be appreciated. Thanks!
On IIS disable anonymous authentication and activate Windows auth:
- select your web application (or root if you app is place as root app)
- select Authentication
- disable Anonymous Authentication
- enable Windows Authentication
Remember: for "automatic" login both your server and client must be in the same AD domanin or trusted domains.
I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use imporsonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.
I've had Windows Authentication working in the Cassini (Visual Studio) web server for some time now but when I changed to run my site in IIS 7 the site no longer works properly.
I have Anonymous Authentication disabled, Windows Authentication enabled, and ASP.NET Impersonation enabled. My web.config file includes:
<authentication mode="Windows" />
<identity impersonate="true" />
The problem is that whenever I try to access the site I am prompted to provide a username and password.
My expectation is that my browser will send my credentials to IIS (via some kind of auth token) and IIS will impersonate my user on all page requests.
Why am I being prompted to login? What must I do to avoid this prompt and have ASP.NET use my impersonated username?
UPDATE:
I added my site to the "Intranet zone" in IE and using IE I no longer get prompted for username and password. There was a setting in IE to Autologin for intranet sites.
However, I don't understand why this was not a problem using the Cassini web server in VS? Any ideas?
Have you tried this against IIS Express?
This is just a stab, but Visual Studio runs both Cassini and IE from the same user account, so perhaps your identity impersonate was passing through from Visual Studio. IIS 7 user account is established by the app pool, which could be a different user than was running VS / Cassini. I believe IIS Express runs as your user account, so identity impersonate might work against it without prompting or changing intranet zone settings.
If that works, you can configure the IIS 7 app pool to run as your user account, and the prompts might go away.
Again, this is just a stab.
I have an ASP MVC application installed on IIS 7.5.
I have specified the app pool identity to be a domain service account.
The application has anonymous authentication disabled and windows authentication enabled.
The domain service account has full access to a set of files on the server that I want to access from ASP.
When I try and access the files from the ASP application I get an error, "access to the path ... is denied.".
I can only get this to go away by giving the windows user account access to the files. What I want to do is just give the service account access to the files.
Impersonation is disabled in the web.config via <identity impersonate="false" />
How can this be achieved?
Have you tried disabling ASP.NET Impersonation?
If you are trying to access files locally on the server, try to use the LocalSystem account for your app-pool identity.