I'm trying to understand IIS Windows and anonymous authentication. Is there any difference between the options below?
Anonymous
Anonymous + windows
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a username or password. By default, the IUSR account, which was introduced in IIS 7.0 and replaces the IIS 6.0 IUSR_computername account, is used to allow anonymous access.
Windows authentication identifies and authorizes users on the server's user list. Access to resources on the server is then granted or denied based on the user account's privileges. Windows authentication is best suited for intranet web applications. The advantage of Windows authentication is that the web application can use the exact same security that applies to your corporate network: usernames, passwords, and permissions are the same for network resources and web applications.
If both anonymous and Windows authentication are enabled in IIS, and we don't have a deny entry for anonymous in the web.config, then the resources on the web server are accessed using anonymous authentication.
As long as anonymous authentication is enabled, IIS uses it, no matter what else you configure.
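The point made above, that anonymous wins whenever it is enabled unless anonymous users are explicitly denied, as an added web.config example (not from the question or the answers). It assumes IIS 7 or later with the Windows Authentication feature installed and the IIS authentication sections unlocked at server level, since they are locked by default and a site-level web.config that sets them is otherwise rejected.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not part of the original Q&A.
     Assumption: system.webServer/security/authentication/* is unlocked
     in applicationHost.config (it is locked by default). -->
<configuration>
  <system.web>
    <!-- Build the ASP.NET principal from the Windows token IIS hands over. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user. Without this deny rule every request is
           served as IUSR even though Windows Authentication is also enabled.
           Denying it produces a 401 that makes the client negotiate
           Kerberos/NTLM instead of falling through to anonymous. -->
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- A public area that stays anonymous: the more specific location wins,
       so only /public is served without a challenge. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <security>
      <authentication>
        <!-- Both enabled: this is the "Anonymous + windows" option from the
             question. On its own it behaves exactly like "Anonymous". -->
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <!-- Prefer Negotiate (Kerberos) and fall back to NTLM. -->
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Expected behaviour: requests under /public get a 200 as IUSR; everything else gets a 401 challenge and, once the client authenticates, runs with the caller's domain identity.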
We are using Identity Server 3 in our tool, which has the following structure: one (AngularJs) SPA with 10 Web APIs. We use the WindowsAuthWebHost mini project to do the Windows handshake to get the Windows (domain) identity of the user, based on which we build a complex (with custom claims) token that is used by the client Web APIs. All the 10 Web APIs have anonymous authentication set in IIS. And it works smoothly.
Now, we are trying to expose this tool outside the company network, and a prerequisite is to have Windows authentication on all the Web APIs in IIS. If we set this type of authentication, all the calls are now unauthorized.
Do you know if there is a way to keep the same flow, but also validate the Windows authentication?
Windows authentication will not work outside of the network. The user needs to have a valid user account in your domain (username/password), or even a local account on your IIS server.
Note that NTLM doesn't work through some proxy servers, so this is one reason that Windows AuthN isn't used so much on the public internet.
To achieve your requirement you could use Forms authentication with Active Directory. You may need to enable both Forms and anonymous authentication, then create a deny authorization rule for anonymous users and an allow rule for all users.
How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
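The Forms-plus-Active-Directory setup the answer refers to, as an added web.config example (not from the answer or the linked article). It assumes the ActiveDirectoryMembershipProvider that ships with ASP.NET 2.0+, a placeholder LDAP path, and an application pool running as a domain account so the provider can bind to the directory without a stored connection password.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not part of the original Q&A. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder directory path; point it at your domain or a specific OU. -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc-placeholder.example.local/DC=example,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth issues its own ticket cookie after the provider validates
         the user against AD; keep it HTTPS-only and protected. -->
    <authentication mode="Forms">
      <forms name=".ADAuthCookie" loginUrl="Login.aspx" timeout="30"
             requireSSL="true" protection="All" slidingExpiration="false" />
    </authentication>

    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <clear />
        <!-- No connectionUsername/connectionPassword: the bind uses the
             process identity, which is why the app pool needs a domain account.
             Membership.ValidateUser(name, pwd) in Login.aspx checks the
             credentials with this provider. -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

    <!-- The deny/allow pair from the answer: anonymous callers are redirected
         to loginUrl, authenticated ones pass. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- The login page itself must stay reachable anonymously. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <security>
      <authentication>
        <!-- Anonymous on, Windows off: IIS lets every request through and
             ASP.NET Forms auth decides who is logged in. -->
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```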
SQL Server Windows authentication uses the application's process identity or thread identity to connect. So for an ASP.NET application, which identity will be used to connect?
Current User Identity
Application Pool Identity
Process Identity
or another identity?!
It really depends on your IIS website configuration.
By default it will use the application pool's identity if you disable anonymous access. But if you configure your application with Impersonation=true, then it will use your user's identity, as described:
The configuration illustrated in the example enables the entire application to run using the contoso\Jane identity, regardless of the identity of the request. This type of impersonation can be delegated to another computer. That is, if you specify the user name and password for the impersonated user, you can connect to another computer on the network and request resources, such as files or access to SQL Server, using integrated security. If you enable impersonation and do not specify a domain account as the identity, you will not be able to connect to another computer on the network unless your IIS application is configured to use Basic authentication.
See all details in this MSDN article.
I've seen other answers saying how to secure virtual folders for Windows Authentication only. I would like to allow both anonymous AND Windows Authentication in IIS, but prioritise Windows Authentication over Anonymous Authentication. The reason for this is that the web app I am building needs to support anonymous access as well as privileged.
Is this possible? I.e. if Windows Authentication cannot authenticate against the domain, it will fall back to a generic identity, as opposed to the way it works out of the box by favouring anonymous access.
Developing on W7 with IIS.
You could do the steps in this article: http://msdn.microsoft.com/en-us/library/ms972958.aspx
And then just don't redirect to a login page. Basically you trap the authentication error and keep going.
On our production servers, the admins created a WebUser Active Directory account which is used for anonymous access to IIS and is also used to authenticate database access with our SQL Server instances, using Integrated Security=SSPI in the connection string and identity impersonate="true" in the web.config.
I've often come across situations where I would like to, or even need to, use forms authentication. However, when using forms authentication, Integrated Security seems to use the logged-in user's credentials to authenticate against the database. In these cases I have changed the connection string to use the credentials of a SQL Server user instead. I would prefer not to have a hard-coded username and password in the connection string, or, rather worse, in code.
Is it possible to use forms authentication just for user authentication for users and windows authentication with the IIS user for database access? What would be the best practice in such a situation?
Yes, turn off impersonation (i.e. impersonate=false) and the forms auth will be used for the web authentication and authorization, but remote calls will use the ASP.NET process identity.
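The three identity settings discussed in the two threads above (application pool identity by default, impersonation of the caller, and fixed-identity impersonation as in the MSDN quote), side by side in one added web.config example that is not from the answers. Placeholders stand in for the server name, account and password; the comments state which Windows identity actually opens the Integrated Security connection in each case.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not part of the original Q&A. -->
<configuration>
  <connectionStrings>
    <!-- No SQL login here: SQL Server sees whatever Windows token is on the
         thread at the moment the connection is opened. -->
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql-placeholder;Database=AppDb;Integrated Security=SSPI" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Variant A (the answer above): no impersonation.
         Forms auth still decides who is logged in to the web app, but the SQL
         connection runs as the worker-process identity, i.e. the application
         pool account. For a remote SQL Server that account must be a domain
         account or the machine account (DOMAIN\HOST$) granted a login. -->
    <identity impersonate="false" />

    <!-- Variant B: impersonate the caller.
         A Forms-authenticated user has no Windows token, so the thread takes
         the token IIS passes in, which is the anonymous user: IUSR by default,
         or a custom anonymous account such as the WebUser one in the question.
         Only a Windows-authenticated caller would be impersonated as themselves,
         and then a second hop to SQL on another host needs Kerberos delegation. -->
    <!-- <identity impersonate="true" /> -->

    <!-- Variant C: fixed-identity impersonation (contoso\Jane in the MSDN quote).
         Every request runs as this account regardless of who called. Because the
         password lands in web.config, encrypt the section instead of leaving it
         in clear text, e.g.:
           aspnet_regiis -pe "system.web/identity" -app "/MyApp" -->
    <!-- <identity impersonate="true"
                   userName="CONTOSO\WebUser"
                   password="PASSWORD-PLACEHOLDER" /> -->
  </system.web>
</configuration>
```

A quick way to confirm which variant is in effect is to query `SELECT SUSER_SNAME()` over the same connection and compare it with the application pool identity.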
Please explain impersonation for non-technical users. Then please explain it in the context of ASP.NET. Is impersonation good or evil? Do we use it in the case of Forms-based Authentication?
You should check out Keith Brown's description of impersonation. It is really a Windows concept.
When you have an application using forms authentication (FA) the IIS process is running under the credentials of a specific user setup in IIS.
Example: if you have a user called Bob logged on using FA and IIS set up to run as Network Service, and Bob accesses a page which makes a web service call to another computer, the other computer will see the IIS user and not Bob. You can use impersonation to allow Bob to access the web service as a real Windows user and not as Network Service.
Impersonation is not evil but it can be misused. You really need to understand the impact on your overall security model. It is also something that creates a lot of work for a developer to debug. This is especially the case if you do not have admin rights to the resource (eg. web service) you are trying to access.
Web applications run through a web server. That web server runs as a user with different permissions than yourself. Impersonation allows the application to run as you (or any other user with different privileges on the computer), as if you were logged in to the computer running it yourself.
It actually makes things quite good. It allows you another way to grant/restrict access to protected files on the computer.
And yes, you can apply it using Forms Authentication (but you don't have to).
ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_MACHINENAME identity).