I'm finishing off an ASP application, and in testing, my sa-enabled account was fine for everything.
However, this is not best practice. I did not want to individually assign permissions to windows groups and users for every database object a given group of users touches through the app. I know application roles are a thing for SQL Server, and that executing sp_setapprole to sign into the app role for permissions is the way I want to manage this, but I'm new to ASP and can't seem to find a way to get the pages to execute this procedure for every time it makes a connection. I feel like I'm missing an event somewhere. I have several pages which will need to behave this way, and one master page. If the code can be centralized, advise on how to do that would also be appreciated.
Related
We have a number of webpages that employees can access. I have a table, in a database, which determines who can access the individual pieces.
I use HttpContext.Current.User.Identity.Name, to get the current username, and then determine whether they are allowed to access the page they are requesting. If not, they are redirected to an access denied page, which has contact details where they can request access.
This is been working for months and is still working for everybody, except me! As well as my usual active directory account, I have what we call a developer account to login to servers et cetera. When I run the webpages on my PC, either through visual studio or IIS, I have determined that it is working because it is using my standard active directory account.
I am not aware of making any changes. I was actually just going through the pages as part of a documentation exercise.
However, as soon as I try to browse the pages on the server, it appears to be using my developer account! How do I know this? Firstly, I have built a test page that displays the current username. Secondly, I have an audit table, which records who try to access what page, when and whether they were allowed access.
Yes I could add my developer account to the users table but that would obviously not be my preferred solution. I have been working on something else for the past few days (nothing to do with this) and based on the audit table, I think this problem started today.
Any ideas?
I'm developing a Content Managment control panel for my (past/future) website clients. The stump that I'm up against is when I allow the user to create/rename a directory in the control panel. Like many others who have discovered this annoyance, it restarts the application, terminating the logged in users. I understand the implications of modifying a directory and I've taken precautions to handle it. Unfortunatly, Asp.net doesnt know this.
Is there any way to automatically log the users back in? With cookies perhaps?
EDIT: I am using the ASP.Net Membership Model.
I have been Googling a problem that I have with trying to integrate the web application that I am working on with SharePoint 2010.
The web application is a wiki style tool that allows users to log in via forms authentication or WIA against Active Directory and create content for themselves and others.
What we would like to do is to allow a user have a page with the content they have created in our web application mixed in with content that they have living on the SharePoint server. For example, they may want to see a list of documents that they have on the SharePoint server mixed in with some of their content.
To accomplish this, we would like to take the credentials the user has logged into our web application with (for example MYDOMAIN\jsmith) and be able to query SharePoint for the documents of that same user (MYDOMAIN\jsmith) WITHOUT the user being prompted to re-enter their credentials to access the SharePoint server (we are trying to avoid the double-hop problem)
We have come up with some options for how we want to do this, but we are unsure of what the best approach is.
For example, we could
- Have a global user, shared by all users to get information we need from SharePoint. The downside is that we cannot filter SharePoint content to a particular user
- We could store the users credentials when they log in, but that would only work for users authenticating via forms auth and would be a security issue that some users/clients would not like
- Writing a SharePoint extension using WCF to allow us to access the information we need, however we'd still have the issue of figuring out how to impersonate the user we want.
Neither of these options are ideal and in our investigation we came across the Claims Authentication/STS option which seems like it is trying to solve the problem we are having.
So my question is, based on what I have written, is Claims/STS the best approach for us? We have not been able to find much direction on how to use this method to call into SharePoint from a Web Application and pass along the existing credentials.
Does anyone have any experience with any of these issues?
It sounds like you may be overcomplicating the problem. The reason that the user gets asked for credentials twice is that the two parts of the system are on different servers. The easiest solution is probably to implement your custom web app as custom pages/web parts within SharePoint.
If that isn't an option, a smaller amount of code on the SharePoint server (maybe a custom web service) should give you a few more options for impersonating a particular user.
Often, out of sheer desperation I will end up enabling "Everyone" access on a folder that a web app is accessing (perhaps for file creation, reading, etc) because I can't figure which user account to enable access on.
Obviously, this is a very bad thing to do.
Is there a way to determine what account IIS is using at that exact moment to access folders (and perhaps other resources like SQL Server, etc)?
Are there logs I can look at that will tell me? Or perhaps some other way?
I usually use Windows Auth without impersonation. Not sure if that information is relevant.
Another more general approach would be to use a tool like Process Monitor and add a path filter for anything that starts with the root of the website (ie c:\inetpub\wwwroot). You then have to add the Username as a column by right clicking on the column headers, but once you do that the w3wp.exe process should show up in whenever you try to access the website and it will show which user account is being used. This technique should work with all file access permission issues.
If you don't use Impersonation, application pool identity is used in most cases, but accessing SQL Server and UNC files are slightly different.
This MSDN article has all information in one place, but you really need to spare a lot of time on it in order to digest every details,
http://msdn.microsoft.com/en-us/library/ms998351.aspx
Use Sysinternals Process Monitor to see what is actually happening.
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
I have an ASP.NET MVC web app and in one of the controller actions I want to start process (exe file). The process needs to run under a domain user, because it accesses other resources on the domain. This can either be a single hard coded user, or the user that is currently on the web page. The web.config is using Windows authentication.
I have tried turning impersonation on and tried turning impersonation on specifying a specific user. Both of these scenarios will cause permission issues.
I have also tried starting the process as a specific domain/user/password, but this will give me an error "Logon failure: unknown user name or bad password". I'm positive that the username/password is correct, and doing a "runas" works fine.
I'm not even sure of the "correct" way to do this. Any help is appreciated.
Thanks.
The correct way is to not launch a process from a Web app. Use something like MSMQ in WCF instead.