I need to run unit tests and test database connections using integrated security with SQL Server for a domain service account that will be the appPoolIdentity when we push to dev and production. I have been trying to find an answer to this for some time and can't seem to get a handle on it. It seems like it should be possible to impersonate this account given userid and password. Any help would be appreciated.
It's relatively simple. Rather than using the integrated IIS Express, you install the full IIS on your local computer, then you assign the app pool the identity of the service account you are going to use.
You do need to run Visual Studio as Administrator in this scenario to debug a different user.
Make sure that you setup the project to use IIS rather than IIS Express, and you should be good to go.
Related
In order to keep application secrets out of source code I want to use Integrated Security to connect my ASP.NET MVC application to SQL Server. However, IIS Express uses my development machine's account as the Identity for Integrated Security, which has different permissions from the AppPoolIdentity on production. I want to connect to SQL server using the same permissions in development as in production, which seems like something that should be easy to do, but I have had no luck.
Apparently it is impossible to set the Identity used by IIS Express except using "runas" which I could not get to work: how to run iisexpress app pool under a different identity
Things I've tried:
IIS Express
Create a User in "Edit local users and groups" and add it to "IIS_IUSRS" group.
Create AppPool in IIS Express manager (Jexus manager)
Setting AppPool > ProcessModel > Identity to newly created User, which fails.
(However setting AppPool Identity works in IIS Manager (not express))
Create site and configure path and ApplicationPool
Application successfully launches through Jexus manager, however still using my Windows account like it does launching from Visual Studio
IIS
Create app pool and log in as newly created user (succeeds unlike Jexus manager)
Create and configure site to use https and IIS Express development cert
Get 500 error when trying to launch the same way as with Jexus manager
I would rather launch the app from Visual Studio anyway
Impersonation
Requires credentials in web.config defeating the purpose of Integrated Security
It's important we manage secrets internally so Azure Key vault or other similar 3rd-party solutions are off the table.
It's beginning to seem impossible to configure IIS Express AppPools to use an Identity other than the currently logged in user: Link1 and Link2. The second link describes a method using "runas" from cmd as Admin but using System.Security.Principal.WindowsIdentity.GetCurrent().Name to check the ApplicationPool identity still shows my logged in Identity, not the one I used in the "runas" command.
What are my options? I would like to use Integrated Security for both dev and prod, with the same permissions on each. Is this possible? Is there an equivalent workaround?
I am trying to develop a ASP.NET Web API for MYOB that runs within IIS. That will allow me to insert/update/select different pieces of information from a MYOB company file.
At the moment within development everything works perfectly from within VS 2015 using IIS Express. I can successfully execute a insert command on the MYOB ODBC connection in multi-user access mode while the company file is opened by atleast two other users.
However when run from within IIS no errors are displayed. However the ODBC driver returns successfully on the insert query despite no insert being completed and no records of errors in any log files.
Finally, i have given the application pool connected to the IIS Application/Website the identity of the system administrator account. So i am assuming this is not the issue.
Could someone please help me on this! Have I maybe setup the permissions and security protocols in IIS incorrectly? As this application works fine within IIS Express but not in IIS?
Thanks in advance for any help!
You eventually couldn't see an error because you are using Web API. You are just a client. But maybe the API has an error that you've couldn't be seen. is your API has a LOGS? or it has a return value when it might encountered an error?
Try to Double Check it.
I agreed there's a big difference between iis express and IIS itself(Not in VS, means other machine or in server)
Check it too.
1.) framework you are working mostly.
2.) make sure that your Web API is running.
3.) IIS set up.
I am learning ASP.NET MVC 3 from many sources on the internet. I am worrying whether my settings based on the mixed information contains unnecessary things leading to security risks.
In this topic, I need your suggestion or comment pertaining to my settings explained below. I will assign a number to each step to make it easier to be referenced in your comment or suggestion.
STEP 1: Enabling IIS
STEP 2: Installing .NET 4
No image :-)
STEP 3: Installing SQL-Server 2008R2
No image :-)
STEP 4: Installing Visual Studio 2010
No image :-)
STEP 5: Make a project, e.g., NerdDinner
I put my project file (including NerdDinner.mdb) under C:\
NerdDinner.mdb is already populated with dummy data.
STEP 6: Configuring Global Application Pool
STEP 7: Make Virtual Directory using Visual Studio 2010
Shown in IIS Manager, NerdDinner is an application under the default web site.
STEP 8: Configuring Application Pool for NerdDinner web app
STEP 9: Attaching and Configuring NerdDinner.mdb using Sql-Server Management Studio
STEP 10: Configuring Connection String
<add name="NerdDinnerEntities"
connectionString="metadata=res://*/Models.NerdDinner.csdl|res://*/Models.NerdDinner.ssdl|res://*/Models.NerdDinner.msl;provider=System.Data.SqlClient;provider connection string="
Data Source=.\sqlexpress;
Initial Catalog=NerdDinner;
Integrated Security=True;
MultipleActiveResultSets=True
""
providerName="System.Data.EntityClient" />
Testing
Everything works well, but I am not sure whether or not these steps contains security issues.
This is more of a production environment tip, but you should practice it on your development machine as well.
IIS7.x by default will create a separate application pool for your website named after the name you give the website.
Instead of running the application pool and the site/application under NETWORK SERVICE, run both the site and the pool as ApplicationPoolIdentity.
In the website or application features pane open the Authentication feature select Anonymous Authentication and do right-click Edit:
Next, ensure your website is running in its own application pool. Sub applications may benefit from their own application pool, but we tend to put them in the same pool as the parent site unless there is a need for a different runtime configuration such as a different version of ASP.NET or Pipeline mode.
When you have configured this grant the requisite permissions to the pool identity on your web folders by doing:
ICACLS c:\dynamic\NerdDinner\NerdDinner /grant "IIS AppPool\site1":(CI)(OI)(M)
Or you can apply these permissions via explorer:
Click Check Names then OK:
In SQL Server the same thing applies, instead of giving permissions on your database to NETWORK SERVICE, give permissions to the ApplicationPoolIdentity instead. As with NETWORK SERVICE this will only work if the SQL database is on the same machine as the web server if you're running a standalone server.
For example:
In the dialogue shown above, don't search and Check Names because this will replace the IIS AppPool\ portion of the username with your machine name. When you click OK SQL will complain that it can't locate [MACHINENAME]\NerdDinner.
Next set the add as a login to the NerdDinner database:
I'm setting as DB Owner here but you can choose the role you see fit for your needs. If this is your development machine then DBO will be fine because you can then do DDL from within Visual Studio. Most shared host production environments will make the first login (which is usually all you get) DBO anyway because many apps such as DotNetNuke etc need full control over their databases.
The connection string you've provided in your example should work as-is without any changes.
For more information on this topic:
Application Pool Identities (IIS.NET)
New in IIS 7 - App Pool Isolation (Ken Schaefer)
I can't see anything obviously wrong here - the only things I would perhaps query are:
Do you really need IIS 6 Metabase
configuration compatibility here, if,
as it looks like, you're building a
server from scratch?
Rather than your
database user the having db_owner
role, could you get away with just
having db_datareader/db_datawriter? (I don't know the NerdDinner database so it could be totally correct, it's just an observation)
My web service needs to open some files located on a remote computer.
From Windows I can do the authentication so I can see those files using the File Explorer.
If I try to open the files from my Web Service while it's running using Visual Studio (ASP.NET Development Server) it also works.
However, if I do everything from IIS it doesn't.
In order to find out where is the problem what I did was to run a network sniffer and I found out that when using IIS, the system will try to use the account 'ASPNET' to login into those remote computers which will obviously fail.
However this doesn't happen if I run from the IDE (Using the ASP.NET Development Server)
I found out that if I use Impersonation for accessing this it will work, the problem is I need to have the same account names on the computer running IIS so I would rather not to do that.
Why is it working from the ASP.NET Development Server and not from IIS? Is there a way to give full access to the ASPNET account?
Thanks and hopefully somebody will be able to help with this. I don't know what else to try...
Any request on IIS is served by the ASPNET user. So the user ASPNET is working. I think you are using XP. On Win2K3 etc, the user is Network Service
But the Cassini (Visual Studio Dev server) runs under the current logged in user.
So the difference is. You need to use impersonation for your need.
I'm trying to use NAnt/NAntContrib build script to build a web application on Windows 2008 (IIS 7.0).
In the build file, there is mkiisdir task, which fails with:
[mkiisdir] The webservice at 'localhost' does not exist or is not reachable.
All the documents/posts I found so far (non for w2k8, only Vista) say to install IIS 6 Compatibility services (all of them, including scripting tools, etc.) So I did, but it still throws this error.
Any idea what else need to be changes, so NAnt be able to create/delete virtual directories on IIS 7.0?
EDIT: New data - when I log in as local administrator to this server, the nant task succeeds, but it fails when I log in as a domain admin. I have added the domain admins group in the local Administrators group, but it still fails. Any idea what other permissions I need to check/change in order to make my domain admin user to be able to execute this task? I can create manually virtual folders without any problems.
In order to get iis nantcontrib tasks to work you need to install IIS6 Management Compatibility Tools. Here is the blog describing how to do it in Vista:
http://thoughtworker.in/2008/01/15/nant-the-webservice-at-localhost-does-not-exist-or-is-not-reachable/
Here is a screenshot of how to do it in Windows Server 2008:
alt text http://img407.imageshack.us/img407/699/iis6tools.png
To answer my own question - I have isolated the part of the code in NantContrib which was causing the problem, and made a sample application to test.
I have posted this as a separate question here, and there is the solution as well.
Cheers