I have a folder in which I store all of my applications. Right now 'Everyone' has read access to that folder, and certain sub-folders grand full access to everyone in order for them to be able to store files through my web-applications.
I am using Windows Authentication in order to retrieve the username which the user is currently logged in with.
I would like to disable the option for users (who are part of the 'Everyone' group obviously) to browse through the content of my applications folder and view my application files (and remove certain files). I was trying to use an Anonymous Authentication and it worked fine, but I was unable to retrieve the username the user is logged in with.
Any suggestions? I am lost.
Try to get widows identity then extract its name property.
WindowsIdentity identity = HttpContext.Current.Request.LogonUserIdentity;
string username = identity.Name;
Related
I have an asp.net application which does the following: loads data about audio files (file name, path and so on) from DB and shows them in table on the page. Application uses windows authentication (this cannot be changed).
I've added html 5 audio controls to my table cells so that users could play audio files without downloading them - actually, I don't want them to be able to download files at all.
Audio files come from two network-shared directories - one is accessible by all domain users, the second one is accessible only to specific user. Audio control requires the src to be a relative url - ok, fine, so I went to IIS manager and created two virtual directories under my application. For the second, highly protected directory, I'd set credentials which should have helped my application to access files.
Result seems quite strange to me: users see audio files from the first (accessible) directory preloaded and can play them; users cannot preload and cannot play files from the second directory with preset credentials.
Problem is definitely not in the audio src itself - it is well-formed. Seems like IIS is trying to access data in the second virtual directory under credentials of current domain user and not the one, whose login and password were set on folder setup.
Is there any way to overcome this problem? Unfortunately, granting access to this directory to all users is not a chance. Changing app pool identity to that same specific user also gave no results. App users and user account for the second folder are all in the same domain.
IIS access file via application pool identity not login user. So when you are running an application with network share directory, please change the app pool identity to a domain user that have permission to access both. Then you can restrict login user permission via authorization rule.
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.
I have set up an Active Directory Membership provider and can successfully create and log in users into the active directory with an ASP.NET application.
However, the active directory has other fields besides Username/Password such as First Name, Last Name , Telephone Number etc. Is there any way for me to be able to gather this information using my ASP.NET website and store it in the Active Directory?
I understand that I need to use a Profile Provider and I can technically set it up to use an SQL DB to store the extra profile information, but is there any way I can store the information directly in the fields available in the Active Directory? As far as I know there is no ActiveDirectoryProfileProvider.
Thank you,
You could get there -- probably would need to step outside the membership system and use the System.DirectoryServices to write to AD. Now, writing to SQL will be a lot easier, especially at development time. And you won't have to fight a sysadmin who doesn't want your web app having elevated AD privileges.
I have an ASP.Net (2.0) application on an intranet that needs to impersonate the users Windows login, which it does by having
identity impersonate="true"
in the web.config file.
In a couple of places it needs to create a file in the Temp folder of the server (a text file in one instance and a Word doc in another instance) before sending the resulting file to the user, after which it is deleted from the Temp folder.
It runs into a permission problem, because the user that is being impersonated does not have permission to write to the server's hard drive.
I was hoping I could switch to the default IIS (or some other built in account) to do the file access functions.
Is that possible? If so, how? I can't create any new accounts on the server.
It is Windows Server 2003.
Thanks
Yes it is possible using the System.Security.Principal namespace, see http://support.microsoft.com/kb/306158 for an example.
Basically you switch to a context that has permissions by impersonating the appropriate user account, perform your file IO then undo the impersonation.
However the easier solution would be to grant write access to the users (or groups). Grant permissions to the domain account/group so you don't have to create local accounts on the server.
I already had problems like yours, then I changed my mind and started using memorystreams and immediately writing them to the response object (instead writing it to disk and after send to the client). This way I save on being concerned in deleting it after downloaded by user.
The simplest way is probably to give the 'Everyone' group write access to the temp folder