I have the following setup:
IIS 8.0
a web handler call it test.ashx
Impersonation & Windows Authentication are both configured. Kerberos is showing as the authentication type.
test.ashx uses the unmanaged API: CreateProcessAsUser() method to run "cmd.exe /c myScript.cmd"
I put statements in myScript.cmd and see that it is running as the requesting user as I need it to. The problem I am experiencing is that the script cannot reference network files (either mapped drives or UNC path)
I need myScript.cmd to run as the requesting user and to be able to access network file resources. How do I get this to work?
I found one item that made a big difference on getting kerberos authentication to work, which is required to do impersonation and delegation. In IIS Manager I had to choose the web site, then run the Configuration Editor. Once it opened I had to choose the as from: DefaultWebSiteWeb.Config, and as the section: system.webServer/security/authentication/windowsAuthentication. Then set: useAppPoolCredentials = True. Note: useKernelMode was already set to true.
Additionally, for the web site I have the following set for Authentication:
ASP.NET: Enabled
Windows Authentication: Enabled, Provider: Negotiate, Kernel mode enabled.
Now my ASHX web handler (in C#) can start a process as the user, run a .cmd file that accesses network resources.
Related
I have used the Visual Studio template for an ASP.NET Webforms app with Azure AD authentication to create a simple web app. It works 100% fine locally. I can sign in, sign out, all good. Whenever I deploy to either AWS or Azure however, the behavior changes. The sign in still comes up fine, no issues at all, but after signing in, instead of taking me to the site, the browser just thinks for ages before dumping me to this error in the browser:
Server Error in '/' Application.
Runtime Error Description: An application error occurred on the
server. The current custom error settings for this application prevent
the details of the application error from being viewed remotely (for
security reasons). It could, however, be viewed by browsers running on
the local server machine.
Details: To enable the details of this specific error message to be
viewable on remote machines, please create a tag within
a "web.config" configuration file located in the root directory of the
current web application. This tag should then have its
"mode" attribute set to "Off".
I have tried adding the web.config setting and redeploying and it makes zero difference. Because I'm using App service on Azure for instance, I can't run the site on the actual web server as I don't have access to it. I tried looking at diagnostic log streaming, and got the below? Please help? Anyone? I have no idea why this isn't working. Interestingly, although I have asked that the site be http and it runs locally as http, once uploaded the url becomes https. Not sure if that' related.
From streaming logs (Azure)
HTTP Error 500.0 - Internal Server Error The page cannot
be displayed because an internal server error has occurred.
Most likely
causes: IIS received the request; however, an internal
error occurred during the processing of the request. The root cause of
this error depends on which module handles the request and what was
happening in the worker process when this error occurred.
IIS was not able to access the web.config file for the Web site
or application. This can occur if the NTFS permissions are set
incorrectly. IIS was not able to process configuration for
the Web site or application. The authenticated user does not
have permission to use this DLL. The request is mapped to a
managed handler but the .NET Extensibility Feature is not
installed. Things you can try:
Ensure that the NTFS permissions for the web.config file are
correct and allow access to the Web server's machine account.
Check the event logs to see if any additional information was
logged. Verify the permissions for the DLL.
Install the .NET Extensibility feature if the request is mapped
to a managed handler. Create a tracing rule to track failed
requests for this HTTP status code. For more information about
creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module __DynamicModule_Microsoft.Owin.Host.SystemWeb.OwinHttpModule,
Microsoft.Owin.Host.SystemWeb, Version=3.0.1.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35_79846f5c-7e22-4a97-8a1c-24bc400cf7db
Notification EndRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x00000000
Requested
URL https://SimpleADApp:80/
Physical
Path D:\home\site\wwwroot Logon Method Not yet
determined Logon User Not
yet determined
More Information: This error means that there was
a problem while processing the request. The request was received by
the Web server, but during processing a fatal error occurred, causing
the 500 error. View
more information ยป Microsoft Knowledge Base
Articles:
I'm attempting to share .ASPXAUTH cookies between an ASP.NET MVC 4 application (in IIS 7.5) and a service using HttpListener on the same host.
The browser presents the cookies to both correctly, but my service receives System.Web.HttpException: Unable to validate data. at FormsAuthentication.Decrypt, which I would expect if the two applications were using different machine keys.
So: how do I find out if my machine is configured to use different machine keys?
the default setting of IIS is autogenerate machine-key and isolate per application
you can change this setting globaly in your machine.config or localy (per application) in your web.config
for details please see
http://technet.microsoft.com/en-us/library/cc772287(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754909(v=ws.10).aspx
You can see the current setting for machine-key in IIS manager. For details, see http://blogs.msdn.com/b/amb/archive/2012/07/31/easiest-way-to-generate-machinekey.aspx
I can access the elmah.axd file, to view errors, when browsing using the localhost host name (i.e. http://localhost:24425/admin/elmah.axd).
I created a different host name and added it in my host file (to mirror production domain name). When I browse the site, and force an exception, the exception does get logged (SQL Server) using the prod host name. However, I am not able to view the elmah.axd file (i.e. http://www.foo.com/admin/elmah.axd). I get "HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
When I force an exception, using the localhost url, the exception still does get logged in SQL and I am able to browse this file: http://localhost:24425/admin/elmah.axd. However, I only see exceptions that occur under the localhost url (not the www.foo.com url).
After reviewing SQL, I see errors that happen using localhost with Application "/" and User set to the account I am logged in with. The errors generated when using www.foo.com have Application set to "/LM/W3SVC/6/ROOT" and the User column is blank.
I just need to be able to access the elmah.axd file when using www.foo.com/admin/elmah.axd. I have set security allowRemoteAccess to "1" in my web.config and have also added the elmah stuff to system.web and system.webServer nodes in my web.config.
I am using Windows Server 2008R2, IIS7.5 and it is a ASP.NET site (set up as a Web Application).
Thanks for any advice given.
By default elmah.axd can only be viewed on the local machine (whicj is why using localhost works).
You need to configure the web application to allow remote access.
I have an ASP.NET application that executes a WMI call to a remote system. The application Web.config contains <identity impersonate="true"> and <authentication mode="Windows"> options which, as I understand, should force the application code to be executed on behalf of the application user.
The problem is that I get "Access is denied" error, despite the fact I can successfully execute the my WMI request from PowerShell console on the same host under the same user to the remote server in question.
// this doesn't work
ManagementScope scope = new ManagementScope();
scope.Path.NamespacePath = "root\\virtualization";
scope.Path.Server = "vs01";
scope.Connect(); // <-- here comes exception
# this works just fine
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -ComputerName vs01
Dumping HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, System.Threading.Thread.CurrentPrincipal.Identity.Name properties suggest that impersonation works as expected.
Ideas? Could the issue be some kind of .NET or IIS security?
You need to have a domain administrator enable Delegation for your web server machine. This is a security feature of Kerberos. By default an intermediate server (in this case your web server) is not allowed to pass the impersonation context of a client to the remote server unless it has been given Delegation permission. If you don't do this the remote target server will see the request coming in as Anonymous User... which if its properly secured will be denied access.
Note its a common policy to only allow an intermediate server to delegate to specific target servers (called constrained delegation), so if your web app needs to be able to call WMI on any server in your network you may have problem. Talk to your domain admin.
Our code relies on checking the Context.User.Identity value in the Global.asax Application_AuthenticateRequest(...) method to retrieve some information about the logged in user. This works fine in classic mode but when I flip IIS to use the Integrated Pipeline "Context.User" comes back as null, but only intermittently. Any ideas why?
I have < authentication mode="Windows"> and only Windows Auth enabled in the Virtual Directory.
Integrated mode means that the pipeline events of ASP.NET run at the same time as the IIS pipeline, what it means is that:
1) In Classic Mode - AuthenticateRequest in ASP.NET runs way after IIS already did the authentication (using Windows auth maybe or basic, etc) and so you will get the User Identity set to it.
2) In IntegratedMode - AuthenticateRequest will run at the "same time" in both which will cause it to have a null there. You should consider using PostAuthenticateRequest if you want to reliably get a User Identity (of course provided you have an authentication module enabled)