i have a web application built in ASP.NET MVC 4. that is hosted on shared hosting server. On that servers for each package(domain) there is limitation of 100 MB memory for the application pools, if it goes above 100 MB, causing the application pool to restart and session is lost having all your visitors logged out.
I have two options to sort it out :
SessionState = StateServer
Machine Key (From http://aspnetresources.com/tools/machineKey)
I have tried first with no luck(still user logout in two or three requests).
i have tried second but my problem is that i have 2000-3000 existing user if i put the
the machine key into my web.config file its prevents the existing user to login with there current password.
i am using Microsoft ASP.NET Universal Providers for authentication
any help would be appreciated.
thanks
Related
I have an ASP.NET Application which runs an multiple Web Servers in Azure (these are all virtual machines and not Azure Websites).
If a user logs himself in (currently forms authentication) everything is fine but if he clicks on a link he might get redirected to another server in the server group where the session cookie is not set.
How could that be solved in azure so that a user is logged in on all machines or is there a way to "bind" a user to a specific server so that he won't jump between the servers?
Thanks for your help!
metabolic
You have to change the session state to be saved in an external persistence solution, like SQL Server or Redis, instead of InProc (which means in memory) which is the setting you have now. The steps to do that are described here for SQL Server. Then if someone ends up in a different server, he'll still be authenticated as the session will be loaded from the persistence solution.
I have an IIS6 And II7 servers under my management.
all my application pools are running under a custom account which is a member of the IIS_IUSRS
Some of the websites on the webserver were hacked and malicious asp.net files was uploaded to the server.
Those files were used to act as a medium between the attacker and the OS to execute code
I have noticed that the user under which the application pool was running was able to list all the directories of my server and was actually a part of "Authenticated users" and hence "users" group which by default have permissions to execute files/create folders etc.
The hackers were able, using the application pool credentials, to be authenticated as an authenticated user and since authenticated user is part of the users group they were able to do what they want
you can easily recreate the issue by using process explorer to view a worker process security groups.
My Questions are:
How should I secure correctly my server if I want to run the application pool as custom user and not as the built in identitty pool identity ? ( the reason I need to is because I'm using websitepanel management software )
Is something wrong in my config or is it possible that on every MS server that uses custom user as the identity and has some security flaw in the website, a hacker can cause havoc to the entire server ?
There is a similar question pertaining to my topic here, but it doesn't fully satisfy the issue I'm having. Going off the question in the link, how would the apppool identity get used as the current user? My application actually gets the users out of a SQL db, but the apppool identity is not in the db, yet still gets logged as the current user. Thanks in advance!
Your appPool identity IS the current user, as far as IIS is concerned. IIS has no knowledge of any account that you are storing in your application's SQL database. When you enable Anonymous authentication, you can change the account that IIS uses to access your sites and applications. By default, IIS 7 uses "IUSR" as the user name for anonymous access, however you can change this to "Application pool identity" if you want to restrict access that way."IUSR" user name is created when you install IIS 7.Any clients connecting to the application will be connecting as either "IUSR" or "IIS AppPool/{AppPoolName}". I am guessing that your function to log the current user is reading from the SQL information and not from your HTTPcontext. More information about Application Pool Identity here: http://technet.microsoft.com/en-us/library/cc770966(v=ws.10).aspx
Normally a website process (w3wp.exe) impersonates the identity of the application pool identity (IIS APPPOOL\DefaultAppPool)
Unless you are using Integrated Authentication, in which the website process impersonates the identity of the authenticated user account accessing it (YOURDOMAIN\YourUsername).
What your site does beyond that is separate from IIS authentication and totally up to your application - that is, if you then go and set your users from your database, etc.
Has anyone ever experienced the following situation in .net with forms authentication?
User logs into system.
User is allowed into the "default" page inside of the directory
controlled by forms authentication.
User attempts to click on another link also inside of the directory
controlled by forms authentication.
Application redirects them to the login page again as if they hadn't
already logged in.
It's an ASP.net 3.5 website application, running IIS7, hosted in a Server Farm with just 2 servers. Authentication is managed by cookies on the users system and server affinity is turned on...so "technically" they should arrive at one of the two servers and stay there.
Thanks for any help/insight.
If it's a server farm you're load balanced (I assume) so you have no idea what server you're going to end up on, when working in a farm with forms authentication you need to ensure that the encrypt / decrypt keys are the same or the cookie created on server A can not be read by server B. Here's an example of a machine key that can be added to the web config to ensure cookies can be read in the farm:
<machineKey decryption="AES" decryptionKey="3B9E54DB3BB7DC57FF7CFBD8570B7AA21CD71BF63C6A9B48,IsolateApps" validationKey="3A74D6A6BA4C0771232C24FEFF997337F8B9542C255F5EA8EF214918A320362528EDA984A5AA8D0C24FDF50A062718932293496572248668C30DC3FAE2BDA183,IsolateApps" />
Short version:
For IIS 7.5 web applications with Windows Authentication does the end
user need to have Read file access?
Long version:
I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:
When connecting e.g. to http://appserver/MyApp I'm prompted for windows credentials but after entering them I'm repeatedly prompted. After several re-entering credentials I'm shown a 401 error page saying "401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity but even when entering the username & password it's still denying access.
Giving Read & Execute permissions to the end users of the app solves this problem, but I don't think this should be necessary at all.
In the windows Application Event Log there's a message "File authorization failed for the request" along with Thread account name: NT AUTHORITY\NETWORK SERVICE and User: [the correct workstation users's domain account]. This suggests that the file access is being performed with the User's identity, not the AppPool identity of Network Service. Sure enough if I grant the end user Read & Execute permission (I didn't try Read only) to the application's directory then everything works correctly: when the user browses to the site they're authenticated automatically, not prompted, and the web site correctly recognizes their identity! Therefore my workaround solution is to give Read & Execute permission to Everybody on the application directory...but this is not an ideal solution.
This seems very strange. I've never needed to do this before in IIS 7.5, so far as I recall, and definitely never needed to in IIS 6 or IIS 7. Is this a new IIS7.5 thing? The documentation says that Impersonation is turned off by default. I added a element to the web.config to be sure, removed file permissions other than Network Service, but the problem remained.
Any thoughts? Is it normal for Windows Authenticated sites on IIS 7.5 for end users to need file permissions on the web server files?
Some relevant details:
Network Service
has Full Control file permissions to the app folder.
When connecting from the server itself I was prompted for credentials
but after entering them i'm authenticated and the application works
correctly including displaying my windows login and connecting and
retrieving data from the db. I later determined that it was prompting
for credentials because http://localhost was in the trusted sites
and therefore not recognised as the Intranet Zone and thus not
passing identity through. I also determined that it was working as
this user identity because it's an admin user who has file
permissions.
The web server is running Windows Server 2008 R2 / IIS
7.5. It didn't have IIS on it until I installed it. I installed the default features as well as Windows Authentication, ASP.NET, and
possibly a couple of other items. A separate WCF app I installed that
uses IIS, anonymous authentication & .net 2.0 is working fine on
that web server.
The app install process is a manual copy of files,
creation of IIS App Pools & web apps, updating connection strings,
etc.
I checked the IE security settings. It was recognizing the
server as in the Intranet zone and had the option 'Automatic logon
only in Intranet zone' selected. Also on Advanced Settings the
'Enable Integrated Windows Authentication' option was checked.
After
installing IIS I ran aspnet_regiis -i for .net 2.0 and
aspnet_regiis -iru for .net 4.0.
Anonymous authentication is
disabled for my app and Windows Authentication enabled.
The app is
running on ASP.NET v4 but there's another app I installed
experiencing the same issue running ASP.NET v2.
The app is running
with Identity = Network Service and in 32-bit mode.
Database
connection string includes Trusted Connection=True and database
permissions are granted to the web server account [domain]\[server]$
e.g. DGM\MyServer$.
In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. I tried reordering so NTLM is first.
In the Windows Security Event Log there
were a series of Microsoft Windows security auditing events: Logon
and Logoff. They indicated that the Logon was successful and was
displaying the User Id of the workstation user. This are from when
I'm connecting from another workstation and receive a 401
Unauthorized after several attempts.
I see someone has had this problem reported here but with no solution. Originally I posted in the ASP and then the IIS forums with no answers so far.
Update:
This msdn article says
When Windows authentication is enabled but impersonation is disabled, ASP.NET performs file access checks in the file authorization module using the credentials that are sent from the browser (my emphasis). Impersonation does not need to be enabled, because the FileAuthorizationModule module ensures that the requesting user is allowed read access or write access to the resource, depending on the request verb (for example, GET or POST) before executing the request. This behavior applies to any requests that enter managed code. In earlier versions of ASP.NET, accessing files based on URIs such as "Default.aspx" triggered the access check. In ASP.NET MVC applications, where access to resources is typically performed using extensionless URLs, this check typically does not apply, because there is not a physical file to check. In that case, the FileAuthorizationModule class falls back to checking access-control lists (ACLs) for the folder.
This does suggest that the end user needs permissions to the files (in the case of .aspx) or the folder (for MVC) ... although still this seems slightly tucked away and non-definitive. This article about App Pools says they're used as the identity for securing resources, which contradicts the idea of needing to grant privileges to end users. Unless the rules are different for App Pools and NETWORK SERVICE, which could be the case but would be surprising.
Are authenticated users allowed to the app folder?
We were also fighting with this issue, and started setting up security groups so we could give our users file level permissions. Then one of our server admins stumbled across a couple of new properties that allow the app to authenticate to the file system under set credentials, and resolved the need for the users to have access. Here is what he came up with…
There are two IIS settings that control this:
Physical Path Credentials Physical Path Credentials Logon type
By default, Physical Path Credentials is set to Application User
(Pass-through authentication). This means that IIS doesn’t do any
impersonation when handling Windows Authentication requests. This can,
however, be set to a specific user (though not, unfortunately, the
application pool identity, which would be ideal). Physical Path
Credentials Logon Type is set by default to Clear-Text. For my testing
I set this to Interactive (though this may not be the correct value).
Possible values are Clear-Text, Batch, Interactive, and Network.
To set this up I did the following:
Created a local account (IIS-AccessUser)
Granted IIS-AccessUser read and execute access to the /home directory of the site.
Added IIS-AccessUser to IIS_IUSRS group (necessary for accessing .NET temporary files)
Set IIS-AccessUser as the Physical Path Credentials
Set Physical Path Credentials Logon Type to Interactive
Doing the above allowed me to log in to the application directly,
without having to allow Authenticated Users, or me having to be a
member of any of the groups in the /home folder. It also still
preserved .NET Authorization roles, so I still could not access parts
of the site that I was not allowed to.
The short answer is NO. You are not required to grant file access permissions when using Windows Authentication in IIS 7.0 and IIS 7.5.
We were only able to discover this because our server admin smelled the security and management issues that arise from taking the route of granting file level access to users and groups.
For anyone dealing with this issue or if you are setting up a new IIS7/IIS7.5 server and/or moving from IIS 6, here is an article that gives you all of the Windows Authentication options and configurations that need to be modified to avoid granting file level access to individuals or groups.
Please read the two comments in at the end of the POST for some valid critiques of the methods used in this article.
http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk
In addition to the information in the article, please be aware that IIS 7.5 is not using the web configuration tags for system.web (at least not in my MVC 4 application).
It is looking in the system.webserver tags for authorization configuration (where you will need to list the windows domain\groups a user needs to be in to access your application).
-- DSB