I've built an application (asp.net 2010) to allow our employees to update some of their information in Active Directory. Data like website, degree, campus, building, phone extension, etc.
Everything works fine until a user who is a domain admin attempts to use the app. Since the "service account" my .Net application is using is not a domain admin, the update fails for them.
Is there a way I can make this happen without having to make my "service account" a domain admin?
You could give your service account permission to the Domain Admins object in AD (Read Write).
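The self-service updater described in the question, written as an added C# example (it is not the asker's code): the service account writes only an allow-listed set of attributes, and only on the calling user's own object, so the rights delegated to it in AD can be equally narrow. The LDAP root, the credential parameters and the attribute list are assumptions; the attribute names are standard AD schema attributes.

```csharp
// Added example: self-service attribute update through a low-privilege service account.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class SelfServiceDirectory
{
    // Attributes employees may edit about themselves; anything else is refused
    // before an LDAP write is attempted. Match this list to the "write property"
    // rights delegated to the service account in AD.
    private static readonly HashSet<string> Editable = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "wWWHomePage", "telephoneNumber", "physicalDeliveryOfficeName", "department", "title"
    };

    // Assumed domain; the service credentials come from protected configuration, never source.
    private const string LdapRoot = "LDAP://DC=example,DC=local";

    public static void UpdateOwnAttributes(string callerSamAccountName,
        IDictionary<string, string> changes, string serviceUser, string servicePassword)
    {
        foreach (var key in changes.Keys)
            if (!Editable.Contains(key))
                throw new ArgumentException("Attribute not editable via self-service: " + key);

        using (var root = new DirectoryEntry(LdapRoot, serviceUser, servicePassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // The caller name comes from Windows authentication (DOMAIN\user, user part only);
            // it is escaped so it cannot change the shape of the LDAP filter.
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdap(callerSamAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null) throw new InvalidOperationException("Caller not found in directory.");

            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                foreach (var kv in changes)
                {
                    if (string.IsNullOrEmpty(kv.Value)) user.Properties[kv.Key].Clear();
                    else user.Properties[kv.Key].Value = kv.Value;
                }
                // Throws UnauthorizedAccessException when the service account lacks write
                // rights on this particular object: the symptom the question describes.
                user.CommitChanges();
            }
        }
    }

    // RFC 4515 escaping for values placed inside an LDAP search filter.
    private static string EscapeLdap(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

The reason the same write succeeds for ordinary users and fails for domain admins is worth knowing when deciding where to delegate: members of protected groups such as Domain Admins have the ACL on their user object re-stamped from the AdminSDHolder object by the SDProp process, so a delegation placed on the users' OU never reaches them. Delegating write access to just the attributes above, rather than broad rights, keeps the service account from becoming a route to privileged accounts even if the web application is compromised.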
What risk is a user exposed to if he accesses a .net web application with impersonation enabled?
What impersonation level is ASP.NET impersonation?
This is the documentation of impersonation-levels.
Can I create a website, then lure a sysadmin to open it and do some bad stuff in his name (like adding me to the local sysadmins; I can deploy web applications but I am not an admin)? What are the boundaries of this impersonation? I did not find any precise description in the docs.
First of all, you need to understand what ASP.NET impersonation is. Apart from the MSDN definition, in layman's terms, ASP.NET impersonation is the ability to get the user information of the Active Directory logged-in user on the machine using a client-side ASP.NET application.
As you mentioned, there are different impersonation levels. But before going into that, you need to understand that ASP.NET is a managed environment. It exists under the scope of an IIS application pool. So any application's ability is limited to what a web application in a managed environment can do on the server.
To directly answer your concerns, here are a few considerations:
If you can host an application in IIS with ASP.NET impersonation, you should be an admin of that machine (non-admin users can't even open IIS).
No IIS application can do administrative tasks like creating or deleting users or changing user permissions without calling some native application to manipulate Active Directory (this needs to be configured, and much work needs to be done; a non-admin can't think of that). That is almost impossible; even if it were somehow possible with some third-party unmanaged code, a non-admin user cannot install those tools/SDKs on the server without having direct access to the servers.
ASP.NET impersonation is mainly for Active Directory users, and Active Directory exists in securely managed environments on a VPN or office premises. You need to be an Active Directory user to access impersonation. Even if you somehow did that (not possible without admin server access), the audit/system logs/network logs will find which insider culprit did something like that, so what that means inside an organisation (apart from getting fired) I leave up to you.
If you still think ASP.NET impersonation is unsafe, you can ask questions. :)
UPDATE for comments
The impersonation level link you got above is for desktop/Windows applications, which run in full trust. ASP.NET application impersonation is just a way to get the identity of an Active Directory user with some defined attributes, and it is mainly used for authentication and authorization. I reiterate: ASP.NET is a managed application inside an app pool which can only perform actions that are authorized to the account from which you have hosted the application, and even then, native/administrative actions like creating or modifying Active Directory user access are not possible without calling some other SDK which is already trusted and installed on that machine.
To summarize, operations like creating or deleting files in the place where you have given directory access to the web app are possible (also on the network, if the permission exists for the user used for hosting at deployment time, not the user logging in), but deleting everything on the server or performing administrative tasks like AD user creation/modification is not possible via the login of an admin impersonated by an ASP.NET web app without the assistance of already installed, trusted unmanaged software that can do this.
I had a palaver with my sysadmin yesterday. If the user is authenticated by Kerberos, it is possible that the web application accesses resources on other servers on behalf of the user (delegation). Kerberos constrained delegation works with a white-list.
If my application needs to read files on a file share with the credentials of the logged-in user, the security admin has to add an entry that my application (the identity of the app pool) may access this file server in the name of the logged-in user. I cannot create a malware application that reads all the emails of my boss just because he is visiting my web app.
See https://blogs.technet.microsoft.com/pie/2017/06/30/credential-theft-made-easy-with-kerberos-delegation/
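The distinction the thread arrives at (a token that identifies the user, a token usable on this machine, and a token that can authenticate to other servers) can be checked from inside the request. This is an added C# example for an ASP.NET (full framework) application; it is not code from either participant, and the share path and the method names are assumptions.

```csharp
// Added example: inspect the token ASP.NET impersonation hands to the request and
// refuse to act as the user against another server unless the token actually allows it.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class ImpersonationCheck
{
    // Level of the caller's token as IIS/ASP.NET received it:
    //   Identification - name and groups only; cannot be used to act as the user.
    //   Impersonation  - usable for access checks on this machine only.
    //   Delegation     - usable to authenticate to other servers (Kerberos delegation,
    //                    only granted when the app pool account is allowed to delegate).
    public static TokenImpersonationLevel LevelOf(HttpContext ctx)
    {
        var id = ctx.User != null ? ctx.User.Identity as WindowsIdentity : null;
        return id == null ? TokenImpersonationLevel.None : id.ImpersonationLevel;
    }

    // Identity the worker thread is running as right now: the app pool account when
    // <identity impersonate="false"/>, the caller when impersonation is on.
    public static string ThreadIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Read a file on another server on behalf of the logged-in user. With an
    // Impersonation-level token the remote SMB server would not see the user at all
    // (it sees the app pool account or an anonymous logon), so rather than silently
    // using the wrong account the call is refused and the level is reported for logging.
    public static string ReadShareAsUser(HttpContext ctx, string uncPath)
    {
        var id = ctx.User.Identity as WindowsIdentity;
        if (id == null || id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new UnauthorizedAccessException(
                "Caller token level is " + LevelOf(ctx) + "; cannot delegate to " + uncPath);
        }

        // Impersonate only for the duration of the remote access, then drop back.
        using (WindowsImpersonationContext wic = id.Impersonate())
        {
            return File.ReadAllText(uncPath);   // assumed path, e.g. \\fileserver\share\report.txt
        }
    }
}
```

Logging `LevelOf(ctx)` alongside `ThreadIdentity()` on a test page is the quickest way to see what a given IIS configuration actually produces: with Windows authentication and no delegation configured for the app pool account the level stays at Impersonation, which is exactly the white-list behaviour the sysadmin described.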
I'm using webmatrix, razor, c#. I've created a web site for friends, it's on godaddy. I've created web pages to upload or delete images for the gallery, they work ok on webmatrix on my laptop, but get an "access denied" error with godaddy, understandably since I'm an anonymous user.
Godaddy says it is doing windows authentication and the godaddy gui shows me the folders and the user accounts and their permissions.
Can anyone tell me please how to keep the rest of the web site anonymous but to do this with the web pages which amend the gallery:
1. some kind of authentication to get into
2. they also authenticate to godaddy so they have permissions to create/delete files in the relevant folders
I can't see how the WebSecurity class can help. I've read that by default it creates its own database of user accounts, so this could achieve 1, but not 2. I've also read that it can be configured to use windows authentication instead of its own database, but that to do this anonymous access must be disabled.
I'd be grateful for any help, I certainly am stuck. For anyone kind enough to reply, please bear in mind I'm not a web developer, I'm a server admin!
I'm not sure if you're attempting to allow the end users to go to their galleries using GoDaddy AND thru the website. That sounds like a difficult security challenge.
One approach is to only allow the web application to have access to all the files and folders on the server. Then you can forget about Windows authentication. Have the users authenticate using the WebSecurity classes and pages.
_PageStart.cshtml is a file whose code runs every time a page is opened by a user. In there you can put code which controls who has access, including anonymous activity. For example, users are always allowed to go to the account pages in the account folder, because that's where they sign in. So they are still anonymous before signing in. The code is simple:
@{
    // You're always allowed to go to the login pages
    if (Request.RawUrl.StartsWith("/Account"))
    {
        return;
    }
}
If the code returns from here and doesn't take any other action, the page will open normally.
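Taking the answer's approach one step further, here is an added Razor `_PageStart.cshtml` (C# syntax; not the answerer's code) placed in the folder that holds the upload and delete pages, so that only those pages require a WebSecurity login while the rest of the site stays anonymous. The folder name, the login page path and the `galleryEditors` role are assumptions, and the role check assumes the SimpleRoleProvider has been enabled alongside WebSecurity.

```csharp
@* Added example: ~/GalleryAdmin/_PageStart.cshtml, gating only the admin pages. *@
@{
    // WebSecurity (WebMatrix.WebData) authenticates against its own membership
    // database. The site itself keeps running as the hosting account that owns the
    // image folders, so the visitor never needs a Windows login for point 2 of the
    // question: file permissions belong to the app, access control belongs to this file.
    if (!WebSecurity.IsAuthenticated)
    {
        // Send anonymous visitors to the login page and bring them back afterwards.
        Response.Redirect("~/Account/Login?ReturnUrl=" + Server.UrlEncode(Request.Url.PathAndQuery));
    }

    // Being logged in is not the same as being allowed to change the gallery:
    // restrict the folder to an explicit role (assumed name "galleryEditors").
    if (!Roles.IsUserInRole("galleryEditors"))
    {
        Response.StatusCode = 403;
        Response.End();
    }

    // Falling through runs the requested page normally.
}
```

Because the check lives in the folder's own `_PageStart.cshtml`, pages outside that folder are unaffected, which is the split the question asks for. The upload page itself should still save only under a fixed folder (for example `Server.MapPath("~/Images")`) and use `Path.GetFileName` on the posted file name, so a logged-in editor cannot write outside the gallery.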
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
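The design listed in the question (identify the user from Windows authentication, but do all SQL and file work under the application's own account) does not actually need impersonation or delegation at all: Windows authentication sets `User.Identity.Name` whether or not `<identity impersonate="true"/>` is configured, and with impersonation off every disk and database access runs as the app pool identity. The following C# is an added example of that arrangement, not code from the question or its answers; the root folder path and the class and method names are assumptions.

```csharp
// Added example: per-user file store where the user is only identified by Windows
// authentication and all I/O runs under the application pool identity.
using System;
using System.IO;
using System.Web;

public static class UserFileStore
{
    // Assumed folder outside the web root, writable only by the app pool account and
    // not published as a network share, so users cannot reach files except via the site.
    private const string RootFolder = @"D:\IntranetFiles";

    // Windows authentication supplies DOMAIN\user. Keep the user part and allow only
    // characters that can never form a path segment of their own.
    public static string UserKey(HttpContext ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication did not identify the caller.");
        string name = ctx.User.Identity.Name;
        int slash = name.LastIndexOf('\\');
        string user = slash >= 0 ? name.Substring(slash + 1) : name;
        foreach (char c in user)
            if (!char.IsLetterOrDigit(c) && c != '.' && c != '-' && c != '_')
                throw new ArgumentException("Unexpected character in user name: " + name);
        return user;
    }

    // The user's folder, created on first use by the app pool account.
    public static string UserFolder(HttpContext ctx)
    {
        string folder = Path.Combine(RootFolder, UserKey(ctx));
        Directory.CreateDirectory(folder);
        return folder;
    }

    // Resolve a user-supplied file name inside the user's own folder and refuse anything
    // that would escape it (..\, absolute paths, alternate separators).
    public static string SafePath(HttpContext ctx, string fileName)
    {
        string folder = UserFolder(ctx);
        string full = Path.GetFullPath(Path.Combine(folder, Path.GetFileName(fileName)));
        if (!full.StartsWith(folder + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the user's folder.");
        return full;
    }

    // Upload: written by the app pool account; the user's own account needs no rights.
    public static void Save(HttpContext ctx, HttpPostedFile upload)
    {
        upload.SaveAs(SafePath(ctx, upload.FileName));
    }

    // Names to put on the dynamically built page; only this user's folder is listed.
    public static string[] ListOwnFiles(HttpContext ctx)
    {
        string[] paths = Directory.GetFiles(UserFolder(ctx));
        for (int i = 0; i < paths.Length; i++) paths[i] = Path.GetFileName(paths[i]);
        return paths;
    }

    // Download: the browser only ever sees a file name, never a filesystem path,
    // and the ownership check in SafePath runs again on every request.
    public static void Send(HttpContext ctx, string fileName)
    {
        string path = SafePath(ctx, fileName);
        if (!File.Exists(path)) { ctx.Response.StatusCode = 404; return; }
        ctx.Response.ContentType = "application/octet-stream";
        ctx.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        ctx.Response.TransmitFile(path);
    }
}
```

With `<authentication mode="Windows"/>`, anonymous access disabled and no `<identity impersonate>` element, a SQL connection string using `Integrated Security=SSPI` authenticates as the app pool account, so granting that account (and not the users' domain accounts) the database login gives the "only through the website" access the question asks for without a trusted-delegation change in Active Directory.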
In reviewing your post, I must first say "Yes", it seems like what you want to accomplish can be done. However, the enormity of your question precludes simple posted answers. From what I gather, there are three security issues you want to navigate: 1) Windows Authentication, 2) admin-only SQL access, 3) user-only access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I have a situation where I have to authenticate a SharePoint user to another website that is not part of the SharePoint domain without asking the user to log in again.
I have SharePoint as part of domain1. I have users in domain1 that log into SharePoint using NTLM by authenticating to domain1. I don't have any control over this domain and the SharePoint configuration. I am working on an ASP.NET application which needs to authenticate users from domain1 without prompting users for login if they have already logged into the SharePoint server.
Is it possible to do? If yes, please let me know how I can do this. I may be able to install a web part on SharePoint if this allows me to do single sign-on between SharePoint and my application.
If your web site (ASP pages) is in domain 2, you can do it as follows:
Configure domain 2 to trust domain 1.
Create a group with all users in domain 1 that you want to give access to your ASP pages.
Configure your site to use windows authentication
Grant the user group access to your site
In this case it will not actually matter if they have logged into SharePoint first or not.
My application does not have any roles.
However I use windows authentication to stop anonymous users from accessing the webpages.
I need to test different users using the system.
I do not want to know different users' passwords and I cannot set up dummy users in Active Directory.
So how do I do this?
Set up a virtual server with Active Directory Domain Services and IIS on it. Build yourself a domain for your testing and create your dummy users there. Then you can put your ASP.NET application on it and test your app using the different users, but it'll be completely sandboxed from your live Active Directory setup.