1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.
Related
In order to keep application secrets out of source code I want to use Integrated Security to connect my ASP.NET MVC application to SQL Server. However, IIS Express uses my development machine's account as the Identity for Integrated Security, which has different permissions from the AppPoolIdentity on production. I want to connect to SQL server using the same permissions in development as in production, which seems like something that should be easy to do, but I have had no luck.
Apparently it is impossible to set the Identity used by IIS Express except using "runas" which I could not get to work: how to run iisexpress app pool under a different identity
Things I've tried:
IIS Express
Create a User in "Edit local users and groups" and add it to "IIS_IUSRS" group.
Create AppPool in IIS Express manager (Jexus manager)
Setting AppPool > ProcessModel > Identity to newly created User, which fails.
(However setting AppPool Identity works in IIS Manager (not express))
Create site and configure path and ApplicationPool
Application successfully launches through Jexus manager, however still using my Windows account like it does launching from Visual Studio
IIS
Create app pool and log in as newly created user (succeeds unlike Jexus manager)
Create and configure site to use https and IIS Express development cert
Get 500 error when trying to launch the same way as with Jexus manager
I would rather launch the app from Visual Studio anyway
Impersonation
Requires credentials in web.config defeating the purpose of Integrated Security
It's important we manage secrets internally so Azure Key vault or other similar 3rd-party solutions are off the table.
It's beginning to seem impossible to configure IIS Express AppPools to use an Identity other than the currently logged in user: Link1 and Link2. The second link describes a method using "runas" from cmd as Admin but using System.Security.Principal.WindowsIdentity.GetCurrent().Name to check the ApplicationPool identity still shows my logged in Identity, not the one I used in the "runas" command.
What are my options? I would like to use Integrated Security for both dev and prod, with the same permissions on each. Is this possible? Is there an equivalent workaround?
I'm working on on-premise web application (front end hosted on IIS) that currently uses traditional form-based authentication. Our client wants the application to support "single sign on", which basically means he wants the users to automatically log in to the application. AFAIK there are two ways I can take to achieve the desired effect:
Most articles that I found suggest using some kind of Identity Provider system (like Active Directory Federated Services), which my application can communicate with over SAML/OIDC in order to obtain user's claims.
On the other hand, I could set up IIS to use Integrated Windows Authentication and get user claims directly from Active Directory through Kerberos/NTLM. This approach seems easier.
Given that my application will not be used outside of intranet, it is hosted in environments using Microsoft products (Active Directory, Windows Server, users using Windows machines), is there any reason I should consider the first approach?
I have an issue with our ASP.net application not being able to read files from a remote directory. Our users log into our application using Forms Authentication, so no AD accounts are used in logging them in.
I have added the machine accounts the machines to the share, as I have a local service on the machine that can write to it and a SQL server able to read/write to the share with a machine account.
However, our asp.net app, running on the same server as the service above, is is not able to do this. I have tried impersonation set to true, but this does not work unless I provide an AD account. Once provided, the share works fine.
I can't move the share to the IIS server due to size constraints.
Is there anyway to allow easy access or do I need to take the interop approach?
The account the application pool runs under needs access on the remote folder. Add that account to the security tab(not only share tab) of the remote folder.
Or, try running the apppool as the AD account you used for impersonation.
I am having a problem with deploying a multiple tables report into my IIS server. The page shows : "The report you requested requires further information". However, I have tried to set databaselogon at the server-side but it didn't work. (The report is working fine on VS Debugging Mode)
It is confusing that it happens only to a multiple tables report and it is working fine on a single table report.
I am using VS2008 and CrystalReportViewer version 10.
When you get "The report you requested requires further information", are you prompted to log in? I think that is the header message for DB authentication required.
If so, what you need to understand is the concept that the Crystal Reports runtime runs within the security context of the ASP.NET server. Your database connections within the Crystal Report are probably set up to use Integrated Authentication, which means the report will authenticate to the DB server using the credentials of the ASP.NET process.
In debug mode, the ASP.NET development server runs as your user account. Undoubtedly, you have access to the DB. However when you try to run in production mode, the ASP.NET server (by default) is either running as a local account called ASPNET on the IIS server, or as the NetworkService account, depending on what version of IIS you are running.
If you are running IIS 7.x, you need to either give the IIS server's directory object (NtDomainName\ServerName$) access to the DB, or change the security identity of the application pool associated with your ASP.NET application.
Hopefully this sets you on the right track and if you still need more help please post what version of IIS you are running and more information on the error message you are getting.
Response to Comment:
To configure Application Pools, in IIS Manager, select the Site in question, click Basic Settings... and check the Application Pool it is assigned to. Then go into Application Pools, you should see the current Identity of the pool listed. This is the account the application "runs as". This account needs to have access to all the files and resources in your web application, including your MySQL DB.
You can edit the Identity settings in the Advanced Settings dialog for the Pool.
Unfortunately I can't give you any advice on MySQL since I have never worked with it.
I have an ASP.NET web application that runs on a windows server 2003 server.
there is a form that reads and writes data to an xml file inside the application's directory.
I always grant the NETWORK SERVICE user full control on my application folder so that it can read and write to the xml file.
I put the application on another windows server 2003 server and did the same steps above but i was getting an Access denied exception on the form that reads and writes to the xml.
I did some search and found that if you grant the user ASPNET full control to the directory it would work, I did that and it worked fine.
my question is: what is the difference between granting full control permissions to NETWORK SERVICE and ASPNET users ?
and what can be the difference between the two servers that caused this issue ?
thanks
In all cases, you need to grant the application pool's user account the appropriate access. Application pools were introduced with IIS6. Before IIS6, the .NET application ran under the user account configured in the machine.config file so you would look there to determine the user that needs access.
Network Service is assigned to application pools by default. It sounds like someone set it up differently on one of the servers.
Ideally, you should not be using either account.
You should create a low privilege account that only has access to the resources you need for each web application you have. Add the new account to the IIS_WPG user group. Then create an application pool for each application and set it to run as the user you created specifically for it.
See this article (TechNet) for directions on changing the identity of the app pool.
The configuration I described is now the default in Server 2008 R2/Win 7 (source).
Unfortunately, because someone changed the default configuration on your second server, there is no way for us to tell you what the differences between the two accounts are.
What you will need to do (or have your IT department do) is compare the permissions each account has on the local machine. This will be tedious. However, if you can run powershell, you can use this article to write a script to list out the permissions for each account and compare them.
Good luck finding the differences.