I built a WCF Data Service hosted in an ASP NET App that runs with IIS 7.
I'm able to access this service from other computers across the network just fine.
The thing is that I have DefaultAppPool set to NetwrokService, if I set it to ApplicationPoolIdentity, then the connection between Wpf Applications and the Data Service breaks.
Why?, In SQL Server Express 2012 I'm using "NT AUTHORITY\Servicio de red" ("Servicio de red" is "Network Service" in spanish) mapped to my database.
I understand that NetworkService is present in IIS7 for compatibility with previous versions, and IIS7 introduced ApplicationPoolIdentity to increase security since many applications use NetworkService.
That´s why I´d like to be able to use this ApplicationPoolIdentity but I don't know what setting is necessary for it to work.
My authentication setting is:
Rafael
Did you add IIS APPPOOL\DefaultAppPool to the users in SQL Server? (I assume your SQL Server is on the same machine as the IIS server? If not, then you have to add your computer name from the domain)
Related
In order to keep application secrets out of source code I want to use Integrated Security to connect my ASP.NET MVC application to SQL Server. However, IIS Express uses my development machine's account as the Identity for Integrated Security, which has different permissions from the AppPoolIdentity on production. I want to connect to SQL server using the same permissions in development as in production, which seems like something that should be easy to do, but I have had no luck.
Apparently it is impossible to set the Identity used by IIS Express except using "runas" which I could not get to work: how to run iisexpress app pool under a different identity
Things I've tried:
IIS Express
Create a User in "Edit local users and groups" and add it to "IIS_IUSRS" group.
Create AppPool in IIS Express manager (Jexus manager)
Setting AppPool > ProcessModel > Identity to newly created User, which fails.
(However setting AppPool Identity works in IIS Manager (not express))
Create site and configure path and ApplicationPool
Application successfully launches through Jexus manager, however still using my Windows account like it does launching from Visual Studio
IIS
Create app pool and log in as newly created user (succeeds unlike Jexus manager)
Create and configure site to use https and IIS Express development cert
Get 500 error when trying to launch the same way as with Jexus manager
I would rather launch the app from Visual Studio anyway
Impersonation
Requires credentials in web.config defeating the purpose of Integrated Security
It's important we manage secrets internally so Azure Key vault or other similar 3rd-party solutions are off the table.
It's beginning to seem impossible to configure IIS Express AppPools to use an Identity other than the currently logged in user: Link1 and Link2. The second link describes a method using "runas" from cmd as Admin but using System.Security.Principal.WindowsIdentity.GetCurrent().Name to check the ApplicationPool identity still shows my logged in Identity, not the one I used in the "runas" command.
What are my options? I would like to use Integrated Security for both dev and prod, with the same permissions on each. Is this possible? Is there an equivalent workaround?
We have a web site written in ASP.NET MVC that uses Windows Authentication.
We have a WCF service that we use to connect to the database and reference that service from our MVC site. The web.config for both the site and the service have enabled Windows Authentication and disabled Basic and Anonymous authentication.
Now, the issue is this:
If I restart the IIS and then open a browser in the same computer that has the IIS, everything works fine (even from outside that computer).
If I restart the IIS and then open a browser in an external computer, the WCF service is unable to connect to the database (even from the local machine).
So, if we don't open the site from the host computer before attempting to access it externally it won't work.
We are using impersonation to do the calls to the service from the website.
Any ideas on what can be happening?
your WCF service is impersonating the user of an outside user passed to by IIS passed to by the IE user. You want to hard code your application pool of your IIS we service to use a specific Service Account that has Network Service privileges
its working internally, as its using your identity on the Windows Domain(its in your ie settings in security) but externally this does not work.
I have problem using IIS 7 and SQL Server 2008. When I trying to show my website using IIS as webserver I get the message "[SqlException (0x80131904): Login failed for user..."
When I using the webserver included in Visual Studio 2010 to show same website there is no problem to access the database.
Why is it working with VS2010 webserver but not with IIS?
I will try to guess:
You're using windows authentication to access the SQL SERVER and the user of the site's application pool (if you're not impersonating) doesn't have necessary permissions.
If I'm not wrong, the default application user for application pools on IIS7 is NETWORKSERVICE so 2 valid options would be
You give necessary permissions to this user
You change the app pool's user to any with necessary permissions
Add the IIS Group in the SQL SERVER "IIS_WPG" to have access to the DataBase.
I have a windows service that hosts the main WCF service. The clients for this service are both hosted in IIS 7, the first one is an IIS hosted WCF service and the second is a standard Asp.Net application. Both of the IIS hosted clients communicate with the windows service over named pipes.
The IIS hosted WCF service can communicate with the windows hosted WCF service perfectly, but the Asp.Net service fails with this error:
The pipe name could not be obtained from the pipe URI: Access is denied.
My first reaction is that this is a permissions issue somewhere, but I dont know where. And second, why would the IIS hosted WCF service be able to communicate without issue, but the Asp.Net application fail?
Ok, I solved it, or rather I figured out where the permission issue was.
It turns out the Anonymous Authentication setting was using some weird user created by our client (the physical person, not our WCF client), and not the NetworkService user (the identity the app pool was using).
But this almost begets another question: Why were even newly created sites defaulting to this IUSR and not the system defaults? In anycase, I just hope this gets indexed in google as, there were virtually no articles relating to it.
Check the Identity of the Application Pools that the WCF and ASP.NET services resides in.
Maybe the WCF service's AppPool has an identity that has different rights than the other AppPool?
Also, you might want to note that IUSR is the default IIS7 account for Anonymous accessors. See Understanding the Built-In User and Group Accounts in IIS 7.0 for an explanation of the default accounts.
Hope this is helpful.
I've recently had my PC upgraded to Vista, which means it includes IIS7. The problem is that the ASP.NET website we're working on doesn't work anymore. I get an error because the application is trying to connect to the SQL Server with NT AUTHORITY/ANONYMOUS LOGON instead of my domain user, and anonymous isn't authorized. I've tried several things, but no solution yet:
- install and enable the 'IIS Metabase and IIS 6 configuration compatibility'
- enable Windows Authentication for this website
- created a different Application Pool with managed pipeline mode set to Classic
- enabled IIS6 WMI compatibility and IIS6 management console (getting desperate here)
In our web.config there's and in our machine.config there's . I've tried putting impersonate to false and entering my domain user and password in the machine.config (it used to be like this) but that didn't help either.
Are there things I'm missing? Has anyone else had a similar problem?
How does your application authenticate with SQL Server? Does it use SQL or Windows Auth? I hope you are trying to use Windows Auth. In that case, your IIS worker process should be running under that Windows user account. If not, it should at the least impersonate a Windows user account that has necessary access rights to SQL Server. If you have impersonation enabled and if you are using the right Windows user account and if SQL Server authenticates using Windows auth and if you are still unable to access SQL Server, you may be running into the classic double hop issue. In other words, you are trying to authenticate to IIS once and you are using the same crdentials to authenticate to the SQL Server over a network next(which is your second hop) and Windows does not allow that for security reasons.
I believe I have found a/the solution. At least it's working now. This is what I did:
The website is now running in a seperate application pool with Managed Pipeline mode set to classic, Load userprofile set to False and Identity set to custom and using a domain user (and password) that has access to the database.
Under 'authorization' of the website itself, I have Anonymous set to enabled and ASP.NET impersonate set to disabled.
in the web.config of the site is also set.
Credit where it's due, this site helped me.
I'm sorry to say I can't look into the issue any further. Indeed, it probably is something with the way we connected to SQL Server (Win Auth) because we've changed it now. Now we connect with username and password in the connection string and it's solved.
So I can't really say if you provided the answer, msvcyc, but I did vote on your solution. Thanks for the time and trouble.
Well, I recommend you migrate to Integrated mode if there is not too many troubles to enjoy the innovation it brings. :)
http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx