We have 2 servers in DMZ. First one is application server, let's call it APP machine. The other is a file server, let's call it FILE. Web site running on APP machine under IIS is trying to create a file in a shared directory located at FILE server.
When application pool is running with some user in IUSR_IUSRS or NETWORK SERVICE writing to remote location fails. I cant authorize this user in shared folder, because that FILE machine can only see local users.
I created a user X on APP machine (APP/X) and another one with the same username on FILE (FILE/X). Then I added FILE/X user to credential manager on APP machine. When APP/X and FILE/X users have different passwords writing fails again. But when passwords are the same then writing just works.
I cant understand why passwords matter. At the end of the day they are two different users APP/X and FILE/X. Could someone clarify this phenomenon?
When the local user account on APP attempts to connect to the FILE server it passes it's credentials (username and password). If that combination isn't an exact match against a user on the FILE machine then it will fail.
There are multiple ways to do this "correctly". The most common would be to have a domain setup in which the site on the APP server runs under. That way you could just authorize the user to have rights on the FILE server.
If you can't have a domain controller, then the username and passwords must be kept in sync on the two machines.
Related
I am building a intranet application for my company and it uses Form Authentication using active directory. When i run the application on my VS development studio is works fine. There are no issues. But when i deploy the application to a IIS Server which has anonymous access enabled using a local account, my application is reporting it cannot contact the Active Directory. My main aim is to validate the crendtials only. And I do not have administrator account on the AD.
Is this because, the server is not connected to a domain or is it because it has anonymous access turned on.
My workstation is connected to the domain and works fine when i run it on the VS development server.
If this because the server is not connected, than, is there any other ways to validate the user via the AD.
The silly part is that when i remote and try to use the browser to access Google or yahoo, windows will prompt me for username and password. I will enter my domain\username along with my password, and i will be able to access the internet. If this possible, than why I cant use the same way to authenticate my users to my application.
Here are details of my application
IIS and SQL on the same machine.
Server is not connected to the domain.
My personal workstation is connected to the domain.
I have this load balanced asp.net application which needs to upload files to a shared location. The web app is not impersonated, which means it will cross the machine boundry using network service credentials. Now my question is, to which account do I need to assign permissions on the folder where the files are being uploaded? How can I say the network service of these web servers need write permissions?
If your server is part of AD domain, then you can add the Server itself from the security permission dialog to have read/write permission (in fileshare server). Remember to select "Computers" when searching Active Directory. Depending on your setup, might have to search from the root of your Active Directory or select "Entire Directory". You will have to add all of your servers that are part of load-balanced ring to have permission in fileshare server's directory.
If your server is not within an AD domain, then your local server's network service will not have any security context to write on another server; which means only generic permission will work (e.g. giving write permission to "Everyone").
Otherwise you will have to use UNC authentication. An example is posted here.
We have a web application developed for use on the intranet of our client. There is no login page, hence there is no Forms authentication.
The application creates a number of records which have to be stored in the DB along with the name of the currrently logged in user. For this we have enabled windows authentication which works just fine in our development environment - and I assume, that when this is deployed on the envinronment of the client, it will work too.
The problem is, that when we host this on a test server, we need to give public IP access to the clients to check it out - and hence the virtual directory is configured to allow "anonymous access". This obviously causes a problem for us while storing the records since we are not able to capture the login name for the person who is creating/testing this application.
If we enable windows authentication for the test machine, then anyone who tries to access the app through the public IP gets a login window popup which we dont want.
Any ideas on how to capture the logged in user name for this scenario ?
Based on your design, user should log on a windows machine in your network the server is located. For that scenario, VPN would serve best and simulate real environment.
I'm currently implementing a cache mechanisem for our site.
I want to use the SQL Cache dependancy feature.
I am running the following command in management studio and it's not working.
GRANT SUBSCRIBE QUERY NOTIFICATIONS TO "my_server_name\ASPNET"
The error I'm getting is:
Cannot find the user 'my_server_name\ASPNET', because it does not exist or you do not have permission.
I tried signing in with the admin of the specific database I'm setting the notification for, sa, and windows authentication with the machine administrator.
Also tried running management studio as administrator and still not joy.
Can someone please point me in the right direction.
Thank you!
First, it appears you are attempting to grant permissions to the account under which the site is running. In IIS 6 and IIS7 these are control by the account set on the Application Pool. That account used to be ASPNET but no longer by default. Instead, the default (starting with .NET 2.0 I believe) is NETWORK SERVICE. However, if you are using IIS 7, that has changed yet again. By default in IIS7 it uses something called the "ApplicationPoolIdentity" which is its own special credential created for each site. If SQL Server is on a different machine than the web server, you will run into another problem which is the credentials are all local to the machine.
My recommendation would be to do the following depending on your setup:
Both servers are on a domain and you want to use trusted connections:
Create a domain account and drop it into Domain Users.
On the web server, drop this account into the IIS_IUSRS group.
Go into the Application Pool for the site and change the account under which the site is running to this domain account. You will also want to ensure that this account has the proper NTFS permissions to the site files. If this site only writes to the database, you can given the account read-only access the folder(s) with the site files.
Ensure the connection string used by the site is formed to request a trusted connection. (See www.connectionstrings.com for the syntax)
On the database server execute your grant to this account:
GRANT SUBSCRIBE QUERY NOTIFICATIONS TO "domain name\MyIISAccount"
There may also be other Kerberos issues related to the fact that both servers on the domain and that might require creating a SPN (Service Principal Name).
Neither server is on a domain (i.e., both are member servers) and you want to use trusted connections:
Create a local account on both the web server and the database server with the same username and password. It is critical that they both have the same username and password. This technique involves using NTLM "pass-through" authentication which matches the hash created by the username and password to determine if the user is authenticated between the two desparate servers. On Windows 2008 R2, you may have to jump through a few local policy hoops to ensure that NTLM is enabled between the two servers.
Do steps #2 to #4 above with this account.
On the SQL Server, ensure that this local account has a Login and that this login maps to a User in the database. Then you would execute something like:
GRANT SUBSCRIBE QUERY NOTIFICATIONS TO 'SQLServerMachineName\AccountUsedBySite'
You want to use SQL accounts instead of a trusted connection:
In this scenario, the connection string used by the site to connect to the database will include a username and password which map to a Login on the SQL Server database which maps to a User in the database (typically put in the db_owner role to make it dbo). This
Assuming the credentials are correct, you need only execute your grant against this user:
GRANT SUBSCRIBE QUERY NOTIFICATIONS TO 'SQLUserAccountUsedBySite'
Both IIS and SQL Server are on the same machine and you want to use trusted connections
Create a local user account and drop it into the Users group.
Drop this account into the local IIS_IUSRS group.
Go into the Application Pool for the site and change the account under which the site is running to this local account. You will also want to ensure that this account has the proper NTFS permissions to the site files. If this site only writes to the database, you can given the account read-only access the folder(s) with the site files.
Ensure the connection string used by the site is formed to request a trusted connection. (See www.connectionstrings.com for the syntax)
In SQL Server, create a login for this account then create a user in the appropriate database for this account dropping it into the appropriate roles.
Now execute your grant to this account:
GRANT SUBSCRIBE QUERY NOTIFICATIONS TO 'SQLServerMachineName\MyIISAccount'
Try this:
GRANT SUBSCRIBE QUERY NOTIFICATIONS TO [my_server_name\ASPNET]
I have an ASP.NET website on a Windows 2003 Server, that needs to access files from a network share. The network share is password protected and needs a username and password to be provided.
I use forms based authentication on the website and not windows based.
So my problem is, when I try to read any file from the networkshare using the code below, it throws access denied
DirectoryInfo networkShare = new DirectoryInfo("\\TestServer\Share");
So I tried using Impersonate by providing the username and password of the network share to the impersonate function call, however the call obviously fails since that username does not exists on the ASP.NET webserver. So then I passed the username and password of a login that does exist on the webserver, so this time the impersonate call works however it still can not access the network share 'cuz the network share username and password are different.
So finally, I created the exact same username/password on the webserver which matches the network share. This time impersonate function call works and so does network share. I'm able to successfully read from the share.
So my question is, is there a way I can read the network share without adding the username in the webserver. 'Cuz everytime the network share login changes, I'll have to again make a new username in the webserver too. Which is not ideal.
Any ideas?
The "right" way to do this is to run the webserver's AppPool as the identity that can access the share. That way, the only credential storage is done securely in the IIS config (rather than in your code or in readable config files). Putting the webserver and fileserver in the same Windows domain (or different domains with trust) is the easiest way, but the "same username/password" thing should work there as well.
If you don't care about putting usernames/passwords in your code or config, you can P/Invoke to WNetAddConnection2 and pass the username/password- then you should be able to access the share. This doesn't require the webserver to have a matching account, but you really should secure the password (look into System.Security.Cryptography.ProtectedData for encrypted registry storage).