We have a web site written in ASP.NET MVC that uses Windows Authentication.
We have a WCF service that we use to connect to the database and reference that service from our MVC site. The web.config for both the site and the service have enabled Windows Authentication and disabled Basic and Anonymous authentication.
Now, the issue is this:
If I restart the IIS and then open a browser in the same computer that has the IIS, everything works fine (even from outside that computer).
If I restart the IIS and then open a browser in an external computer, the WCF service is unable to connect to the database (even from the local machine).
So, if we don't open the site from the host computer before attempting to access it externally it won't work.
We are using impersonation to do the calls to the service from the website.
Any ideas on what can be happening?
your WCF service is impersonating the user of an outside user passed to by IIS passed to by the IE user. You want to hard code your application pool of your IIS we service to use a specific Service Account that has Network Service privileges
its working internally, as its using your identity on the Windows Domain(its in your ie settings in security) but externally this does not work.
Related
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.
I have created a website using asp.net every thing is running fine when i run this using visual studio development server but when i tried to run it by IIS server then Home page of website loads but it couldn't make connection with database server
<add connectionString="Data Source=ASHUTOSH-PC\SQLEXPRESS;Initial Catalog=CloudStorage;Integrated Security=True" name="connectionStr"/>
</connectionStrings>
this works fine on visual studio develoment server but not with IIS.... Please help
Since you are using Integrated Security=True you use the application pool identity to connect to the DB. When you run Cassini, you use your own credentials. You should set up the application pool identity with a user that has permissions to login and query SQL Server.
From MSDN:
When you run a page using the ASP.NET Development Server, the page runs in the context of your current user account. For example, if you are running as an administrator-level user, a page running in the ASP.NET Development Server will have administrator-level privileges. In contrast, in IIS, ASP.NET by default runs in the context of the special user (ASPNET or NETWORK SERVICES) that typically has limited privileges. The ASPNET or NETWORK SERVICES accounts are local to the server computer (not domain accounts), which restricts access to resources on other computers.
Database access
When working with the ASP.NET Development Server, you can typically rely on Windows Integrated authentication to access SQL Server. However, when the same page runs in IIS under the ASPNET or NETWORK SERVICES account, the page is running in the context of a local user, and you often have to configure the page to use a connection string that includes information about a user and password. For details, see Accessing SQL Server from a Web Application and ASP.NET Security Architecture.
I have a web application (developed in ASP.net 4.0) hosted in IIS 6.0 on Windows Server 2003 R2 machine. Integrated Windows Authentication is turned on for this web application.
I have hosted a web service (developed using WCF) in IIS 7.5 on Windows Server 2008 R2 machine. 'Windows Authentication is enabled for this web application too.
I log on to my local machine using my windows domain account. When I browse the web application, it asks me my domain username and password. In web app, I get my identity correctly.
From my machine (using some other Winform app), if I call the same web application (of a web service), service code executes under my windows identity.
So Integrated Windows Authentication works fine independently for both the web apps hosted in separate IIS on different machines.
Problem comes when the web application is browsed from my local machine and web page calls the service internally. In this case, "service does not run under my windows identity" as expected. It either runs under identity of the application pool of either asp.net web app or the web service's web app.
I don't want my web service to take responsibility of authenticating the user. It would use simple basicHttpBinding. It will just read name of the user using CurrentPrincipal or HttpContext etc. Validating user's identity should be done by the IIS only.
Can someone help me to pass on my windows identity from one IIS to another?
You need to set up kerberos delegation as identity won't be passed to another machine by default.
https://web.archive.org/web/20190419225807/https://blogs.technet.microsoft.com/askds/2008/11/25/fun-with-the-kerberos-delegation-web-site/
I'm building a windows service but I would like to get some web pages to control some settings, get diagnostics, etc...
How would you go about combining an asp.net web site AND a windows service together ?
I know that WCF can be self hosted into an arbitrary process but can I do the same with asp.net ?
Another option would be to have my service logic in the asp.net web site application_start method to spawn long running threads. But then, I don't get window service built in feature such as auto start on boot up. Another issue might be that IIS might decide to recycle the process. Moreover, my service needs to open a raw tcp socket to accept connections. Can I do that in IIS ?
Thanks
I think the easiest and most robust way to do this is to have an ASP.NET Web Site running under IIS on the same server as the Windows Service. The Windows Service can host a WCF Web Service that will be accessible to the ASP.NET application.
I would have your Windows service self-host a WCF "configuration" service. The WCF service only needs to be exposed locally if the UI is on the same machine. If the windows service needs to open a separate raw socket for communications this can punch a hole through the firewall.
Then the ASP.NET UI can be hosted by IIS as usual, and call the WCF methods to perform the configuration tasks.
It seems like you really need both thingsāa web app hosted in IIS and a windows service hosted as windows service.
Then you can just share data between the two in some way, e.g. via a database.
I have a windows service that hosts the main WCF service. The clients for this service are both hosted in IIS 7, the first one is an IIS hosted WCF service and the second is a standard Asp.Net application. Both of the IIS hosted clients communicate with the windows service over named pipes.
The IIS hosted WCF service can communicate with the windows hosted WCF service perfectly, but the Asp.Net service fails with this error:
The pipe name could not be obtained from the pipe URI: Access is denied.
My first reaction is that this is a permissions issue somewhere, but I dont know where. And second, why would the IIS hosted WCF service be able to communicate without issue, but the Asp.Net application fail?
Ok, I solved it, or rather I figured out where the permission issue was.
It turns out the Anonymous Authentication setting was using some weird user created by our client (the physical person, not our WCF client), and not the NetworkService user (the identity the app pool was using).
But this almost begets another question: Why were even newly created sites defaulting to this IUSR and not the system defaults? In anycase, I just hope this gets indexed in google as, there were virtually no articles relating to it.
Check the Identity of the Application Pools that the WCF and ASP.NET services resides in.
Maybe the WCF service's AppPool has an identity that has different rights than the other AppPool?
Also, you might want to note that IUSR is the default IIS7 account for Anonymous accessors. See Understanding the Built-In User and Group Accounts in IIS 7.0 for an explanation of the default accounts.
Hope this is helpful.