I'm built a forms authentication (actually I'm using the new single page application) website using Asp.net MVC 4.0 with LocalDB. I want to create a separated class lib project for service layer which accesses database. And I need to integrate the default Account/authentication tables with my own tables.
Question:
Should I put the Sql server LocalDB files under the service project folder?
If the answer is not for (1), how can the service project access the LocalDB files under the MVC project?
Do I need to modify the system generated code for Account login if I put the LocalDB file under service project. How about let the authentication code access the database via the service layer instead of the default DBContext?
This pattern is very common and the main control and point of understanding is IIS and security there.
It really is worth taking a look at MSDN IIS site to feel confident about this topic.
http://msdn.microsoft.com/en-us/library/aa292471%28v=vs.71%29.aspx
1) It doesnt matter where SQL server DB is located. Where the SQL server instance is , does play a role. If it is in the same domain/AD , then using Windows integrated security to log in to the DB works well.
2) If the userid that connects to SQL is a valid user on the DB instance and has the necessary permissions for the underlying DB, then you can access the data.
3) What is this code ?
There are a number of questions that need to be answered/considered.
a) are you using FORMS logon or Windows Integrated logon in IIS.
b) Do you want to use a service user to access the DB, or have each user allocated the in the Db.
c) What is is your security model for your application.
See also http://leastprivilege.com/category/net-security/ Dominick Baier security blog.
As a sample solution, (not the only one).
you can set the website in IIS to use FORMS authentication
Set the application pool used by the website in in IIS to use a specific Service user. You type the userid and password into IIS app pool. You must first create this user on the domain. Allocate it as little rights as possible.
Add this service user to SQL server and give it sufficient permissions in the DB that should be accessed. (2 steps) So the service user can access the DB but do little else.
So this leaves you with System.Environment.UserName as the System user you set in your app pool behind the website.
Your application security is then managed as you see fit.
Claims principal once you get to .net 4.5 is a "new way".
But you keep as simple as required here.
Thread.CurrentPrincipal.Identity.Name would contain the name of your forms based user.
good luck...
Related
net application on visual studio and i need to make connection with sharepoint costum list to update/insert/delete.
Is there any tutorial or anyone can give some help?
There are multiple things you need to consider.
Code to write
Download and reference SharePoint Client dll's (e.g. SP 2013 -> 15
here)
Check out these samples -> https://msdn.microsoft.com/en-us/library/office/ee539976(v=office.14).aspx
Authentication
'Normal' service account authentication
AddIn Authentication (https://dev.office.com/sharepoint/docs/sp-add-ins/package-and-publish-high-trust-sharepoint-add-ins)
For a test drive i recommend the first authentication option, as the AddIn option requires a lot of configurations steps...
Make sure the service account of your Web Application (IIS Pool Account Identity or any other credentials) has sufficient permissions in SharePoint
Create the ClientContext as seen in the samples above
I am trying to deploy a WCF service that uses a SQLite DB to read some data as well as connecting to another Database (MS SQL). The service itself is consumed by a ASP Web site running on the same server.
The problem is that only my user is able to fully use the website and service. Every other user can't seem to open the sqlite database file.
What kind of permissions or special access do you need to access a sqlite database from IIS?
The Application pool is setup with a domain account so that access to the MS SQL Database can be granted (Integrated Security).
The folder where the database is stored is accessible by the account. And I've even tried to make it accessible by Everyone and all users with no luck.
I feel I'm missing something obvious but I can't figure out what...
Update: The error is as follows:
System.Data.Entity.Core.EntityException
An exception of type 'System.Data.Entity.Core.EntityException' occurred in EntityFramework.dll but was not handled in user code
Additional information: The underlying provider failed on Open.
Inner Exception:
System.Data.SQLite.SQLiteException
Unable to open database file.
I was able to resolve the issue, I'm going to document it here for posterity. I took a few steps to do so, and I currently don't have the environment set up to be able to reproduce the issue consistently and quickly, so I'm not entirely sure which was the actual solution.
Disclaimer aside, here are my changes:
I created a new Application Pool and Website on IIS, on another directory entirely, not on "C:\inetpub\wwwroot". I used "C:\Sites\MySite" to deploy both my WCF service and the website which consumed it.
I changed the application pool identity account to a new AD Service account.
I placed the database inside of the Service Web App directory, within a directory called data. I removed all inherited permissions from the directory and the database file, and gave the both the service account and Everyone Full Control of the directory and database file.
I edited the connection string for sqlite to have the setting "Journal Mode=Off;".
I stopped and started both the Application Pool and the WebSite on IIS.
After this the service worked correctly, and I was able to access both the database file and the connection to SQL Server. If I get the opportunity, I would set up some kind of virtual network to replicate this and see if I could figure out exactly what caused the error in the first place.
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.
I am trying to accomplish the following:-
To build an Asp.net MVC 4 web application from scratch.
I want to use the current users and groups that are found on our company production active directory server.
In asp.net I know that we can have two types of authentication; Form Based & Windows based.
On my development machine I did the following tests:-
I set the authentication to be “windows based” and I was be able to access the asp.net MVC application without entering my username and password.
I set the authentication to be Form-based and I modify the query string to connect to the Active Directory instead of connecting to the sql databases tables. And I was able to access the application by typing username#domain and the password.
But my questions are:-
When deploying the web application on production, how will “windows authentication” works. Let say the user tries to access the application from external device, then can he still login to the system . Or “windows authentication” will not work for internet application.
Will form-base authentication connected to AD be the best approach to follow in my case?
If “windows authentication” will work when users access the application from external machine. Then what are the differences between having “windows authentication” & Form-based that is connected to an Active directory in this case?
Best Regards
I have an ASP.NET web application that runs on a windows server 2003 server.
there is a form that reads and writes data to an xml file inside the application's directory.
I always grant the NETWORK SERVICE user full control on my application folder so that it can read and write to the xml file.
I put the application on another windows server 2003 server and did the same steps above but i was getting an Access denied exception on the form that reads and writes to the xml.
I did some search and found that if you grant the user ASPNET full control to the directory it would work, I did that and it worked fine.
my question is: what is the difference between granting full control permissions to NETWORK SERVICE and ASPNET users ?
and what can be the difference between the two servers that caused this issue ?
thanks
In all cases, you need to grant the application pool's user account the appropriate access. Application pools were introduced with IIS6. Before IIS6, the .NET application ran under the user account configured in the machine.config file so you would look there to determine the user that needs access.
Network Service is assigned to application pools by default. It sounds like someone set it up differently on one of the servers.
Ideally, you should not be using either account.
You should create a low privilege account that only has access to the resources you need for each web application you have. Add the new account to the IIS_WPG user group. Then create an application pool for each application and set it to run as the user you created specifically for it.
See this article (TechNet) for directions on changing the identity of the app pool.
The configuration I described is now the default in Server 2008 R2/Win 7 (source).
Unfortunately, because someone changed the default configuration on your second server, there is no way for us to tell you what the differences between the two accounts are.
What you will need to do (or have your IT department do) is compare the permissions each account has on the local machine. This will be tedious. However, if you can run powershell, you can use this article to write a script to list out the permissions for each account and compare them.
Good luck finding the differences.