We have completed developing a custom CMS using ASP.NET. The CMS will be setup in IIS hundreds to thousands of times (one per domain). The CMS uses SQL Server to store page content, settings etc.
Should we create a new SQL Server login (using SQL Authentication) for every website or should we use the same login for all websites?
Any thoughts on this would be appreciated
If you are going to the trouble of provisioning a separate CMS and DB for each instance, then you should create a separate sql login for each instance.
This way you add one more layer of security to the design (and incur little more of your already hellish maintenance cost).
It would seem safer to let each site have it's own login.
That way you can't look at the wrong content database by accident (or mischief).
I would advise using Windows Authentication in SQL. It is easier to set up, and doesn't require storing passwords in web.config files.
You can further restrict this user account for security purposes.
Also don't let these user accounts use the same passwords, that screams insecurity.
Related
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I have a customer enquiry management website with many different websites (on different servers) sending enquiries into it. Currently each website has a contact form on the page and the form creates a database connection with the SQL needed to insert into one central database.
This works but the problem is more and more websites are now sending in enquiries so I am duplicating this database code across many websites. If I needed to change something in the database, I would need to go through all websites and make the same update.
The enquiry management website is asp.net. The websites which insert enquiries into the database are a mixture of asp.net and php. I thought about just creating an insert page on the main website and each website posting to the that. The only problem with this is each website has its own website specific tasks to as well e.g. sending emails, adding to mail list. Inserting into the enquiry database is the only task which could be done externally/globally.
Is there a cleaner way of doing this?
To centralized your all the logic, you can implement Web Services. All you have to do is,just make a web service having all the business logic.
Then you can use this web service by adding the reference of it into your multiple web sites. It will be a one time job. Suppose,if you need to change some logic,then you can just change it in web service class. All the modifications will be applied to all websites which are consuming the same web service.
I think you can expose the operation through web service. if you are in .net platform, web api is a good way to implement that.
You can issue an ajax call to the web api on all the clients regardless the website platform (asp.net php...). If the form is in a similar/standard format, the javascript block can be centralize as well.
I have a couple of PHP applications that run over WAMP Server, and for management reasons my boss told me to migrate the into an IIS server and ASP.NET so we only have to manage one database of users, in this case the Active Directory Users Group (Windows Server 2008 R2).
So we would create a security group called Delete_Update_Stock_Toolcrib, and only the users inside said group would have access to the web page where the transaction takes place (no need for ultrasecurity, since my users a really really basic users).
So my question is, is it possible to get an automated authentication from the AD user using a .NET API?
Just like Sharepoint, where according to the security groups you are in, you can access certain parts of the information available for your departament.
You could authenticate users using the built in ActiveDirectoryMembershipProvider.
Then, in ASP.Net, the concept that is the nearer of Users Group is Roles. There is a Active Directory Roles Provider on codeproject that should allow you to map Users Group to Roles, but I never tried it.
Here a great tutorial on the subject
I have many pages in web application, i want display some pages to all including anonymous user and some pages should be protected from anonymous user can it is possible through authentication and authorization.. if it is possible then please tell me how......
There is built in functionality in ASP.NET for this. See ASP.NET Authorization on MSDN for an introduction.
You can specify what roles are allowed to access different pages/paths. With a membership and role provider you get a built in handling of users and roles. If you are in a corporate environment you probably want to integrate with Windows authentication, otherwise there is a good SqlMembership provider that handles all the user storage in the database in a secure way.
If you want to keep away from building an authentication system into your application you're best bet is to look at putting the pages that need protection into a separate directory on the webserver, then using : http://httpd.apache.org/docs/2.0/howto/auth.html to protect them.
This of course assumes you're using apache.
It is no longer recommended to use the .htaccess files.
I have been Googling a problem that I have with trying to integrate the web application that I am working on with SharePoint 2010.
The web application is a wiki style tool that allows users to log in via forms authentication or WIA against Active Directory and create content for themselves and others.
What we would like to do is to allow a user have a page with the content they have created in our web application mixed in with content that they have living on the SharePoint server. For example, they may want to see a list of documents that they have on the SharePoint server mixed in with some of their content.
To accomplish this, we would like to take the credentials the user has logged into our web application with (for example MYDOMAIN\jsmith) and be able to query SharePoint for the documents of that same user (MYDOMAIN\jsmith) WITHOUT the user being prompted to re-enter their credentials to access the SharePoint server (we are trying to avoid the double-hop problem)
We have come up with some options for how we want to do this, but we are unsure of what the best approach is.
For example, we could
- Have a global user, shared by all users to get information we need from SharePoint. The downside is that we cannot filter SharePoint content to a particular user
- We could store the users credentials when they log in, but that would only work for users authenticating via forms auth and would be a security issue that some users/clients would not like
- Writing a SharePoint extension using WCF to allow us to access the information we need, however we'd still have the issue of figuring out how to impersonate the user we want.
Neither of these options are ideal and in our investigation we came across the Claims Authentication/STS option which seems like it is trying to solve the problem we are having.
So my question is, based on what I have written, is Claims/STS the best approach for us? We have not been able to find much direction on how to use this method to call into SharePoint from a Web Application and pass along the existing credentials.
Does anyone have any experience with any of these issues?
It sounds like you may be overcomplicating the problem. The reason that the user gets asked for credentials twice is that the two parts of the system are on different servers. The easiest solution is probably to implement your custom web app as custom pages/web parts within SharePoint.
If that isn't an option, a smaller amount of code on the SharePoint server (maybe a custom web service) should give you a few more options for impersonating a particular user.