I need clarification on how to apply domain login in my ASP.NET application.
So I have the following architecture: three machines: on one the ASP.NET application is running, another one is the database server, and from the last machine I am accessing the application.
My application should work like this: I access the application from the last machine, it takes my domain name, checks if it exists in the user table, and it should authenticate me.
But it works only when the application is running on one machine and I am accessing the application from the same one. It is connected with the fact that impersonation in the web.config file gives me access only to local resources.
I found some articles on MSDN but they are too complex to apply and understand:
Explained: Windows Authentication in ASP.NET 2.0
How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
How To: Create a Service Account for an ASP.NET 2.0 Application
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
From these articles I know that the solution should use Kerberos, delegation and impersonation. But I have no idea how to apply it.
What do I have to do to implement domain login in my application? Do you have a nice tutorial on how to do it? Do I have to modify only my application code, or the configuration of the server (second machine)?
Update 1
I logged some information:
On my machine:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Returns: [myDomainName]\[myUserName]
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType
Returns: Kerberos
On the three-machine architecture:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Returns: [IIS APPPOOL]\[ApplicationName]
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType
Returns: Negotiate
You need to set up ASP.NET to use Windows Authentication and impersonation (it sounds like you've done this). Then, you need to set up the web server for Kerberos delegation and make sure you have the proper SPNs configured for IIS and the application server.
It's working in the 2 machine case because there's no delegation involved there. It's the second authentication hop that requires Kerberos.
All,
I am using an ASP.NET MVC 4 application.
I have enabled Windows Authentication.
Till now it is working fine.
Now I enhanced the application to connect to TFS via its API.
For this, I need to use the windows authentication credentials.
I have tried using
ICredentialsProvider credential = new UICredentialsProvider();
TfsTeamProjectCollection teamProjectCollection = new TfsTeamProjectCollection(collectionUri, credential);
This works great in the development environment. But when I host the application in IIS 8.5, it is not working at all under the "Application Pool Identity" and "Network Service" accounts.
I tried with Local System and a specific user as the identity of the application pool, and it is working.
But I need this to work based on the windows credential (Active directory).
Can anyone suggest a solution?
You can deploy your web application on the TFS App Tier and configure its app pool to run as the same identity as the TFS web services, and enable ASP.NET impersonation. Check this case: ASP.NET MVC3 Windows Authentication Pass Through to TFS
You are likely hitting a Kerberos double hop issue.
You have two options to resolve it:
Host your mvc web app on the same server as tfs
Configure Active Directory to allow your servers identity to delegate the logged in user credentials to another service.
#1 is easy but #2 will require a bunch of work for your Active Directory domain administrators.
https://support.microsoft.com/en-us/kb/810572
You will need:
At least one Service Principal Name (SPN) configured for your server's account (either a dedicated domain\svc_myaccount or the domain\servername$ account for Network Service).
The account you use needs to be enabled to allow delegation in AD
The server that hosts your application needs to be enabled for delegation
This is not 101 and in my experience, having done this a bunch in enterprise and small business, most Domain Administrators don't know how Kerberos delegation works, or how to configure it.
You will need to learn how and make explicit requests that they can action. Like "run 'setspn -S HTTP/myapp.mydomain.com domain\myserviceaccount'".
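The SPN and delegation requirements spelled out in this answer and in the first answer above (HTTP SPNs on the app pool account, the account and server enabled for delegation, back-end SPNs present), as one added PowerShell script. It is not code from either answer. Every name in it is an assumption: the service account CONTOSO\svc_webapp running the app pool, the web host webapp01.contoso.local, the SQL Server host sqldb01.contoso.local and the TFS host tfs01.contoso.local. It uses setspn.exe, the RSAT ActiveDirectory module and the WebAdministration module, and needs rights to edit the service account in AD.

```powershell
# Added example: register SPNs and configure Kerberos constrained delegation
# for an IIS app pool service account. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module WebAdministration

$SvcAccount = 'CONTOSO\svc_webapp'          # app pool identity (assumed)
$SvcSam     = 'svc_webapp'
$WebHost    = 'webapp01.contoso.local'      # name users browse to (assumed)
$WebShort   = 'webapp01'
$Site       = 'Default Web Site'
# Back-end services the web app must reach as the caller (the second hop).
$BackendSpns = @(
    'MSSQLSvc/sqldb01.contoso.local:1433',  # SQL Server default instance (assumed)
    'HTTP/tfs01.contoso.local'              # TFS web services (assumed)
)

# 1. HTTP SPNs for the browser-facing name, on the account that runs the pool.
#    Without them the client falls back to NTLM, which can never be delegated.
#    -S checks for duplicates before adding (a duplicate SPN also breaks Kerberos).
setspn -S "HTTP/$WebHost"  $SvcAccount
setspn -S "HTTP/$WebShort" $SvcAccount

# 2. Constrained delegation: the service account may present the caller's
#    identity only to the listed back-end SPNs (msDS-AllowedToDelegateTo),
#    rather than unconstrained delegation to any service in the forest.
Set-ADUser -Identity $SvcSam -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpns }

# 3. Protocol transition ("use any authentication protocol") is only needed
#    when the first hop is not Kerberos. For Kerberos end to end keep it off.
Set-ADAccountControl -Identity $SvcSam -TrustedToAuthForDelegation $false

# 4. The back-end SPNs must exist on the accounts running SQL Server and TFS,
#    or the KDC cannot issue a service ticket for the second hop at all.
foreach ($spn in $BackendSpns) {
    if (-not (setspn -Q $spn | Select-String 'Existing SPN found')) {
        Write-Warning "No account owns $spn; register it on that service's account"
    }
}

# 5. IIS: with a domain account as pool identity, kernel-mode authentication
#    would decrypt tickets with the machine account instead. Tell IIS to use
#    the pool credentials so the tickets issued for the HTTP SPN above decrypt.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# 6. Verify: HTTP SPNs on the account, back-end SPNs in the delegation list.
setspn -L $SvcAccount
Get-ADUser $SvcSam -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

After the change, recycle the app pool and run `klist purge` on a test client so a fresh ticket is requested; existing tickets were issued before the SPN existed and will still negotiate NTLM.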
I have an ASP.NET WebForms application. On one server, User.Identity.Name returns a string such as "domain/username". On another server, it returns only "username". Which configuration should I look into on the server to make them have the same behavior?
Environment:
.NET Framework 4.5.2 is used
Windows Authentication is enabled. Anonymous is disabled.
ApplicationPoolIdentity is used as application pool ID
Integrated mode is used in application pool
I don't know if this helps, but I have a web app that is also configured for Windows authentication and Anonymous is disabled... just like yours. My web server machine is joined to the same domain as the users who are accessing the web site from their client machines. When I display User.Identity.Name in the website, I'm getting domain\username on the screen. That's what you should be seeing. If one of your servers is showing only "username", that's very strange indeed, and I'm not sure what the issue is, but that's the server I think you need to investigate for configuration problems.
I am working in an organization which uses Active Directory for any kind of application authentication.
We recently created a web application on ASP.NET using SQL Server for database connectivity. During the development process we used Windows authentication for connecting to SQL Server 2008. When the application was completed it was time to host this application on IIS.
Challenges
We have been asked to use a Windows service account to host this application on the server. We are not supposed to use any kind of usernames or passwords anywhere. It should be Active Directory driven and Windows authentication driven.
Now I don't have any idea how to proceed with this. Do I need to make any changes to web.config to configure impersonation, or do I need to change my connection string?
I only know we have to use Windows authentication.
Any guidelines would be a big help
This is what I've always done:
Create an application pool for the site to use. You can use a pool that is already created if you want.
Set the Identity of the application pool to the AD service account your IT staff wants you to use.
Ensure that service account also has access to the database resources
Configure your connection string to use Integrated Security.
Configure Windows authentication & impersonation in your web.config.
For #4 & 5: http://msdn.microsoft.com/en-us/library/bsz5788z(v=vs.100).aspx
Inside the connection string use a trusted connection; other configuration can be found here:
WindowsIdentity and Classic .Net App Pool
Just make sure you set Impersonation to Enabled.
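The five steps in the answer above (app pool, service account identity, database access, Integrated Security connection string, Windows authentication and impersonation in web.config), as one added PowerShell script; it is not code from the answer. Assumed names: site Default Web Site, application MyApp, pool MyAppPool, service account CONTOSO\svc_webapp, SQL host sqldb01.contoso.local, database AppDb and an AD group CONTOSO\AppDb-Users. The `$UseImpersonation` switch is added to make the choice explicit: with impersonation off the service account is what SQL Server sees (trusted subsystem, no delegation needed); with it on, the browsing user's identity reaches SQL Server, which only works with the Kerberos delegation setup from the first question on this page. The T-SQL grants db_datareader/db_datawriter rather than db_owner.

```powershell
# Added example: host an ASP.NET app under an AD service account with
# Integrated Security to SQL Server and no passwords in config files.
# All names are assumptions. Run elevated on the web server; Invoke-Sqlcmd
# (SqlServer module) runs the grants against the database server.
Import-Module WebAdministration

$Site       = 'Default Web Site'
$AppPath    = 'MyApp'                       # application under the site (assumed)
$Pool       = 'MyAppPool'
$SvcAccount = 'CONTOSO\svc_webapp'          # AD service account from IT (assumed)
$SqlServer  = 'sqldb01.contoso.local'
$Database   = 'AppDb'
$UseImpersonation = $false                  # $false = trusted subsystem, $true = caller's identity to SQL

# Steps 1-2: application pool running as the service account. The password is
# typed once and stored encrypted by IIS; it never appears in web.config.
if (-not (Test-Path "IIS:\AppPools\$Pool")) { New-WebAppPool -Name $Pool | Out-Null }
$cred = Get-Credential -UserName $SvcAccount -Message 'Service account password'
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $SvcAccount
    password     = $cred.GetNetworkCredential().Password
}
Set-ItemProperty "IIS:\Sites\$Site\$AppPath" -Name applicationPool -Value $Pool

# Step 5 (IIS side): Windows authentication on, Anonymous off, for this app only.
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$AppPath" `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$AppPath" `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# Steps 4-5 (web.config side): authentication mode, impersonation flag and the
# connection string. Integrated Security=SSPI means no credentials in the string.
$app = "IIS:\Sites\$Site\$AppPath"
Set-WebConfigurationProperty -PSPath $app -Filter 'system.web/authentication' -Name mode -Value 'Windows'
Set-WebConfigurationProperty -PSPath $app -Filter 'system.web/identity' -Name impersonate -Value $UseImpersonation
$connStr = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;Encrypt=True"
Add-WebConfigurationProperty -PSPath $app -Filter 'connectionStrings' -Name '.' `
    -Value @{ name = 'AppDb'; connectionString = $connStr; providerName = 'System.Data.SqlClient' }

# Step 3: SQL Server side. Grant the principal that will actually connect
# (the service account, or a group of end users when impersonating) the
# minimum roles. db_owner is not needed for ordinary read/write access.
$principal = if ($UseImpersonation) { 'CONTOSO\AppDb-Users' } else { $SvcAccount }
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$principal')
    CREATE LOGIN [$principal] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$principal')
    CREATE USER [$principal] FOR LOGIN [$principal];
ALTER ROLE db_datareader ADD MEMBER [$principal];
ALTER ROLE db_datawriter ADD MEMBER [$principal];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Query $tsql

Restart-WebAppPool -Name $Pool
```

If the service account is a plain domain user, it also needs the "Log on as a service" right on the web server; IIS grants it automatically when the identity is set through the IIS tools as above.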
I was wondering, when using Windows Authentication mode in a connection string from a web application (the application itself is using Windows Authentication for authorization), which account will be used to log in to SQL Server.
Is it the web application pool account?
The user account who logged in to the web application using Windows auth?
Any other account?
The application is running under Windows Server 2008 64-bit and IIS 7. The application pool account is Network Service.
It depends on how you configure it. From http://msdn.microsoft.com/en-us/library/ms998292.aspx and http://msdn.microsoft.com/en-us/library/bsz5788z.aspx ...
ASP.NET applications do not impersonate by default. As a result, when they use Windows authentication to connect to SQL Server, they use the Web application's process identity. With this approach, your front-end Web application authenticates and authorizes its users and then uses a trusted identity to access the database. The database trusts the application's identity and trusts the application to properly authenticate and authorize callers. This approach is referred to as the trusted subsystem model.
The alternative model referred to as the impersonation/delegation model uses the original caller's Windows identity to access the database. This approach requires that your ASP.NET application is configured to use impersonation. See the section "Impersonation / Delegation vs. Trusted Subsystem" in this document.
So depending on how you have configured it, it could use either the app pool account (when not using impersonation) or the account of the logged-in user that is using the web application (when using impersonation).
See http://msdn.microsoft.com/en-us/library/134ec8tc.aspx for impersonation information.
It's the application pool user who connects to the database, if you specified Integrated Security in your connection string.
The problem that I was having was that my application pool account in SQL Server needed to be set to the db_owner role before it worked. I spent a long time trying to figure this out.
I was using Windows Authentication, Windows 7 Home Premium, and IIS all on the same computer. I'm posting this in case someone else runs into a similar problem. The book I used did not say to use db_owner but the reader and writer accounts instead.
I have an asp.net web app which works fine in Windows XP machine in a domain. I am porting it to a Windows 7 stand alone machine. The app uses a web service which makes a call to sql server. The web server (IIS 7.5) and SQL Server are on the same stand alone machine.
I enabled Windows authentication for the website and web service. The web service uses a trusted connection connection string. The web service credentials use System.Net.CredentialCache.DefaultCredentials. I noticed username, password and domain name are blank after the call! The web service and web site use the 'Classic .NET AppPool' with the Network Service identity.
I am getting an exception "NT AUTHORITY\ANONYMOUS LOGON" in the database call in the web service. I am assuming it's related to the blank credentials.
I am expecting ASPNET user to be the security token to the database. Why is this not happening? Did I miss a setting?
(Usually this happens when sql server and web server are on two different machines in a domain, delegation & double hopping, but in my case everything is on a dev box)
It sounds like you're experiencing the "double hop" problem. It basically means that you're not allowed to forward the client's privileges to a third party, usually a SQL Server on another machine.
I've answered this before, perhaps that answer will help you further.
Your problem seems to be related to the web service passing the correct credentials to SQL server.
There are a few layers of security for you to check. But the first and easiest is to make sure you have disabled any security other than Windows Integrated. IIS will always use the simplest security protocol. So if you have Anonymous and Windows Integrated enabled then your web site will always choose Anonymous.
Next, each site in IIS7+ runs under an app pool which can have separate security. Then under all that the IIS Windows Service runs under a specific account.
By default you shouldn't really have much problem with app pool and IIS security as it pretty much works out of the box, but it's worth checking.
One more thing I would check is the named pipes in SQL. My knowledge isn't vast but I know that named pipes can be used for communication on the same server between various applications, IIS and SQL being two of them.
If named pipes is disabled through the SQL Configuration Manager then I would have expected a different error, but it's worth enabling.
Hope this helps.
Mike
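A diagnostic for two threads above: the question of which account reaches SQL Server (the trusted subsystem versus impersonation answer) and the NT AUTHORITY\ANONYMOUS LOGON symptom in this last question. It is an added PowerShell script, not code from any of the posts. Hostnames, port and the service account are assumptions. It checks that the SPNs Kerberos needs exist, opens a trusted connection and asks SQL Server which login it saw and over which scheme, and lists what the running web app presents from the server's side.

```powershell
# Added example: find out which identity actually reaches SQL Server and
# whether it arrived over Kerberos or NTLM. Names are assumptions. Run it
# on the web server, once as yourself and once as the app pool account
# (e.g. runas /user:CONTOSO\svc_webapp powershell.exe), and compare.
$SqlServer = 'sqldb01.contoso.local'
$SqlPort   = 1433
$WebHost   = 'webapp01.contoso.local'
$WebShort  = 'webapp01'                     # host_name SQL Server records for the web box

function Get-SqlAuthContext {
    # What SQL Server sees for this process: login name and auth scheme.
    param([string]$Server)
    $cs   = "Server=$Server;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT SUSER_SNAME() AS login_name, c.auth_scheme, c.net_transport
FROM sys.dm_exec_connections c
WHERE c.session_id = @@SPID;
'@
    try {
        $conn.Open()
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            [pscustomobject]@{
                LoginName  = $r['login_name']    # service account or browsing user
                AuthScheme = $r['auth_scheme']   # KERBEROS, NTLM or SQL
                Transport  = $r['net_transport'] # TCP, Named pipe, Shared memory
            }
        }
        $r.Close()
    } finally { $conn.Dispose() }
}

function Get-SqlSessionsFromHost {
    # Server-side view of every live session from the web host, so the
    # identity the running web app presents can be read off directly.
    param([string]$Server, [string]$HostName)
    $cs   = "Server=$Server;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT s.login_name, s.program_name, c.auth_scheme, c.client_net_address
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.host_name = @host;
'@
    $cmd.Parameters.AddWithValue('@host', $HostName) | Out-Null
    try {
        $conn.Open()
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            [pscustomobject]@{
                LoginName  = $r['login_name']
                Program    = $r['program_name']
                AuthScheme = $r['auth_scheme']
                ClientAddr = $r['client_net_address']
            }
        }
        $r.Close()
    } finally { $conn.Dispose() }
}

# 1. SPNs the KDC needs. A missing MSSQLSvc SPN forces NTLM to SQL Server, and
#    NTLM credentials cannot be forwarded, which is exactly the ANONYMOUS LOGON
#    failure on the second hop.
foreach ($spn in @("MSSQLSvc/${SqlServer}:$SqlPort", "HTTP/$WebHost")) {
    $found = [bool](setspn -Q $spn | Select-String 'Existing SPN found')
    '{0,-45} {1}' -f $spn, $(if ($found) { 'registered' } else { 'MISSING' })
}

# 2. This process's own view.
Get-SqlAuthContext -Server $SqlServer

# 3. What the web app is presenting right now (browse to the site first).
Get-SqlSessionsFromHost -Server $SqlServer -HostName $WebShort | Format-Table -AutoSize
```

Reading the output: a login name equal to the app pool account means the trusted subsystem model is in effect; a login name equal to the browsing user means impersonation plus delegation is working; an auth scheme of NTLM means no Kerberos ticket was obtained and delegation cannot succeed from that session; and a failed login recorded as NT AUTHORITY\ANONYMOUS LOGON in the SQL Server error log is the double hop without delegation.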