I'm trying to use IIS 7 management API but stuck with a security issue. My application is regular ASP.NET site running on .NET 4 (integrated pipeline). The machine is Windows 7 x64 (the app pool is default, running under ApplicationPoolIdentity, x64). The site uses the following settings:
<identity impersonate="true" />
<authentication mode="Windows" />
<customErrors mode="Off" />
<authorization>
<deny users="?" />
</authorization>
My site tries to read other site's details via IIS management API (at localhost). I'm logged in as a member of local Administrators. In IE i try to open my page but get this:
Site 'mysite' at 'myhost' is unknown.System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value()
at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property)
at Microsoft.Web.Administration.Site.get_State()
I don't understand why. I'm damn sure the code runs in impersonation context of my account (can see this is debugger watching System.Threading.Thread.CurrentPrincipal). What am i doing wrong?
p.s.
UAC is on, but i believe that's not important.
Checked NTFS permissions on C:\Windows\system32\inetsrv\config folder - full access for Administrators.
UAC is indeed the root of all evil. Impersonation behavior is broken when it's on. Something is really over-complicated here :(
When UAC is enabled and the current security context is impersonated, the principal reports he's not a member of local Administrators group. But he is. It has something to do with interactive/non-interactive sessions.
Try set temp directory into web.config to folder with full permissions.
<compilation tempDirectory="c:\temp" ... ></compilation>
Related
At work we were forced into a hardware refresh where we went from a Windows 7 box with VS 2013 and IIS Express 6 to a Windows 10 box with VS 2017 and IIS Express 10. The problem is that Windows Authentication refuses to work. I get a 401.2 - Unauthorized with the explanation of "Invalid Authentication Headers".
I've checked the web.config and the properties for the web project and they are correct. I've modified the applicationhost.config file in the .vs folder in the project to enable windows authentication. I even checked the permissions of the files to make sure authenticated users had the right permissions. None of this has worked.
This all worked fine in IIS Express 6. What did Microsoft change in IIS Express 10 that screws this all up?
Edit: have to manually type this stuff in, since I can't move code from the dev machine.
web.config:
<system.web>
<customErrors mode="off"/>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
If you want any other sections of the web.config, ask me.
As for ApplicationHost.config, it is basically whatever VS2017 creates, since this is a fresh machine and there wasn't an existing one with the project. Changes I tried making:
<windowsAuthentication enabled="true">
<anonymousAuthentication enabled="false" userName="">
<section name="windowsAuthentication" overrideModeDefault="allow">
One additional datapoint: The application runs on Firefox. I can log on fine to our test servers, running IIS 8.5, but can't access the application on IIS Express.
I've since created a new MVC application and just ran that. It runs fine in IE, but it won't authenticate users from Firefox and Edge.
Edit: Found out that Edge doesn't support Windows Authentication on localhost: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/4776775/
Still need to get it to work with Firefox.
Edit again: So, I think I know what is going on. I have two user accounts: the regular user account and an admin account with more privileges. What I did under Windows 7 was that while I logged into my regular account, I ran VS under my admin account. Then I could run my web application and log into the web site with my admin account. This doesn't seem to work anymore. The only way I could get my application to work is to run it all under my admin account. Otherwise, Windows authentication won't work. Security-wise, this is broken as hell and I'd like to find a better solution.
you only need to change some properties in your project as mentioned in below link!
enable windows authentication
I'm going to mark this one as answered and I'll follow up with a new question. The current solution is to run everything on our admin account to get windows authentication working. Not ideal.
I have the application pool of a web application set to run as a user called WebUser.
I have the following sections in my web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="false" />
I have created a file called a.txt and given only WebUser permissions on it. If I navigate to this file then I get a 401 error. However if I give my own user account access to this file then I can access it.
So it seems that the application is impersonating my identity. How can I make it run as the application pool user instead?
EDIT: Also - if I enable impersonation and make it impersonate WebUser then I still get a 401 error.
Thanks,
Joe
Ok I solved this by going to the site's advanced settings and changing the Physical Path Credential Logon Type to Interactive. I also had to set Physical Path Credentials to Specific User and enter WebUser's credentials, this stopped it from impersonating the authenticated user when accessing files.
Joe
I am trying to setup an asp.net website in localhost. Fitst, I enabled IIS server and created website in
C:\inetpub\wwwroot folder and ran to ensure IIS is properly setup. In this case I used a existing website I created from visualstudio IDE. Everything was perfect. In this case I heavily used the following article.
http://forums.asp.net/t/1689133.aspx
Now the problem is I have a web site I downloaded from a remoteserver and I want to host it in localhost.
When I compare the site I downloaded and the working site, I noticed that some files are missing. Howevere, the site in remote sever is working properly.
I didnt see a bin folder and there is no much information on web.config file.
Here is the code in web.config file
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
When I try to do the same process I did for the previous website and tried the browser then I get following erro.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
Where is the error ? How to fix this issue? If you want more information let me know?
I would suggest you to first allow all users in WebConfig
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
EDIT : As Mentionned by David Thompson, this is highly insecure. Use this only to unblock your test sample code scenario. Never in Production, please.
This is an old question but the answer is seriously insecure, you should add and enable the authentication provider that you require rather than giving anyone authorization.
To add the provider:
https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication/providers/add
To enable the method:
Open the IIS Management Console on the web server
Expand the Sites folder
Double-Click the IIS - Authentication option
Under Authentication, select the Anonymous Authentication and click 'Disable' in the Actions pane on the right
For Windows Authentication: Select the Windows Authentication and click 'Enable' in the Actions pane on the right
For Basic Authentication: Select the Basic Authentication and click 'Enable' in the Actions pane on the right
What solved this for my was enabling 32-bit applications in the app pool's advanced settings.
Open IIS
Expand server and click Application Pools in the Connections pane
Select your application pool and click Advanced Settings...
Under General switch Enable 32-Bit Applications to True
I've worked at this quite a bit, but cannot seem to find a good solution.
I have a ASP.NET app (.Net 3.5) with IIS which pulls the user machine name and username from the account. This works on my local machine, but when uploading using IIS it gives null or IIS APPPOOL/appname. On IIS I have "Integrated Windows Authentication" and "Anonymous" set and in my Web.config file
<authentication mode="Windows"/>
<identity impersonate="true"/>
And I am trying to access the user information a number of different ways, some are:
HttpContext.Current.User.Identity.Name
System.Threading.Thread.CurrentPrincipal.Identity.Name
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Environment.UserName
Each of these work on my local machine, but when uploaded to the IIS server, everything gives invalid information. The app is internal, but I still need it to grab the Username without giving a login screen. Ideas?
Update: I've changed IIS to Anonymous Authentication Disabled and Windows Auth Enabled. And my web.config file I've tried the following
<authentication mode="Windows"/>
<!-- <identity impersonate="true"/> -->
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
Sorry about the update, but are there any ideas?
For anyone following this and needing an answer, the problem lies in IIS. In the Authentication area in IIS only have ASP.NET Impersonation and Windows Authentication enabled, the others should be disabled. And in Windows Authentication, go to Advanced Settings and UNCHECK the Enable Kernel-mode authentication. The Authorization Rules area should allow for all users (note this is done in IIS, not in the config file) And the following code in config is necessary.
<system.web><authentication mode="Windows"/><identity impersonate="true"/></system.web>
Hope this helps someone, here's a couple links that helped me. Good luck!
http://msdn.microsoft.com/en-us/library/aa302377.aspx
http://www.eggheadcafe.com/tutorials/aspnet/1f12cd61-6bb3-4ffd-bac1-124d40837006/aspnet-request-identity--an-analysis.aspx
Summary: One of our web applications requires write access to C:\Windows\Temp. However, no matter how much I weaken the NTFS permission, procmon shows ACCESS DENIED.
Background (which might or might not be relevant for the problem): We are using OLEDB to access an MS Access database (which is located outside of C:\Windows\Temp). Unfortunately, this OLEDB driver requires write access to the user profile's TEMP directory (which happens to be C:\Windows\Temp when running under IIS 7.5), otherwise the dreaded "Unspecified Error" OleDbException is thrown. See KB 926939 for details. I followed the steps in the KB article, but it doesn't help.
Details:
This is the output of icacls C:\Windows\Temp. For debugging purposes I gave full permissions to Everyone.
C:\Windows\Temp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\IIS_IUSRS:(OI)(CI)(S,RD)
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
However, this is the screenshot of procmon:
Desired Access: Generic Read/Write, Delete
Disposition: Create
Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Delete On Close, Open No Recall
Attributes: NT
ShareMode: None
AllocationSize: 0
Impersonating: MYDOMAIN\myuser
PS: When logged in as MYDOMAIN\myuser, I can create files in C:\Windows\Temp using Windows Explorer without any problems.
EDIT: Relevant parts of web.config:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Authentication seems to work, i.e., System.Security.Principal.WindowsIdentity.GetCurrent().Name (which is shown on my custom error page) returns MYDOMAIN\myuser.
Have you tried following the steps on this:
loadUserProfile and IIS 7 temporary directory failures