Secure files with app pool identity - asp.net

I have an ASP MVC application installed on IIS 7.5.
I have specified the app pool identity to be a domain service account.
The application has anonymous authentication disabled and windows authentication enabled.
The domain service account has full access to a set of files on the server that I want to access from ASP.
When I try and access the files from the ASP application I get an error, "access to the path ... is denied.".
I can only get this to go away by giving the windows user account access to the files. What I want to do is just give the service account access to the files.
Impersonation is disabled in the web.config via <identity impersonate="false" />
How can this be achieved?

Have you tried disabling ASP.NET Impersonation?

If you are trying to access files locally on the server, try to use the LocalSystem account for your app-pool identity.

Related

Configuring ASP.NET Impersonation Authentication

I developed a webpage on IIS that controls PC volume (using the library - CSCore.CoreAudioAPI ).
I need that the user will be logged in as the current user in the machine.
I tried to configure the web.config file to allow Impersonated Authentication, but still having troubles.
<system.web>
<identity impersonate="true"
userName="Domain\username"
password="XXXX" />
</system.web>
Thank you for your help.
You need to also enable Windows Authentication in order for this to work. Otherwise there's no mechanism to capture the user name.
However, I think the better approach is to create a custom application pool for your application and explicitly set the impersonation (Advanced Settings) to the user you want to set it to. Since the application pool hosts your application (ie. it's the launching EXE) your application then runs under that account and assuming it has full rights on the machine it should be able to access the hardware to control the volume.
ASP.NET Impersonation is a legacy feature that was meant to be used with IIS 6 and older when IIS didn't have proper application isolation. With later versions Application Pools took over the hosting of applications and the user account impersonation with it.

How to set the authentication in asp.net application

We have to manipulate the iis in our application,and we meet the Access denied error.
Then we add this to the web.config:
<identity userName="username" password="pass" impersonate="true"/>
It works,we can manipulate the iis(create virtual application and etc..).
However we have to access the shared folders in the application too,after add the above line,we can only access the shared folders on the machine which server our application.
If I remove the line from the web.config,we can access the shared folders from other servers.
So it seems that we can not manipulate the iis and access the shared folders at the same time.
How to fix it?
Give access to shared folders to the user that you have specified in the identity line in web.config because your web application is using those credentials to access the shared folders and it will only be possible if user specified there has access.
Or you can switch to windows authentication see How To: Use Windows Authentication in ASP.NET 2.0
There is another alternative to achieve the same.
Go to iis and set your application pool identity to user which has permissions to folder.
hope it will resolve your issue.

Windows authentication for intranet site pages

I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use imporsonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.

How do I enable Impersonation in my MVC website?

I've had Windows Authentication working in the Cassini (Visual Studio) web server for some time now but when I changed to run my site in IIS 7 the site no longer works properly.
I have Anonymous Authentication disabled, Windows Authentication enabled, and ASP.NET Impersonation enabled. My web.config file includes:
<authentication mode="Windows" />
<identity impersonate="true" />
The problem is that whenever I try to access the site I am prompted to provide a username and password.
My expectation is that my browser will send my credentials to IIS (via some kind of auth token) and IIS will impersonate my user on all page requests.
Why am I being prompted to login? What must I do to avoid this prompt and have ASP.NET use my impersonated username?
UPDATE:
I added my site to the "Intranet zone" in IE and using IE I no longer get prompted for username and password. There was a setting in IE to Autologin for intranet sites.
However, I don't understand why this was not a problem using the Cassini web server in VS? Any ideas?
Have you tried this against IIS Express?
This is just a stab, but Visual Studio runs both Cassini and IE from the same user account, so perhaps your identity impersonate was passing through from Visual Studio. IIS 7 user account is established by the app pool, which could be a different user than was running VS / Cassini. I believe IIS Express runs as your user account, so identity impersonate might work against it without prompting or changing intranet zone settings.
If that works, you can configure the IIS 7 app pool to run as your user account, and the prompts might go away.
Again, this is just a stab.

Forms Authentication overrides impersonation in IIS7

I have been searching all over the place for a solution to this.
I have an ASP.NET app which ran fine on IIS6. On IIS 7.5 (Integrated pipeline) I am running into some problems. <identity impersonate="true" /> is set in the web.config as the app needs to access some resources under the IIS IUSR account. If works fine as when a user isn't logged in (i.e. the app impersonates IUSR and accesses the resources fine).
As soon as you logon via Forms Authentication (backed by a DB) impersonation stops working and it reverts to the app pool user identity (which doesn't have access to the required resources, I have verified this with procmon). I understand this is probably a limitation of Forms Authentication in integrated mode.
Is there any workaround which would let me impersonate IUSR while still using Forms Authentication?

Resources