Forms Authentication overrides impersonation in IIS7 - asp.net

I have been searching all over the place for a solution to this.
I have an ASP.NET app which ran fine on IIS6. On IIS 7.5 (Integrated pipeline) I am running into some problems. <identity impersonate="true" /> is set in the web.config as the app needs to access some resources under the IIS IUSR account. If works fine as when a user isn't logged in (i.e. the app impersonates IUSR and accesses the resources fine).
As soon as you logon via Forms Authentication (backed by a DB) impersonation stops working and it reverts to the app pool user identity (which doesn't have access to the required resources, I have verified this with procmon). I understand this is probably a limitation of Forms Authentication in integrated mode.
Is there any workaround which would let me impersonate IUSR while still using Forms Authentication?

Related

Configuring ASP.NET Impersonation Authentication

I developed a webpage on IIS that controls PC volume (using the library - CSCore.CoreAudioAPI ).
I need that the user will be logged in as the current user in the machine.
I tried to configure the web.config file to allow Impersonated Authentication, but still having troubles.
<system.web>
<identity impersonate="true"
userName="Domain\username"
password="XXXX" />
</system.web>
Thank you for your help.
You need to also enable Windows Authentication in order for this to work. Otherwise there's no mechanism to capture the user name.
However, I think the better approach is to create a custom application pool for your application and explicitly set the impersonation (Advanced Settings) to the user you want to set it to. Since the application pool hosts your application (ie. it's the launching EXE) your application then runs under that account and assuming it has full rights on the machine it should be able to access the hardware to control the volume.
ASP.NET Impersonation is a legacy feature that was meant to be used with IIS 6 and older when IIS didn't have proper application isolation. With later versions Application Pools took over the hosting of applications and the user account impersonation with it.

Is it possible for windows authentication to not prompt the user for credentials?

I'm using iis 7, currently deployed on a test machine running windows 7 professional.
The computer is logged into the domain of my company. In the past (at another company) I was able to use integrated authentication in ii6 and it wouldn't prompt the user if they were using IE. It would just absorb their domain credentials.
However, that was initially setup by somebody else before I started. I'm doing this project from scrap, and I'm a software engineer without much IIS experience.
This is the relevant snippit from my web.config file
<authentication mode="Windows" />
<identity impersonate="false" />
I'm also running the app pool in v4.0 integrated.
Any help would be appreciated. Thanks!
On IIS disable anonymous authentication and activate Windows auth:
- select your web application (or root if you app is place as root app)
- select Authentication
- disable Anonymous Authentication
- enable Windows Authentication
Remember: for "automatic" login both your server and client must be in the same AD domanin or trusted domains.

Windows authentication for intranet site pages

I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use imporsonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.

How do I enable Impersonation in my MVC website?

I've had Windows Authentication working in the Cassini (Visual Studio) web server for some time now but when I changed to run my site in IIS 7 the site no longer works properly.
I have Anonymous Authentication disabled, Windows Authentication enabled, and ASP.NET Impersonation enabled. My web.config file includes:
<authentication mode="Windows" />
<identity impersonate="true" />
The problem is that whenever I try to access the site I am prompted to provide a username and password.
My expectation is that my browser will send my credentials to IIS (via some kind of auth token) and IIS will impersonate my user on all page requests.
Why am I being prompted to login? What must I do to avoid this prompt and have ASP.NET use my impersonated username?
UPDATE:
I added my site to the "Intranet zone" in IE and using IE I no longer get prompted for username and password. There was a setting in IE to Autologin for intranet sites.
However, I don't understand why this was not a problem using the Cassini web server in VS? Any ideas?
Have you tried this against IIS Express?
This is just a stab, but Visual Studio runs both Cassini and IE from the same user account, so perhaps your identity impersonate was passing through from Visual Studio. IIS 7 user account is established by the app pool, which could be a different user than was running VS / Cassini. I believe IIS Express runs as your user account, so identity impersonate might work against it without prompting or changing intranet zone settings.
If that works, you can configure the IIS 7 app pool to run as your user account, and the prompts might go away.
Again, this is just a stab.

Secure files with app pool identity

I have an ASP MVC application installed on IIS 7.5.
I have specified the app pool identity to be a domain service account.
The application has anonymous authentication disabled and windows authentication enabled.
The domain service account has full access to a set of files on the server that I want to access from ASP.
When I try and access the files from the ASP application I get an error, "access to the path ... is denied.".
I can only get this to go away by giving the windows user account access to the files. What I want to do is just give the service account access to the files.
Impersonation is disabled in the web.config via <identity impersonate="false" />
How can this be achieved?
Have you tried disabling ASP.NET Impersonation?
If you are trying to access files locally on the server, try to use the LocalSystem account for your app-pool identity.

Resources