IIS Express - Impersonate a windows account - asp.net

I'm using IIS Express to host my website, and I would like to do something similar to Directory Security in IIS 6. In IIS 6, I was able to go to the Directory Security tab and allow the anonymous user to be a local windows account.
Is there something equivalent in IIS Express for that? What changes do I need to make in applicationhost.config?
Thanks

The IIS Express process runs under the logged-on user. With default settings, anonymous requests execute under the identity of the process.
There is a way to configure an explicit user for anonymous authentication, by editing applicationhost.config (in "%userprofile%\documents\iisExpress\config\") and setting your anonymous user and password in the anonymousAuthentication section:
<anonymousAuthentication enabled="true" userName="foo" password="bar" />
Notes:
- the crypto context is not set up for IIS Express (unless IIS happens to be installed on the machine as well), so encrypted settings will not work
- you cannot make the above setting programmatically, because the programmatic setting will try to store the password encrypted and will fail.
- the configured user will not have access to the "%userprofile%\documents\My web sites" directory. You will get a confusing authentication/authorization error.
If you want to use an explicitly configured anonymous account, it may be best to copy your IIS Express site directory outside "%userprofile%\documents", since sharing files inside your user profile with other users is not a good idea from a security standpoint.
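The edit the answer describes, as an added PowerShell example (not code from the original answer). It writes the userName/password attributes straight into the XML, which avoids the encrypted-password path that appcmd and the configuration APIs take. It assumes the per-user config path given above; with Visual Studio 2015 or later the file usually lives under the solution's .vs\config\ folder instead, so pass -ConfigPath explicitly in that case. The account name and password in the usage line are placeholders.

```powershell
# Added example: set an explicit anonymous account in the IIS Express
# applicationhost.config by editing the XML directly.
function Set-IisExpressAnonymousUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Password,
        # Assumption: default per-user location; override for .vs\config\ layouts.
        [string] $ConfigPath = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'IISExpress\config\applicationhost.config')
    )

    if (-not (Test-Path $ConfigPath)) { throw "Config not found: $ConfigPath" }

    # Keep a backup: the password ends up in clear text, so you want to be able to revert.
    Copy-Item $ConfigPath "$ConfigPath.bak" -Force

    [xml] $cfg = Get-Content -Raw $ConfigPath
    # The default file defines the element under <location path=""><system.webServer>...;
    # the XPath below finds every occurrence regardless of where it sits.
    $nodes = $cfg.SelectNodes('//system.webServer/security/authentication/anonymousAuthentication')
    if ($nodes.Count -eq 0) { throw 'anonymousAuthentication element not found' }

    foreach ($n in $nodes) {
        $n.SetAttribute('enabled',  'true')
        $n.SetAttribute('userName', $UserName)
        # Clear text on purpose: IIS Express has no crypto provider to encrypt it.
        $n.SetAttribute('password', $Password)
    }
    $cfg.Save($ConfigPath)

    # The file now contains a usable credential, so drop inherited ACEs and leave
    # read/write to the current user plus full control for SYSTEM.
    icacls $ConfigPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R,W)" 'SYSTEM:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder account; create it as a local user first and point the site outside
# your profile, as the answer recommends):
# Set-IisExpressAnonymousUser -UserName 'webanon' -Password 'P@ssw0rd!'
```

Restart IIS Express after the change; it reads the file at start-up. Use a dedicated low-privilege local account for this, never your own domain account, because the password is recoverable by anyone who can read the file.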

Related

Error 401.3 not authorized when NOT using impersonation

I am trying to access an old-fashioned asmx web service hosted in IIS and I am banging my head against a 401.3 error. I know there are a lot of resources out there, but most of them make use of impersonation and add permissions for the authorized user to the file system, which I want to avoid.
My scenario is basically an IIS webservice, running with an AppPool which runs as a specific service account (DOMAIN\username + password). This service account has full control on the folder and the Anonymous authentication is set to use the AppPool Identity.
This is all good and working but now I wanted to secure my webservice by adding Windows authentication. I did that and added a simple <deny users="?" /> to the authorization section. What happens now is that when I connect to the server I get asked for a username and pwd, I provide one and then I get a 401.3 error.
I have tried adding read&execute permissions for myself to the folder and everything works but this is clearly not a proper solution as I would have to keep managing folder permissions.
My question is: why does the authenticated user need folder access? Isn't the folder accessed as the app pool identity? Impersonation is disabled, so I would expect that to be the proper behaviour.
why does the authenticated user need folder access?
The FileAuthorization module requires the authenticated user to have permissions to the file.
Isn't the folder accessed as the app pool identity
Yes, but the above module also checks the authenticated user. You mentioned that you have Anonymous set to use AppPoolIdentity, so I'd expect in your case, this to be true.
Impersonation is disabled so I would expect that to be the proper behaviour.
This is independent as the FileAuthorization module kicks in anyways.
My recommendation for how to troubleshoot would be to grab a ProcMon trace; I suspect you'll see some ACCESS DENIED results. Go look and see what permissions are required by what process and see if it's doing impersonation (for this check). This will tell you what permission is missing/failing.
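An added PowerShell example (not code from the answer) for the two things a practitioner wants at this point: see which ACEs on the requested file apply to the authenticated caller, since FileAuthorizationModule evaluates the caller's token against that file's ACL even with impersonation off; and, if you decide that URL authorization in web.config is the only gate you want, remove FileAuthorizationModule for this one site. It assumes IIS 7 or later in Integrated pipeline mode and the WebAdministration module; the paths and account names are placeholders.

```powershell
# Added example: inspect the ACL FileAuthorizationModule will check, and optionally
# turn that module off for a site so only <authorization> rules apply.
Import-Module WebAdministration

function Get-AceForIdentity {
    param(
        [Parameter(Mandatory)] [string] $Path,       # physical file or folder being requested
        [Parameter(Mandatory)] [string] $Identity    # e.g. 'DOMAIN\jdoe'
    )
    $acl = Get-Acl -Path $Path
    # Simplification: match the identity itself plus the well-known groups every
    # authenticated user carries; other group memberships are not expanded here.
    $commonGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -in (@($Identity) + $commonGroups) } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

function Disable-FileAuthorizationForSite {
    param([Parameter(Mandatory)] [string] $SiteName)
    # Writes <modules><remove name="FileAuthorization" /></modules> into the site's web.config.
    # Caveat: from then on NTFS ACLs are evaluated for the app pool identity only; every
    # authenticated-user restriction has to come from <authorization> or your code.
    Remove-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/modules' -Name '.' -AtElement @{ name = 'FileAuthorization' }
}

# Usage: first see what the caller is actually granted on the .asmx, then decide.
# Get-AceForIdentity -Path 'C:\inetpub\wwwroot\svc\Service.asmx' -Identity 'DOMAIN\jdoe'
# Disable-FileAuthorizationForSite -SiteName 'Default Web Site'
```

If the first function shows no Allow ACE for the caller or one of the common groups, that is the 401.3. The ProcMon trace the answer suggests will show the same thing as an ACCESS DENIED on the file with the caller's account in the event details.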

Allow Anonymous Access to a single file in IIS

Following some internal documentation, it says to go into IIS and allow Anonymous Access to some file.
So in IIS I found the folder and file in it, selected the file and clicked on Edit Permissions, but still can't find "Anonymous" to add it. Where can I find Anonymous?
I am on IIS 7.0, Windows 7
Since IIS 7, the user IIS uses to perform actions as when an anonymous user uses a website is the account named IUSR.
That is, unless the account used for anonymous authentication has been changed.
You will need to give read permissions to the same identity that your application's app pool is running under. If you are using the default app pool with the default settings, you can follow the instructions in this post: IIS7 Permissions Overview - ApplicationPoolIdentity
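The two answers name different accounts (IUSR versus the app pool identity), and which one matters depends on how the site is configured and whether a native handler impersonates the anonymous token. This added PowerShell example (not from either answer) resolves both for a given site and grants each of them Read on one file, so nothing else in the folder becomes public. It assumes IIS 7 or later with the WebAdministration module; site and file names are placeholders.

```powershell
# Added example: resolve the anonymous and app pool identities for a site and
# grant them read on a single file.
Import-Module WebAdministration

function Get-AppPoolIdentity {
    param([Parameter(Mandatory)] [string] $SiteName)
    $poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    $pm = (Get-Item "IIS:\AppPools\$poolName").processModel
    switch ($pm.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pm.userName }
        default                   { throw "Unknown identityType '$($pm.identityType)'" }
    }
}

function Get-AnonymousIdentity {
    param([Parameter(Mandatory)] [string] $SiteName)
    $anon = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name userName
    # Non-empty userName (IUSR on a default IIS 7 install) is used as-is; an empty value
    # means "Application pool identity".
    if ($anon.Value) { [string] $anon.Value } else { Get-AppPoolIdentity -SiteName $SiteName }
}

function Grant-AnonymousRead {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $FilePath
    )
    $ids = @((Get-AnonymousIdentity -SiteName $SiteName), (Get-AppPoolIdentity -SiteName $SiteName)) |
        Select-Object -Unique
    foreach ($id in $ids) {
        # (R) is generic read, applied to this file only (no folder, no inheritance).
        icacls $FilePath /grant "$($id):(R)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed for '$id' on $FilePath" }
    }
    $ids
}

# Usage:
# Grant-AnonymousRead -SiteName 'Default Web Site' -FilePath 'C:\inetpub\wwwroot\public\status.txt'
```

The function returns the accounts it granted, which is also the answer to "where can I find Anonymous": it is whichever of those names you type into the Edit Permissions dialog.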

Asp.Net windows authentication: is it possible not to ask login if user is already logged in active directory?

I'm developing an ASP.NET application.
The app will be used mainly in an intranet environment, by intranet users.
I've enabled Windows authentication and my app works:
In the development environment, it logs me in automatically without asking for a username
In a Windows Server production environment, with Windows authentication, it asks for an Active Directory username and password, then logs the user in correctly
My question is:
- Is it possible to automatically recognize windows user already logged in Windows, without asking username and password ?
Depending on what your domain is set up like, you might need to add the domain name entries for the internal site to the intranet zone.
So if you have http://oursite.company.domain/ you might need to add it to the intranet sites
http://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html
Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.
You can set your application to use Windows authentication in web.config. Have you tried this?
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
More info can be found here: How To: Use Windows Authentication in ASP.NET
Edit:
You will also need to configure your website in IIS to use Windows Authentication. In IIS, go to your website, double click on Authentication, disable Anonymous Authentication, Enable Windows Authentication. In Windows Authentication, open Providers...(right hand side), ensure that NTLM is visible and moved to the top of the list. Restart your app pool and now you should be able to automatically get users logged in on the server as well.
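The IIS side of that edit, scripted as an added PowerShell example (not from the answer): anonymous off, Windows Authentication on, the provider list rewritten in the order you want, and the app pool recycled. It assumes IIS 7 or later with the WebAdministration module. One caveat a practitioner would want: the answer puts NTLM first, which works everywhere but means Kerberos is never attempted; the default order below is Negotiate then NTLM so that Kerberos is used where the SPNs exist and NTLM remains the fallback. Pass -Providers @('NTLM','Negotiate') to reproduce the answer exactly.

```powershell
# Added example: Windows Authentication only, with an explicit provider order.
Import-Module WebAdministration

function Enable-WindowsAuthOnly {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [string[]] $Providers = @('Negotiate', 'NTLM')
    )
    $apphost  = 'MACHINE/WEBROOT/APPHOST'
    $authBase = 'system.webServer/security/authentication'

    # The two toggles the answer makes in the Authentication feature.
    Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

    # The "Providers..." dialog: remove whatever is inherited, then add in the requested order.
    $provFilter = "$authBase/windowsAuthentication/providers"
    $existing = Get-WebConfiguration -PSPath $apphost -Location $SiteName -Filter "$provFilter/add"
    foreach ($p in @($existing)) {
        if ($p) {
            Remove-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                -Filter $provFilter -Name '.' -AtElement @{ value = $p.value }
        }
    }
    foreach ($p in $Providers) {
        Add-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
            -Filter $provFilter -Name '.' -Value @{ value = $p }
    }

    Restart-WebAppPool -Name (Get-Item "IIS:\Sites\$SiteName").applicationPool
}

# Usage:
# Enable-WindowsAuthOnly -SiteName 'Default Web Site'
```

Keep <authentication mode="Windows"/> in web.config as the answer shows; the IIS setting decides who gets authenticated, the ASP.NET setting decides what User.Identity the application sees.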

Windows Authentication not working

Newly installed IIS on a clean Windows Server 2008 R2. Installed all security options. Then, for the default web site's authentication, enabled Windows Authentication and disabled all others. When I access the default page iisstart.htm, it should give me an authentication popup.
But when I access the test page, e.g. http://localhost/iisstart.htm, there is no popup. Same as with Anonymous Authentication enabled.
How to fix it?
I think your web service is accessing files via your app pool identity; remove this user from the security access list on the file.
If you go to "localhost", then IE will see this as part of the "Intranet Zone". In the "Intranet Zone", IE will by default automatically send your current credentials to sites that use "Windows Authentication".
The result is that everything is probably working correctly.
First of all make sure you check if the app pool user can access the files of the website (NTFS security settings). See: IIS7 Permissions Overview - ApplicationPoolIdentity
After that (and double checking that only Windows Authentication is enabled in IIS) take into account that your URL must not contain dots! You can make an extra binding (see: https://technet.microsoft.com/en-us/library/cc731692(v=ws.10).aspx) that contains only letters and numbers and then add that binding to your local hosts file (open a text editor as administrator and then edit the file hosts in C:\Windows\System32\drivers\etc) to check.
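A way to tell the two cases apart without touching bindings or the hosts file, as an added PowerShell example (not from the answers): ask the server directly. A site with only Windows Authentication enabled must answer an anonymous GET with 401 and WWW-Authenticate headers naming Negotiate and/or NTLM; the same request sent with the logged-on user's credentials should then return 200. That is exactly what the browser does silently for an Intranet-zone name, which is why no prompt appears. It assumes Windows PowerShell 5.1 (where Invoke-WebRequest throws a WebException on 401); the URL is the one from the question.

```powershell
# Added example: report the anonymous status, the challenges offered, and the
# authenticated status for a URL.
function Test-WindowsAuthChallenge {
    param([Parameter(Mandatory)] [string] $Url)

    $result = [ordered]@{ Url = $Url; AnonymousStatus = $null; Challenges = @(); AuthenticatedStatus = $null }

    # 1. Anonymous request: 200 means anonymous authentication is still enabled somewhere.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
        $result.AnonymousStatus = [int] $r.StatusCode
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        $result.AnonymousStatus = [int] $resp.StatusCode
        if ($resp.Headers['WWW-Authenticate']) {
            # One header per scheme, e.g. "Negotiate" and "NTLM".
            $result.Challenges = @($resp.Headers.GetValues('WWW-Authenticate'))
        }
    }

    # 2. Same request with the current Windows credentials (what IE does for the Intranet zone).
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials
        $result.AuthenticatedStatus = [int] $r.StatusCode
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }
        $result.AuthenticatedStatus = [int] $_.Exception.Response.StatusCode
    }

    [pscustomobject] $result
}

# Usage:
# Test-WindowsAuthChallenge -Url 'http://localhost/iisstart.htm'
```

AnonymousStatus 401 with Negotiate/NTLM in Challenges and AuthenticatedStatus 200 means the server is configured as intended and the missing popup is the browser's zone behaviour; AnonymousStatus 200 means anonymous access is still enabled at some level (site, folder, or a web.config override).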

Browser pops up window asking for username/password with ASP.NET app

This application is using windows integrated authentication in IIS. No anonymous login.
It's also using an application pool defined to log on with a domain user.
If I try to browse any page, it pops up the username and password dialog box and even though I enter a valid user (including the domain administrator) it doesn't log on into the app. I keep getting the username/password dialog. If I log on locally (on the IIS box), it works OK.
Also, if I change the application pool to use Network Services, it works OK.
The domain user is already a member of the local IIS_WPG group in the IIS box.
Am I missing something here?
If you use a domain account for the Application Pool you have to run a series of scripts on the domain controller. So, apparently it's not recommended to use a domain account, rather a local server account. Microsoft has this issue documented on a case:
http://support.microsoft.com/default.aspx/kb/871179
I suspect the NTFS file permissions on the .aspx files don't give the users you are logging in as the access needed to read/execute them. What are the file permissions on the files you are trying to view? What do your authorization and authentication elements in web.config look like?
This sounds like it's related to the privileges assigned to the domain user, i.e. whether they, or indeed the server, are permitted to impersonate the user that is logging in. Or something regarding "Trusted for delegation" in the server's settings in AD. Either way, you'll probably get a better response on serverfault =)
Try entering the same user of the appPool as the anonymous user (Web Site Security tab)
I had the same user/pwd Popup problem in Svr 2003.
I solved it by CHECKING ANONYMOUS ACCESS in directory security of DEFAULT WEB SITE.
It prompts you if you want to also affect your sites; you click OK.
That did it.
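The "series of scripts on the domain controller" that the first answer refers to comes down to one thing, shown here as an added PowerShell example (not code from any of the answers). When a client negotiates Kerberos, the service ticket for HTTP/<host> is encrypted with the key of whichever account owns that SPN; by default only the machine account has it. An app pool running as a domain account cannot decrypt such a ticket, authentication fails, and the browser re-prompts, which is the loop described in the question (Network Service works because it uses the machine account, and local logon falls back to NTLM). The fix is to register the SPN on the service account. It assumes rights to write SPNs in AD and setspn.exe on the path; host and account names are placeholders. The optional second step applies to IIS 7 and later only, where kernel-mode authentication otherwise decrypts tickets with the machine account.

```powershell
# Added example: give a custom app pool account the HTTP SPN it needs for Kerberos.
function Register-HttpSpnForAppPool {
    param(
        [Parameter(Mandatory)] [string] $HostName,        # name users type, e.g. 'intranet.company.domain'
        [Parameter(Mandatory)] [string] $ServiceAccount,  # app pool identity, e.g. 'DOMAIN\svc_webapp'
        [string] $SiteName                                # optional: IIS 7+ site to set useAppPoolCredentials on
    )
    $spn = "HTTP/$HostName"

    # -S refuses to add a duplicate; a duplicate SPN is the other classic cause of this loop,
    # because the KDC cannot choose between two accounts.
    setspn -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S $spn $ServiceAccount failed (exit $LASTEXITCODE); check 'setspn -Q $spn' for a duplicate"
    }

    if ($SiteName) {
        # IIS 7+: kernel-mode auth is on by default and uses the machine account's key.
        # Tell it to use the app pool's credentials so the ticket matches the SPN just registered.
        Import-Module WebAdministration
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name useAppPoolCredentials -Value $true
    }

    # Return the SPNs now registered on the account, for the change record.
    setspn -L $ServiceAccount
}

# Usage:
# Register-HttpSpnForAppPool -HostName 'intranet.company.domain' -ServiceAccount 'DOMAIN\svc_webapp' -SiteName 'Default Web Site'
```

Register the SPN for every name clients use (short name and FQDN if both are in play), and do not mark the account "Trusted for delegation" unless the site actually needs to forward user credentials to a back end; that setting is unrelated to getting the login prompt to go away and widens the blast radius of a compromised service account.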
