Seems like I missing something basic here. I deployed a ASP.NET Core WebApi application to IIS. It's working fine. But have issues connecting to database.
I am using integrated security = true in my ConnectionString. I expect it to load the identity from ApplicationPool and use that to connect with DB. But it's not loading the identity. The error is that login failed for user ''
Wondering if .NET Core works differently.
Update
I found that "Enabling Windows Authentication" conflicts with app pool identity. As soon as I disabled windows authentication on the API and allow anonymus access. It started working fine.
Now the issue I have is that, how do I make both work together.
Regards,
Gaurav Sharma
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.
We have a web site written in ASP.NET MVC that uses Windows Authentication.
We have a WCF service that we use to connect to the database and reference that service from our MVC site. The web.config for both the site and the service have enabled Windows Authentication and disabled Basic and Anonymous authentication.
Now, the issue is this:
If I restart the IIS and then open a browser in the same computer that has the IIS, everything works fine (even from outside that computer).
If I restart the IIS and then open a browser in an external computer, the WCF service is unable to connect to the database (even from the local machine).
So, if we don't open the site from the host computer before attempting to access it externally it won't work.
We are using impersonation to do the calls to the service from the website.
Any ideas on what can be happening?
your WCF service is impersonating the user of an outside user passed to by IIS passed to by the IE user. You want to hard code your application pool of your IIS we service to use a specific Service Account that has Network Service privileges
its working internally, as its using your identity on the Windows Domain(its in your ie settings in security) but externally this does not work.
I am trying to accomplish the following:-
To build an Asp.net MVC 4 web application from scratch.
I want to use the current users and groups that are found on our company production active directory server.
In asp.net I know that we can have two types of authentication; Form Based & Windows based.
On my development machine I did the following tests:-
I set the authentication to be “windows based” and I was be able to access the asp.net MVC application without entering my username and password.
I set the authentication to be Form-based and I modify the query string to connect to the Active Directory instead of connecting to the sql databases tables. And I was able to access the application by typing username#domain and the password.
But my questions are:-
When deploying the web application on production, how will “windows authentication” works. Let say the user tries to access the application from external device, then can he still login to the system . Or “windows authentication” will not work for internet application.
Will form-base authentication connected to AD be the best approach to follow in my case?
If “windows authentication” will work when users access the application from external machine. Then what are the differences between having “windows authentication” & Form-based that is connected to an Active directory in this case?
Best Regards
I'm using a Windows 2008 server with IIS 7.0 and am able to Enable ASP.NET Impersonation on my Web Application in IIS. My problem is that I'm only able to enable it for one account (from what I can tell). How can I add multiple accounts to the ASP.NET Impersonation?
Thanks