I have a Web solution which different users from different companies logs on to the same web site, they authenticate against AD.
I use RadControls, and their upload component.
I want to be able to make the users upload documents to their folder on the server. I have granted users which belongs to a particular company full access to the corresponding folder. But I get a access permission error when trying to upload.
What is best practice for something like this?
I use IIS7, and ASP.Net 3.5
Paddy probably hit the nail on the head... but if you look at the Event Viewer entry for this exception, you can probably see what user's credentials ASP.NET is actually using to write the file.
BTW... in terms of best practice... You're on the right track. You didn't mention where this directory is located, but it should be OUTSIDE your web root. Other than that, it's all implementation details... like what do you do for name collisions?
Related
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.
My question is preaty simple. Is there any way to give current user (IIS User, in this case, ASP NET USER) permission to write to a specific folder location (folder inside our web application) using web.config? Because, it's getting boring to ask to the web hoster to gain access to a specific folder each time we want to do a file uploader on a website.
I know it's maybe preaty simple to find an answer using google, but it keeps returning me how to write INTO web.config instead of permission to write into web.config FOR a specific folder. In addition, I'm french so my english is not at the top.
No. If that was possible, you could write an application which, when deployed on a server, would allow you to write to any directory on the disk despite write access being denied by the administrator.
You can easily grant permissions for a local user (e.g. the user that the IIS worker process/app pool is running as) to a folder anywhere on your filesystem actually through rights permissions in Windows itself but this does not allow for doing this through the web.config file itself. Please give us a description of what you're trying to do specifically and there may be a better solution. The solution I mentioned above could be a bit of a security risk but it depends on the needs and situation.
So, from what I understand .NET (and web.config) don't really control write permissions.
You'll need to either expose the folder from a filesystem and/or webserver level to allow people access (though this may be somewhat of a security issue depending on your scenario). Or another possibility would be to create a simple web-page that allows uploading files to the directory.
Often, out of sheer desperation I will end up enabling "Everyone" access on a folder that a web app is accessing (perhaps for file creation, reading, etc) because I can't figure which user account to enable access on.
Obviously, this is a very bad thing to do.
Is there a way to determine what account IIS is using at that exact moment to access folders (and perhaps other resources like SQL Server, etc)?
Are there logs I can look at that will tell me? Or perhaps some other way?
I usually use Windows Auth without impersonation. Not sure if that information is relevant.
Another more general approach would be to use a tool like Process Monitor and add a path filter for anything that starts with the root of the website (ie c:\inetpub\wwwroot). You then have to add the Username as a column by right clicking on the column headers, but once you do that the w3wp.exe process should show up in whenever you try to access the website and it will show which user account is being used. This technique should work with all file access permission issues.
If you don't use Impersonation, application pool identity is used in most cases, but accessing SQL Server and UNC files are slightly different.
This MSDN article has all information in one place, but you really need to spare a lot of time on it in order to digest every details,
http://msdn.microsoft.com/en-us/library/ms998351.aspx
Use Sysinternals Process Monitor to see what is actually happening.
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Does anyone know a web based editor for the web.config? I want to offer the possibility of changing and adding settings through a nice web interface.
Update: I am aware of the security issues but still i want to make it possible. The application is an internal app which is not available for outside. I configure authorization within web.config and want be able to administer the users who are able to access the app. Furthermore I have some app settings which i want to be updateable. E.g. mailserver, Connectionstring, etc..
I tend to agree with GregD on this point... Exposing the web.config is not a good idea at all. If you really want the user to be able to configure some settings, provide an interface for it, which allows the user to set the values as per requirement. Check out the built-in ASP.NET website administration tool if you need an example.
There is a good reason why the web.config is not readable from the internet. Don't do it.
Edited to add
What is it that you wish to accomplish by opening up the web.config? The web.config is where you store database connection strings, turn debug off/on, show error messages locally or remotely, etc., etc. Opening up your web.config to "editing" via a web interface, is really asking for someone to hack it, thus gaining full access to your application.
I agree you probably shouldn't do this.... but in going against the grain since we are all adults here...
It is possible to modify the web.config if your website is running in full trust mode. If you're hosted on GoDaddy for example then you are probably out of luck.
That being said you could leverage an admin page I wrote for BlogEngine which will allow you to edit any file you have granted the AppPool service permission to edit. You would probably want to remake this into a user control and then add it to a protected url address and/or folder.