I have an ASP.NET MVC web app and in one of the controller actions I want to start process (exe file). The process needs to run under a domain user, because it accesses other resources on the domain. This can either be a single hard coded user, or the user that is currently on the web page. The web.config is using Windows authentication.
I have tried turning impersonation on and tried turning impersonation on specifying a specific user. Both of these scenarios will cause permission issues.
I have also tried starting the process as a specific domain/user/password, but this will give me an error "Logon failure: unknown user name or bad password". I'm positive that the username/password is correct, and doing a "runas" works fine.
I'm not even sure of the "correct" way to do this. Any help is appreciated.
Thanks.
The correct way is to not launch a process from a Web app. Use something like MSMQ in WCF instead.
Related
I have a web application on a public facing web site that requires a username and password to log into. Users log in from locations in many different countries and depending on their login location different settings are applied.
Certain users have asked for integration from this web application to another running on the same machine as they are using. They require an XML file to be saved down to a specific folder whenever a transaction occurs on the web application. They don't want the user to have to click any button or have a save dialog appear.
Obviously this is not possible using normal browser functionality for security reasons. What I want to know is this: is it possible to write some application or service that runs on those users' computers that could somehow take the transaction information from the browser and generate the file? I can modify the web application to know when it needs to do this so there can be work on both ends.
One way of doing this that I was thinking of was to have a web service running locally on all PCs where this is required, and the application will call this service when required.(e.g. a localhost url that would be setup on all required pcs ) Has anybody any other suggestions?
I’m not an expert on programming but I don’t think that would be possible. It would create a security risk and if it were possible then anyone could have it download a virus to your computer.
I am hoping this will be a simple question. I am using IIS 7.5 / Visual Web Dev 2010 Express.
I know why this error appears :) it's a security/user issue. The problem is, I don't know what account/permissions this intranet is using that's causing the issue.
I use a simple authentication method that detects the user ID. If they're on that list, they are allowed to look at the page. This is done through:
[allow users] and [deny users]
(Brackets substituted for arrows.)
Authentication mode is set to Windows.
There is another intranet site that users can access- I have read and write permissions on that database that this web site uses. That intranet site works for me, but this gives me a security error.
I'm thinking that by using this authentication method, that it switches to a system profile which tries to access it and gets denied. Is there a generic system profile you guys know of that would cause such an error? Is that even a right assumption or is it a security setting that's related to my username?
Thanks in advance...
Well, maybe this could be helpful for someone in the future who is also facing the same problem. I am not sure where to find this, but apparently I had left out or there was not a tag called identity impersonate. By just having the authentication mode set to Windows, I thought it would take care of everything.
I am assuming that if you use Windows authentication, a system account will try and access the SQL database. Because that system account (whatever it may be, there is one defined somewhere but I forgot the name of it) does not have access, that permission error gets thrown.
What will make the web page use the user permission is with this tag:
[identity impersonate="true"/]
Substitute brackets with arrows.
I am building a simple intranet site and I want to get the user's Active Directory.
What steps do I need to take on the IIS side for this to work?
Are any changes required to my web config?
I would appreciate a detailed explanation, as this is giving me a hard time.
I have tryed things like this
Request.LogonUserIdentity.Name.ToString
also
HttpContext.Current.User.Identity.Name
the users will not login the page should be able to get the credentials without them typing their username and password
windows authentication in my web config throws an error and causes my page not to work
This might be a good starting point for you:
Recipe: Enabling Windows Authentication within an Intranet ASP.NET Web application
or this:
Active Directory Services: PrincipalContext — What is the DN of a “container” object
As #Joel Ehterton said, more details of exactly what you're trying to do would be helpful.
We have a web application and it uses System.Web.UI.Page.User.Identity to determine who the current user is. We are experiencing an intermittent problem, where a user is not recognized (their identity is blank or empty). Anonymous authentication is disabled so I don't see how they can fully access the web application without it recognizing who they are. This happens like once a month for half a day, and then it fixes itself. So it's really hard to diagnose but I would really like to track down the issue. Any suggestions? Thank you!
Make sure you have anonymous authentication turned off & windows authentication enabled for the application in IIS.
Often, out of sheer desperation I will end up enabling "Everyone" access on a folder that a web app is accessing (perhaps for file creation, reading, etc) because I can't figure which user account to enable access on.
Obviously, this is a very bad thing to do.
Is there a way to determine what account IIS is using at that exact moment to access folders (and perhaps other resources like SQL Server, etc)?
Are there logs I can look at that will tell me? Or perhaps some other way?
I usually use Windows Auth without impersonation. Not sure if that information is relevant.
Another more general approach would be to use a tool like Process Monitor and add a path filter for anything that starts with the root of the website (ie c:\inetpub\wwwroot). You then have to add the Username as a column by right clicking on the column headers, but once you do that the w3wp.exe process should show up in whenever you try to access the website and it will show which user account is being used. This technique should work with all file access permission issues.
If you don't use Impersonation, application pool identity is used in most cases, but accessing SQL Server and UNC files are slightly different.
This MSDN article has all information in one place, but you really need to spare a lot of time on it in order to digest every details,
http://msdn.microsoft.com/en-us/library/ms998351.aspx
Use Sysinternals Process Monitor to see what is actually happening.
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx