I have a windows service that hosts the main WCF service. The clients for this service are both hosted in IIS 7, the first one is an IIS hosted WCF service and the second is a standard Asp.Net application. Both of the IIS hosted clients communicate with the windows service over named pipes.
The IIS hosted WCF service can communicate with the windows hosted WCF service perfectly, but the Asp.Net service fails with this error:
The pipe name could not be obtained from the pipe URI: Access is denied.
My first reaction is that this is a permissions issue somewhere, but I dont know where. And second, why would the IIS hosted WCF service be able to communicate without issue, but the Asp.Net application fail?
Ok, I solved it, or rather I figured out where the permission issue was.
It turns out the Anonymous Authentication setting was using some weird user created by our client (the physical person, not our WCF client), and not the NetworkService user (the identity the app pool was using).
But this almost begets another question: Why were even newly created sites defaulting to this IUSR and not the system defaults? In anycase, I just hope this gets indexed in google as, there were virtually no articles relating to it.
Check the Identity of the Application Pools that the WCF and ASP.NET services resides in.
Maybe the WCF service's AppPool has an identity that has different rights than the other AppPool?
Also, you might want to note that IUSR is the default IIS7 account for Anonymous accessors. See Understanding the Built-In User and Group Accounts in IIS 7.0 for an explanation of the default accounts.
Hope this is helpful.
Related
I've seen a web application running by Classic App Pool with Network Service identity. What should be the reason behind? what issue we face if use Local System/Local Service or other.
Please share your knowledge if anyone knows.
IIS 4.x/5.x used to use Local System/Local Service as default identity for IIS processes, which became a system-wide risk, as web servers like IIS can be hacked. Once hacked, malicious code would be executed under those powerful accounts to hack the whole Windows machine, and possible other resources in the same domain.
Thus, when Microsoft designed IIS 6, they switched to Network Service, which has significantly less permissions than the old options. Further on in IIS 7 and above, Microsoft introduced Application Pool Identities accounts to reduce more permissions. That's what #mason commented as "the principle of least privilege".
However, the whole IIS security story does not end here. Concepts such as DMZ and so on would bring more security to your web environment, which you should spend some time learning via specific materials (IIS security books and so on), not simply via a web forum.
This question seems to be similar to this one: IIS site not using identity specified in app pool IIS 7 +
However, there are no answers there.
There's a tl;dr at the bottom.
A thing to keep in mind is that I'm not the one who set up the server so they may have changed some settings I don't know about.
We have an ASP.NET web service running on IIS 7. The web service is set to use DefaultAppPool, and the app pool's Identity is set to a domain user (let's say it's "localdomain\user1").
The web service was unable to save to a certain network folder, so we gave localdomain\user1 read/write permissions to that folder. It still can't save there, however.
I can't remote debug, and it works fine on my own computer (probably because it's running in Visual Studio's IIS express and my user does have access), so I tried to change the web service so that the error message contains the user name it's running under.
If I use Environment.UserName to get it, the result is "IUSR". If I use System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns "NT AUTHORITY\IUSR".
Unless the above methods are not reliable, the web service seems to be running under the default user (IUSR) and not the one set in its application pool. I can't figure out why, can anyone explain?
EDIT: The Task Manager on the server, if I log in using RDP, shows that the w3wp.exe process IS being run by user1. I'm not sure which one to believe.
Thank you.
tl;dr: The web service's application pool is set to a domain user, but it seems to be running under IUSR anyway. How do I prevent that?
Impersonation was the issue. I didn't know this was a setting in the web service's web.config.
Changing <identity impersonate="true"/> to <identity impersonate="false"/> allows it to run as localdomain\user1.
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.
We have a web site written in ASP.NET MVC that uses Windows Authentication.
We have a WCF service that we use to connect to the database and reference that service from our MVC site. The web.config for both the site and the service have enabled Windows Authentication and disabled Basic and Anonymous authentication.
Now, the issue is this:
If I restart the IIS and then open a browser in the same computer that has the IIS, everything works fine (even from outside that computer).
If I restart the IIS and then open a browser in an external computer, the WCF service is unable to connect to the database (even from the local machine).
So, if we don't open the site from the host computer before attempting to access it externally it won't work.
We are using impersonation to do the calls to the service from the website.
Any ideas on what can be happening?
your WCF service is impersonating the user of an outside user passed to by IIS passed to by the IE user. You want to hard code your application pool of your IIS we service to use a specific Service Account that has Network Service privileges
its working internally, as its using your identity on the Windows Domain(its in your ie settings in security) but externally this does not work.
I'm building a windows service but I would like to get some web pages to control some settings, get diagnostics, etc...
How would you go about combining an asp.net web site AND a windows service together ?
I know that WCF can be self hosted into an arbitrary process but can I do the same with asp.net ?
Another option would be to have my service logic in the asp.net web site application_start method to spawn long running threads. But then, I don't get window service built in feature such as auto start on boot up. Another issue might be that IIS might decide to recycle the process. Moreover, my service needs to open a raw tcp socket to accept connections. Can I do that in IIS ?
Thanks
I think the easiest and most robust way to do this is to have an ASP.NET Web Site running under IIS on the same server as the Windows Service. The Windows Service can host a WCF Web Service that will be accessible to the ASP.NET application.
I would have your Windows service self-host a WCF "configuration" service. The WCF service only needs to be exposed locally if the UI is on the same machine. If the windows service needs to open a separate raw socket for communications this can punch a hole through the firewall.
Then the ASP.NET UI can be hosted by IIS as usual, and call the WCF methods to perform the configuration tasks.
It seems like you really need both thingsāa web app hosted in IIS and a windows service hosted as windows service.
Then you can just share data between the two in some way, e.g. via a database.