In IIS 8, I have disabled Anonymous Authentication so that the user domain identity is passed through to IIS. This allows my application to identify the user and set internal application security appropriately.
I would, however, like the user to still run under the App Pool account to access local resources. Is this possible?
Here are my currents settings
Related
The site I need to configure on our IIS server (on Win 2019) uses a certificate to communicate with an external service.
The certificate is present in the certificates plugin in category personal and trusted.
It also uses a intermediate certificate.
The correct application pool has full permission on the certificate in /personal. Also the "network service" user.
The private certificate isn't exportable.
The SSL connection works when the application pool is configured with identity "LocalSystem" but it doesn't work with "ApplicationPoolIdentity".
Changing the "Load user profile" of the application pool from false to true doesn't change anything.
The site uses libraries written for it and is only used within the company.
Is using "LocalSystem" the only solution when using libraries?
You can try different user account in Application pool identity.
Built-in user account
Select this option to use one of the predefined security accounts. Then select one of the following accounts:
LocalSystem - The Local System account has all user rights, and it is
part of the Administrators group on the Web server. Whenever
possible, avoid using the Local System account because it presents a
serious security risk for your Web server.
LocalService - The Local Service account is a member of the Users
group and has the same user rights as the Network Service account,
but limited to the local computer. Use this account when the worker
process in your application pool does not require access outside the
Web server on which it runs.
NetworkService - By default, the Network Service account is selected.
It is a member of the Users group and has user rights that are
required to run applications. It can interact throughout an Active
Directory-based network by using the computer account's credentials.
This account provides the most security against an attack that might
try to take over the Web server.
ApplicationPoolIdentity - Starting with IIS 7, application pools can
be ran as the "ApplicationPoolIdentity" account instead of the
"NetworkService" account. This is a dedicated pseudo user account for
the working process of an application pool and is the recommended
pool identity.
Custom user account
Select this option to configure a custom user account for the application pool identity.
Custom user account
Select this option to configure a custom user account for the application pool identity.
Installed user account
You can configure an installed User Account under which you want the worker process to run.
Property-based user
You can dynamically choose a username and a password under which you want the worker process to run, by using references to Windows Installer properties. By using this option you can choose the way the password is selected:
Password property
The password is stored inside a property.
Predefined password
By selecting this option you can define you own password.
Note: If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principle Name (SPN) with the domain controller (DC).
I have a web application hosted in IIS and configured with Windows Authentication. It is supposed to be SSO (Single sign-on) and work without prompting users for their credentials. It works in this way if I access it via server name or cname. Example:
https://serverName/applicationName
https://cname/applicationName
However, it asks for user credentials if I access the application via full domain name such as:
https://serverName.domain.com/applicationName
https://cname.domain.com/applicationName
Any ideas what the issue would be?
I have deployed an asp.net MVC web application under IIS 7.0. and as it is an intranet web application , I have disabled, form authentication, basic authentication and anonymous access services from my web site inside IIS. While I only enabled windows authentication service.
But currently users who are defined inside the same domain which contain the asp.net mvc web application can login to the application, while users who are defined under another trusted domain (inside AD on remote machine) are not able to access the application (they will get a prompted username and password from their web browser, but will fail to authenticate).
So my question is whether I can define which domain And/OR which AD the windows authentication service inside IIS server should use to authenticate the login users ?
What about http://msdn.microsoft.com/en-us/library/ff650307.aspx ?
Did you tried declaring the connectionStrings as specified to the different ADs ?
Our application store some user information(username, password) in LDAP, and because we cannot change the authenticate code, so we would like to setup a LDAP server in Azure, but I do not see Azure provide such service.
is it possible?
Curently, we have LDAP, DataBase, Application(java,tomcat). DataBase is used to store some business information, LDAP is used to store user credentials.
If user want to use our service, he should sign up, then we will store his credentials to LDAP and when he login, we will compare the credential.
LDAP works within the bounds of a domain, but your browser will not present your credentials to sites out on the internet.
I have two suggestions, I haven't tested either of them.
Option 1:
Use Windows Azure Connect to add the Azure boxes to your own domain, thus allowing users within the domain to authenticate.
Option 2:
Install AD FS 2.0 on your companie's intranet or DMZ, and then add it as an identity provider in the Access Control Service. You then add the Access Control Service as an identity provider in your application. When a user attempts to use your application, they will be redirected to the AD FS server (via the ACS) to authenticate with their local credentials.
We have a service account defined for anonymous access which is used for several web sites hosted on the web server. This account has access to several network resources like report server, file servers and so on.
While deploying a new web site, we used the same service account for anonymous access. IIS takes the username/password for the account and then a dialog opens for confirm password.
Accidently, we gave a wrong password in both the text boxes, the new site with wrong password is working fine but all other previously hosted sites which were using the service account, started giving the unautorized access error.
Is it possible that when we entered wrong password for the new web site, the password of the account got reset and all sites stopped functioning?
If this was IIS5.x then yes it's possible that the password update you performed did indeed change the anonymous account password.
If this was IIS6 then there are a number of pre-conditions that must be met before changing the password in IIS manager changes the password for the anonymous account. This MS knowledgebase article covers this is detail:
IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password (MS KB:332167)
In IIS7 this capability was retired.