The site I need to configure on our IIS server (on Win 2019) uses a certificate to communicate with an external service.
The certificate is present in the certificates plugin in category personal and trusted.
It also uses a intermediate certificate.
The correct application pool has full permission on the certificate in /personal. Also the "network service" user.
The private certificate isn't exportable.
The SSL connection works when the application pool is configured with identity "LocalSystem" but it doesn't work with "ApplicationPoolIdentity".
Changing the "Load user profile" of the application pool from false to true doesn't change anything.
The site uses libraries written for it and is only used within the company.
Is using "LocalSystem" the only solution when using libraries?
You can try different user account in Application pool identity.
Built-in user account
Select this option to use one of the predefined security accounts. Then select one of the following accounts:
LocalSystem - The Local System account has all user rights, and it is
part of the Administrators group on the Web server. Whenever
possible, avoid using the Local System account because it presents a
serious security risk for your Web server.
LocalService - The Local Service account is a member of the Users
group and has the same user rights as the Network Service account,
but limited to the local computer. Use this account when the worker
process in your application pool does not require access outside the
Web server on which it runs.
NetworkService - By default, the Network Service account is selected.
It is a member of the Users group and has user rights that are
required to run applications. It can interact throughout an Active
Directory-based network by using the computer account's credentials.
This account provides the most security against an attack that might
try to take over the Web server.
ApplicationPoolIdentity - Starting with IIS 7, application pools can
be ran as the "ApplicationPoolIdentity" account instead of the
"NetworkService" account. This is a dedicated pseudo user account for
the working process of an application pool and is the recommended
pool identity.
Custom user account
Select this option to configure a custom user account for the application pool identity.
Custom user account
Select this option to configure a custom user account for the application pool identity.
Installed user account
You can configure an installed User Account under which you want the worker process to run.
Property-based user
You can dynamically choose a username and a password under which you want the worker process to run, by using references to Windows Installer properties. By using this option you can choose the way the password is selected:
Password property
The password is stored inside a property.
Predefined password
By selecting this option you can define you own password.
Note: If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principle Name (SPN) with the domain controller (DC).
Related
In IIS 8, I have disabled Anonymous Authentication so that the user domain identity is passed through to IIS. This allows my application to identify the user and set internal application security appropriately.
I would, however, like the user to still run under the App Pool account to access local resources. Is this possible?
Here are my currents settings
I would like my asp.net web API application to automatically create AD account in my domain.
Which application pool identity should I use? Or maybe I could programmatically use the identity of the IT person, who uses this web application? If yes, then how to do it?
I am not sure what you mean by automatically, but you need to make the user object by code. The Identity the app is running under needs to have the right to make user objects under a specified OU. The code creates user objects in this spesified OU.
If the app runs under "<app-user>", this credential should be given the right to create objects under the "target OU". As a short-time test, you can give the user "Domain Admin" rights.
You can also test if the correct permissions has been granted by starting Active Directory Users and Computer or running a powershell script, with these credentials.
You should NOT use the credentials of a real IT person.
The code you need to create a user object in Active Directory you can easily find here on Stackoverflow.
I'm using azure Active Directory, Client Credential Flow in my organization's Web API access control.
I have the below applications registered in the AD:
backend-app
client1
client2
Now, even if I do not give delegated access in Client1 to backend-api, client 1 is able to acquire a token for the resource "backend-app". Is there anyway I can avoid this from happening? I do not want clients that I've not explicitly given delegated access to be able to acquire the token.
This flow works fine in Native apps, where AAD throws an error indicating the client1 doesn't have required permissions for backend-app.
Under Enterprise applications - Application Name - Properties, there's a setting User assignment required? Setting this will only allow explicitly assigned users to access an application.
Taken from the infobox on the Azure Portal:
If this option is set to yes, then users must first be assigned to this application before being able to access it.
More info on Assign users and groups to an application in Azure Active Directory
Our application store some user information(username, password) in LDAP, and because we cannot change the authenticate code, so we would like to setup a LDAP server in Azure, but I do not see Azure provide such service.
is it possible?
Curently, we have LDAP, DataBase, Application(java,tomcat). DataBase is used to store some business information, LDAP is used to store user credentials.
If user want to use our service, he should sign up, then we will store his credentials to LDAP and when he login, we will compare the credential.
LDAP works within the bounds of a domain, but your browser will not present your credentials to sites out on the internet.
I have two suggestions, I haven't tested either of them.
Option 1:
Use Windows Azure Connect to add the Azure boxes to your own domain, thus allowing users within the domain to authenticate.
Option 2:
Install AD FS 2.0 on your companie's intranet or DMZ, and then add it as an identity provider in the Access Control Service. You then add the Access Control Service as an identity provider in your application. When a user attempts to use your application, they will be redirected to the AD FS server (via the ACS) to authenticate with their local credentials.
I have come across a strange problem in one of our applications on win2k8/Vista x64 with UAC enabled. It is a process which hosts the UI for our service and runs in the context of the logged on user.
When logged in as a domain user who is a member of the "Administrators" group, writing to the registry under HKLM fails due to UAC with access denied.
But when logged in as the local "Administrator" account (non-domain) then writing to the registry succeeds.
Both accounts are adminstrators - is there a distinction between domain and non-domain accounts with UAC? What gives?
Thanks... from further reading it seems that it does affect vista as well:
"Being part of the Local Administrator Group doesn't provide the same access as the Local Administrator Account (the same also applies to Windows Vista). With Windows Server 2K8, the administrator access token is split into 2 tokens when logged into the server. One of these is an administrator token and the other a standard user token. During the logon process, authorization and access control components that identify an administrator are removed, leaving a standard user token. The standard user token is used to start the desktop and, therefore, all applications that start run as a standard user."
not sure if this applies but by holding shift+control you can start applications in admin mode, even if youre logged in with a domain admin account. you can then use the application as a local admin