We were asked to move our NodeJS app to run under IIS (Windows Server 2012R2) and integrate with an existing Active Directory. We were requested to remove the login page, and instead use Windows Authentication to get the (already authenticated) user's ID, and the use the groups he/she belongs to, to control their authorization level within the app.
I've installed iisnode to run my app under IIS, and figured I'll use either passport-windowsauth, or node-activedirectory to get the group memebership. However, both require user/password to authenticate the user. My user is already authenticated, and I have no access to his password (nor should I).
How do I go about getting an authenticated user's groups from Active Directory?
Here's what I have so far:
Installed and configured iisnode
Enabled Windows Authentication for the web app
Added this to web.config: <iisnode promoteServerVars="AUTH_USER,AUTH_TYPE" />
In my index.js file, I can then console.log(req.headers['x-iisnode-auth_user']); and get the correct user name - but I don't know how to proceed from here to getting his/her groups
Under no circumstances do I want to re-ask the user for his/her password
Well, seems like no one is interested in looking at this question :). I'm assuming IIS + Node.js + Active Directory is an edge case.
Here's how I ended up solving this one:
Add a special user to the Active Directory that can only be logged into from the IIS machine (bonus: limit the IP/process/access of that user).
Add the AD details, user name, and password to config.json file (see snippet).
Make sure you add the file to .gitignore so it won't end up in repo.
Use node-ActiveDirectory to first sign in as the user from step 1, and then ask for the groups of the logged in user (see snippet).
Related
I have a admin website where every url requires some level of permissions. One of these urls is for deleting user's folder via SSH (different machine). Admin with required rights for this url has also access to all informations about every user (except gdpr restricted). Basically, its kind of superadmin. This admin POSTs username which is part of path used in ssh shell cmd(vulnerability). My colleague recently pointed out that permission is not enough and input should be secured (f.e. regexp) as well even for admin. Is that really necessary? Should we count with scenario where admin (with rights to delete all user's folders) wants to hack virtual machine?
i having a problem when i tried to use a domain user as a specified user name in basic settings-> connect as. I want to access a shared folder that located in another server.
The web server always says if the username or password isn't correct and always throw 500.19 error when I started to browse the application.
Error Capture
However when I explore the app from IIS, it can be opened. I even tried a remote login to the server using the same username and password and it's just fine.
Image 2
The server I am using for running the web server is a Workgroup computer and in a DMZ. Is that a reason why IIS can't authecticate domain user?
Sorry for my terrible english here, because i'm in panic situation right now. I hope you can understand what i'm asking about and hope somebody has an answer. Thanks
You're right, if your computer is not joined to the Active Directory domain, you won't be able to authenticate using a Domain account.
Should the site be publicly accessible? If so, you would want to set your authentication to Anonymous and then configure the authentication settings to authenticate either as a built in user (NETWORK SERVICE, AppPoolIdentity) or a local machine user created specifically for the application.
I want to create a web page, that will serve to authenticate users based on credentials I give them (user1, pswd1 etc).
Only after a user authenticated, he should have access to a few other web sites,
on different folders of the web server, but which have no server side code(otherwise it would be simple.)
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open on his browser.
The purpose if that the user will not have to enter credentials on each site,
and will enter his credentials only once, or once a day.
Restrictions:
I don't want to modify the target web site javascript code at all, e.g. to query a web service.
The user should be granted access using any browser,
so I assume I cannot use cookies.
If I would develop such a mechanism on Apache,I could, for example, have the authentication site PHP code add a line "Allow from ip" to the htaccess file of each target web folder, whenever a user authenticated successfully.
The issue is that I don't want to develop it as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although i can live with two different solutions)
What information does the user have to identify themselves? How do you guarantee the user is who they say they are?
The whole point of authentication is to establish the user is who they say they are and that may create a session so that users need not reauthenticate.
If you want the user to authenticate in a single location and then reuse that "session" or set of credentials elsewhere, what you are looking for is single-sign-on / identity federation.
For instance, take airbnb.com. I do not need to authenticate there. All I have to do is authenticate with a third-party e.g. Google or Facebook. As a matter of fact, SO works in the same way.
One of the standards behind this technique is called Open ID Connect. Look into that. If you are willing to dish out money, you can look into commercial solutions e.g. Ping Identity. There is an open source implementation provided by Mitre / the MIT. It's available here.
In fact it occurs to me I can use simple routing.
In the top level folder have php code that does the authentication.
If the user is authenticated, route/redirect to the requested target site,
based on the requested url.
The url should be for example http://mysite/site1, where the authentication code is in the folder mysite, and site1 is not directly accessible.
Perhaps I can use something like php-express to reuse the same php code on node.js.
I have a server 2012 box running IIS. I am trying to change the admin password for the OS, but it is breaking permissions/access for IIS. I have since reverted back to the old password and all works. What do I need to change in addition to the OS to make the new password work for IIS sites?
Open IIS
Select Application Pools
right-click on your pool and select Advanced settings...
Edit the Identity setting with your credentials
For mine, I set the Custom Account. I have to update this every time I change my credentials.
Have you tried synchronizing the new passwork in IIS, in the sites thats don't work?
Check site credentials, specially if using a "specific user" (as opposed to pass-through authentication) at:
IIS console-->Click on site-->Click Basic Settings (on the Action panel)-->Connect As
There you can synchronize the password registered in IIS with the current user password, but take note that if this works, then something is wrong with your configuration since the logged on user (the admin as you mentioned) shouldn't be used to access site data/folders. It's way too risky!!
If you're using pass-through authentication, check the configuration of the application pool that the site is using, but I repeat: If changing/synchronicing the admin's passwork solves your problem, then you must have some bad configuration in place.
So I have a application that I want to check if a user is in a AD-Group to be able to access.
I checked out passport-kerberos but I could not see how to detect the user's add groups without logging the user in, which he already is on the domain.
On C# .Net solutions we use on IIS this runs just fine, but how can I get this on Node.js with Linux as server not microsoft?