IIS, Under Application Pool Identity HttpWebRequest class does not work - iis

IIS, under Application Pool Identity the HttpWebRequest class does not work. I use DOMAIN NETWORK and PROXY, but when I use a Custom Account (with domain\someuser) it works. Please help someone, how can it work with ApplicationPoolIdentity?

Related

Owin overrides authentication on IIS client certificate mapping rule

I have configured a WebAPI web site to use HTTPS with IIS Client Certificate Mapping (ManyToOneMapping) for client certificate authentication. I disabled all authentication types on IIS. I did the many-to-one configuration on IIS.
But it works with any other certificate that was added to the server's trusted store. I found that it is because of Owin. I'm using Owin (bearer authentication) to manage the token etc. But I think Owin overrides the IIS many-to-one configuration. Do you know how to disable it? I need token-based authentication, so I cannot remove it.
Using Owin to self-host WebAPI and hosting WebAPI in IIS are two different hosting models. This means that all of Owin's pipeline logic is no longer valid unless we're using Owin hosting in a self-hosting program. Here's a simple example of using Owin to self-host WebAPI:
https://learn.microsoft.com/en-us/aspnet/web-api/overview/hosting-aspnet-web-api/use-owin-to-self-host-web-api
If we want to verify the client certificate by OWIN middleware (a pipe through which every request must come), we should add a custom validator for the client certificate and apply it by using the appBuilder.Use<T> method.
appBuilder.Use<ClientCertificateAuthMiddleware>(new ClientCertificateAuthenticationOptions(), clientCertificateValidator);
Here is an example of how to add client certificate validation to an OWIN self-hosted WebApi.
https://dotnetcodr.com/2016/02/08/using-client-certificates-in-net-part-9-working-with-client-certificates-in-owinkatana-iii/
Feel free to let me know if there is anything I can help with.
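As an added example (not from the answer above, and not the ClientCertificateAuthMiddleware of the linked tutorial), the following OWIN middleware rejects any request whose client certificate is not on an explicit allow-list, so a certificate that merely chains to a trusted root is no longer enough. It assumes Katana (Microsoft.Owin) hosted in IIS with client certificates accepted or required on the site, and the thumbprint in the list is a placeholder.

```csharp
// Added example: allow-list the client certificate inside the OWIN pipeline.
// Assumes Microsoft.Owin hosted in IIS with SSL client certificates enabled; the
// thumbprint below is a placeholder, not a value from the original thread.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public static class ClientCertificateAllowList
{
    // Placeholder thumbprints (hex SHA-1, as reported by X509Certificate2.Thumbprint).
    // Replace with the certificates the IIS many-to-one rule was meant to accept.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0123456789ABCDEF0123456789ABCDEF01234567"
        };

    // Pure check: present, inside its validity window (NotBefore/NotAfter are local
    // time, so pass DateTime.Now), and on the allow-list.
    public static bool IsAllowed(X509Certificate2 cert, DateTime now)
    {
        if (cert == null) return false;
        if (now < cert.NotBefore || now > cert.NotAfter) return false;
        return AllowedThumbprints.Contains(cert.Thumbprint);
    }

    // Register this BEFORE the bearer-token middleware so an unauthorised
    // certificate never reaches token validation.
    public static void UseClientCertificateAllowList(this IAppBuilder app)
    {
        app.Use(async (IOwinContext context, Func<Task> next) =>
        {
            // "ssl.ClientCertificate" is the standard OWIN environment key the host
            // fills in when the client presented a certificate during the TLS handshake.
            var raw = context.Get<X509Certificate>("ssl.ClientCertificate");
            var cert = raw == null ? null : new X509Certificate2(raw);
            if (!IsAllowed(cert, DateTime.Now))
            {
                context.Response.StatusCode = 403;
                await context.Response.WriteAsync("client certificate not accepted");
                return;
            }
            await next();
        });
    }
}
```

Call `app.UseClientCertificateAllowList();` as the first line of the Startup configuration, ahead of `UseOAuthBearerAuthentication`. IIS still has to be configured to accept or require client certificates (the site's sslFlags), otherwise the handshake never asks for one and the key is empty; and because this check runs inside the application, it applies regardless of whether the IIS mapping rule is honoured.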

How to achieve SSL pinning with MobileServiceClient (Xamarin mobile app) and Azure App Service with SSL as backend service?

I have an Azure App Service with SSL.
And a mobile app (Xamarin Android, iOS) consumes the service APIs through MobileServiceClient.
There is no option in MobileServiceClient to add a certificate.
I googled it but found not a single document that solves this problem.
How do I achieve SSL pinning with MobileServiceClient?
As you mentioned, it seems not supported to add a certificate in MobileServiceClient.
If we try to do that, based on my understanding, we need to override the server-side authentication flow. For more detail please refer to this tutorial. I also found another SO thread related to this.
We also need to override the DelegatingHandler on the client side.
Additionally, here are some useful tutorials:
Code sample AzureWebApiClientCertAuthSample
Azure App Service and Client Certificate Authentication
Besides, we could also give our feedback to the Azure App team.
I know I'm way late to this party, but for anyone else looking, I was able to add a client certificate by doing the following:
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Microsoft.WindowsAzure.MobileServices;
// Attach the client certificate to the handler that MobileServiceClient will use for every request.
X509Certificate2 cert = GetCertificate();
HttpClientHandler httpClientHandler = new HttpClientHandler();
httpClientHandler.ClientCertificates.Add(cert);
client = new MobileServiceClient(Constants.ApplicationURL, httpClientHandler);
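The snippet above attaches a client certificate. Pinning in the sense the question asks about means checking the server's certificate, and the same handler parameter of MobileServiceClient is the place to do it. The following is an added example, not code from either answer: it gives MobileServiceClient an HttpClientHandler whose validation callback accepts only a known SHA-256 hash on top of normal chain validation. It assumes the handler on the target platform honours ServerCertificateCustomValidationCallback (the managed HttpClientHandler does; native Xamarin handlers vary by version), and the hash in the list is a placeholder.

```csharp
// Added example: pin the server certificate for MobileServiceClient.
// Assumes HttpClientHandler.ServerCertificateCustomValidationCallback is supported on
// the platform in use; PinnedSha256 holds a placeholder, not a real hash.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.WindowsAzure.MobileServices;

public static class PinnedMobileClient
{
    // Placeholder: SHA-256 over the DER encoding of the service's leaf certificate
    // (X509Certificate2.RawData), upper-case hex without separators.
    private static readonly HashSet<string> PinnedSha256 =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000000000000000000000000000"
        };

    public static string Sha256Hex(byte[] der)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(der)).Replace("-", "");
    }

    // Pinning adds to chain validation rather than replacing it: the chain must be
    // clean AND the leaf must be on the pin list. A pinned but expired or
    // mis-named certificate is still rejected.
    public static bool IsPinned(X509Certificate2 leaf, SslPolicyErrors errors)
    {
        if (leaf == null || errors != SslPolicyErrors.None) return false;
        return PinnedSha256.Contains(Sha256Hex(leaf.RawData));
    }

    public static MobileServiceClient Create(string applicationUrl)
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback =
            (request, cert, chain, errors) => IsPinned(cert, errors);
        // Same constructor the answer above uses; the handler is the last (non-delegating) one.
        return new MobileServiceClient(applicationUrl, handler);
    }
}
```

Create the client with `PinnedMobileClient.Create(Constants.ApplicationURL)` in place of the plain constructor. Pinning the leaf hash means the app must be updated whenever the App Service certificate rotates; pinning the subject public key or an intermediate instead survives routine renewals, and shipping at least one backup pin avoids locking users out when the primary changes.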

Is it possible to get an access to anonymous user identity in ASP.NET Core running in IIS?

With ASP.NET vPrev we were able to separate the application pool account and the account used for anonymous access ("anonymous user identity", IUSR by default). This is extremely helpful to secure the app: you can be sure that no high-level access will be provided to anonymous users, even if the application pool account has high privileges.
Is there any way to do the same for an ASP.NET Core application? From my understanding of Core's execution model that will not be possible, because IIS acts just as a proxy. Am I right?
Maybe there are some ways to do the same but with another approach? The main goal is to have the ability to switch context between the application pool and anonymous contexts. As a simple example: when the app starts we can read/write/do whatever with the application pool account, but inside the request context we will operate with the anonymous user identity.
Not a fan of answering my own questions, but the subject is possible. You can get the anonymous user context from the IIS SDK:
using Microsoft.Web.Administration; // from Microsoft.Web.Administration.dll, NuGet package Microsoft.Web.Administration
// ....
using (ServerManager serverManager = new ServerManager()) // needs rights to read applicationHost.config
{
    Configuration config = serverManager.GetApplicationHostConfiguration();
    // Read <anonymousAuthentication> as it applies to this site; siteName must be known to the app.
    ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", siteName);
    string userName = (string)anonymousAuthenticationSection["userName"];
    string pwd = (string)anonymousAuthenticationSection["password"]; // returned decrypted; keep it out of logs
}
Of course this is not really secure (you have to run your app under an account that has access to IIS) and you need to keep the site name somewhere in config, but it works.
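The answer stops at reading the account name and password. As an added example (not from the answer above), the code below turns those values into a logon token and runs the per-request work under that account, which is the context switch the question describes: the application pool identity is used only outside the request path. It assumes Windows, the System.Security.Principal.Windows APIs available to ASP.NET Core on .NET Core 2.0 and later, and a real anonymous account with a stored password; the built-in IUSR has no password you can log on with, so a dedicated domain or local account must be configured in IIS for this to work.

```csharp
// Added example: impersonate the configured anonymous account for request work.
// Assumes Windows and System.Security.Principal.Windows; 'account' and 'password' are
// the userName/password values read from applicationHost.config in the answer above.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

public static class AnonymousContext
{
    private const int LOGON32_LOGON_NETWORK = 3;    // impersonation-level token, no profile load
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Splits "DOMAIN\user" (or a bare "user", meaning the local machine) as stored in
    // <anonymousAuthentication userName="...">.
    public static (string Domain, string User) SplitAccount(string account)
    {
        int i = account.IndexOf('\\');
        return i < 0 ? (".", account) : (account.Substring(0, i), account.Substring(i + 1));
    }

    // Do this once at startup, while still running as the application pool identity,
    // and keep the handle for the lifetime of the process.
    public static SafeAccessTokenHandle Logon(string account, string password)
    {
        var (domain, user) = SplitAccount(account);
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out var token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return token;
    }

    // Run 'work' as the anonymous account on the current thread only; returns the
    // account name the work actually ran under so callers can assert on it.
    public static string RunAsAnonymous(SafeAccessTokenHandle token, Action work)
    {
        return WindowsIdentity.RunImpersonated(token, () =>
        {
            work();
            return WindowsIdentity.GetCurrent().Name;
        });
    }
}
```

Inside a request handler, `AnonymousContext.RunAsAnonymous(token, () => File.ReadAllText(path))` makes the file ACL check happen against the anonymous account rather than the pool identity, which is the property the question wants. The impersonation covers only the code inside the delegate and only that thread; anything awaited that resumes on another thread, and any work the framework does on your behalf (static file serving, Kestrel's own I/O), still runs as the pool account, so this is a narrower guarantee than the IIS-managed anonymous identity of classic ASP.NET.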

How to make IIS application access network through http proxy

I have an IIS application server in China, but one of our applications accesses the Salesforce SOAP API and it is too slow now. I want to make this application access the network via an HTTP proxy. How can I achieve that?
You would use the WebProxy class from .NET:
https://msdn.microsoft.com/en-us/library/system.net.webproxy(v=vs.110).aspx
using System.Net;
// Route this request through an explicit HTTP proxy; 'true' bypasses the proxy for local addresses.
WebProxy proxyObject = new WebProxy("http://proxyserver:80/", true);
WebRequest req = WebRequest.Create("http://www.contoso.com");
req.Proxy = proxyObject;
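Setting Proxy on each request works, but for an IIS application it is usually better to install one process-wide proxy at startup, which also addresses the first question on this page: a worker process running as ApplicationPoolIdentity has no per-user WinINET/IE proxy settings for .NET to discover, so requests that work under a custom account can silently go direct (or fail) under the pool identity. The following is an added example, not code from the answer above; the proxy address and bypass pattern are placeholders.

```csharp
// Added example: one process-wide proxy for every HttpWebRequest/WebClient in the site
// (and HttpClientHandler on .NET Framework, which defaults to WebRequest.DefaultWebProxy).
// proxyUrl and bypassList are placeholders supplied by the caller.
using System;
using System.Net;

public static class SiteProxy
{
    public static WebProxy Build(string proxyUrl, string[] bypassList, bool bypassOnLocal)
    {
        var proxy = new WebProxy(new Uri(proxyUrl), bypassOnLocal, bypassList);
        // Authenticate to the proxy as whatever the worker process runs as: the machine
        // account for ApplicationPoolIdentity, or the configured custom domain account.
        // The proxy must accept that identity, or a custom account is required.
        proxy.UseDefaultCredentials = true;
        return proxy;
    }

    // Call once from Application_Start (Global.asax) or the host's startup code.
    public static void Install(WebProxy proxy)
    {
        WebRequest.DefaultWebProxy = proxy;
    }

    // Reports where a request to 'target' would be sent: the proxy address, or null for direct.
    public static Uri Resolve(IWebProxy proxy, string target)
    {
        var uri = new Uri(target);
        return proxy.IsBypassed(uri) ? null : proxy.GetProxy(uri);
    }
}
```

Typical use is `SiteProxy.Install(SiteProxy.Build("http://proxyserver:8080", new[] { @"\.corp\.example$" }, true));` at startup, after which the Salesforce client needs no per-request changes. The same result without code is the `<system.net><defaultProxy useDefaultCredentials="true"><proxy proxyaddress="http://proxyserver:8080" bypassonlocal="true" /></defaultProxy></system.net>` section in web.config, which is the first thing to check when HttpWebRequest behaves differently under ApplicationPoolIdentity and a custom account.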

IIS delegation to access network resources with Kerberos

I have an ASP.NET application that needs to access ANOTHER application; the ANOTHER application expects Kerberos authentication and responds to the request based on the user credential. My ASP.NET app is running as an AD service account that is set up to allow delegation to the ANOTHER application (with the proper SPN).
So the process is: the user sends a request to the ASP.NET app, and the ASP.NET app impersonates the user for the request to the ANOTHER application by delegation (with Kerberos).
When I run the app on the local machine (where my ASP.NET app resides), the request is successful; however, if the request comes from a remote client machine, it fails, and the ANOTHER application's log shows that the identity is not presented.
Any clue?
Have a look at the following, which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources there that should help you troubleshoot.
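The linked thread is about the first hop silently falling back from Kerberos to NTLM, which is what "identity is not presented" on the second hop usually means: an NTLM logon cannot be forwarded, and only a Kerberos logon whose token is at Delegation level can. As an added example (not from the answer above), the following diagnostic reads those two properties off the request's WindowsIdentity and makes the outbound call under that token. It assumes classic ASP.NET with Windows authentication enabled; the target URL is a placeholder.

```csharp
// Added example: explain why the second hop loses the user identity, and make the
// outbound call under the caller's token. Assumes classic ASP.NET with Windows
// authentication; 'url' is a placeholder for the ANOTHER application.
using System;
using System.Net;
using System.Security.Principal;

public static class DelegationCheck
{
    // Pure check on what the web app received for the current request.
    public static string Explain(string authenticationType, TokenImpersonationLevel level)
    {
        if (!string.Equals(authenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return "incoming auth is " + authenticationType +
                   ": only a Kerberos logon can be delegated; check the SPN for the web app's host name " +
                   "and that the client actually obtained a ticket instead of falling back to NTLM";
        if (level != TokenImpersonationLevel.Delegation)
            return "Kerberos, but token level is " + level +
                   ": the service account is not trusted for delegation to the target SPN, " +
                   "or the user is marked 'sensitive and cannot be delegated'";
        return "Kerberos with a delegation-level token: the next hop will carry the user identity";
    }

    public static string ExplainCurrent(WindowsIdentity identity)
    {
        return Explain(identity.AuthenticationType, identity.ImpersonationLevel);
    }

    // Make the outbound call while impersonating the caller so .NET presents the
    // caller's ticket (not the service account's) to the second application.
    public static string CallAsUser(WindowsIdentity identity, string url)
    {
        return WindowsIdentity.RunImpersonated(identity.AccessToken, () =>
        {
            var req = (HttpWebRequest)WebRequest.Create(url);
            req.UseDefaultCredentials = true;   // uses the impersonated token's credentials
            using (var resp = (HttpWebResponse)req.GetResponse())
                return resp.StatusCode.ToString();
        });
    }
}
```

Expose `DelegationCheck.ExplainCurrent((WindowsIdentity)HttpContext.Current.User.Identity)` on a test page and call it from both the server itself and a remote client: a local test that reports Kerberos while the remote one reports NTLM reproduces the symptom in the question, and the remaining work is on the Kerberos side (SPN on the right account, the site in the browser's intranet zone so it will send a ticket, delegation settings on the service account) rather than in the application code.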
