I have an ASP.NET MVC app running on IIS 7.5 with an app pool which identity is set to "roger01".
I'd like to make sure when I render #User.Idenity.Name it's that identity (roger01) that's displayed.
I tried using ASP impersonation but it's not compatible with Integrated mode. And ASP.NET MVC requires integrated mode.
I also set the Anonymous Authentication identity to "roger01" but it doesn't change anything.
I actually tried lot of things for a few hours I'm not even able to enumerate...
This answer looks like it might accomplish what you're after.
The identity of an application pool in IIS
When creating a new application pool, it’s often convenient to be able to identify the
identity the pool is using. The issue arises usually on IIS 7/7.5
where default application pools use identities of a form IIS
APPPOOL\identityname. And when you grant access to databases/file
system you have to provide the identity name in an exact form.
Usually I tend to use this simple script. Just copy it into a text
file, name it test.aspx and point your browser to it. The
application pool’s identity name will be presented to you in a clear
way.
<%# Page Language="C#" %>
Current user: <%= System.Security.Principal.WindowsIdentity.GetCurrent().Name %>
via Get the Application Pool Identity programmatically
Related
I am Using Sharepoint2019 On-Premise
I am looking to use separate .aspx page for authenticate users for Sharepoint2019,
I tried the Form-Based Authentication(https://learn.microsoft.com/en-us/previous-versions/office/sharepoint-server-2010/ee806890(v=office.14)) and it works for authentication but the user profiles are not getting synced from our current Active Directory, so i would like the go back to the windows authentication but instead of pop-up should i would like the .aspx
I want to Use this page for Windows Authentication :-
I Do Not Want This SIgn in pop-up
can any one please guide me to accomplish this task.
One suggestion to look at would be to use AD FS and Web Application Proxy. This solution would require you to configure Kerberos Constrained Delegation for the SharePoint Web Application. In addition, the WAP server(s) need to be joined to Active Directory. Finally, on AD FS you would set up a non-claims aware relying party.
DNS for your Web Application would be pointed at the WAP server (or load balancer routing to WAP) and users would log in there using an FBA experience but still using Windows auth on the back end.
You need an external system that can pass non-Windows auth and translate it to Windows auth. AD FS + WAP is one example of doing so. Because the back end is still Windows auth, other services that leverage Windows auth will continue to work without any changes to your farm.
See here :- https://learn.microsoft.com/en-us/answers/questions/153678/how-to-use-custom-login-page-aspx-as-link-fba-for.html
See https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-non-claims-aware-relying-party-trust on how to create a non-claims aware relying party.
For TLS setup, see https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383662(v=ws.11).
it is quite tricky, as Microsoft Designed in that for the windows authentication, but any how if you can use the Form Base Authentication.
Here is the Link where Microsoft posted how to implement the Form Based Authentication.
Configure forms-based authentication for a claims-based Web application
With asp.net vPrev we was able to separate application pool account and access account for anonymous access ("anonymous user identity", IUSR be default). This is extremely helpful to secure the app: you may sure that no high level access will be provided for anonymous, even if application pool account has high privileges.
Is it any way to do the same for ASP.NET Core application? From my understanding of core's execution model that will not be possible, because IIS act just as a proxy. Am I right?
May be there are some ways to do the same but with an another approach? The main goal is to have ability to switch context between application pool and anonymous context. As simple example: when app starting we can read\write\do whatever with application pool account, but inside request context we will operate with anonymous user identity.
Not a fan of answering own questions, but subject is possible. You can get anonymous user context from IIS SDK:
using Microsoft.Web.Administration // from Microsoft.Web.Administration.dll, nuget microsoft.web.administration
// ....
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", siteName);
string userName = (string)anonymousAuthenticationSection["userName"];
string pwd = (string)anonymousAuthenticationSection["password"];
Of course this is not really secure (in have to run your app under account that have access to IIS) and you need to keep site name somewhere in config, but it works.
I was trying to register an Application Login Module in Websphere but I don´t find any easy example in web.
There are a lot of IBM documents, but too much complex, and I can´t figure out how to register an Application Login Module.
I already have success with a System Login Module bounded to WEB_INBOUND, it works, but affects all my system. I want a Login Module to serve only my applications web, with JAAS authentication.
I´ve tried to bound a login module to existing WSLogin but it doesn´t seems to be working.
Any help ?
tks[]
You need to setup security domains to get the separation you are looking for wrt to the login configurations. The security framework uses the WEB_INBOUND login configuration to authenticate the user for all web applications irrespective of adminConsole or user applications. When you create a security domain and customize the WEB_INBOUND configuration at the server/cluster domain level, it will be used for all the user web applications deployed in those processes. You need to setup the multidomain in a cell topology and assign the domain to the server/cluster where you applications are deployed.
Once you setup the domains, the WEB_INBOUND configuration at the server/cluster domain will be used by the user applications hosted in that server/cluster while the WEB_INBOUND configuration at the admin/global domain will be used for the adminConsole application at the Deploymener Management process where it is deployed.
The application JAAS login configurations are meant to be used by the applications directly. One can create an application login configuration and programmatically use it in the application to perform direct login -
LoginContext lc = new LoginContext("myAppLoginCfg1", callBackHandler);
I asked around and this is the answer that comes from the owner of container security:
The WEB_INBOUND is a JAAS system login that is always configured by default. However, you can specify your own JAAS application login or customize the existing WEB_INBOUND system login. If you want only one application to use a different JAAS login from all your other applications, you can use a security domain that has those different security configurations. The only catch is that application server has to be in a separate server from the other apps. That way, you can map your security domain to that server.
Here's an info center article about security domains:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_sec_domains_config.html?cp=SS7K4U_8.5.5%2F1-8-2-33-1
And one on application logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/rsec_logmod.html?cp=SS7K4U_8.5.5
And system logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/usec_sysjaas.html
And here is a much more practical answer that comes from the security dev lead:
So an additional question is - why would you want to do that? Do you want to do anything specific for just one app during login that you do not want for other app logins? (I would think so) You can get the app name in your custom login module and can use that to provide your own app based login requirement in your login module (or skip it) if needed.
Me: Ya, this is what I would do. You can also implement this based on what is in the request. I did one where it would request a SAML token from an STS and put it on the runas subject if I could tell that the request came from WebSeal (and not if it didn't).
If what you need to do for the 'app-specific' case requires skipping what is done in ltpaLoginModule and wsMapDefaultInboundLoginModule (that should run for the other apps), you can't really do that. However, you can modify their behavior.
Read through the task I've given a link to below. Yes, I understand it is a WS-Security task, but its about using APIs. You'll get what I'm talking about if you read closely, particularly the 3rd ("When a caller...") and 5th ("To use a..") paragraphs. The parts that you should be concerned about in the code is the WSCREDENTIAL* stuff.
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html
I have a project which has a asp.net mvc based portal which manages user authentication/authorization using Asp.net Identity API.
The project also consists of a windows service/EXE which would poll an MSMSQ queue to get new users information and would save them into the Asp.net Identity Database(used by web project mentioned above).
so my question is - "Can we use Asp.net Identity API in desktop applications too?". The requirement only arises, because user's password hash has to be created, and I am using the default one which is provided by .net framework. So if I am creating a new user into the Asp.net Identity database, then I would need to create the password hash there too.
Any ideas guys?
Identity does not take dependency directly on MVC, but it relies on OWIN to set the cookie and authentication. But if you need to check user password against stored hash, manipulate user records, etc. Why not?
You might experience a big pile of dependent packages (ASP.Net) added to your desktop project, but if you don't mind this - there is a possibility you can make it work.
On the other hand, there is Identity Server which can work with MVC project and with Desktop project - without having to add Identity directly into your desktop application - also have a look into that.
I have deployed an application on IIS Server and Servlet Exec configured. I need run the application with windows User Credentials rather than Anonymous User. I tries changing the username and password of annonmous user in properties/Security but the application stops responding changing it back to default Anonymous IIS user account works fine??
Abdul Khaliq
If it is on iis 6 or greater, there is a place you can create application pools. If you don't have a dedicated application pool for your application yet, create one. While creating you can set the default identity it should work with. You can set it to system defaults or a custom identity you've created...
You should change the identity for the application pool (not the website). So it's best to create a specific application pool for every site which needs specific user credentials.
But this question really belongs on serverfault.com