We have moved our .NET web app deployment to Microsoft WebDeploy 3.0, and the transition has gone really well.
We are able to quickly and simply deploy to dev, test, and soon, production. But we'd like to add an extra level of restriction for deployment to production. Partially for security, but mostly to avoid "oops, no I didn't." moments.
The user accounts that deploy to dev and test are domain admins. Is there a way to restrict who has access to connect to the WebDeploy service or who can publish? I'd like to remove Domain Admins from production WebDeploy, and add a deployment account used exclusively for this. But Domain Admins will still need pretty liberal access to the server, I'd just like to restrict them in WebDeploy.
[This seems to be a different question than most are asking, which is how to allow addtional, non-admin users access. I'd like to know how to disallow admins access.]
Since you have tagged with iis 7.5 I am assuming you are on IIS7. In that case you can use WMSvc service on the server for the deployment. [Web Management Service]. This service uses delegation to allow or disallow users. This is how web deployment works in a hosted environment.
You can by default give every dev access to a particular site or app under a site and give read only access to some. You can still have super user permissions to the admins by enabling a setting called dont apply delegation rules for admins. Here is an article that gives detailed description about this can be acheived.
http://www.iis.net/learn/publish/using-web-deploy/configure-the-web-deployment-handler
Related
I have an IIS-hosted website that has 11 web services each running under their own virtual application. For each, the underlying folder is a child of the hosting site's folder. All have existed for a year or more, but web service A may never have been actually tested when deployed, the others have been actively used.
We've recently decided to use Service A, made code changes and deployed. Attempting to reach the service throws a 401.3 authorization error:
You do not have permission to view this directory or page.
I've compared virtually everything I can find in IIS (App Pool settings, ASP.NET, IIS and Management Features, etc.) about Service A and it's peers with nothing seeming different.
Once I added IUSR to Service A's permissions, it responded normally. However, none of the other services have this account among their permissions, yet work fine.
Can someone shed a light on why a single virtual app that very closely mirrors ten others would need IUSR specifically listed among granted users?
The IUSR is used by the anonymous authentication. If you have enabled anonymous auth in the ServiceA, that contents is accessed by IUSR. Is the authentication setting different from ServiceA and other websites.
We have a multi-tenant web app running in Azure App Services. Occasionally, we need to bind a new custom domain. Unfortunately, this causes the app to recycle - as I'm guessing the web.config is altered.
Is there any way to do this without a recycle?
I'm not 100% sure if this will avoid recycle but might be worth giving it a try.
You could associate a traffic manager with your app and then do the domain assignment on the traffic manager.
Traffic manager will work even if you have a single endpoint and might give you the indirection you need.
Windows Azure Web Apps let subscription administrators define custom hostnames for a web-app, these have to be manually listed, but you can also specify wildcard hostnames for subdomains, e.g. *.myapp.com.
So if I have a multi-tenant application where each tenant has their own vanity hostname, they could be "billselectrical.myapp.com" and "megabusiness.myapp.com" - and hostname detection in my application code would handle the rest.
However, is it possible to have arbitrary hostnames in Azure Web Apps? What if my (high-profile) customer megabusiness.com wants my hosted-application to appear as "myapp.megabusiness.com"? Obviously I can support this by explicitly and manually adding myapp.megabusiness.com to the Azure domain list (which does require adding verification TXT records, unfortunately - so this requires cooperation from the customer) - but there doesn't seem to be a way to instruct Windows Azure to allow any hostname.
...or is there?
I note that I know this is achievable using a raw VM with a manually configured IIS website - I imagine the same is possible with a Web Role Worker too.
In our current Production Setup, we have setup SSRS and have been able to successfully use the SSRS reports in our .NET Web Application since years. We have used Impersonation in Web.Config (there might be other solutions available, we had to go with this) as shown below.
<identity impersonate="true" userName="domainname/username" password="password"></identity>
This solution worked well becuase our Active Di
rectory and SSRS server are located in the same Network / domain.
Now, as part of our Azure migration, we have migrated our SSRS server to an Azure VM. and we are able to view the reports using Report Server Manager within the VM. Now, when we access the Web Application (App Service - Web App), we are getting the following error. Below is the updated impersonation attribute that we have used.
<identity impersonate="true" userName="username#ouremailaddressdomainname.onmicrosoft.com" password="password"></identity>
"Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'The user name or password is incorrect"
Obviously, this is because of the fact that we don't have a Active Directory domain setup in Azure. Below are my questions.
Can we utilize the users available in the default Directory that gets created on Azure?
If yes, how do I specify the impersonization?
Thanks,
Prawin
With your planned setup you cannot use identity impersonation. This is because the AppService Web Apps do run in an isolated sand-boxed environment which cannot be part of a Windows Domain.
You have couple of options:
Change the reporting server to use mixed mode Authentication and create local for the SQL Server login and user with appropriate permissions. Then configure your reporting application to provide these SQL Server credentials
Move your Web Application to same VM (will not require Domain environment) as your Reporting Server (or just the part which deals with the reports)
Move your application to a separate VM and utilize the Azure Active Directory Domain Services to make the VMs part of same domain (an overkill IMO)
I would vote for the first option, as it requires least changes and leverages PaaS services (App Service). Everything else is overkill or just an abuse of the cloud platform.
I've got a little server plugging along, with IIS and some other stuff. Is it possible to allow a second user access to the IIS Manager, with the ability to create and edit sites, but keep the two accounts' sites separate?
I'm not worried about security between the two accounts, just separating the two account's sites for neatness and so that one user doesn't accidentally change something tied to the other account. At the moment I have two users part of the administrators group, and if I open IIS Manager with either one they both show all the sites.
A similar question has already been asked: how to create hidden web site on IIS
Can you please expand the answer of that thread?
Update 1
Connecting to sites remotely would allow the other sites to appear hidden as you would only see the connecting site. See: How to use Internet Information Services (IIS) 7 Manager to connect remotely to your website.
Update 0
As for hiding sites and other features, check out: What is administration.config for IIS?
One little known feature of IIS7 is that it's UI is entirely extensible! This means that anyone can write a C# assembly and get it displayed through the IIS Manager UI. The possibilities here are endless, anything from someone writing a new certificate management system, a website provisioning system, etc.
I haven't found documentation stating that the actual sites can be hidden but it sounds like it should be possible.
An Overview of Feature Delegation in IIS 7.0 may also provide the ability to hide sites.
Other links:
How do I hide 'non-delegated' features in IIS 7?
Based on your description, Microsoft's documentation on Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) might prove helpful. For instance:
Allow an IIS Manager User Account to Connect to a Site or an Application (IIS 7)
Note: For IIS Manager users to connect to sites and applications for which you grant permission, you must configure the management service to accept connections from users who have IIS Manager credentials. For more information about how to configure the management service, see Configuring the Management Service in IIS 7.
Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) - Emphasis added.
Use the IIS Manager Permissions feature to allow users to connect to sites and applications in IIS Manager. Remove a user account when you no longer want the user to configure delegated features in a site or an application.
Permitted users can configure delegated features in any sites or applications for which you grant them permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.