Closed 11 years ago.
In IIS 7, after I specify the physical path for my website and click the "Test Settings" button, I get the following warning:
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has read access to the physical path. Then test these settings again.
So what is pass-through authentication? Literally, it should mean passing some A through some B, so what are A and B?
Also, I am actually using the built-in ApplicationPoolIdentity. Why can't IIS verify that this account has proper access rights to the physical path? Why do I need to verify it myself?
Normally, IIS would use the process identity (the user account it runs the worker process as) to access protected resources like the file system or the network.
With pass-through authentication, IIS will attempt to use the actual identity of the user when accessing protected resources.
If the user is not authenticated, IIS will use the application pool identity instead. If the pool identity is set to NetworkService or LocalSystem, the actual Windows account used is the computer account.
The IIS warning you see is not an error, it's just a warning. The actual check will be performed at execution time, and if it fails, it'll show up in the log.
Closed 2 years ago.
We are debating the use of Kerberos in the big data cluster that we have. Our admin wants to use LDAP for authentication and authorization. I looked it up on the internet and got mixed responses, but there was no clear explanation of the reason to use Kerberos.
I understand that you can use Kerberos along with LDAP, but I didn't get a clear picture of the benefits of using Kerberos + LDAP vs. just LDAP. Can anyone explain, please?
Kerberos is the inside-the-corporate-network industry standard single sign-on protocol. LDAP was always more of a directory look-up protocol. However, LDAP can also do authentication, as the authentication aspect of it was bolted on some years after the protocol itself was conceived.

With LDAP authentication, every authentication attempt is going to cause load on the Directory authentication server, so in that sense it could hammer your Directory authentication server often. With Kerberos, after the first authentication the client holds a ticket that is good for a default of 10 hours, so that additional authentication attempts do not have to load your Directory authentication server again. And the client will take care of getting authentication "tickets" to target resources, rather than the application server doing this on behalf of clients, which is what those application servers have to do if the LDAP authentication mechanism is in play.

Additionally, LDAP, if not configured correctly, will send authentication attempts in clear text. Even if you configure encrypted authentication over LDAPS, for which you'll need an SSL certificate, you also have to get around the problem of storing the username/password on any application server in plain text, unless someone takes the extra steps to encrypt that.

In short, as an authentication protocol Kerberos is far more secure out of the box, is de-centralized, and will put less load on your Directory authentication servers than LDAP will. Kerberos in pure Microsoft Active Directory environments will do both authentication and authorization for you, while directory look-ups are always LDAP. Also, LDAP is not single sign-on. Users must always manually enter a username/password, while with Kerberos they do not have to do this.

Now if you use Kerberos for authentication and LDAP for directory look-ups and/or group-based authorization, then that is the Best Practice, as LDAP was originally designed per the RFCs as a directory lookup protocol only. In fact, when you use a tool such as the "Active Directory Users and Computers" utility, what happens is exactly this: you pass a Kerberos authentication in order to allow yourself to query the AD LDAP service, and your LDAP query from that point forward is just pure LDAP. In mixed environments consisting of both Windows and, say, Linux, you can always use Kerberos for authentication, but that takes some more doing on the application side; for instance, you'll need a keytab generated for you by the AD admin. Group-based authorization will have to be LDAP, and of course directory look-ups are always LDAP.

Your admin probably wants you to use straight LDAP all the way around because that is the easier route to stand up: he just needs to give you the credentials of an AD user account, which you then have to configure on your application side to allow users to log in, then allow group-based authorization, and then query the directory over LDAP.
This question really involves a deep understanding of Kerberos versus LDAP, and there's so much more to say and read about but I'll need to leave it at this for now and provide you with a link: Kerberos vs. LDAP for authentication
Closed 5 years ago.
I've got multiple web apps running across multiple domains. I want to implement Single Sign-On, so that a user signs in once to access all apps.
How should I implement this? All apps use NodeJS backend.
General pointers in the right direction are welcome.
As your apps are running on different domains, there is no way to share cookies between those apps on the client machine to validate the user. So somehow the information needs to be shared on the server end.
Simplest solution that comes to my mind is:
Have a shared session for all servers.
Have a specific authentication domain and redirect users there whenever authentication is needed. Authenticate user there and set a session cookie or token whatever you want.
Whenever any app of yours needs authentication, redirect it to authentication domain. Authentication cookie will be served to authentication domain as well as the referrer domain. On seeing that you are already validated, authentication server can redirect you to original app with proper sessionID, which will be set as cookie for that domain.
If not authenticated, user will be asked to authenticate on authentication server and then the redirection will happen.
With small changes, you can achieve this using tokens and without the need for shared sessions.
Validate the states properly before implementing it. More states in your mechanism means more chances of bugs and possible attacks.
Consider moving your apps to sub-domains of the same domain. If the authentication mechanism is the same, then everyone knows that all apps belong to the same company. It will also be easier for people to remember various sub-domains of one domain rather than remembering all the different domains.
The most used project is http://passportjs.org/; it is pretty much the only one I use, and it has great connectors to on-premise solutions like ADFS and third-party ones like Google and Facebook.
So I have an application where I want to check whether a user is in an AD group before granting access.
I checked out passport-kerberos, but I could not see how to detect the user's AD groups without logging the user in, which he already is on the domain.
On the C# .NET solutions we run on IIS this works just fine, but how can I get this on Node.js with Linux as the server, not Microsoft?
Google isn't being very friendly in this area, so I'll just ask the question here instead...
Just wondering, are there any disadvantages or perils that I should be aware of should I decide to enable Anonymous access on IIS 6 or 7 for a web app that runs internally (i.e. never exposed to the Internet)?
Thanks.
One disadvantage to anonymous access in an intranet is that it prevents you from having any control over user access for the web app.
For example, by using Windows authentication, you can allow authenticated users access to your web app, thereby forcing users to be authenticated inside your domain. This is an extra security measure for an intranet, and the usual implementation for an intranet web application in an enterprise environment.
It will be hard to audit access using IIS logs, as it will always be the anonymous identity that is used. This may impact any enterprise auditing requirements that may be in place. Again, using Windows authentication can allow all domain users to access the web app while providing accurate auditing and access log information.
I have deployed an application on IIS Server with ServletExec configured. I need to run the application with Windows user credentials rather than the Anonymous user. I tried changing the username and password of the anonymous user in Properties/Security, but the application stops responding; changing it back to the default anonymous IIS user account works fine. Why?
Abdul Khaliq
If it is on IIS 6 or greater, there is a place where you can create application pools. If you don't have a dedicated application pool for your application yet, create one. While creating it you can set the identity it should run with. You can set it to one of the system defaults or to a custom identity you've created...
You should change the identity for the application pool (not the website). So it's best to create a specific application pool for every site which needs specific user credentials.
But this question really belongs on serverfault.com