I have deployed an application on IIS Server and Servlet Exec configured. I need run the application with windows User Credentials rather than Anonymous User. I tries changing the username and password of annonmous user in properties/Security but the application stops responding changing it back to default Anonymous IIS user account works fine??
Abdul Khaliq
If it is on iis 6 or greater, there is a place you can create application pools. If you don't have a dedicated application pool for your application yet, create one. While creating you can set the default identity it should work with. You can set it to system defaults or a custom identity you've created...
You should change the identity for the application pool (not the website). So it's best to create a specific application pool for every site which needs specific user credentials.
But this question really belongs on serverfault.com
Related
With asp.net vPrev we was able to separate application pool account and access account for anonymous access ("anonymous user identity", IUSR be default). This is extremely helpful to secure the app: you may sure that no high level access will be provided for anonymous, even if application pool account has high privileges.
Is it any way to do the same for ASP.NET Core application? From my understanding of core's execution model that will not be possible, because IIS act just as a proxy. Am I right?
May be there are some ways to do the same but with an another approach? The main goal is to have ability to switch context between application pool and anonymous context. As simple example: when app starting we can read\write\do whatever with application pool account, but inside request context we will operate with anonymous user identity.
Not a fan of answering own questions, but subject is possible. You can get anonymous user context from IIS SDK:
using Microsoft.Web.Administration // from Microsoft.Web.Administration.dll, nuget microsoft.web.administration
// ....
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", siteName);
string userName = (string)anonymousAuthenticationSection["userName"];
string pwd = (string)anonymousAuthenticationSection["password"];
Of course this is not really secure (in have to run your app under account that have access to IIS) and you need to keep site name somewhere in config, but it works.
I was trying to register an Application Login Module in Websphere but I don´t find any easy example in web.
There are a lot of IBM documents, but too much complex, and I can´t figure out how to register an Application Login Module.
I already have success with a System Login Module bounded to WEB_INBOUND, it works, but affects all my system. I want a Login Module to serve only my applications web, with JAAS authentication.
I´ve tried to bound a login module to existing WSLogin but it doesn´t seems to be working.
Any help ?
tks[]
You need to setup security domains to get the separation you are looking for wrt to the login configurations. The security framework uses the WEB_INBOUND login configuration to authenticate the user for all web applications irrespective of adminConsole or user applications. When you create a security domain and customize the WEB_INBOUND configuration at the server/cluster domain level, it will be used for all the user web applications deployed in those processes. You need to setup the multidomain in a cell topology and assign the domain to the server/cluster where you applications are deployed.
Once you setup the domains, the WEB_INBOUND configuration at the server/cluster domain will be used by the user applications hosted in that server/cluster while the WEB_INBOUND configuration at the admin/global domain will be used for the adminConsole application at the Deploymener Management process where it is deployed.
The application JAAS login configurations are meant to be used by the applications directly. One can create an application login configuration and programmatically use it in the application to perform direct login -
LoginContext lc = new LoginContext("myAppLoginCfg1", callBackHandler);
I asked around and this is the answer that comes from the owner of container security:
The WEB_INBOUND is a JAAS system login that is always configured by default. However, you can specify your own JAAS application login or customize the existing WEB_INBOUND system login. If you want only one application to use a different JAAS login from all your other applications, you can use a security domain that has those different security configurations. The only catch is that application server has to be in a separate server from the other apps. That way, you can map your security domain to that server.
Here's an info center article about security domains:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_sec_domains_config.html?cp=SS7K4U_8.5.5%2F1-8-2-33-1
And one on application logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/rsec_logmod.html?cp=SS7K4U_8.5.5
And system logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/usec_sysjaas.html
And here is a much more practical answer that comes from the security dev lead:
So an additional question is - why would you want to do that? Do you want to do anything specific for just one app during login that you do not want for other app logins? (I would think so) You can get the app name in your custom login module and can use that to provide your own app based login requirement in your login module (or skip it) if needed.
Me: Ya, this is what I would do. You can also implement this based on what is in the request. I did one where it would request a SAML token from an STS and put it on the runas subject if I could tell that the request came from WebSeal (and not if it didn't).
If what you need to do for the 'app-specific' case requires skipping what is done in ltpaLoginModule and wsMapDefaultInboundLoginModule (that should run for the other apps), you can't really do that. However, you can modify their behavior.
Read through the task I've given a link to below. Yes, I understand it is a WS-Security task, but its about using APIs. You'll get what I'm talking about if you read closely, particularly the 3rd ("When a caller...") and 5th ("To use a..") paragraphs. The parts that you should be concerned about in the code is the WSCREDENTIAL* stuff.
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html
I have a server 2012 box running IIS. I am trying to change the admin password for the OS, but it is breaking permissions/access for IIS. I have since reverted back to the old password and all works. What do I need to change in addition to the OS to make the new password work for IIS sites?
Open IIS
Select Application Pools
right-click on your pool and select Advanced settings...
Edit the Identity setting with your credentials
For mine, I set the Custom Account. I have to update this every time I change my credentials.
Have you tried synchronizing the new passwork in IIS, in the sites thats don't work?
Check site credentials, specially if using a "specific user" (as opposed to pass-through authentication) at:
IIS console-->Click on site-->Click Basic Settings (on the Action panel)-->Connect As
There you can synchronize the password registered in IIS with the current user password, but take note that if this works, then something is wrong with your configuration since the logged on user (the admin as you mentioned) shouldn't be used to access site data/folders. It's way too risky!!
If you're using pass-through authentication, check the configuration of the application pool that the site is using, but I repeat: If changing/synchronicing the admin's passwork solves your problem, then you must have some bad configuration in place.
So I have a application that I want to check if a user is in a AD-Group to be able to access.
I checked out passport-kerberos but I could not see how to detect the user's add groups without logging the user in, which he already is on the domain.
On C# .Net solutions we use on IIS this runs just fine, but how can I get this on Node.js with Linux as server not microsoft?
I have a ASP.NET application that need to access to ANOTHER application, the ANOTHER application expecting Kerberos authentication, it based on the user credential to response to the request. My ASP.NET app is running on a AD service account that is setup to allow delegate to the ANOTHER application (with proper SPN).
So the process is, user requests to the ASP.NET app, the ASP.NET app will impersonate the request to the ANOTHER application by delegation (with kerberos).
When I run the app in local machine (My ASP.NET resides), the request was successful, however, if the request is coming from remote client machine, it failed, from the ANOTHER application's log, it shows the Identity is not presented.
Any clue?
Have a look at the following which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources that that should help you troubleshoot.