I would like to use integrated authentication to access a SQL database from a web part. It should use the IIS Application pool identity.
By default you will get the error:
System.Data.SqlClient.SqlException: Login failed for user 'SERVER\IUSR_VIRTUALMACHINE'.
Because in web.config impersonation is set to true:
<identity impersonate="true" />
I can set this to false and the database code will work. Anonymously accessed sites will also work. Any SharePoint site that uses authentication will fail however so this is not really a solution..
To solve this would I have to encapsulate all my database access code to run with elevated priviliges, is that how SharePoint does it internally? Somehow that doesn't seem like the most performant solution.
Is that still the way to go, just use SQL security to access databases from SharePoint custom web parts?
The <identity /> and <authentication /> elements in the web.config file will together determine the account that is used in to connect to SQL Server when using integrated authentication.
When <authentication mode="Windows" /> is configured, you're deferring to IIS to authenticate users. I'm guessing that your your web.config contains:
<authentication mode="Windows" />
<identity impersonate="true" />
and that IIS is configured to allow anonymous users. Setting <identity impersonate="true" /> causes IIS to pass the identity of the IIS anonymous access account to SQL Server.
As Lars point out, using SPSecurity.RunWithElevatedPrivileges will achieve what you want. I don't believe you'll see any noticeable impact on performance but that's something you can test :-)
Use SPSecurity.RunWithElevatedPrivileges to run your code in the context of the app pool identity.
This is incorrect. Because <identity impersonate="true" /> is set to true ASP.NET / IIS will run the thread as the user that is currently logged in (so not the app pool account but the actual user logged into the website).
Something else is going on here. Could you post your connection string for the custom database? (minus the private data off course)
Related
I know that this has been asked before here, but I couldn't find a way to fix this. I'm using VS 2022/MVC 5/IISExpress and these are my configs:
web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
And these lines in my vbproj file:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
According to the approved solution in this post the above should work, but doesn't. I am logged in to Windows using my domain account and have been added to local administrators group (Of course I'm not a domain admin, just a standard user). I can login to my web app using my own domain account, but not with other domain accounts (I have tried two different accounts). Any credentials other than mine is rejected by application. How can I fix it?
I am developing a WebForms project in VS 2017 and I would like to add Forms Authentication so that anonymous users cannot access a specific page (called Resources). So far, my Login page is logging in users as it should, authenticated users have access to Resources, and all users can browse my non-protected pages.
Here's my problem: Whenever an anonymous user attempts to access Resources, a server error occurs instead of being redirected to the Login page. In IIS Express the error message is "HTTP Error 401.0 - Unauthorized. You do not have permission to view this directory or page". In Local IIS it says "Error message 401.2: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.
I believe the browser and server are trying to authenticate using different methods, but I can't figure out how to fix this.
In IIS manager, I've enabled both forms and anonymous authentication and disabled the other methods for my website. For anonymous auth, I've tried setting the user to IUSR as well as Application pool identity while running on DefaultAppPool with full security permissions - neither worked. And for Forms auth, the parameters match my web.config file, aka same name and login url (not sure if that matters).
Here is the authentication and authorization code in my web.config:
<authentication mode="Forms">
<forms name=".ASPXAUTH" defaultUrl="Index.aspx" loginUrl="Login.aspx" />
</authentication>
</system.web>
<location path="Resources.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
Am I missing something obvious? Are there other settings I should check out? Any help is immensely appreciated!
I have a static site (i.e all html files, no .Net project) that is being hosted in Azure. I'm trying to password protect this site. I've read that I could create a custom authorisation module, which I've done, but I can't install this as I need to run a appcmd.exe command to allow the correct bit of the web.config to be edited.
Either; how can I password protect a static azure site, or how can I take advantage of the features of the ServiceDefinition.csdef without having a visual studio project?
On the management portal, you can configure that your site needs to use credentials. Credentials are managed via the Azure portal if you use this method.
You could use Forms Authentication which should be pretty straightforward to implement and won't require any startup task (necessary to run appcmd.exe).
Set your application to use forms authentication in your web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/myadminlogin.aspx" protection="All" path="/" timeout="120" />
</authentication>
Define the protected folders in your web.config.
<location path="secure">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Within your login area check a condition and set the auth cookie:
'SET AUTH COOKIE
FormsAuthentication.SetAuthCookie(sessionID, False)
response.redirect(/secure/securearea.html)
This unfortunately is the one page where you will need some server side code.
I have a console application which connects to two different SQL databases. I'm using the "impersonate" tag within the config file to force the application to login as "APP_USER". The APP_USER account utilizes windows authentication & has been granted permissions in both databases.
The first DB connection works fine, but the second one fails as it is trying to log in as my account which does not have access.
System.Data.SqlClient.SqlException: Login failed for user 'DOMAIN\CURRENT_USER'.
What do I need to change in my config to make the application login to both databases as another user?
<configuration>
<connectionStrings>
<add name="Connection1" connectionString="metadata=res://*/Models.Model1.csdl|res://*/Models.Model1.ssdl|res://*/Models.Model1.msl;provider=System.Data.SqlClient;provider connection string="data source=DB1;initial catalog=DBcat1;integrated security=True;multipleactiveresultsets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
<add name="Connection2" connectionString="metadata=res://*/Models.Model2.csdl|res://*/Models.Model2.ssdl|res://*/Models.Model2.msl;provider=System.Data.SqlClient;provider connection string="data source=DB2;initial catalog=DBcat2;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
</connectionStrings>
<system.web>
<identity impersonate="true" userName="DOMAIN\APP_USER" password="password"/>
</system.web>
</configuration>
Apparently the config-setting route can only be used in asp.net projects. In order to accomplish this within a console application, you have to write code that utilizes LogonUser within the advapi32.dll library.
Similar question: StackOverflow: Windows Impersonation from C#
I based my final code off of the following project: Code Project: A small C# Class for impersonating a User
Everything seems to be working fine now.
I am trying to authenticate with the sharepoint authenticate web service in an account I have.
I get an error saying NotInFormsAuthenticationMode.
How do I change it from forms to none or windows?
I tried with:
myReference.Authentication auth = new myReference.Authentication();
myReference.AuthenticationMode = myReference.AuthenticationMode.None;
but it says myReference.AuthenticationMode is a type. which is not valid in the given context.
Suggestions?
Any help is appreciated.
Your sharepoint server needs to be modified...
See steps 5, 6 and 7 here:
simple-talk.com/dotnet/windows-forms/configuring-forms-authentication-in-sharepoint-2007/
This is all done in central administration.
Normally in other asp.net applications you would do this through the web.config to look something like this:
<!-- Web.config file -->
<system.web>
<authentication mode="Forms">
<forms forms="401kApp" loginUrl="/login.aspx" />
</authentication>
</system.web>
Edit:
Alright, if you cant change windows authentication then you need to change the way you're authenticating. If impersonate is enabled in the authentication of the sharepoint site than you can programatically impersonate a user.
See http://msdn.microsoft.com/en-us/library/ms998351.aspx ("Impersonating by using LogonUser")