Azure.Identity.VisualStudioCredential with IIS appPoolIdentity - c#

I'm in my way to use Always Encrypted on an existing .Net Framework 4.8 WebApi codebase. The solutions runs locally (for development) on IIS on ApplicationPoolIdentity (Windows 10).
I've set up a sql query which accesses a SQL Server database with an encrypted column.
I'm using VisualStudioCredential locally to access the key vault.
Running the same code from a simple console app works, but when running on IIS VisualStudioCredential cannot access the token provider file under C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json.
Indeed this file does not exists, it does exists in C:\Users\<my-username>\AppData\Local.IdentityService\AzureServiceAuth.
It tried running the pool under my own identity, but then it search the file C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json which does not exists.
Any suggestion on how to get it to work would be appreciated.
[Edit]
I have tried pretty much all the TokenCredential implementation available under Azure.Identity with no success. I think VisualStudioCredential is the way to go, but I'm open to other suggestions. Even an interactive prompt would be OK for me since it is for development purpose, but InteractiveBrowserCredential fails on the worker process.

The link posted by #LexLi in the comments explains the problem.
Azure.Identity.VisualStudioCredential cannot be used with ApplicationPoolIdentity on IIS. The pool must run under the developer's name.
I ended up configuring an application in azure AD for dev environments and using clientId/clientSecret.

Related

ASP.net: Could not use <database file>; file already in use

I have an ASP.net web application (C#) hosted by IIS on my server that connects with an Access database. It's important that I can have the database open in Access and still use the website at the same time.
I get the "Could not use file; file already in use" error whenever I try this. I've done a ton of research on this topic but nothing really seems to work.
I have modify permissions added for IUSR, NETWORK SERVICE and IIS_IUSRS for the folder containing the database. None of this seems to work.
Oddly enough, I tried hosting the website from my local machine and the solution above solved the issue, but it does not work when hosting the website from my server.
My website also chokes up when trying to do an INSERT statement even when the database is closed. I get the error "operation must use an updateable query"
Any thoughts? Thanks.
In regards to:
but it does not work when hosting the website from my server
I am not sure about the rest of your configuration, but this may shed some light onto why you are getting different behaviors on different systems:
You should enable the same permissions (for the Database folder) for the Identity under which the Application Pool you have configured for your Application in IIS.
Open your Server's IIS Management Console
See what the Application Pool is for your App
right click on the Application node:
'manage Application' >> 'Advanced Settings' >> Application Pool
Open Application Pools View: Find the App Pool
right Click the App Pool >> Advanced Settings
Look for the Identity value
That is the Identity you should replicate the permissions for as you did on your local machine's folders
P.S.: It is usually recommended that you configure/create a dedicated App pool for each of your applications.
Hope this helps resolve your issue.

ASP.NET 5 Identity 3 users get signed out after application restart

We are using ASP.NET Identity 3.
Our users are randomly getting signed out automatically. To reproduce this issue, I tried application restart, all users signed out, even those who had checked Remember me.
It only happens in Production, works fine on development environment.
Update:
We have only one server in production.
You will need to configure data protection in the production server. I assume that in your local machine the website runs as a local user so the registry hives can be created and read. While if you run it as a user without a local profile (default IIS app pool user option), it may not have the permission/s to create or read the keys required. You'll need to run this provisioning script in that case.
Have a good read about their guide on Publishing to IIS. That step is documented there.
The production machine might be using multiple servers. In that case, the server to which a user first connects might not be the same server to which that user later connects. In that case, if you are using session IDs, you must keep user sessions in sync across servers.

Cannot programmatically access network path through VPN

I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.
Everything works fine from my office where the network path is in the same LAN of my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with "Access to path is denied" error.
The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.
I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.
Can you help me please?
Thank you very much
EDIT:
When I try to execute a statement like
Directory.CreateDirectory(#"\\my\network\path");
from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.
The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)
I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.
runas /netonly /user:domain\username “C:\ProgramFiles\Path\to\your\visualstudio”
I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and Sql Server Management Studio, and it works like a charm.
If I've misunderstood the issue, sorry for the noise.
Sounds like when you are running locally, your local domain account is the context under which everything is being ran. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the networkservice account has some pretty low privileges.
Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can "wrapped" in a context the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:
How do you do Impersonation in .NET?
See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:
https://www.nuget.org/packages/SimpleImpersonation

How to restarting server from an IIS process running on Azure?

We're running a WCF service on Azure and we want to be able to restart the machine from code.
I've attempted the following methods:
Method 1 - Using Process.Start("shutdown.exe")
http://msdn.microsoft.com/en-us/library/vstudio/system.diagnostics.process.start
Problem with this method - IIS 7 has security by the application pool, and manually changing permissions/etc on Azure resets and can't be trusted.
I've attempted using icacls (http://technet.microsoft.com/en-us/library/cc753525.aspx) to give IIS permission to run shutdown.exe but unfortunately it seems that it doesn't work on files inside the system32 folder.
Method 2 - Calling RoleEnvironment.RequestRecycle
http://msdn.microsoft.com/en-us/library/microsoft.windowsazure.serviceruntime.roleenvironment.requestrecycle.aspx
We've used this function, it works well - however we require a full server restart and not just a role instance recycle.
Method 3 - Using Azure's REST API
http://msdn.microsoft.com/en-us/library/azure/gg441298.aspx
This so far looks the most promising method of achieving this, I was able to get this to work from my dev machine by generating a certificate, uploading it as a management certificate on the Azure portal, however, for the life of me I couldn't get the management certificate from the Azure instance itself.
So - If anyone can think of a way to make method 1 or 3 work is great, or if you can think of another option - it would be greatly appreciated.
Another option would be to use Azure Powershell cmdlets(http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/).
You can then run Restart-AzureVM(http://msdn.microsoft.com/en-us/library/dn495199.aspx) + many other other management commands
I ended up using Method 3 (Using Azure's Management Libraries), and I used the base64 encoded management certificate inside the Publish settings file (which can be downloaded here https://windows.azure.com/download/publishprofile.aspx).
Inside there was the base64 string of the management certificate attached to my subscription.
Not the prettiest solution, but it works.

Reading Files On Network From IIS7.5

I have a WCF Service running on Windows Server 2008 R2 Enterprise. The IIS Version is 7.5. One of the methods in the service reads from a file on the network. It's failing when it tries to do this, but I can't log a proper error to find out why. My guess is that this is a permissions issue, but not being savvy with IIS, I don't know where to start.
The site running my service is using an App Pool with NetwrokService as the Identity. I have tried other built-in accounts, but I get the same problem. When looking at the running processes in Task Manager, I see w3wp.exe is running under the NetworkService account - which is how the App Pool is configured.
I'm trying to reach a share such as: \Machine1\SharedFiles\MyFile.txt. I can access this same share easily from file explorer so I know it's valid. Every other part of the service runs as expected which leads me to believe my IIS configuration is fine - other than possibly a permission setting that allows reading of files on other machines.
Anyone have any idea what I am doing wrong?
Thanks,
Start here:
http://learn.iis.net/page.aspx/624/application-pool-identities/
It is a permission issue. The share, and the files within it, need to grant access to the IIS servers machine account.

Categories