We are using ASP.NET Identity 3.
Our users are randomly getting signed out automatically. To reproduce this issue, I tried application restart, all users signed out, even those who had checked Remember me.
It only happens in Production, works fine on development environment.
Update:
We have only one server in production.
You will need to configure data protection in the production server. I assume that in your local machine the website runs as a local user so the registry hives can be created and read. While if you run it as a user without a local profile (default IIS app pool user option), it may not have the permission/s to create or read the keys required. You'll need to run this provisioning script in that case.
Have a good read about their guide on Publishing to IIS. That step is documented there.
The production machine might be using multiple servers. In that case, the server to which a user first connects might not be the same server to which that user later connects. In that case, if you are using session IDs, you must keep user sessions in sync across servers.
Related
I'm in my way to use Always Encrypted on an existing .Net Framework 4.8 WebApi codebase. The solutions runs locally (for development) on IIS on ApplicationPoolIdentity (Windows 10).
I've set up a sql query which accesses a SQL Server database with an encrypted column.
I'm using VisualStudioCredential locally to access the key vault.
Running the same code from a simple console app works, but when running on IIS VisualStudioCredential cannot access the token provider file under C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json.
Indeed this file does not exists, it does exists in C:\Users\<my-username>\AppData\Local.IdentityService\AzureServiceAuth.
It tried running the pool under my own identity, but then it search the file C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json which does not exists.
Any suggestion on how to get it to work would be appreciated.
[Edit]
I have tried pretty much all the TokenCredential implementation available under Azure.Identity with no success. I think VisualStudioCredential is the way to go, but I'm open to other suggestions. Even an interactive prompt would be OK for me since it is for development purpose, but InteractiveBrowserCredential fails on the worker process.
The link posted by #LexLi in the comments explains the problem.
Azure.Identity.VisualStudioCredential cannot be used with ApplicationPoolIdentity on IIS. The pool must run under the developer's name.
I ended up configuring an application in azure AD for dev environments and using clientId/clientSecret.
Question edited to show some new screenshots of my attempt to give DefaultAppPool access to the database...(the rest of the question is the same, and unchanged):
The rest of the question, unchanged:
Database access was not a problem with the built-in IIS Express, because my program was running under the user logged into windows. I am new to Web Development.
With Windows Home, you are not allowed to use Windows Authentication--the option is not even present when you go to add\remove feature, and consensus is that you have to upgrade your OS for this to be available.
Hence, the program runs under the app pool account.
So I tried to go into SQL Server and give IIS APPPool\DefaultAppPool account access, but it would not let me.
So I went ahead and turned on impersonation, so that it will run under IUSR account, and I gave that account access to the database, as per screenshots.
But the program still crashes and reports that, "Login Failed..."
How do I run the program in IIS and not IIS Express?
As far as I know, there is no need to use impersonation to access the sql server. The reason why you get account not found error is you use the wrong application pool name.
If you type in the {yourcomputername}\DefaultAppPool, it is not regarded as the application pool identity.
You should use IIS AppPool\DefaultAppPool instead of the {yourcomputername}\DefaultAppPool.
Details, you could refer to below image:
I have two applications: one is WebAPI REST Service written on .NET 4.5, and another one is its client application written on .NET Core 2. There's a windows authentication enabled on the service side. Client one makes simple GET call using HttpClient with HttpClientHandler loaded with credentials from configuration, it is some service account. Very basic stuff that can easily be googled in tons of examples, there's nothing fancy there at all.
When this call is performed from my local dev laptop to DEV server then everything works as expected: user provided in the client's configuration gets authenticated successfully on the service and is able to perform whatever operations he is allowed to perform.
It also works fine if I perform this call from the browser (Chrome) - it asks me for credentials and then returns result that perfectly correlates with whatever credentials I put there. It works this way with both remote and local services.
However, if I run the service locally on my laptop (local IIS Server, not an Express one) and call is performed using localhost address then I observe strange behavior: windows authentication seems to work as well, but the user that service authenticates is not the one from client's configuration. Instead, it is my AD account with which I have logged on interactively in windows (btw, it's win 10 ent x64).
Of course, I've verified five times every single config setting and runtime value in my applications, all settings on local and dev server's IIS, on web application and IIS Server level and app pools used for apps. Everything I see looks good - except it behaves differently when on localhost. Also, I googled every question that I could imagine but still can't seem to find an explanation to this behavior.
So, why HttpClient uses my account on the localhost instead of explicitly provided credentials? What am I missing here?
I have an ASP.net web application (C#) hosted by IIS on my server that connects with an Access database. It's important that I can have the database open in Access and still use the website at the same time.
I get the "Could not use file; file already in use" error whenever I try this. I've done a ton of research on this topic but nothing really seems to work.
I have modify permissions added for IUSR, NETWORK SERVICE and IIS_IUSRS for the folder containing the database. None of this seems to work.
Oddly enough, I tried hosting the website from my local machine and the solution above solved the issue, but it does not work when hosting the website from my server.
My website also chokes up when trying to do an INSERT statement even when the database is closed. I get the error "operation must use an updateable query"
Any thoughts? Thanks.
In regards to:
but it does not work when hosting the website from my server
I am not sure about the rest of your configuration, but this may shed some light onto why you are getting different behaviors on different systems:
You should enable the same permissions (for the Database folder) for the Identity under which the Application Pool you have configured for your Application in IIS.
Open your Server's IIS Management Console
See what the Application Pool is for your App
right click on the Application node:
'manage Application' >> 'Advanced Settings' >> Application Pool
Open Application Pools View: Find the App Pool
right Click the App Pool >> Advanced Settings
Look for the Identity value
That is the Identity you should replicate the permissions for as you did on your local machine's folders
P.S.: It is usually recommended that you configure/create a dedicated App pool for each of your applications.
Hope this helps resolve your issue.
Using a Library I found from Microsoft, I have been attempting (with C#) to provision email accounts for my users with Live#Edu and the library uses remote PowerShell sessions to do this. I have wrapped the PowerShell calls with a using() { } block that impersonates a local administrator account. When I run the code on my own development machine it works great and provisions the account on Live#Edu, yet when I run the same code on the production server I get an Access is Denied error from PowerShell.
What I just noticed is if I change the IIS Application Pool user on the server to my own domain account everything works fine on the production server, but leaving it as ApplicationPoolIdentity does not work. So it appears that even though in my code I impersonate a local administrator, those credentials are not being passed on to the PowerShell session. Oddly enough, when the scripts run on my own machine, also under ApplicationPoolIdentity, there is no problem and that leads me to believe that the script is actually running under my own account on my machine (and I am a local administrator).
I did have the code spit out the value of $env:username and it gave me the machine name and I was expecting it to give me the actual username it runs under since that is what I get when I type that command directly into a PowerShell window.
When logged in to the remote server interactively using the credentials that I have been impersonating in code, I can manually type all of the PowerShell cmdlts into a PowerShell window and they work fine.
I don't want to have my IIS Application Pool always running under an administrator account as that sees foolish so is there a way of running the PowerShell script as an administrator that goes further than the current impersonation that I am doing?
UPDATE:
There was an odd thing that happened that sees to work as a solution for me. After deploying my code to the server I created added a local administrator account. I then went to the IIS Application Pool and changed the owner from ApplicationPoolIdentity to the admin account I just created. After that the page would work fine to run the PowerShell script. I already knew this from before, but didn't want to have IIS using an admin account. I then proceeded to set the Application Pool back to ApplicationPoolIdentity and removed the Local Admin account and the page still works!? I restarted IIS, and the Web Server itself, and everything works. All I can think is that moving the Application Pool over to an Admin account changed some attribute in the App pool permanently. I have now put a modified question on ServerFault.
Turns out the issue had to do with the Load User Profile option in the IIS App Pool for my app being set to False on the server (False is the default for Windows Server 2008). After reading up on this property I am not entirely sure why this matters for my scenario, but that was the one setting different in IIS on my local machine from what the Web Server had. Now all the PowerShell calls work flawlessly on the server.