I have an MVC application that will be running on an IIS 7.5 Server in an application pool running under a service account.
In my application I make a connection to a TFS server, this connection needs to be made by the service account.
My application enforces windows authentication, this is so I can gather usage data about which users use the application. I do this through a custom Action Filter in MVC to collect the username like this: HttpContext.User.Identity.Name
How is it possible for me to impersonate the service account, yet be able to keep the windows username of the original user? I can successfully connect to my TFS server if I use anonymous authentication, while running the application pool under the service account.
Let me know if you need more information.
Related
We are hosting a server side Blazor app on IIS. It's a web portal type app. The application pool running that app is running as a service account that has access to our API.
However, there are some parts of that API that need to be hit by individual users. It's the type of resource that users should have access to only their own resource, and not be able to view everyone else's. Hence why we need to access it via a user account and not the service account.
On the portal side (the blazor app) how can we impersonate the user that is actually running the browser? Right now this code
var user = System.Security.Principal.WindowsIdentity.GetCurrent();
just gets the service account running the app pool.
I created a Blazor Server application (.Net core 3.1). The application uses Windows authentication. The application will need to access some Windows services like file sharing, and database with Integrated security etc. So it has the following impersonation code.
var identity = await IdentityProvider.GetIdentityAsync();
if (identity.IsAuthenticated && identity is WindowsIdentity wid)
{
return WindowsIdentity.RunImpersonated(wid.AccessToken, () =>
{
Fun1(....); // Should be called using the authentication of logged in user
});
The Fun1() should be called using the identity of the Windows users who are using the application, instead of the account which is used to running the website.
For example, the Identity of the application pool for my web site is MyDomain\UserX. And when a user MyDomain\UserY is using the website. I want the function Fun1() is impersonated under MyDomain\UserY instead of MyDomain\UserX.
I created a website on IIS, published the code, disabled anonymous authentication and enabled Windows Authentication. However, the function Fun1() is still called using the identity in the Application Pool? Should any settings in the Active directory be changed?
In order to access database using the logged in user's credentials (the user who is accessing your API and not site's app pool identity), you need to setup Kerberos constrained delegation. Pls refer: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
https://blogs.uw.edu/kool/2016/10/26/kerberos-delegation-in-active-directory/#:~:text=What%20is%20Kerberos%20Delegation%3F,tier%20is%20the%20web%20site.
this may not be helpful to you, as the question was asked long time ago. but may be useful if someone else is in the same situation.
I installed a MVC 5 web application on a cloud hosted server. It uses Windows authentication. The company itself uses a different domain than the servers in the cloud use.
For example. The company uses xycom as domain and the cloud computers use xycloudcom as domain.
The xycloudcom servers have access to the AD controller of the xycom domain.
Now I installed an application on the cloud server. It has only Windows Authentication enabled and all works fine when accessing from a computer and account in xycom domain.
The only issue is that I am not able to open the website from the server itself. It opens a dialog asking me for my credentials. If I enter them (my xycom account) I get a 401 Unauthorized.
If I enable Anonymous authentication I can open the web site. So it's not a DNS issue.
Can someone help to solve this issue since I need to trigger an action by a console application in ScheduledTasks using a web request.
Server is Windows 2012 R2.
You will not be able to open the site from the server, if that server is not on the same domain.
The integrated windows authentication would work only if there is a trust between your Cloud VM's domain and the xycom comain.
Hope this helps.
I am using Windows Server 2018, IIS 10 and my web application targets .Net Framework 4.5.1. My API, I built using .Net Core 2.1 and Visual Studio 2017. Both the website and the API use windows authentication.
I used this person's tutorial to try and setup Kerberos two hop authentication (https://blogs.msdn.microsoft.com/surajdixit/2018/02/07/kerberos-configuration-manager-for-internet-information-services-server/).
Steps I've taken and tried,
Set the app pool to run under a custom domain account.
Added an SPN to the domain account that points to the website DNS address in the domain
Switched the app pool to classic mode
Turned on Windows Authentication and Impersonation for the website.
Had system admin grant the custom domain account delegation rights.
The current problem I am facing, is now that I made all these modifications to the app pool and the website in IIS, when I try to connect to the website, it prompts for credentials, which shouldn't happen as it should authenticate me through my windows domain account, when I input the credentials, it just refreshes with the prompt for credentials again. When running locally everything works correctly and the HttpClient in my web application successfully calls out to the API.
I have spent hours on this and would appreciate any help. I am out of ideas.
So after trying multiple walkthroughs and working with other developers, I found that the issue was both applications, the web app and the api, running on the same server. Once I moved the api to it's own dedicated server, I had no need for impersonation and was able to just load the user profile credentials from the app pool as it was running as a domain account. HttpClient and WebClient objects were both successful then at making requests to the api by setting UseDefaultCredentials = true.
If anyone ever has this issue, try hosting your api on a different server. I spent a few days thinking it was something I had done wrong in configuring things, and in the end, it was just where I was hosting the applications.
There may be a way to make this work successfully on the same server, but I was unable to make it work. Maybe someone else who is more experienced can add to this post to help show how to do this on the same server. Happy coding everyone.
I have created a self-hosted ASP.NET Web API service (using OWIN) that I am running as a Windows service. I want the user to have the option of using Windows authenticated users in SQL Server and I would like the browser/user-agent accessing the (REST API) web service to pass through the NTLM user info so that they get Windows authenticated access to the SQL Server database.
Is there a standard way of doing this?
Thanks.