I've got a web method set up on SERVER A and need to connect to the file system on SERVER B.
Currently I have a wide array of web services that already run on SERVER A where the identity on the application pool is set to NETWORK SERVICE. The issue is that I cannot seem to give the NETWORK SERVICE on A access to the file system on B. Changing the user on the app pool isn't really an option as there are too many possible train wrecks that could materialize on the outgoing web service calls.
So the solution I am trying to come up with is temporarily changing the Web Method identity user from NETWORK SERVICE to DOMAIN/SOMEUSER when the web method is called.
The property I need to change is System.Web.HttpContext.Current.User.Identity.Name
Can anyone tell me how I can go about doing this? Many of the solutions online seem to refer to Windows Azure - which I'm not using, so the approaches outlined don't work.
Thanks!
Try using impersonate in your service.
<system.web> ....
<identity impersonate="true" userName="accountname" password="password" />
You might have to play with the tag in the web.config. Our is normally set to <identity impersonate="false" /> and the application pool uses a domain user for permissions.
Related
I have an ASP.NET website (in C#) that takes in user data and then attempts to create a windows scheduled task. Of course, this works great on the DEV machine, but fails to run on the server. I'm trying to figure out what permission(s) are required on the ASPNET user (or anonymous web user) to create tasks.
The error is:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Stacktrace:
at MyScheduler.NewWorkItem(String TaskName, Guid& rclsid, Guid& riid, Object& obj)
at MyScheduler.CreateTask(String name)
I've done some searching, and the suggested resolution is to use the web.config 'impersonate' flag to force the application to run as a user with sufficient permissions, as opposed to the ASPNET account which may not have those permissions.
Example:
<system.web>
<identity impersonate="true" />
</system.web>
Unfortunately, this does not seem to resolve the issue. From the documentation I read, this should run as the anonymous web user, but it seems that user does not have enough permissions.
I altered the setting to specify a specific domain user that happens to be an administrator on the machine. Example:
<system.web>
<identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>
Doing this allowed the application to successfully create the Windows Scheduled Task. So, obviously, with the correct set of Windows 2003 permissions I can get the app to perform as it does in the development environment. However, I'm not about to place the network or machine administrator account's user credentials in plain text on a Web.config file.
Does anybody happen to know what permissions exactly need to be set in order to get the ASPNET account to behave as desired?
EDIT: The Win32 API is being used to create scheduled tasks.
Instead of worrying about the ASPNET user permissions, would your internal process allow you to create a machine specific account and supply the credentials there?
I have been able to solve my particular problem, though not completely. I have still not identified the exact rights needed to create and run scheduled tasks, but the following seems to work:
Add the <identity impersonate="true" /> to the Web.config
Add the IUSR user (which is the user the app will run as using impersonate) to the "Backup Operators" group.
This gives the application access to the Scheduled Tasks folder so that they can create and run the task.
We had an additional issue, which was that the tasks were attempting to run as the Local System Account. Unfortunately, only administrators seem to be able to assign the Local System Account as the running user, so we needed to impersonate as an Administrator account, not as a Backup Operator in order to get our code functioning correctly.
Are you writing something to the eventlog ?
It is possible that your component (which is hosted in IIS i presume ? ) has no access to the write something in the eventlog.
This is merely a guess ~ a while ago, I've been faced with a similar problem, and I've solved it in this way:
Click
Another option is to flash the bios on the server
I have created 2 webapplication in Visual Studio 2013 using C#.
I have registered 2 new users in both the applications.
Now if I run both the application in Google Chrome. I am getting the following;-
1) If I login in one website and if I refresh the other website page. It is also logged in.
How can i make it seperate, so that both can have there seperate users?
Has it someting to do with Context.User.Identity, are both site using same cookies??
Please help me in understanding it.
Thanks
Assuming you haven't explicitly changed the authentication configuration in the web.config across both websites, then the behaviour you are seeing is by design.
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
...Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications.
So, if you want an independent ticket for each site, the easiest solution would be to give each site it's own distinct ticket name
<forms name=".ASPXFORMSAUTH_SITEA" ... />
<forms name=".ASPXFORMSAUTH_SITEB" ... />
For security purposes, you might also want to consider using different encryption/decryption keys as well.
You can make the logins seperate by doing the following (my guess is that you want the sessions seperate as well), which Microsoft advise to do if running multiple websites from a web server, most likely to avoid this cross cookie issue...
In your web.config give the session and the authentication cookies unique names, e.g.
<sessionState cookieName="UNIQUESESSION1" timeout="20"/>
and
<forms timeout="2880" name="UNIQUEAUTH1" />
I am working on a hosted ASP.Net application, with Windows Authentication, and I need to get the username for various personalisation tasks. The directory on the host machine is set to have Windows Authentication and the web.config file also has:-
<authentication mode="Windows">
</authentication>
in it. I have tried various methods within the application to get the user name with the following results:-
Source Result
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name 'EZ\urlname_a'
System.Environment.UserName 'NETWORK SERVICE'
System.Web.HttpContext.Current.User.Identity.Name ''
this.Request.ServerVariables["LOGON_USER"] ''
this.Request.ServerVariables["AUTH_USER"] ''
this.User.Identity.Name ''
thanks to the answers here, here, and here, among others. None of these distinguish between the various usernames that were entered.
Is there anything else I can try in code to get the name (or some proxy for the name)? Is there anything I can check for in web.config? Or if I need to take the matter up with the host, is there any intelligent question I can ask?
Edit I have set the application directory and .Net version using the host's IIS Dialogue.
You need to set IIS to use Windows Authentication only, then use Page.User.Identity.Name or similar to fetch the windows user name.
From the Authentication pane, set the Windows Authentication to Enabled and Disable anonymous authentication.
We have a WCF Service, using WSHttpBinding and security mode set to Transport, as we are using SSL. We have also been asked to make sure the service can only be called by the 1 web application that uses it, is there any way to block other applications from talking to it?
The application and service are all running within a company intranet, but there would be other applications on that intranet as well, so they want us to block them out. we tried setting the transport's clientCredentialType ="Windows" but that keeps bringing up a prompt to login whenever accessing the site, the users do not want that, as they are already logging in once the site comes up.
start here to get an overview
http://wcfsecurityguide.codeplex.com/
Some light reading...
the quick answer lies in how can you uniquely identify the Web application ?
Does it have its own APP pool on an IIS server ? And therefore could have its own user.
IS this user on The same Active directory. Then your can base the security on the Application user.
You could potentially use a firewall to make sure the traffic only comes that Web server.
You could uses an X.509 cert issued to that server and change the Binding to required X.509.
Without knowing more about the environment its hard to know what to recommend.
The guide is good. Start at solutions at a glance(page 13) to get a feel about your options and jump around from there. Unless you are patient enough to read the guide ;-)
I'm trying to access an oracle database using
using System.Data.OracleClient;
from a console application, accessing the database is fine. however from an ASP.NET web site i get the error:
ORA-12640: Authentication adapter initialization failed
I've googled around and found that changing sqlnet.ora file would solve the issue
//before
SQLNET.AUTHENTICATION_SERVICES= (NTS)
//after
SQLNET.AUTHENTICATION_SERVICES= (NONE)
Later I found another application on the same server, that uses other database of Oracle as well, is requiring the value of SQLNET.AUTHENTICATION_SERVICES to be "NTS". This would cause my web site to fail accessing the database with the error ORA-12640. I have tried "ALL" as value but still it didn't work.
How can I configure my website to access the oracle database while sqlnet.ora is configured as "SQLNET.AUTHENTICATION_SERVICES= (NTS)" ?
P.S. the website uses Windows Authentication and impersonate as follow:
<authentication mode="Windows"/>
<identity impersonate="true"/>
This looks like the multi-hop impersonation issue to me.
If it's an option for you, I suggest having your application run under a single identity when accessing the database (this should also allow connection pooling to occur as a beneficial side-effect).
To do this, you would need to configure an app pool to run under an account that has access to Oracle. Once the application is running under that app pool, turn impersonation off in your application so that the database calls occur using the app pool identity.
If you have to impersonate the calling users over the network, the method used will depend on your environment. For more information, see How to Use Impersonation and Delegation in ASP.NET 2.0.
I was also facing the same issue, but finally got it working. Created a service account(named kerb_user in the active directory) and changed the app pool authentication to run as "kerb_user".
First I tried with this, but it was failed.
Please check the request log in oracle database, where you can verify the OS_USERNAME carefully. In my case it shows kerb_user, where as for other kerberos user requested OS_USERNAME was suffixed with domain name, which was missing in my case.
Then I did two changes.
Modified the app pool identity with domain name: kerb_user#xyz.com
Modified the sqlnet.ora file on app server and changed authentication to "ALL"
//before - not working
SQLNET.AUTHENTICATION_SERVICES= (NONE)
//after - worked
SQLNET.AUTHENTICATION_SERVICES= (ALL)
Debugging
Check the oracle log, if requested OS_USERNAME is suffixed with domain name(here kerb_user#xyz.com) or not. If suffixed, will work for sure.
Please verify service user on both side(app- AD User and db- Service User) server, user should have same name.
Verify the service user access at db server and ensure, user must have kerberos access to that database.
Check the SPN settings
Ref: https://www.codeproject.com/Articles/27554/Authentication-in-web-services-using-C-and-Kerbero