I have a requirement where I need to be able to access a list which sits in Central Administration from an Application Page which sits on my Web Front End (WFE). The issue I have is that the Application Pool User for my WFE does not have access to the SharePoint_AdminContent database so I get access denied, they both have their own App Pools
In the logs it shows the following:
Reverting to process identity
Current user before SqlConnection.Open: Name:
SharePointDemo\SPContentPool SID:
S-1-5-20 ImpersonationLevel: None
Current user after SqlConnection.Open: Name:
SharePointDemo\SPContentPool: S-1-5-20
ImpersonationLevel: None
Insufficient SQL database permissions for user 'SPContentPool'
in database
'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275' on SQL Server instance 'SPNSQL'.
Additional error information from SQL
Server is included below. The EXECUTE
permission was denied on the object
'proc_EnumLists', database
'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275',
schema 'dbo'.
I have tried to runwithelevatedprivileges as well as trying Daniel Larsons method (http://daniellarson.spaces.live.com/blog/cns!D3543C5837291E93!1919.entry) which uses the SharePoint\System user token but it only seems to elevate as high as the Application Pool.
I am hoping there is an easy way to impersonate the Application Pool of the Admin Web Application but have been unable to find a way to do so yet... Or change the process identity to one which has access
Any thoughts, ideas or solutions are thankfully received!
Phill
You should try to use the List web service to access the list items. And set the credentials before connecting to the web service.
The problem is that the CA Application Pool and the WFE Application pool most likely run under different accounts, which is best practice though annoying when you are a developer. There is no amount of Elevating Privileges you can do using SPSecurity.RunWithElevatedPrivileges to get around this.
Providing your security policy allows this, you can give the application pool that runs your WFE Web Application the same credentials as the Central Administration Application Pool.
This can be done using the Service Accounts screen at:
http:///_admin/FarmCredentialManagement.aspx
If you go down the web service route, you may want to role your own web service to prevent too much 'chatting' over HTTP.
Have you tried regular windows impersonation? You should probably be able to impersonate the service account and get access to the list that way.
Related
I have viewed and tried dozens of "answers" on StackOverflow, but none work.
I have a pretty simple aspx page with C# code behind.
The web site is on a Windows 2008R2 server.
The web site looks like (actual names changed):
MyServer - set for Anonymous Authentication
Application Pools
ASP.NET v4.0 Classic - .Net 4.0, Classic pipeline, App Pool Identity
MySiteAppPool - .Net 2.0, Integrated, runs under a Domain-wide Service identity (call it "mycompany\domservice")
Sites
MyMainSite - Windows Authentication, uses "MySiteAppPool"
"AutoPrint" - my web app, Windows Authentication, uses "ASP.Net v4.0 Classic" app pool, ASP.NET Impersonation enabled
My "AutoPrint" web app has a start page "AutoPrint.aspx" and code behind ("AutoPrint.aspx.cs", plus several classes).
The server and main site are not alterable, as there are several other applications under this site.
The user currently invokes this app with :
http://MyServer/AutoPrint
Everything I have tried is returning the "mycompany\domservice" result:
Request.LogonUserIdentity.Name.ToString() - returns "mycompany\domservice"
System.Environment.UserName.ToString() - returns "domservice"
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() - returns "mycompany\domservice"
What am I missing here? Why is this so hard?
Further clarifications:
"mycompany\domservice" - the "domservice" account is just an ActiveDirectory account in the "mycompany" domain that has permissions to read/write directories needed by the site and other applications. When installing the Site and additional web apps, we use that account as the "connect as" user.
What I am trying to do is to get the ActiveDirectory name of the Windows user account of the person who opened their browser and accessed this app. If user "JJONES" logs into Windows and launches the app with "http://myserver/autoprint", I want to get either "JJONES" or "mycompany\JJONES" as the user name.
If you use anonymous authentication, then the browser does not send any credentials (user id/password) to the server. Therefore if you want the client user id on the server, you have to use non-anonymous authentication, e.g,. Windows or Forms. You can use non-anonymous authentication and then allow or deny access to your web site to specific users or groups of users, or all users.
Thank you for all the helpful comments/suggestions.
The problem turned out to be a combination of factors. The App Pool I was using was using App Pool Identity (which has limited rights), so I had to use a specific account (the domain service account) in the "Connect as..." for the physical path credentials in order to access certain files.
Changing to use an App Pool that used an account with sufficient privileges (the domain service account) allowed me to leave the "Connect as..." using Pass-through authentication when converting to application.
Voila - I now get the user credentials using pretty much any of the proposed methods. After way too many hours of beating my head against the keyboard...
Have you looked at using HttpContext.User property ? This will give the current logged on user. After which point you may need to perform some nifty LDAP queries to get the username from AD.
See https://msdn.microsoft.com/en-us/library/system.web.httpcontext.user(v=vs.110).aspx
You may want to see the below link on how to search AD on the link "How can I search Active Directory by username using C#?"
Hope this helps you.
Description of my problem sounds somewhat complicated, what makes me think that my approach is flawed, so I will also appreciate any better idea.
Short description:
Given connection string to MSSQL 2008 DB and website name deployed on IIS6, I want to verify programatically whether website is able to connect to database.
Long description:
I have MSSQL Server database, let's call it portal_db.
I have an application deployed on IIS6, called portal. I can access it by url http://localhost/portal . In Web.config file I specified connection string to my database, which look like: "server=(local)\SQLEXPRESS;trusted_connection=yes;database=portal_db"
Web application is accessing database using System.Data.SqlClient.SqlConnection, without any wrappers, ORMs, mappings, anything.
Website is configured to run in appool PortalAppPool. It's using ApplicationPoolIdentity as a security context.
It is not possible to easily modify web application code (particularly the way it accesses database)
When my web application tries to connect to database it either succeeds or fails, depending on whether user IIS APPPOOL\PortalAppPool is configured in MSSQL database. That's a part which I understand, but when deploying my app I often forget to create new user/login in db for apppool virtual account. So what I want to do, is to verify from separate, standalone, console app (preferably written in C#, but not necessarily), whether my web application can access database, in following way:
Read connection string from Web.config
Read app pool identity settings (managed to do this by Directory Services API)
Impersonate identity with credentials defined on app pool (using impersonation class I found here: http://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/ which uses ideas found in many other places, including MSDN)
Open SqlConnection with connection string read from Web.config
It boils down to following snippet:
using (new Impersonator("IIS APPPOOL\\PortalAppPool", "", ""))
{
SqlConnection conn = new SqlConnection(databaseConnectString);
conn.Open();
}
Everything works very well, when my app pool security context is set to any other value than AppPoolIdentity - specific user, local system, etc. When I change credentials passed to Impersonator to my user's name and password, I get desired result (exception when I have no login mapping in database, and everything is OK when I add one). But I just seem to not be able to impersonate IIS APPPOOLS\PortalAppPool virtual account - just have no idea what parameters should be passed to LogonUser - I would not be surprised if it would not be even possible. Maybe I am focused on impersonation approach too much (I am using it to access registry keys and services of other users and it works good), and maybe there is some better way.
If you have any other, better ideas, or need some more explanation to this problem, please let me know.
I don't think you can impersonate a virtual account (IIS service account). They are special service accounts setup mainly for IIS security. They are for local services only and cannot be attached to any domains. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
No password management is required.
The ability to access the network with a computer identity in a domain environment.
You cannot "Log into" a virtual account, they are used by windows for security purposes:
Some light reading if you have time:
This gives a brief overview of MSAs and Virtual Accounts
The differences between MSAs and Virtual Accounts
The dirty details on each and how to manage them
To solve your original problem, you could build an app that could do the same logic but check the sql server if it has the correct users setup instead of simply trying to login with the account.
I've created a custom SharePoint application which extends some of the OOTB functionality of SharePoint. Now I want to license the application and provide trial periods etc. So I want to store the licensing information in the file system/registry and check the validity of the license across the application. But even after I elevate to the application pool identity (who is just a domain user and not a system administrator as advised here http://technet.microsoft.com/en-us/library/cc678863%28office.12%29.aspx) I'm getting access denied for accessing my file.
What is the common practice to read/write/create files in the file system from SharePoint application?
Have you checked thet security logs to see which user is being denied access. I am pretty sure it will be the user who is logged into sharepoint rather than the app pool identity that is trying to access the file. The app poolidentity is usually only used in this way if the web site is using anonymous authentication.
Are you using SharePoint 2010 or 2007? What kind of Authentication? NTLM, Forms or Claims based?
If application is running under NTLM, then as Ben suggested, application will run under NTLM account and you should be able to access the resource.
If running under forms the application will run as anonymous user (local account), which will fail to access the shared resource.
I would suggest using ProcMon, it will capture the underlying access denied error and what user is being used to access that.
I guess there is no other solution apart from storing it in a custom database or a custom folder which is configured with full access for the application pool account.
I have an ASP.NET application that runs under Classic .NET AppPool.
I'm trying to render a report hosted in Reporting Services in another machine, with the correct address and everything. But I keep getting the following error, which I just can't solve:
Cannot create a connection to data source 'MYDATASOURCE'. (rsErrorOpeningConnection) ---> Microsoft.Reporting.WebForms.ReportServerException: Login failed for user 'NT AUTHORITY\IUSR'.
I won't post any code, I'm simply calling the .Render() method through Microsoft.Reporting.WebForms.
Could it be a configuration or some special permission I have to grant to my code?
Any Help?
When I created something similar we set up a service account for the app pool the asp.net application to run as/under. Then gave that service account permissions to run the reports we wanted to display. I had to work with our DBA and System Engineers to set up the service accounts and permissions on the reporting server. But once that was all done it worked out slick. I am not sure it was all necessary, but that is how we did.
I am not a very experienced web developer, so I hope my terminology is correct and makes sense.
cheers
in your report manager grant sufficient permissions to this : NT AUTHORITY\NETWORK SERVICE
Granting permission directly on the database to the user NT AUTHORITY\IUSR solved the problem. I'm not very sure about security issues doing this, but thats another question.
Thanks.
I'm trying to access an oracle database using
using System.Data.OracleClient;
from a console application, accessing the database is fine. however from an ASP.NET web site i get the error:
ORA-12640: Authentication adapter initialization failed
I've googled around and found that changing sqlnet.ora file would solve the issue
//before
SQLNET.AUTHENTICATION_SERVICES= (NTS)
//after
SQLNET.AUTHENTICATION_SERVICES= (NONE)
Later I found another application on the same server, that uses other database of Oracle as well, is requiring the value of SQLNET.AUTHENTICATION_SERVICES to be "NTS". This would cause my web site to fail accessing the database with the error ORA-12640. I have tried "ALL" as value but still it didn't work.
How can I configure my website to access the oracle database while sqlnet.ora is configured as "SQLNET.AUTHENTICATION_SERVICES= (NTS)" ?
P.S. the website uses Windows Authentication and impersonate as follow:
<authentication mode="Windows"/>
<identity impersonate="true"/>
This looks like the multi-hop impersonation issue to me.
If it's an option for you, I suggest having your application run under a single identity when accessing the database (this should also allow connection pooling to occur as a beneficial side-effect).
To do this, you would need to configure an app pool to run under an account that has access to Oracle. Once the application is running under that app pool, turn impersonation off in your application so that the database calls occur using the app pool identity.
If you have to impersonate the calling users over the network, the method used will depend on your environment. For more information, see How to Use Impersonation and Delegation in ASP.NET 2.0.
I was also facing the same issue, but finally got it working. Created a service account(named kerb_user in the active directory) and changed the app pool authentication to run as "kerb_user".
First I tried with this, but it was failed.
Please check the request log in oracle database, where you can verify the OS_USERNAME carefully. In my case it shows kerb_user, where as for other kerberos user requested OS_USERNAME was suffixed with domain name, which was missing in my case.
Then I did two changes.
Modified the app pool identity with domain name: kerb_user#xyz.com
Modified the sqlnet.ora file on app server and changed authentication to "ALL"
//before - not working
SQLNET.AUTHENTICATION_SERVICES= (NONE)
//after - worked
SQLNET.AUTHENTICATION_SERVICES= (ALL)
Debugging
Check the oracle log, if requested OS_USERNAME is suffixed with domain name(here kerb_user#xyz.com) or not. If suffixed, will work for sure.
Please verify service user on both side(app- AD User and db- Service User) server, user should have same name.
Verify the service user access at db server and ensure, user must have kerberos access to that database.
Check the SPN settings
Ref: https://www.codeproject.com/Articles/27554/Authentication-in-web-services-using-C-and-Kerbero