InfoLearner

Reputation: 15608

Facing problem with ASP.NET hosted in IIS and Windows Authentication

I have an asp.net website that is hosted in IIS 7.5

The website has to use windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.

The data that the website is required to use is stored in another server. The AD group has Full control on the folder in which the data is stored. I am using Classic mode because Integrated breaks it.

What should be the website authentication and APP Pool settings?

Upvotes: 0

Views: 876

Answers (2)

JoeBilly

Reputation: 3107

Don't mix up IIS authorization and ASP.NET authorization:

IIS authorization

  • IP/DNS Address Restrictions
  • Web Permissions (Read, Write, Script Source Access...)
  • NTFS Permissions (non-ASP.NET ISAPI extensions only: .htm, .jpg...)

ASP.NET authorization

  • URL Authorization (<authorization> element)
  • File Authorization (ASP.NET ISAPI extensions only: .aspx, .ascx...)
  • Principal Permissions (Demands)
  • .NET Roles

Restrict access to your web:

  • Uncheck anonymous access
  • Configure NTFS rights

Give access to your data folder, a few solutions:

  • Use a service account for your application pool, allow it on your folder and manage access control in your application
  • Use default IIS 7 ASP.NET account, and impersonate the user locally in your code when accessing your data folder

    // Impersonate the authenticated Windows user only for the data access. The using
    // block calls Undo() via Dispose() even if the code inside throws, so the worker
    // thread never keeps the user's token beyond this scope.
    var identity = (System.Security.Principal.WindowsIdentity)User.Identity;
    using (System.Security.Principal.WindowsImpersonationContext impersonationContext = identity.Impersonate())
    {
        //Insert your code that runs under the security context of the authenticating user here.
    }

  • Activate impersonation globally (<identity impersonate="true"/>); don't like this one

Upvotes: 1

Rozwel

Reputation: 2020

Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass the credentials on the connection string or try to impersonate the users (EDIT: Should note that this applies to resources which use windows integrated security). Also no need to try to give the users direct access to the datastore or other resources, just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.

Here is the checklist I send to our server group whenever I ask them to set up a new site for me: (note this is based on Win Serv2003 and IIS 6, things may be different in the newer versions.)

  • Set up a separate App Pool for the application
  • Configure the App pool to run as the service account
  • Add the service account to the IIS_WPG group on the server
  • Make sure the IIS_WPG group has Read, Read & Execute, and List Folder Contents permissions for the website directory and Read and List Folder Contents to the C:\Windows\Temp folder (or equivalent).
  • Grant User Rights “Adjust Memory Quotas for a Process”, “Replace a Process Level Token”, and “Log On as Service” to the service account

Upvotes: 1
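As an added example that is not code from the question or either answer, the script below applies the service-account approach both answers recommend (JoeBilly's first option and Rozwel's checklist) to the IIS 7.5 host from the question, using the WebAdministration PowerShell module. It assumes placeholder names: pool and site DataApp, folder C:\inetpub\DataApp, service account DOMAIN\svc-dataapp and AD group DOMAIN\DataAppUsers.

```powershell
# Added example, not code from the question or the answers. Placeholders: DataApp (pool/site),
# C:\inetpub\DataApp, DOMAIN\svc-dataapp (AD service account), DOMAIN\DataAppUsers (AD group).
Import-Module WebAdministration

$pool    = "DataApp"
$site    = "DataApp"
$path    = "C:\inetpub\DataApp"
$svcUser = "DOMAIN\svc-dataapp"
$cred    = Get-Credential $svcUser        # prompt; never hard-code the service-account password

# 1. Separate app pool running as the service account (processModel.identityType 3 = SpecificUser).
#    Classic pipeline, as in the question.
if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$pool" -Name managedPipelineMode       -Value "Classic"
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value 3
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.userName     -Value $svcUser
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.password     -Value $cred.GetNetworkCredential().Password

# 2. Site bound to that pool.
if (-not (Test-Path "IIS:\Sites\$site")) {
    New-Website -Name $site -PhysicalPath $path -ApplicationPool $pool -Port 80 | Out-Null
}

# 3. Windows authentication only: anonymous off, Windows on. -Location writes a <location>
#    block in applicationHost.config, which is allowed even though the section is locked there.
$auth = "/system.webServer/security/authentication"
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $site -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

# 4. NTFS on the web folder: read/execute only, not the Full Control the question grants.
#    The data share needs an ACE for $svcUser alone; end users never touch it directly.
icacls $path /grant "IIS_IUSRS:(OI)(CI)(RX)" "${svcUser}:(OI)(CI)(RX)" | Out-Null

# 5. ASP.NET URL authorization: only the AD group gets in (merge into an existing web.config).
$webConfig = Join-Path $path "web.config"
if (-not (Test-Path $webConfig)) {
@"
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="DOMAIN\DataAppUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"@ | Set-Content -Path $webConfig -Encoding UTF8
}
```

On IIS 7.x the worker process token receives IIS_IUSRS membership automatically, so the checklist's IIS_WPG membership and user-rights steps apply to IIS 6 only.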
