IIS App Pool Identity vs. Windows Account - windows

What are the pros and cons of using the built-in App Pool Identity in IIS as opposed to specifying a Windows account?
For SQL Server, if you want to connect from a .NET application using Windows Authentication, I presume that if I use an App Pool Identity, I must associate this with a user in SQL Server or give that App Pool Identity access to my db?
Are App Pool Identities just added as a convenience so that you don't have to set up accounts for your App Pools?

The built-in account used is specific to the computer. If applications inside the app pool need to connect to other resources on the network (database servers, file shares, etc.), then using a (Windows) domain account may be a better option. When you specify a domain account, you must ensure it has the correct file permissions set on the physical folders that IIS is using. In later operating systems, you can add this account to the IIS_IUSRS group to achieve the default permissions.

We have several applications running on our intranet that use Windows authentication. The way we handle this in our web.config is to specify our SQL connection string as follows:
<connectionStrings>
  <add name="ConnectionStringName" connectionString="Data Source=ServerName;Initial Catalog=DatabaseName;Trusted_Connection=true" providerName="System.Data.SqlClient"/>
</connectionStrings>
Also in the web.config is the following:
<system.web>
  <authentication mode="Windows"/>
  <identity impersonate="true" userName="Domain\Username" password="password"/>
</system.web>
Using a domain account allows you to manage the account in the same way you manage other user accounts. The downside here is that the username and password are included in plain text in the web.config.
Hope this helps.
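The plaintext-password downside mentioned in the answer above can be checked for across a server. The following is an added example, not code from the original posts: the function name `Find-PlaintextCredential`, the sample web.config and the `C:\inetpub` path in the closing comment are assumptions made for illustration.

```powershell
# Constructed sample web.config (not from a real system), laid out like the answer's.
$sampleConfig = @'
<configuration>
  <connectionStrings>
    <add name="Trusted" connectionString="Data Source=ServerName;Initial Catalog=DatabaseName;Trusted_Connection=true" />
    <add name="SqlLogin" connectionString="Data Source=ServerName;Initial Catalog=DatabaseName;User ID=app;Password=example" />
  </connectionStrings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="Domain\Username" password="password" />
  </system.web>
</configuration>
'@

function Find-PlaintextCredential {
    # Hypothetical helper: returns one finding per cleartext secret in a web.config.
    param([Parameter(Mandatory)][string]$ConfigXml, [string]$Source = '(inline)')
    $doc = [xml]$ConfigXml
    $findings = @()
    # <identity> carrying a password attribute: the impersonation account is
    # readable by anyone who can read the file (backups, source control, shares).
    foreach ($node in $doc.SelectNodes('//system.web/identity[@password]')) {
        $findings += [pscustomobject]@{
            Source = $Source; Element = 'system.web/identity'; Account = $node.GetAttribute('userName')
        }
    }
    # Connection strings that embed a SQL login instead of using a trusted connection.
    foreach ($node in $doc.SelectNodes('//connectionStrings/add')) {
        $cs = $node.GetAttribute('connectionString')
        if ($cs -match '(^|;)\s*(password|pwd)\s*=') {
            $user = ''
            if ($cs -match '(^|;)\s*(user id|uid)\s*=\s*([^;]+)') { $user = $Matches[3].Trim() }
            $findings += [pscustomobject]@{
                Source = $Source; Element = "connectionStrings/$($node.GetAttribute('name'))"; Account = $user
            }
        }
    }
    $findings
}

# Reports the <identity> element and the "SqlLogin" string, but not the trusted connection.
Find-PlaintextCredential -ConfigXml $sampleConfig | Format-Table -AutoSize
# On a server (assumed web root), feed it real files:
# Get-ChildItem C:\inetpub -Recurse -Filter web.config |
#   ForEach-Object { Find-PlaintextCredential (Get-Content $_.FullName -Raw) $_.FullName }
```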

Related

Serve file from FSx to IIS

I've got an EC2 instance with IIS and a mapped FSx file system on AWS. All in one VPC in one subnet.
IIS config works perfectly as long as it's configured with local drive. When I change config to use path from that mapped FSx I've got an error. Even for just a test static page.
All current users have full access to those files. Do I need to set up any special users for IIS on Domain Controller? Any special permissions? I would appreciate any ideas...
First of all, you need to figure out the substatus code of your IIS server and the detailed error message. So please enable IIS detailed error messages for your website.
I assume this issue happened just because your identity doesn't have permission to access the configuration file.
1. Please ensure your IIS site -> Basic Settings -> Connect as... -> is set to your domain account that has permission to access your FSx.
2. Please set your application pool identity to your domain account that has access to the FSx.
3. Please grant permission for that application pool account.
4. Please set your authentication user to use the application pool identity. For example, if you are using anonymous authentication, then go to Anonymous Authentication -> Edit... -> Application pool identity.
If you don't know how to troubleshoot this issue, Process Monitor would help.
You only have to create a filter: Result = "Access denied" and Process Name = "w3wp.exe".
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
SOLUTION: you cannot use the drive letter; it must be the full DNS name from the FSx console: \\DNS_NAME\share
I am having this exact issue. The drive is available on the EC2 instance but authorization in IIS fails. Browsing the directory from IIS works but I cannot get authorization to pass the test. I have tried admin on EC2 and admin on Active Directory as users in the IIS virtual drive.
It seems that you need to configure the IIS application pool identity to use a domain account that has access to the FSx file system. By default, the application pool identity is a local account that does not have any permissions on the network share.
To change the application pool identity, follow these steps:
1. Open IIS Manager and select the application pool that hosts your website.
2. Click on Advanced Settings in the Actions pane.
3. Under Process Model, click on Identity and then on the ellipsis (...) button.
4. Select Custom account and enter the domain user name and password that has access to the FSx file system. Click OK to save the changes.
5. Restart the application pool and the website.
Alternatively, you can use the command line tool appcmd.exe to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
appcmd.exe set config /section:applicationPools /[name='DefaultAppPool'].processModel.identityType:SpecificUser /[name='DefaultAppPool'].processModel.userName:domain\user /[name='DefaultAppPool'].processModel.password:password
You can also use PowerShell to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
Import-Module WebAdministration
Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name processModel -Value @{identityType="SpecificUser";userName="domain\user";password="password"}
For more information, see this article on how to access FSx file shares from IIS.

IIS windows authentication install difficulties

I am trying to install Master Data Services (MDS) on my local machine. Theoretically there are 3 steps:
pre-installation tasks
Installation tasks
post-Installation tasks
During the pre-installation tasks we verify the installation requirements.
The Master Data Services web application needs some Windows Web Server roles and role services. Among these services we have the "Windows Authentication" (under Security).
The problem is that I did not find under security node Windows Authentication. Instead I find Basic Authentication.
My OS is Windows 10.
To install (add) the desired roles I follow the theoretical instructions:
Control Panel | Programs and Features | Turn Windows features on or off. I then expand Security under World Wide Web Services but there is no Windows Authentication among the check boxes, there is only Basic Authentication.
Also, when I open IIS and double-click the Authentication pane there are 4 authentication methods (Basic, Anonymous, ASP.NET Impersonation and Forms), so again, I don't find Windows Authentication.
I read some suggestions on the internet saying that we can edit the applicationHost.config file. I found 2 files on different paths.
The location of the first one is: C:\Program Files (x86)\IIS Express\AppServer
and the second location is: C:\Windows\System32\inetsrv\config
In those files I replace <windowsAuthentication /> under the <security><authentication> node with:
<windowsAuthentication enabled="true">
  <providers>
    <add value="Negotiate" />
    <add value="NTLM" />
  </providers>
</windowsAuthentication>
and I also add <add name="WindowsAuthenticationModule" lockItem="true" /> under <system.webServer><modules>
I did this on the 2 files because I was not sure whether it should be done only on the latter one or not (IIS and not IIS Express). But even with those changes it does not work, and what surprises me is that when I open IIS after editing the file, I also don't find Windows Authentication among the authentication list in the Authentication pane. So I conclude that the editing did not help at all and made no change to IIS.
Of course, because I failed to enable Windows Authentication, when I open MDS (to do the installation step) I get a warning error telling me that IIS is not configured correctly because Windows Authentication is not installed on this server.
You'll find here how to add it and after that you'll be able to use it:
https://weblogs.asp.net/zroiy/missing-windows-authentication-provider-for-iis-7-on-windows-server-2008

store and get generic credentials with an intranet application

I developed an intranet application which needs to perform a "git push" from a local repository (on the disk of the web server) to a remote repository.
I launch the git process from the web server; it runs under the IIS pool identity, which is a domain account that is a member of the Administrators group of the web server machine.
Git needs the user credentials to perform the push action. I integrated a custom version of git-credential-winstore. This program uses the Windows Credential Manager to store generic credentials for a web site. But when the call to write the credential occurs, I get the error:
Failed to write credential: A specified logon session does not exist. It may already have been terminated
I checked the policy "Network access: Do not allow storage of passwords and credentials for network authentication", it is disabled.
What goes wrong here?
The pool account needs to gain access to its user profile.
So we need to log on once to a Windows session to create the user profile (I think it's necessary). Next, in the Advanced Settings of the dedicated Application Pool, set "Load User Profile" = true.
Note about credentials: the Windows credential target must be changed to manage different users in the same Windows vault. I changed "git:https://remote-host" to "git_USERID:https://remote-host".
I set this property to enabled and it works now, maybe it will work for you also:

IIS AppPool to SQL Server permissions (adding NT AUTHORITY\IUSR)

I've got a new server build running Windows Server 2012 R2, IIS 8.5 (inc. ClassicASP feature) and SQL Server 2014 Express. I want to use Application Pool Identity to connect to the database. The database is set to "Windows Authentication Mode".
My Application Pool Identity is called activbase.net. I've set up a Security Login in SQL Server called IIS AppPool\activbase.net and user-mapped it to my database with db_datareader and db_datawriter access.
However when I try to access the database from the website, I get:
Cannot open database "ActivbaseLive" requested by the login. The login failed.
I thought this was enough to get the connection working.
The Application Log (Event Viewer) shows:
Login failed for user 'NT AUTHORITY\IUSR'. Reason: Failed to open the explicitly specified database 'ActivbaseLive'. [CLIENT: ]
So I have added NT AUTHORITY\IUSR likewise to the SQL Server>Security>Logins and Databases>[ActivbaseLive]>Security>Users and this fixes the problem.
My questions are as follows:
Should I be needing to add NT AUTHORITY\IUSR login/user in addition to IIS AppPool\activbase.net login/user to my SQL Server Instance and database?
Is there a security issue with doing this? (NOTE: this will be a production environment)
Thanks,
Chris
No. You don't need to add an SQL Server login for the NT AUTHORITY\IUSR identity in addition to the IIS AppPool\activbase.net identity. A login for the IIS AppPool\activbase.net application pool identity alone is adequate for connecting to SQL Server using Windows Authentication.
NT AUTHORITY\IUSR is a built-in Windows account that is the default identity used when Anonymous Authentication is enabled for your application. This page describes the rationale for the account.
To connect to your database with the IIS AppPool\activbase.net identity, you need to change the account set up for anonymous users from NT AUTHORITY\IUSR to your IIS AppPool\activbase.net application pool identity. Proceed as follows to make this change:
1. Open Internet Information Services (IIS) Manager.
2. In the Connections panel, locate and click to select the website hosting your application, e.g. Default Web Site. (If you want to configure a specific application under your website, you can select the application.)
3. In the Features View in the center panel, double-click Authentication.
4. Anonymous Authentication will most likely be enabled in your setup. Right-click Anonymous Authentication, and select Edit.
5. In the Edit Anonymous Authentication Credentials dialog box, click the Application pool identity option, and then click OK.
The question in the link below (and its answer) addresses the same issue:
Login failed for user NT AUTHORITY\IUSR
With regard to your second question, "Is there a security issue with doing this?", the answer is, "Yes". You preferably don't want the NT AUTHORITY\IUSR built-in account having access to your SQL Server database since it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means those other websites and applications would be able to connect to your database. If they are compromised in an attack, they could potentially be used to access your data. So it's best not to have an SQL Server login for NT AUTHORITY\IUSR. Instead, limit database access to your website's (or application's) application pool identity.
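To see which Windows account SQL Server will be asked to log in for each site, the anonymous-authentication setting described in the answer above can be read from applicationHost.config. This is an added example, not code from the original posts: the function name `Get-AnonymousIdentity`, the site names and the "LegacyPool" pool are constructed, and it assumes pools keep the default ApplicationPoolIdentity, SQL Server runs on the same machine as in the question, and no web.config overrides the section.

```powershell
# Constructed applicationHost.config fragment (not from a real server). "Legacy" inherits
# the server-wide IUSR default; "Activbase" overrides userName to "" (app pool identity).
$sampleConfig = @'
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Activbase"><application path="/" applicationPool="activbase.net" /></site>
      <site name="Legacy"><application path="/" applicationPool="LegacyPool" /></site>
    </sites>
  </system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
  </authentication></security></system.webServer>
  <location path="Activbase"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="" />
  </authentication></security></system.webServer></location>
</configuration>
'@

function Get-AnonymousIdentity {
    # Hypothetical helper: the Windows account anonymous requests run as, per site.
    param([Parameter(Mandatory)][string]$ConfigXml)
    $doc  = [xml]$ConfigXml
    $anon = 'system.webServer/security/authentication/anonymousAuthentication'
    foreach ($site in $doc.SelectNodes('//sites/site')) {
        $name = $site.GetAttribute('name')
        $pool = $site.SelectSingleNode("application[@path='/']").GetAttribute('applicationPool')
        # A site-level <location> override wins over the server-wide element.
        $node = $doc.SelectSingleNode("/configuration/location[@path='$name']/$anon")
        if ($null -eq $node -or -not $node.HasAttribute('userName')) {
            $node = $doc.SelectSingleNode("/configuration/$anon")
        }
        $user = 'IUSR'   # the default anonymous account when nothing sets userName
        if ($null -ne $node -and $node.HasAttribute('userName')) { $user = $node.GetAttribute('userName') }
        if ($user -eq '') { $account = "IIS AppPool\$pool" }          # application pool identity
        elseif ($user -eq 'IUSR') { $account = 'NT AUTHORITY\IUSR' }  # shared across sites
        else { $account = $user }                                     # explicitly configured account
        [pscustomobject]@{ Site = $name; AppPool = $pool; RunsAs = $account; SharedIUSR = ($user -eq 'IUSR') }
    }
}

Get-AnonymousIdentity -ConfigXml $sampleConfig | Format-Table -AutoSize
```

Any site reported with SharedIUSR set to True would reach the database through an NT AUTHORITY\IUSR login if one exists, which is the exposure the answer warns about. On a server, pass the contents of the applicationHost.config under C:\Windows\System32\inetsrv\config instead of the sample.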

Getting an ASP.NET MVC database working on a non-development machine?

This may be a basic question but I'm not very proficient in SQL Server.
I am using Visual Studio 2008 Professional.
In an ASP.NET MVC 3 project I created a database that resides in 'App_Data'.
The web.config file uses this as the connectionString (partial):
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;
When I copy the project to the production server the initial MVC logon page appears OK. When I enter the login username/password I get a "Failed to generate a user instance of SQL Server due to a failure in starting the process for the user instance" error message.
The SQL Server Express 2008 instance on the production system is set to use 'Local System' for authentication.
I think that I'm not configuring SQL Express or my web.config correctly?
UPDATE1
Most of the links found on the internet talk about deleting a folder. In my scenario there is no 'C:\Documents and Settings\YOUR_USERNAME\Local Settings\Application Data\Microsoft\Microsoft SQL Server Data\SQLEXPRESS' folder.
My solution for now (after much ASP.NET/IIS/SQL Server security review) was to set "User Instance=True" to "User Instance=False" in the production web.config file.
Per your connection string, you're using Windows security to control access to the database. Does the account under which your web server runs have sufficient permissions on your database?
You may wish to test using SQL Server security, just to confirm this is the problem. (Assuming SQL Server was installed with SQL Security enabled.)
Did you try this already? Fix error "Failed to generate a user instance of SQL Server due to a failure in starting the process for the user instance."
