I am running a asp .net web service on IIS7. The latter is running on a Windows 2008 R2 Server. IIS7/the web service is configured for asp .net impersonation. The worker process owner is set to NETWORK SERVICE.
The web service invokes sqlplus.exe impersonated with his/her domain account on the server. I can see that through the task manager. However, when sqlplus is started, oracle says the username/password is wrong.
sqlplus.exe is started like this: sqlplu.exe / . This works great if I manually log on the server with the user account and type the statement above, everything works great
I believe you're running into the "double hop" issue here.
Your first hop is using impersonation from the client's computer to the web server. The second hop is from the web server to your database server, where you're attempting to pass those same credentials along to the database.
When you manually log on and run the sqlplus statement, it's only a single hop from the web server to the database server.
The following is quoted from MSDN. Notice the recommendation to use basic authentication from the client to the web server.
The double-hop issue occurs when the
ASPX page attempts to use resources
located on a server that is different
from the IIS server. In our case, the
first "hop" is from the web browser
client to the IIS ASPX page; the
second hop is to Active Directory.
Active Directory requires a primary
token. Therefore, the IIS server must
know the password for the client to
pass a primary token to Active
Directory. If the IIS server has a
secondary token, the
NTAUTHORITY\ANONYMOUS account
credentials are used. This account is
not a domain account and has very
limited access to Active Directory.
The double-hop using a secondary token
occurs, for example, when the browser
client is authenticated to the IIS
ASPX page by using NTLM
authentication. In this example, the
IIS server has a hashed version of the
password as a result of using NTLM. If
IIS turns around and passes the
credentials to Active Directory, IIS
is passing a hashed password. Active
Directory cannot verify the password
so it uses NTAUTHORITY\ANONYMOUS LOGON
for authentication.
If your browser client uses Basic
authentication to authenticate to the
IIS ASPX page, the IIS server has the
client password and can make a primary
token to pass to Active Directory.
Active Directory can verify the
password and authenticate the domain
user.
http://msdn.microsoft.com/en-us/library/ms817871.aspx
Related
I have a Windows 2019 container started with a valid CredentialSpec from a valid working gMSA account. It currently hosts a .NET 4.x application on IIS with Windows Authentication working just great. I can also execute nltest commands successfully and communicate to the domain controller.
I want to run a Job or Process as a domain user (MyDomain\UserABC). All of my attempts have failed:
Execute start-process with a credential object errors out with:
he security database on the server does not have a computer account for this workstation trust relationship.
Using a scheduled job as NT AUTHORITY\NetworkService fails to access the web because it is not using the gMSA credentials but the Network Service credentials.
Create a scheduled job with a Domain User results in the same error as above:
he security database on the server does not have a computer account for this workstation trust relationship.
Any other ideas?
Sounds like cached credentials. Maybe you can take a look on this link:
Site single Domain
I am trying to get a flask app deployed to a windows server (IIS 7.5) that passes the client NTLM Windows Authentication to the SQL Server connection in SQL Alchemy.
At the moment the connections string looks like this:
"DRIVER={SQL Server Native Client 11.0};Server=%s;Database=%s;TDS_Version=8.0;Trusted_Connection=yes;"
And the Trusted_Connection=yes serves to pass the owner of the web server process to SQL Server. This works great when running the development server because I am invoking the server so my access credentials get passed. BUT when IIS runs the server it inherits the application pool identity and sends a bogus non domain user as the auth credentials.
I have tried to use the WindowsAuth setting in the webconfig but SQLAlchemy keeps passing the app pool identity to the sql server.
I've had similar issues with SQL DB Connections, and the workaround that worked was to create a Windows Network User and have IIS run applications with that identity instead of the App Pool identity. This 'real user' identity is then passed on to any downstream invocations (SQL).
This scales well in an enterprise environment and prevents most security change problems because the user is a 'normal user' and only nominally a 'service account'.
I've got a new server build running Windows Server 2012 R2, IIS 8.5 (inc. ClassicASP feature) and SQL Server 2014 Express. I want to use Application Pool Identity to connect to the database. The database is set to "Windows Authentication Mode".
My Application Pool Identity is called activbase.net. I've set up a Security Login in SQL Server called IIS AppPool\activbase.net and user mapped it my database with db_datareader and db_datawriter access.
However when I try to access the database from the website, I get:
Cannot open database "ActivbaseLive" requested by the login. The login failed.
I thought this was enough to get the connection working.
The Application Log (Event Viewer) shows:
Login failed for user 'NT AUTHORITY\IUSR'. Reason: Failed to open the explicitly specified database 'ActivbaseLive'. [CLIENT: ]
So I have added NT AUTHORITY\IUSR likewise to the SQL Server>Security>Logins and Databases>[ActivbaseLive]>Security>Users and this fixes the problem.
My questions are as follows:
Should I be needing to add NT AUTHORITY\IUSR login/user in addition to IIS AppPool\activbase.net login/user to my SQL Server Instance and database?
Is there a security issue with doing this? (NOTE: this will be a production environment)
Thanks,
Chris
No. You don't need to add an SQL Server login for the NT AUTHORITY\IUSR identity in addition to the IIS AppPool\activbase.net identity. A login for the IIS AppPool\activbase.net application pool identity alone is adequate for connecting to SQL Server using Windows Authentication.
NT AUTHORITY\IUSR is a built-in Windows account that is the default identity used when Anonymous Authentication is enabled for your application. This page describes the rationale for the account.
To connect to your database with the IIS AppPool\activbase.net identity, you need to change the account set up for anonymous users from NT AUTHORITY\IUSR to your IIS AppPool\activbase.net application pool identity. Proceed as follows to make this change:
Open Internet Information Services (IIS) Manager.
In the Connections panel, locate and click to select the website hosting your application e.g. Default Web Site. (If you want to configure a specific application under your website, you can select the application.)
In the Features View in the center panel, double-click Authentication.
Anonymous Authentication will most likely be enabled in your setup. Right-click Anonymous Authentication, and select Edit.
In the Edit Anonymous Authentication Credentials dialog box, click the Application pool identity option, and then click OK.
The question in the link below (and its answer) addresses the same issue:
Login failed for user NT AUTHORITY\IUSR
With regard to your second question, "Is there a security issue with doing this?", the answer is, "Yes". You preferably don't want the NT AUTHORITY\IUSR built-in account having access to your SQL Server database since it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means those other websites and applications would be able to connect to your database. If they are compromised in an attack, they could potentially be used to access your data. So it's best not to have an SQL Server login for NT AUTHORITY\IUSR. Instead, limit database access to your website's (or application's) application pool identity.
In my IE, when I want to access a SharePoint site, I'm asked for username/password (obviously).
Is there a way to make IE know that, when I access a domain XXX, it should use certain credentials? Even if I have to use a plugin.
I tried Windows Vault, but that doesn't seem to work with IE.
Add the domain to the "Local Intranet Sites" in security in IE. That will log in the current user that is logged into the PC.
You can set up a ADFS server (an Identity Provider) on the domain where your client is. The SAML or WS-Federation tokens issued from your source domain would be trusted by a second ADFS server (the Service Provider).
Here is what would happen when you would visit the SharePoint site:
You go to the SP site, "naked" (no kerberos, password or client certificate)
You are redirected to your local ADFS server
Your browser authenticates with a Kerberos ticket to the local ADFS server.
Local ADFS server issues a SAML or WS-Federation token and redirects you back to the "remote" SharePoint site
You go to the remote SharePoint site, with a POST containing a WS-Federation token.
Seeing the token, and trusting the signature or the source domain, access is granted.
But it is easier said than done. Things to look out for :
How will you link existing username password based accounts with shiny new ADFS logons ?
What if there are duplicate user names ?
Will that break authentication for remote users who are simply using Kerberos (because for them, it is a local SharePoint) ?
What is the impact should you change the URL so that users go to your ADFS server first ?
+Beware : the ADFS server role in Windows Server 2008 R2 will install ADFS 1.?. Do not use it. Download and install ADFS 2.0 or later.
I'm in the process of rearranging our web-based systems, so that users will be able to log on to our systems through a Sharepoint front-end. Our single sign-on server is an Oracle SSO server that authenticates against the same domain as the sharepoint server does, but these two are currently 2 separate logins.
What I'm looking for is to configure this scenario:
A user logs in to the Sharepoint site, authenticating agains Active Directory through the TMG. This gives the user access to the sharepoint site, and this is all standard OOTB functionality. Then the user should be able to navigate into our other systems without a re-login (because the SSO configured for external authentication with the same AD, and therefore uses the same userbase).
So basically the users currently have to login twice with the same domain\user + password. I would like the SSO server to be able to read the cookie that was established in the first login, and use that instead of presenting the SSO login screen all over again.
Is it possible to share such a cookie between 2 different platforms on the same domain?
I have implemented a kerberos "Zero-sign-on" approach for the Oracle SSO server, but this only works as long as the user comes from a computer inside our domain. When the user logs on from the outside world (www) he will be prompted to login to sharepoint first, and then to the Oracle SSO.
I basically need the Oracle SSO Cookie to somehow read the Sharepoint Cookie that was established. Does this make sense?