Solved

IIS authentication problem with "Network Service"..

Posted on 2006-11-22
11
463 Views
Last Modified: 2008-01-09
Hi, i have the following setup:
IIS 6.0 on W2K3.
A .NET 2.0 app.
A site with IUSR as anonymous access acount, running in the default app pool.
A sub folder "admin" in this site that has only the access config changed from the parent, using integrated win auth/digest domain auth with the domain in realm. No anonymous access..

I thought this would feed the users domain username to the app, but not so.. The app recieves all requests from the "NETWORK SERVICE"..

I guess this have to do something with the default app pool, and/or the auth methods used.. but i cant find any specifics on this on the web.. Anyone got an idea?

What this should work like is that all users/guest should be anonymous at the root, but the admin folder should require authentication through the domain. The users get the login box as intended now, but is still authenticated as "NETWORK SERVICE"..
0
Comment
Question by:mattisflones
  • 8
  • 3
11 Comments
 
LVL 10

Accepted Solution

by:
AndresM earned 500 total points
ID: 17997488
in asp.net 2.0 you have to specify that the app needs impersonation; by default asp.net does'nt impersonate

To impersonate the Microsoft Internet Information Services (IIS) authenticating user on every request for every page in an ASP.NET application, you must include an <identity> tag in the Web.config file of this application and set the impersonate attribute to true. For example: <identity impersonate="true" />
0
 
LVL 15

Author Comment

by:mattisflones
ID: 17998788
Hi there AndresM, i tried your tip, but got this error:

System.Data.SqlClient.SqlException: User does not have permission to perform this action.

My app is highly SQLE dependent, and this surprised me a bit.. there is no way to give a user acces but on NTFS level.. and thats done!
0
 
LVL 10

Expert Comment

by:AndresM
ID: 17998830
Now your app is impersonating, if you are using integrated authentication with SQL, you have to add the login in SQL Server for each user. Other option, use SQL authentication against SQL Server, with a generic user.
PS: If your SQL Server is in other machine than the web server, integrated authentication to SQL is little bit more complicated.
0
 
LVL 15

Author Comment

by:mattisflones
ID: 17998864
The funny part is that if i use <Page.User.Identity.Name.ToString()> in C# it gives me nothing.. On the devmachine it gives me the right (same) user name..
0
 
LVL 15

Author Comment

by:mattisflones
ID: 17998869
I am using SQL 2005 Express and cant add users.. Its all local, running from the App_Data folder..
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 15

Author Comment

by:mattisflones
ID: 17998904
Btw, this is my connstring:
<add name="ASPNETDB" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient"/>
0
 
LVL 10

Expert Comment

by:AndresM
ID: 17998924
Ok, if you don't impersonate, you can still obtain who is accesing your page, with a variable called 'user' I think. But the entire w3wp.exe process (IIS process) will run under network service (by default) or under the account configured in the IIS app pool. If you impersonate, w3wp.exe will run threads under the context of the user logged on to the website in that moment, that's why when you impersonate you get access denied in SQL.
0
 
LVL 15

Author Comment

by:mattisflones
ID: 17999038
Thats the Page.User in C# that dont give me anything.. :-(

The thought you had about giving a generic user to access the SQL server is a good one, but i must admit i dont know how to do that with a SQLE install.. It seems to be limited what you can do with a attached DB..

Do you know any good tricks?


0
 
LVL 15

Author Comment

by:mattisflones
ID: 17999181
I tried:

<add name="ASPNETDB" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Database=ASPNETDB;User ID=sa;Password=<password>;" providerName="System.Data.SqlClient"/>

But got:

Cannot create file 'C:\Inetpub\SITES\test\DK2\App_Data\ASPNETDB_log.LDF' because it already exists. Change the file path or the file name, and retry the operation.
Could not open new database 'ASPNETDB'. CREATE DATABASE is aborted.
Could not attach file 'C:\Inetpub\SITES\test\DK2\App_Data\ASPNETDB.MDF' as database 'ASPNETDB'.
File activation failure. The physical file name "U:\Dev\ASP.NET\DataKjeden.no\5\App_Data\ASPNETDB_log.ldf" may be incorrect.

A wee bit of everything i guess.. :-)
0
 
LVL 15

Author Comment

by:mattisflones
ID: 17999189
And thats with <identity impersonate="true" />
0
 
LVL 15

Author Comment

by:mattisflones
ID: 17999658
The solution was:

Use: <identity impersonate="true" /> in web config.

Change the default generated ".\SQLEXPRESS" bit in the connstring to "<SERVERNAME>\SQLEXPRESS", and "User Instance=True" to User Instance=False"

Works like a charm!

The Page.User func in C# still does not work, but <System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()> does!

The site can now run IUSR or whatever for the root, and use domain security for the admin section..
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Basic Regex for use in webservice 1 58
encrypting section of web.config 1 48
Shared folder access timeout in Remote Web Access 4 58
IIS 7.5 to 8.0 6 98
Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
Lync server 2013 or Skype for business Backup Service Error ID 4049 – After File Share Migration
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now