mattisflones
asked on
IIS authentication problem with "Network Service"..
Hi, I have the following setup:
IIS 6.0 on W2K3.
A .NET 2.0 app.
A site with IUSR as anonymous access account, running in the default app pool.
A sub folder "admin" in this site that has only the access config changed from the parent, using integrated win auth/digest domain auth with the domain in realm. No anonymous access..
I thought this would feed the user's domain username to the app, but not so.. The app receives all requests from the "NETWORK SERVICE"..
I guess this has something to do with the default app pool, and/or the auth methods used.. but I can't find any specifics on this on the web.. Anyone got an idea?
What this should work like is that all users/guests should be anonymous at the root, but the admin folder should require authentication through the domain. The users get the login box as intended now, but are still authenticated as "NETWORK SERVICE"..
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Now your app is impersonating, if you are using integrated authentication with SQL, you have to add the login in SQL Server for each user. Other option, use SQL authentication against SQL Server, with a generic user.
PS: If your SQL Server is on another machine than the web server, integrated authentication to SQL is a little bit more complicated.
ASKER
The funny part is that if I use <Page.User.Identity.Name.ToString()> in C# it gives me nothing.. On the dev machine it gives me the right (same) user name..
ASKER
I am using SQL 2005 Express and can't add users.. It's all local, running from the App_Data folder..
ASKER
Btw, this is my connstring:
<add name="ASPNETDB" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient" />
Ok, if you don't impersonate, you can still obtain who is accessing your page, with a variable called 'user' I think. But the entire w3wp.exe process (IIS process) will run under network service (by default) or under the account configured in the IIS app pool. If you impersonate, w3wp.exe will run threads under the context of the user logged on to the website in that moment, that's why when you impersonate you get access denied in SQL.
ASKER
That's the Page.User in C# that doesn't give me anything.. :-(
The thought you had about giving a generic user to access the SQL server is a good one, but I must admit I don't know how to do that with a SQLE install.. It seems to be limited what you can do with an attached DB..
Do you know any good tricks?
ASKER
I tried:
<add name="ASPNETDB" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Database=ASPNETDB;User ID=sa;Password=<password>;" providerName="System.Data.SqlClient" />
But got:
Cannot create file 'C:\Inetpub\SITES\test\DK2\App_Data\ASPNETDB_log.LDF' because it already exists. Change the file path or the file name, and retry the operation.
Could not open new database 'ASPNETDB'. CREATE DATABASE is aborted.
Could not attach file 'C:\Inetpub\SITES\test\DK2\App_Data\ASPNETDB.MDF' as database 'ASPNETDB'.
File activation failure. The physical file name "U:\Dev\ASP.NET\DataKjeden.no\5\App_Data\ASPNETDB_log.ldf" may be incorrect.
A wee bit of everything I guess.. :-)
ASKER
And that's with <identity impersonate="true" />
ASKER
The solution was:
Use: <identity impersonate="true" /> in web.config.
Change the default generated ".\SQLEXPRESS" bit in the connstring to "<SERVERNAME>\SQLEXPRESS", and "User Instance=True" to "User Instance=False"
Works like a charm!
The Page.User func in C# still does not work, but <System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()> does!
The site can now run IUSR or whatever for the root, and use domain security for the admin section..
ASKER
System.Data.SqlClient.SqlE
My app is highly SQLE dependent, and this surprised me a bit.. there is no way to give a user access but on NTFS level.. and that's done!
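
The thread deals with three different identities: the ASP.NET principal (Page.User), the account IIS authenticated, and the Windows token the thread actually runs under. The handler below is an added diagnostic, not code from the thread or from any poster, that prints all three for one request and shows impersonation scoped to a single call instead of site-wide. The file name WhoAmI.ashx and the class name are hypothetical, and the comment about <authentication mode> is an assumption, since the thread never shows that part of web.config.

```csharp
// Added diagnostic, not code from the thread. Save as WhoAmI.ashx (hypothetical
// name) in the protected "admin" folder; the file's first line must be:
//   <%@ WebHandler Language="C#" Class="WhoAmI" %>
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // 1. ASP.NET's own principal (what Page.User returns). It is only
        //    populated from the IIS logon when <authentication mode="Windows" />.
        IPrincipal user = context.User;
        Write(r, "Page.User", user == null ? "(null)" : user.Identity.Name);
        Write(r, "  IsAuthenticated", user != null && user.Identity.IsAuthenticated);

        // 2. The account IIS authenticated for this request, independent of
        //    the ASP.NET authentication mode.
        WindowsIdentity logon = context.Request.LogonUserIdentity;
        Write(r, "AUTH_USER", context.Request.ServerVariables["AUTH_USER"]);
        Write(r, "Request.LogonUserIdentity", logon.Name);

        // 3. The token the thread executes under: the app pool account
        //    (NETWORK SERVICE) unless <identity impersonate="true" /> is set.
        Write(r, "WindowsIdentity.GetCurrent()", WindowsIdentity.GetCurrent().Name);

        // 4. Scoped alternative to site-wide impersonation: take the caller's
        //    token only around the call that needs it, then revert.
        WindowsImpersonationContext ctx = logon.Impersonate();
        try
        {
            Write(r, "Inside Impersonate()", WindowsIdentity.GetCurrent().Name);
        }
        finally
        {
            ctx.Undo(); // always drop back to the previous token
        }
        Write(r, "After Undo()", WindowsIdentity.GetCurrent().Name);
    }

    private static void Write(HttpResponse r, string label, object value)
    {
        r.Write(label.PadRight(32) + ": " + value + Environment.NewLine);
    }
}
```

Remove the handler once the identities are confirmed, since its output discloses account names.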