
Can't assign permissions for Web Service hosted inside FormsAuthentication site

I have a working SSL protected site with FormsAuthentication turned on.  It is built in VB.Net Framework 4.  I added a RESTful web service inside of this which will use a separate authentication scheme. I have a function named "MyFunction" which will validate that the user only accesses their own data and then writes a zip file to a folder (outside of the website's directory structure) and then moves the file onto another process beyond the scope of the function. When I call MyFunction from a web page button, it works fine. When I call this from the web service, it fails to write the file.  I'm obviously suspecting a permission issue.  The way that the service is exposed is via a location tag:
  <location path="MyFile.svc">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

One of the parameters of the function is an encrypted login token which works in several other functions.  I set up debugging messages to write to the event log and found that the web page executes with Environment.UserName = IUSR as I expected.  I had no problem setting up this user with the permissions to write the file.  However, the service comes in with Environment.UserDomainName = WORKGROUP and Environment.UserName = <MACHINENAME>$.  I tried adding this user to the file permissions, but cannot find a Source of "WORKGROUP" or user of that name.  I think this is not picking up the IUSR because, as far as IIS is concerned, the user is not authenticated.  How do I identify this anonymous user so that I can assign permissions without disrupting the rest of the site?

I have tried to impersonate the user with:
' Attempt 1: impersonate the anonymous identity (this is what raises the error quoted below)
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity = System.Security.Principal.WindowsIdentity.GetAnonymous()
impersonationContext = currentWindowsIdentity.Impersonate()


and
' Attempt 2: impersonate the identity the current thread already runs under
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity = System.Security.Principal.WindowsIdentity.GetCurrent()
impersonationContext = currentWindowsIdentity.Impersonate()

I got an error that "An anonymous identity cannot perform an impersonation." I have seen that I can explicitly spell out a user and password to impersonate in the Web.Config, but I don't want to expose an interactive username / pass in clear text and have to manage it if the user ever changes.  Ideally, I would like to force it to use IUSR so that it is easier to maintain.  I'm open to some degree of refactoring this, but I would prefer not to split up the Web Service and the Asp.Net site for maintenance purposes.  I feel that I would still use the same authentication scheme if the Web Service were standalone.  Please let me know if I can identify and grant the privileges to this "mystery" user, impersonate or assign the user to be IUSR, or assign a bogus low-level user to just the "location" tag.  Thank you in advance!
Asked by: ja928

ja928 (Author) commented:
I forgot to mention that I tried adding the Windows users and groups "ANONYMOUS LOGON", "<MACHINENAME>\Users", "SYSTEM", "NETWORK SERVICE" (that's on the Application Pool for the site), and "<MACHINENAME>\ASPNET".  None of these seemed to grant the permission I needed on the folder.  The process definitely fails at the point of writing the file.
 
Carlos Villegas (Full Stack .NET Developer) commented:
Well, I think that i can offer a better solution, but this can work for you:
<location path="MyFile.svc">
  <system.web>
    <identity impersonate="true" userName="LocalAccountUserName" password="Password"/>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

Carlos Villegas (Full Stack .NET Developer) commented:
Where userName is a local user account that has permission over your files/folders that you want the WS to access.
 
Carlos Villegas (Full Stack .NET Developer) commented:
Oh sorry, I see that you don't want to do this...
 
Carlos Villegas (Full Stack .NET Developer) commented:
What IIS version are you using? And which Windows Server version?
 
ja928 (Author) commented:
Thank you very much for your responses.  I will keep that in-file impersonation as my fall-back plan (still need to test it tomorrow to be certain).  I am running Windows Server Web Edition SP2 with IIS 7.
 
Carlos Villegas (Full Stack .NET Developer) commented:
Hi, please tell me what identity your application pool has. Can you reach this screen?
[Screenshot: IIS Application Pool]
What is the identity of your application pool? (Be sure to select the application pool used by your application.)
 
Carlos Villegas (Full Stack .NET Developer) commented:
More info can be useful. Please copy the attached aspx page to your web application:
(attachment: Im.aspx)

Then give public access to it, example:
<location path="Im.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

Visit that page from your web browser, and post here the info displayed.
 
ja928 (Author) commented:
Thank you very much.  The diagnostics here pointed me to the right answer.  As it turns out, the web page and the Web Service used the SAME identity.  I should have posted some more code.  The line that wrote the file gave the error because the path itself was not populated.  I was getting the path to a directory with HttpContext.Current.Server.MapPath("MyFolder").  The Web Site has "native" access to the HttpContext, but the Web Service does not.  To get access to the HttpContext, I got the supporting info here.

He names a few extra steps particular to his implementation, but the changes I needed to make were adding an attribute to serviceHostingEnvironment:
<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>

and adding this to my implementation file MyService.svc.vb:
Imports System.ServiceModel.Activation
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Required)>

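As an added example (not code from the thread or its participants), here is a VB.NET sketch of MyService in ASP.NET compatibility mode that checks HttpContext.Current before calling Server.MapPath, so a missing context fails with a clear message instead of an empty path reaching the file write, and logs the Windows identity that actually performs the write. GetUserIdFromToken is an assumed placeholder for the thread's existing encrypted-token validation, and the check that the resolved path stays inside the output folder is an addition.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Principal
Imports System.ServiceModel
Imports System.ServiceModel.Activation
Imports System.Web

<ServiceContract()>
Public Interface IMyService
    <OperationContract()>
    Function MyFunction(ByVal loginToken As String) As String
End Interface

' Requires <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> in Web.config.
' Without both, HttpContext.Current is Nothing inside the service and MapPath has nothing to work with.
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Required)>
Public Class MyService
    Implements IMyService

    Public Function MyFunction(ByVal loginToken As String) As String Implements IMyService.MyFunction
        Dim ctx As HttpContext = HttpContext.Current
        If ctx Is Nothing Then
            ' Fail here with a clear message instead of passing an empty path to the file write,
            ' which is what surfaced as a misleading "permission" failure in the thread.
            Throw New InvalidOperationException("HttpContext.Current is Nothing; ASP.NET compatibility mode is not active.")
        End If

        ' Record which Windows identity actually does the write, so folder ACLs can be checked against a fact.
        Dim identity As String = WindowsIdentity.GetCurrent().Name

        Dim userId As String = GetUserIdFromToken(loginToken)  ' assumed helper; must throw on an invalid token
        Dim folder As String = Path.GetFullPath(ctx.Server.MapPath("MyFolder"))
        Dim target As String = Path.GetFullPath(Path.Combine(folder, userId & ".zip"))

        ' Keep the output inside the intended folder even if the token-derived id is malformed.
        If Not target.StartsWith(folder & Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase) Then
            Throw New UnauthorizedAccessException("Resolved path escapes the output folder.")
        End If

        File.WriteAllBytes(target, New Byte() {})  ' placeholder for the real zip payload
        Return String.Format("Wrote {0} as {1}", target, identity)
    End Function

    Private Function GetUserIdFromToken(ByVal loginToken As String) As String
        ' Assumed stand-in for the thread's encrypted-token validation; real code decrypts and verifies the token.
        If String.IsNullOrEmpty(loginToken) Then Throw New UnauthorizedAccessException("Invalid token.")
        Return loginToken
    End Function
End Class
```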
 
ja928 (Author) commented:
Thank you for the quick turnaround and insightful troubleshooting tips!  I also verified the "workaround" solution of adding the Identity Impersonation to the location tag in Web.config, but determining the proper identity was much more useful.
 
Carlos Villegas (Full Stack .NET Developer) commented:
Hi ja928, I'm glad to know that you got the problem solved :) thanks for sharing that detailed info!