WiX IIS Authentication mode on subdirectories - asp.net-mvc

I'm trying to install a ASP.NET MVC web application with wix. So far so good.
Unfortunately I came up with a pretty annoying issue I don't know how to implement.
Imagine the following WebSite structure:
Default Web Site (Windows authentication)
MyApplication (Windows authentication)
WebServices (Anoynmous authentication)
As you can see the whole website can only be accessed with valid NT credentials.
But I need to set anonymous authentication on the WebServices directory.
How can I accomplish this with wix?
<DirectoryRef Id="INSTALLDIR_WEB">
<!-- Configuring app pool -->
<Component Id="Cmp_AppPool" Guid="27CE75BF-1118-4E15-9CD5-6FA973A20B45" KeyPath="yes">
<util:User Id="AppPoolUser" Domain="[APPPOOL_IDENTITYDOMAIN]" Name="[APPPOOL_IDENTITY]" Password="[APPPOOL_IDENTITYPWD]" CreateUser="no" />
<iis:WebAppPool Id="CustomAppPool" ManagedPipelineMode="[APPPOOL_PIPELINEMODE]" ManagedRuntimeVersion="[APPPOOL_ManagedRuntimeVersion]" Name="[APPPOOL_NAME]" Identity="other" User="AppPoolUser" />
</Component>
<!-- Create new WebApplication -->
<Component Id="Cmp_CreateApplication" Guid="65591914-46A9-4CB7-BF2E-9F30F4DEE3EC" KeyPath="yes">
<Condition><![CDATA[Installed OR WEBAPP_NAME <> ""]]></Condition>
<iis:WebVirtualDir Id="MyWebVirtualDir" Alias="[WEBAPP_NAME]" Directory="INSTALLDIR_WEB" WebSite="DefaultWebSite">
<iis:WebDirProperties Id="MyWebVirtDirProperties" AnonymousAccess="no" BasicAuthentication="no" WindowsAuthentication="yes" />
<iis:WebApplication Id="MyWebWebApplication" Name="[WEBAPP_NAME]" WebAppPool="CustomAppPool" />
</iis:WebVirtualDir>
</Component>
<!-- Install directly in the IIS ROOT -->
<Component Id="Cmp_SetPermissions">
<iis:WebDir Path="WebServices" DirProperties="EnableAnonymousAuth" WebSite="DefaultWebSite" Id="ServiceDir" />
</Component>
</DirectoryRef>
<iis:WebDirProperties Id="EnableAnonymousAuth" Read="yes" Write="yes" Script="yes" Execute="yes" AnonymousAccess="yes" Index="no" LogVisits="no" />
The above code successfully creates the webapplication but does not set anonymous access on the WebServices directory.
Any ideas?
Regards
Lukas

There is WebDirProperties element for WebDir.
You can set AnonymousAccess="yes" there.
Also you should also provide the user account using the AnonymousUser attribute, and determine what setting to use for the IIsControlledPassword attribute.

Related

Get access to Google AdWords API v201506 with ASP.NET MVC

I need to use AdWrods Api v201506 for some simple operations, but i still get authorization error (I will pass it in the bottom of this post). I think the problem is not in the code (I just copy-paste it from googles documentation) but in the account settings, so the best way to find out error is show you what I do in every step.
Create production MCC account here (production-mcc#gmail.com). Notice that I chosen "To manage other people's accounts." as an answer for "How will you primarily use this AdWords manager account?".
Get developer token for production-mcc#gmail.com. It's still "waiting for approve" but it's not a problem because I will use test account.
Create test MCC account here (for To manage other people's accounts., test-mcc#gmail.com).
Create new Project in Console Google Developer as test-mcc#gmail.com (MyProject).
Create app in consent screen (MyProject_App).
Create new Client ID for web application:
JavaScript origins: http://localhost:50194/
Redirect URIs: http://localhost:50194/oauth2callback (autogenerated) and http://localhost:8080/ - without this url I not be able to generate refresh token with OAuthTokenGenerator.exe (from here). Installed application as an "Other" type and generate refresh token with OAuthTokenGenerator.exe (from here).
Go to Google Adwords and add client account (button +Account -> Create New AdWords Account). Save changes and copy his id.
Now get Client ID, Client Secret and successfully generate refresh token.
Install with NuGet Google.AdWords and Google.Ads.Common packages in MVC project.
Edit <AdWordsApi> sections in web.config file as below:
<!-- Settings related to SOAP logging. -->
<add key="MaskCredentials" value="true" />
<!-- Settings related to general library behaviour. -->
<!-- Use this key to automatically retry a call that failed due to a
recoverable error like expired credentials. -->
<!-- <add key="RetryCount" value="1"/> -->
<!-- Set the service timeout in milliseconds. -->
<!-- <add key="Timeout" value="100000"/> -->
<!-- Use this key to enable or disable gzip compression in SOAP requests.-->
<add key="EnableGzipCompression" value="true" />
<!-- Proxy settings for library. -->
<add key="ProxyServer" value="" />
<add key="ProxyUser" value="" />
<add key="ProxyPassword" value="" />
<add key="ProxyDomain" value="" />
<!-- Settings specific to AdWords API.-->
<add key="UserAgent" value="RANDOM_STRING" />
<add key="DeveloperToken" value="DEV_TOKEN_FROM_2_PARAGRAPH" />
<!-- If your application is a simple script that makes calls to only a
single Adwords account, then you can set your customer ID here. If you
have multiple customer IDs to deal with in your account, then you can
comment out this key and set the value at runtime by setting
((AdWordsAppConfig) user.Config).ClientCustomerId = "xxx";
-->
<add key="ClientCustomerId" value="CLIENT_ID_FROM_7_PARAGRAPH" />
<!-- Use the following settings to skip the report header and summary rows
when downloading a report in CSV, TSV or their gzipped formats. -->
<add key="SkipReportHeader" value="false" />
<add key="SkipReportSummary" value="false" />
<add key="SkipColumnHeader" value="false" />
<!-- Use the following setting to include zero impression rows when
downloading a report. If this setting is commented out, then the server
behaves as explained in
https://developers.google.com/adwords/api/docs/guides/zero-impression-reports#default_behavior.
-->
<!-- <add key="IncludeZeroImpressions" value="true"/> -->
<!-- Settings specific to use OAuth2 as authentication mechanism. You could
run Common\Util\OAuth2TokenGenerator.cs to generate this section of the
config file.
-->
<!-- Provide the OAuth2 client ID and secret. You can create one from
https://console.developers.google.com. See
https://github.com/googleads/googleads-dotnet-lib/wiki/Using-OAuth2
for more details.
-->
<add key="OAuth2ClientId" value="CLIENT_ID_FROM_8_PARAGRAPH" />
<add key="OAuth2ClientSecret" value="CLIENT_SECRET_FROM_8_PARAGRAPH" />
<!-- The following OAuth2 settings are optional. -->
<!-- Provide a different OAuth2 scope if required. Multiple scopes should be
separated by spaces. -->
<!-- <add key="OAuth2Scope" value="INSERT_OAUTH2_SCOPE_HERE" /> -->
<!-- Use the following keys if you want to use Web / Installed application
OAuth flow.-->
<add key="OAuth2Mode" value="APPLICATION" />
<!-- If you are using a single MCC account's credentials to make calls to
all your accounts, then you can run OAuth2TokenGenerator.cs to generate
a RefreshToken for that account and set this key in your application's
App.config / Web.config. If you are making calls to multiple unrelated
accounts, then you need to implement OAuth2 flow in your account and
set this key at runtime. See OAuth folder under Examples folder for a
web and a console application example.
-->
<add key="OAuth2RefreshToken" value="REFRESH_TOKEN_FROM_8_PARAGARAPH" />
<!-- Optional: Specify an OAuth2 redirect url if you are building a
web application and implementing OAuth2 web flow in your application.
-->
<!-- <add key="OAuth2RedirectUri" value="" /> -->
<!-- Use the following keys if you want to use OAuth2 service account flow.
You should comment out all the keys for Web / Installed application
OAuth flow above. See
https://developers.google.com/adwords/api/docs/guides/service-accounts
https://github.com/googleads/googleads-dotnet-lib/wiki/Using-OAuth2
for more details.
-->
<!--
<add key="OAuth2Mode" value="SERVICE_ACCOUNT" />
<add key="OAuth2ServiceAccountEmail"
value="INSERT_OAUTH2_SERVICE_ACCOUNT_EMAIL_HERE" />
<add key="OAuth2PrnEmail" value="INSERT_OAUTH2_USER_EMAIL_HERE" />
<add key="OAuth2JwtCertificatePath"
value="INSERT_OAUTH2_JWT_CERTIFICATE_PATH_HERE" />
<add key="OAuth2JwtCertificatePassword"
value="INSERT_OAUTH2_JWT_CERTIFICATE_PASSWORD_HERE" />
-->
Now, I just copy-paste code from example in Google Developers Documentation.
After running I got exception in:
BudgetReturnValue budgetRetval = budgetService.mutate(
new BudgetOperation[] {budgetOperation});
and it call: [AuthorizationError.USER_PERMISSION_DENIED # ; trigger:'<null>']
According to documentation it means: "User doesn't have permission to access customer.".
My question is: what I'm doing wrong with authorization? Which token or id is invalid?
PS. I described all steps which I done - not less not more.
I found solution for exception ([AuthorizationError.USER_PERMISSION_DENIED # ; trigger:'<null>'] ): the problem was in refresh token - when I generated his I was loggin in my private account not as a test-mcc#gmail.com. So when you will use OAuthTokenGenerator.exe make sure that you sigin in proper account when generator shows new window and ask for permission.

What is the best practice to protect access to public ASP .NET MVC application in development phase?

What is the best practice to protect access to public ASP .NET MVC application in development phase? I would like to testing the application but deny access for public.
The <ipSecurity> element of the web.config was introduced in IIS 7.0.
Here's how you can deny all, but allow specific IPs or networks through.
<security>
<ipSecurity allowUnlisted="false"> <!-- this line blocks everybody, except those listed below -->
<clear/> <!-- removes all upstream restrictions -->
<add ipAddress="127.0.0.1" allowed="true"/> <!-- allow requests from the local machine -->
<add ipAddress="83.116.19.53" allowed="true"/> <!-- allow the specific IP of 83.116.19.53 -->
<add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/> <!--allow network 83.116.119.0 to 83.116.119.255-->
<add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/> <!--allow network 83.116.0.0 to 83.116.255.255-->
<add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/> <!--allow entire /8 network of 83.0.0.0 to 83.255.255.255-->
</ipSecurity>
</security>

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry

I am trying to implement a Simple STS web site alongside my MVC application in a development environment. I was able to get this working properly on my local machine. I would navigate to my MVC app, kicked out to the STS web application, I login, then am redirected back to my MVC app. This is not using AFDS by the way.
When I migrated this to my Development environment, I see similar activity but I get the error below when I login. I have checked about 20 times that my thumbprint in the MVC app is the exact same as the cert.
(The login is working fine as I don't get redirected until the authentication succeeds.)
Any guesses?
Error message I recieve:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer
web.config from STS website:
<appSettings>
<add key="IssuerName" value="STSTestCert"/>
<add key="SigningCertificateName" value="CN=STSTestCert"/>
<add key="EncryptingCertificateName" value=""/>
</appSettings>
web.config from MVC application:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://localhost/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost:57543/mySTS/" realm="http://localhost/" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<applicationService>
<claimTypeRequired>
<!--Following are the claims offered by STS 'http://localhost:57543/mySTS/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="‎11111" name="http://localhost:57543/mySTS/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
Copying your thumbprint adds hidden unicode characters. Try typing it in.
As MJCoffman mentioned it is most probably because you copied the thumbprint with hidden character. You can find more details here.
In my case the problem was also that copying the thumbprint and pasting it was adding some characters that a regular text editor do not show. I found the following instructions very useful to remove the special characters (look #4). posted by Edwin Guru Singh
Do this to get rid of the special characters using Visual Studio:
Close the web.config
Right-click on it and open it with binary editor
Find where the thumbprint is and delete additional characters (everything that is not a number, usually dots).
Save and try again, it should work.

How to use J2eePreAuthenticatedProcessingFilter and a custom authentication provider?

I want my Spring application to try two pre-authentication methods (Siteminder and Java EE container authentication).
If either of these filters locates a username - I want to check that username against my database of users and assign roles based on what I see in the database. (I have an implementation of AuthenticationUserDetailsService, which does that for me.)
If not - show a login page to the user. Check the credentials they enter in the form against my database of users.
The Siteminder integration is working. The login form is working too. My problem is with the Java EE pre-authentication. It never kicks in.
My applicationContext-security.xml:
<!-- HTTP security configurations -->
<sec:http auto-config="true" use-expressions="true">
<sec:form-login login-processing-url="/resources/j_spring_security_check" always-use-default-target="true" default-target-url="/" login-page="/login"
authentication-failure-url="/login?login_error=t" />
<sec:logout logout-url="/resources/j_spring_security_logout" />
<sec:access-denied-handler error-page="/accessDenied" />
<sec:remember-me user-service-ref="customUserDetailsService" token-validity-seconds="86400" key="OptiVLM-VaultBalance" />
<sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter"/>
<sec:custom-filter after="PRE_AUTH_FILTER" ref="jeePreAuthenticatedFilter"/>
<!-- various intercept-url elements here, skipped for brevity -->
</sec:http>
<!-- Authentication Manager -->
<sec:authentication-manager alias="authenticationManager">
<!-- J2EE container pre-authentication or Siteminder -->
<sec:authentication-provider ref="customPreAuthenticatedAuthenticationProvider" />
<!-- Default provider -->
<sec:authentication-provider user-service-ref="customUserDetailsService" />
</sec:authentication-manager>
<!-- Siteminder pre-authentication -->
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="exceptionIfHeaderMissing" value="false" />
</bean>
<!-- J2EE pre-authentication -->
<bean id="jeePreAuthenticatedFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!-- Custom pre-authentication provider -->
<bean id="customPreAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="customAuthenticationUserDetailsService" />
</bean>
I have Java 2 security enabled in Websphere, and I am logged in as 'admin5'. (I have a user with this username in my user database.) But when I access the application, there is never a call to the 'customAuthenticationUserDetailsService' bean to verify the username. I know this, because 'customAuthenticationUserDetailsService' does extensive logging which clearly shows what it is doing. When I am using the Siteminder pre-authentication - the 'customAuthenticationUserDetailsService' works just fine, I get some trace output in the log. But not for the J2EE authentication...
My guess is that one of these things is happening:
a) Java EE pre-authentication filter is not locating the username, so it never calls the authentication manager
b) Java EE pre-authentication filter works fine, but my custom authentication provider is never called by the authentication manager for some reason
By the way, the default authentication provider, which uses 'customUserDetailsService' does not kick in either. Again, I can tell that because there is no output from 'customUserDetailsService' in the log.
Can you advise on what could be the problem here? If not a solution, then a suggestion on how to approach this would be greatly appreciated.
OK, I figured this out. The problem is that even though I had J2EE security setup in Websphere and was authenticated, my web.xml contained no security constraints. Because of this, Websphere was not supplying the principal for my requests. This is apparently an intentional feature. If you are not accessing a protected URL, you should not need the pre-authentication information.
To overcome this, I added a security constraint to my web.xml, which allowed ALL users to access the resources. Effectively, the resources were not secured, but still - there was a constraint now.
This is it:
<security-constraint>
<web-resource-collection>
<web-resource-name>All areas</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
This tricks the Websphere into filling in the user principal information in the request.
Thank you #Ralph for his comments on this this question: request.getUserPrincipal() got null

Error on AddWebPart (Sharepoint 2007)

I am trying to use the AddWebPartToZone web service call within Sharepoint 2007 to add a webpart programmatically to a webpart page. We get a soap exception (Microsoft.Sharepoint.SoapServer.SoapServerException).
The webpart i am trying to add is the original version of the Chatterbox app found on codeplex. When i try and add a content editor webpart to the same page it works perfectly.
We can add the webpart manually (Chatterbox) to the webpart page and it works fine. We have checked and the web part is added appropriately to the safe controls list in the webconfig (as it should be). So the next step is to have a quick look in the logs. The messages we get are:
Monitorable Usage: Security - Web Services: AddWebPart
Monitorable Error importing WebPart. Assembly Microsoft.SharePoint.SampleParts.ChatterBox, Version=12.0.0.0, Culture=neutral, PublicKeyToken=48e046c834625a88, TypeName. Microsoft.SharePoint.SampleParts.ChatterBox
I've tried amending the webpart XML we use on the webservice call and we get the same error message everytime. Now this looks like a permissions problem with the webpart but seeing as we have added it correctly to the safecontrols listing in the webconfig i can't see what else i can do?
Here is the webpart XML that we used:
<?xml version="1.0" encoding="utf-16"?>
<WebPart xmlns:xsd="http://schemas.microsoft.com/WebPart/v3" xmlns:xsi="http://microsoft.com/sharepoint/webpartpages" xmlns="http://schemas.microsoft.com/WebPart/v2">
<IsIncluded>true</IsIncluded>
<ZoneID>Full Page</ZoneID>
<PartOrder>1</PartOrder>
<FrameState>Normal</FrameState>
<Height />
<Width />
<AllowClose>True</AllowClose>
<AllowRemove>true</AllowRemove>
<AllowZoneChange>true</AllowZoneChange>
<AllowMinimize>false</AllowMinimize>
<IsVisible>true</IsVisible>
<NumComments>10</NumComments>
<UpdateInterval>5</UpdateInterval>
<AllowConnect>True</AllowConnect>
<ChromeType>Default</ChromeType>
<TitleIconImageUrl />
<Description />
<Hidden>False</Hidden>
<BackingListName>Potato</BackingListName>
<UserName />
<AllowEdit>True</AllowEdit>
<DetailLink />
<HelpLink />
<Title>ChatterBox 101</Title>
<Dir>Default</Dir>
<PartImageSmall />
<MissingAssembly />
<PartImageLarge>/_layouts/images/mscontl.gif</PartImageLarge>
<IsIncludedFilter />
<Assembly>ChatterBox, Version=12.0.0.0, Culture=neutral, PublicKeyToken=48e046c834625a88</Assembly>
<TypeName>Microsoft.SharePoint.SampleParts.ChatterBox</TypeName>
<ChromeState>Normal</ChromeState>
<HelpMode>Navigate</HelpMode>
</WebPart>
We have a sharepoint 2007 (MOSS) box running on Win 2003. Any help would be really appreciated as this is slowly but surely doing my head in!
thanks,
Kev
Does the user the webservice is called under (NetworkCredentials) have the permission to add the webpart to that particular page?

Resources