Access Denied in IIS 7.5 MVC application - asp.net-mvc

I'm working with an MVC application on a test server that used to work perfectly. It creates accounts on a server that a 2nd application uses for logging in. It uses a credential store and PrincipalContext and UserPrincipal objects to create these accounts.
I haven't used the test version of this app for months or possibly almost a year. Now when I go to create an account with the application, I get the following error:
Access is denied.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and
the configured application pool identity on IIS 7.5) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
I looked at anonymous access, but the production version of this app also has a rule to deny anonymous access and it's working fine. This application never used impersonation even when it was working and I've heard that granting explicit access to ASP.NET is not generally recommended. I can make the application work locally through Visual Studio, but the version deployed to test continues to give this error. I would rater not republish the site to test, but perhaps that's the only option left? Is there anything obvious (but not to me) that could have changed in the security settings to cause this? I'm still researching with no luck.
Thank you!

You need to provide a service account to your ApplicationPool Identity that has the appropriate level of access. When you're using the Studio, it uses your user account for access so it's almost a given. When the application is installed onto IIS it uses the lowest possible level of access available, and that simply isn't enough. It isn't recommended that you open it wide up, but establishing a limited access service account for this specific purpose will allow the application to function without having to compromise system or personal accounts.

Related

Using app's identity (Azure AD) in ASP.NET web app to call Microsoft Graph

My ASP.NET MVC web application is currently using on-premise SMTP server to send mails.
To understand, here is the classic scenario:
Users have to sign-in in the web app with a user/password (encrypted and stored in SQL DB)
Users fill in a form
When form is posted 2 mails are sent (one for the user and one for the team)
We have to migrate to an Azure VM (Virtual Machine) based solution. I am asked to use Microsoft Graph to send mails as a replacement of using SMTP server. I found a lot of documentation and tutorials on this subject. The classic solution asks the user to sign in using Open ID Connect and Azure AD is used for the authentication (MSAL). So a new authentication page is showed to the user where he should authorise the application to perform specific actions like sending mails (for example). See picture below.
In my situation, I prefer not force user to authenticate a second time. As explained in scenario above users already sign in with (basic) user/password not related to Azure AD.
So I thought I would use app's identity in place of user's identity. This way the user should not authenticate a second time. I found a quickstart on the Microsoft's website which seems to fit my needs.
Here is the link: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon
Obviously I thought to integrate this concept in my ASP.NET web app and not in a console app but you get the idea.
So I would like to know if the solution of using app's identity in place of user's identity (authentication in Azure AD) to send mails in my ASP.NET web app is a good approach.
I think this is feasible.
In fact, Microsoft does not recommend users to log in to applications based on username/password, which requires a very high level of trust in the application and may bring certain risks.
In your question, you want to use the application to act as its own entity instead of performing operations on behalf of a specific user, so as to avoid repeated login authorization for users. I think this is a good method, but you have to pay attention, if you need to use the application's own identity request token to access MS graph api, then you must grant application permissions to the application, and then use the client credential flow as the authentication flow.
If you're using a VM you could enable managed identity and avoid dealing with credentials. Take a look to this article.

Single Sign On for Intranet with Vaadin & Springboot - security

We have a Vaadin / Spring Boot application which should be accessible via a browser and without login from intranet only.
We would like to implement SSO with the Windows login (Active Directory).
The goal is high security with least configuration as the application is sold to customers.
I came up with the following scenario:
receive the IP address of the client accessing the Vaadin-Application.
Look up in the Active directory / Domain controller, which is in RW mode and see which user is online with this IP address in this very moment.
check the rights of this user managed by the Active Directory Groups.
make application available with logged in user for the client requesting it.
IP spoofing is not possible (as the connection is bidirectional, also users have no access to network devices.)
this login process is only done once to initiate the session.
Am I correct with these thoughts? Can you see any security issues? Is it really necessary to use certificates?
What would you recommend if so? Kerberos, CAS, x509, SAML?

How does the EnsureAuthenticated in the TFS API Work?

I'm working on a web application that works with the TFS API and I would like to make sure that any users that use it have the proper authentication to use TFS.
To do so I use the following code:
TfsTeamProjectCollection teamProjectCollection = configServer.GetTeamProjectCollection(collectionId);
teamProjectCollection.EnsureAuthenticated;
I'm going to host the website on IIS.
When a user uses the web app, will EnsureAuthenticated use their credentials, or will it use the credentials of the remote desktop I'm hosting the application on?
It depends.
If you have configured ASP.NEt to use impersonation, it will use the account of the logged user.
If ASP.NET is configured with default settings there are a number of things that can happen
If there is a credential stored in the Credentials Manager it will use that
If the application pool is running under a real account it will try to do that
If the application pool is running an application pool account, it will probably try to authenticate with the System's account (COMPUTER$)
I'd say, try it and look at the IIS logs of your TFS server or use something like fiddler to capture the traffic.

System.Web.Mvc.dll was invalid when identity impersonate = true

I am running this MVC 4 site on iis express initiated through visual studio 2012. If I change the impersonate to false it works fine. Any ideas what I could be doing wrong?
Use ASP.NET impersonation when you want to run your ASP.NET application under a security context different from the default security context for ASP.NET application.
If you enable impersonation for an ASP.NET application, that application can run in one of two different contexts: either as the user authenticated by IIS 7 or as an arbitrary account that you set up. For example, if you were using Anonymous authentication and chose to run the ASP.NET application as the authenticated user, the application would run under an account set up for anonymous users (typically, IUSR). Likewise, if you chose to run the application under an arbitrary account, it would run under whatever security context was set up for that account.
By default, ASP.NET impersonation is disabled. If you enable impersonation, your ASP.NET application runs under the security context of the user authenticated by IIS 7.
I don't know how to answer why the message is so useless but I can say that it seems to be a product of the development web host (iis express) not being in the domain of the user you are trying to authenticate.
In my example I was on my home machine (not registered to the domain) connected in via vpn. With impersonate set to false and windows authentication enable in the web.config it will work fine. When you turn on impersonate it gives the invalid message.
If you have impersonate turned on when running from a machine (my workstation in the office) registered to the domain it works with no error message.
Hope this helps someone else.

IIS settings for mvc application using Windows Authentication

I have developed an MVC intranet application which I have successfully deployed to IIS.
I have enabled Windows Authentication and denied access to anonymous users, however, only some accounts on the domain are able to gain access to the application.
I have checked these accounts and there is nothing special about them that I can see.
The first check for security is Domain Users which everyone is a member of.
All other users are prompted to login but it does not recognize their credentials.
I get a 401.1 - Unauthorized Error
Not sure what else to try. Any suggestions would be appreciated.
Solution : Folder permission on my wwwroot - Domain Users did not have read access.
=================================================================================
Check that kernel mode authentication is on:
Site>Authentication>Windows Authentication>Advanced Settings
Check authorization rules are not blocking users:
Site>Authorization Rules
I would test (allow all users) first, does that allow users through?

Resources