ServicePrincipalName setup for Web Service on IIS 7

I'm so confused.
Consider the following:
Active Directory environment with a domain called DOM
An IIS 7 box with a NetBIOS name VS1
A DNS record providing an alias for VS1 as pineapple.london.uk.corp
An Application Pool running as DOM\PineappleService
Windows Authentication enabled.
Clients use HttpWebRequest to call the XML/JSON ASP.NET services on the box.
The service calls out to workstations on the network to gather information. This works in development where I use IIS Express which runs as me, since IISX is just an .exe
In production, services work fine, authentication works, but invoking functions that cause the service (running as PineappleService) to access stuff on the network, fails.
I suspect an SPN registration issue but I don't know what SPNs to setup.
Most recently, I've stumbled across this article which seems to fly in the face of some other articles:
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Note that it says
The SPN requirements remain the same as above. You don't have to add
SPNs like http/ for the Domain1\Username1
unlike in IIS 6.0 (where we had to add an SPN of the form
http/ for the Application Pool identity).
So I don't know what's right anymore. I don't know if I need to register HTTP SPNs or HOST SPNs or use the DNS alias or the NetBIOS name, and set them on the PineappleService account or on the VS1 computer account.
I can't tell whether, when I try things, there's a slow AD replication issue that means I must wait an hour between trial and error.
It's all so complicated now. I've worked as a sysop and dev for 15 years and I sense the end of domains and workstations and rights and policies. It's all gotten too much.
Thanks for your help.
Luke
This is a cross-post with ServerFault which is getting no answers:
https://serverfault.com/questions/417483/serviceprinciplename-setup-for-web-service-on-iis-
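An added diagnostic (not part of the question or the linked checklist) that answers the "which account holds it?" part of the confusion: it asks the domain which object carries each candidate SPN, so you can see whether a name is on DOM\PineappleService, on the VS1 computer account, registered twice, or not at all. The names are the ones from the question; the FQDN for VS1 is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class SpnAudit
{
    // Candidate SPNs from the question: HTTP vs HOST, DNS alias vs NetBIOS name.
    static readonly string[] Candidates =
    {
        "HTTP/pineapple.london.uk.corp",
        "HTTP/VS1",
        "HOST/VS1",
        "HOST/vs1.london.uk.corp",   // assumption: VS1's own FQDN is in the same DNS zone
    };

    // Returns the distinguished name of every object that carries the SPN.
    // More than one holder is a duplicate SPN, which makes Kerberos fail silently.
    static List<string> HoldersOf(string spn)
    {
        var holders = new List<string>();
        // Escape the LDAP filter metacharacters that could appear in an SPN string.
        string escaped = spn.Replace("\\", "\\5c").Replace("*", "\\2a")
                            .Replace("(", "\\28").Replace(")", "\\29");
        using (var root = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry("LDAP://" + root.Properties["defaultNamingContext"].Value))
        using (var search = new DirectorySearcher(domain))
        {
            search.Filter = "(servicePrincipalName=" + escaped + ")";   // AD matches SPNs case-insensitively
            search.PropertiesToLoad.Add("distinguishedName");
            using (SearchResultCollection results = search.FindAll())
                foreach (SearchResult r in results)
                    holders.Add((string)r.Properties["distinguishedName"][0]);
        }
        return holders;
    }

    static void Main()
    {
        foreach (string spn in Candidates)
        {
            List<string> holders = HoldersOf(spn);
            string state = holders.Count == 0 ? "NOT REGISTERED"
                         : holders.Count == 1 ? "held by " + holders[0]
                         : "DUPLICATE on " + string.Join("; ", holders);
            Console.WriteLine("{0,-32} {1}", spn, state);
        }
    }
}
```

Run it as a domain user from any joined machine; a "DUPLICATE" line or an alias that is "NOT REGISTERED" is the first thing to fix before reasoning about delegation.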

Active directory accounts inside a windows container (server 2016 TP5)

So I have Windows Server 2016 TP5 and I'm playing around with the containers. I am able to do basic docker tasks fine. I'm trying to figure out how to containerize some of our IIS-hosted web applications.
Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don't have a test VM (that is in a domain) so I can't test if this will work inside a container.
If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?
EDIT:
Also, if I specify the "USER" in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?
There are at least some scenarios where AD-integration in Docker container actually works:
You need to access network resources with AD credentials.
Run cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass> under local identity that needs this access
To apply the same trick to IIS apps without modifying AppPoolIdentity you'll need a simple .ashx wrapper around cmdkey (Note: you'll have to call this wrapper at run time, e.g.: during ENTRYPOINT, otherwise network credentials will be mapped to a different local identity)
You need to run code under AD user
Impersonate using ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT as suggested
You need transport layer network security, like when making RPC calls (e.g.: MSDTC) to an AD-based resources.
Set up gMSA by using any guide that suits you best. Note however, that gMSA requires the Docker host to be in the domain.
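The LogonUser route from the answer above, worked through as an added example (not the answer's own code): LOGON32_LOGON_NEW_CREDENTIALS keeps the local identity for local access but presents the supplied domain credentials on the network. The answer names LOGON32_PROVIDER_DEFAULT; the LogonUser documentation states that NEW_CREDENTIALS is supported only with the WINNT50 provider, so that is what is used here. Domain, user, environment variable and share name are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class NetworkCredentialImpersonation
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;   // required for NEW_CREDENTIALS per the API docs

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs `action` so that outbound network authentication uses DOMAIN\user.
    // NEW_CREDENTIALS does not validate the password up front: a wrong password
    // only surfaces as an access-denied error when the network resource is touched.
    public static void RunWithNetworkCredentials(string domain, string user, string password, Action action)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            // Scoped impersonation: reverted when the delegate returns or throws.
            WindowsIdentity.RunImpersonated(token, action);
        }
    }

    static void Main()
    {
        // Assumption: the secret is injected at container start (env var, secret store),
        // never baked into the image layer.
        string password = Environment.GetEnvironmentVariable("SVC_PASSWORD");
        RunWithNetworkCredentials("DOM", "svc-app", password, () =>
        {
            // Inside the delegate, SMB/HTTP calls authenticate as DOM\svc-app.
            bool ok = System.IO.Directory.Exists(@"\\fileserver\share");
            Console.WriteLine(ok ? "share reachable" : "share not reachable");
        });
    }
}
```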
Update: this answer is no longer relevant - was for 2016 TP5. AD support has been added in later releases
Original answer
Quick answer - no, containers are not supported as part of AD so you can't use AD accounts to run processes within a container or authenticate with it
This used to be mentioned on the MS Containers site but the original link now redirects.
Original wording (CTP 3 or 4?):
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
I don't know if that will change in a later release.
Someone tried to hack around it but with no joy.
You can't join containers to a domain but if your app needs to authenticate then you can use managed service accounts. Saves you the hassle of having to deal with packaging passwords.
https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_serviceaccounts

Identity Impersonation with ASP.NET 4 MVC not working as expected

I am in the process of building an Intranet MVC 4 application for our analysts. The goal is to allow internal users access to this application without having to sign on given they are part of our internal network. When they access the application I want to be able to capture their windows user name and check against the active directory using LDAP and retrieve the department they belong to and display the relevant details on the screen. Based on the advice from different fora, I have chosen Windows Authentication for this application and I was able to test the app successfully running from Visual Studio. The trouble I am having is when I deploy this to our UAT server running IIS 7.5.
<authentication mode="Windows">
</authentication>
<identity impersonate="false" />
This is the current state of my Web.config file. Irrespective of whether impersonate is true or false, the application seems to not capture the windows username of the browser from which the application is accessed. Is impersonate = true required for this at all? In the Welcome message on the homepage, I always see the windows user name of the computer where the application is hosted/IIS is running. I have tried a wide variety of ways to capture the Windows User name of the incoming user request.
string name = System.Web.HttpContext.Current.User.Identity.Name;                   // principal set by the authentication module
string name = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name;       // Windows identity IIS attached to the request
string name = System.Security.Principal.WindowsIdentity.GetCurrent().Name;         // identity of the current thread/worker process
string name = System.Web.HttpContext.Current.Request.ServerVariables["LOGON_USER"]; // already a string, so no .Name
etc. I also looked into several other posts here like this. But I am unable to get it to work. I am afraid that I am trying to achieve this by accident rather than really understanding what is going on? Could someone please guide me in the right direction?
No, you misunderstand the purpose of impersonation.
First, Impersonation is no longer supported in IIS 7 or greater running in integrated mode.
Second, the purpose of impersonation is to change the "user" the worker process runs under at runtime, specifically to allow access to filesystem or database resources as that user. It has nothing to do with authentication in general, and is not particularly useful for most web applications.
You want to use Windows Authentication, however you should know that this will only work with Internet Explorer. It will also only work with servers that are joined to your domain, and do not have any intermediary Kerberos authentication issues (these are often known as "double hop" problems). Other browsers do not, by default, provide Active Directory account information automatically, although some can be configured to do so, and others cannot.
If you are using a properly configured server with Windows Authentication, and you are using a browser that supports ActiveDirectory Kerberos ticket passthrough, and there are no network issues that would cause problems with this passthrough, then you can use HttpContext.Current.User.Identity.Name to get the users name.
Don't use LogonName or anything like that, as those will just give you the worker process, not the authenticated users name.

How to publish and host a MVC4 application in your domain?

I have a webdomain www.MyDomain.com and a MVC4 web application MyMVCWebApp.
First I publish the application to a local destination.
For instance: C:\TempLocation
And then I host it to my domain with a FTP-tool (FileZilla??)
The files will be hosted but I can't find the webpage.
Which url do I have to write?
http://www.MyDomain.com/MyMVCWebApp/Home/Index.cshtml or something?!
Do I have to change the settings in my web.config?
What do I have to do?
You can't host an application on a domain.
An application is hosted on a web server. A domain name is only a way to translate an easy to remember address like "www.google.com" to the web server ip address which looks like 173.194.66.104
It is possible to purchase a domain without a web server.
So before going further:
Check if you actually bought a domain only, or a domain with a server
Your domain should resolve to your server IP address; you can see if it is correctly configured by opening a command prompt and doing
C:\> ping www.yourdomain.com
If this is not the case you will need to update the A record of your domain, and wait for the update to be replicated to DNS servers worldwide.
If you have a managed server, you should check your hosting provider website. They usually provide in depth documentation, and they all have a different way to do things. Most of the time indeed you will be able to upload your files using a FTP software such as Filezilla.
However, in order to host a MVC 4 application you need a server with the IIS web server, which means that you need a Windows server. So if you have a Linux server, you should contact your hosting provider support and tell them you made a mistake during your order. (It is possible to host a MVC 4 application on Linux, but I don't think it is often provided on managed servers)
If you have a dedicated server you are on your own.
The URL you will have to write to access your application will depend on what you have configured in the RegisterRoutes method of the RouteConfigs.cs file.
I recommend watching the last video on this page to have a better overview of the possibilities.

Session state lost in asp.net web farm

I've been busy with this for months now.
I currently have 2 servers for 1 website. Using round robin dns I find that in the beginning everything works (checking the ip of the website it changed but I can go on with my session), but after a while I lose my session, seems like the formsauthentication cookie cannot be read and is being discarded. (assumption) But this does not happen all the time. Only sometimes.
I'm using iis7 shared configuration, I set the machine key and I'm using stateserver pointing to one of the servers and I verified that on both servers the stateserver works.
I read something about the IIS application path, but I don't really know what is meant by that, is it the path of the webapp, or the path where IIS is installed? In both cases they are the same.
Anyone have some ideas?
I'll answer this one myself, for anyone facing the same problem. Everything was set up correctly but the machine key should be located in the web.config under system.web. Generating the key via iis 7 didn't work for some reason, I generated it with an online tool: http://aspnetresources.com/tools/machineKey
So, to do load balancing and set up multiple servers on iis7 you should:
Use a stateserver out-proc (stateserver or sql server) and have all servers point to that stateserver (example: stateConnectionString="tcpip=server1:42424")
Use iis shared configuration so all your servers point to a share where the applicationhost.config resides.
Generate a machine key (not via iis, just use an online tool!)
Set up NLB (or round robin DNS) and test it by flushing your dns on your client when you're logged in and see if your session doesn't get lost.
Hope this helps someone.
And the machine keys are specific to the .NET version. To check your current version: In the IIS console, at the server level, click "Change .NET Framework Version" in the Actions pane.

Is it possible to restrict access to Reporting Services over HTTP by ip address?

I'm trying to deploy my Reporting Services application to a remote site. I'm using url access and I want to impersonate a user based on an ip address range.
Is this possible?
Maybe by putting some firewall rules between the reports server and the client you could deny/allow certain ip addresses, but I've never come across anything like that built into reporting services
There isn't anything like that built into Reporting Services. But I can think of a couple of alternatives.
Usually the Reporting Services website and web service are running under IIS. You can configure IIS to block access by IP address. Depending on what version of IIS you are using, the instruction may vary. I would just google it. This would be the easiest way in my opinion.
First thing to note is that I haven't tested the second way, it is just an idea. Since the Reporting Services website and web service run under Asp.Net, in theory you could create a custom IHttpModule and add it to the web.config. Hanselman has a nice article about coding up such an IHttpModule and configuring the web.config here.
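The IHttpModule idea from the answer above, sketched as an added example (not the answer's or Hanselman's code): it rejects requests whose source address is outside an allowed CIDR list. It only applies where the application really runs in the ASP.NET pipeline under IIS; the allowed ranges and the module name are assumptions.

```csharp
using System;
using System.Net;
using System.Web;

public class IpRestrictionModule : IHttpModule
{
    // Assumption: allowed client ranges; in a real deployment read these from web.config.
    static readonly string[] AllowedCidrs = { "10.20.0.0/16", "192.168.1.0/24" };

    // Register under <system.webServer><modules> for the integrated pipeline:
    //   <add name="IpRestriction" type="IpRestrictionModule" />
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // UserHostAddress is the TCP peer. Behind a reverse proxy that is the proxy's
            // address; do not swap in X-Forwarded-For unless that proxy is trusted to set it.
            if (!IsAllowed(ctx.Request.UserHostAddress))
            {
                ctx.Response.StatusCode = 403;
                ctx.ApplicationInstance.CompleteRequest();   // skip the rest of the pipeline
            }
        };
    }

    public void Dispose() { }

    public static bool IsAllowed(string address)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(address, out ip)) return false;   // unparseable => deny
        foreach (string cidr in AllowedCidrs)
            if (InCidr(ip, cidr)) return true;
        return false;
    }

    // IPv4-only prefix match; IPv6 clients fail the length check and are denied.
    static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] ipB = ip.GetAddressBytes(), netB = IPAddress.Parse(parts[0]).GetAddressBytes();
        int prefix = int.Parse(parts[1]);
        if (ipB.Length != 4 || netB.Length != 4) return false;
        for (int i = 0; i < 4; i++)
        {
            int bits = Math.Min(8, Math.Max(0, prefix - 8 * i));   // mask bits in this octet
            int mask = bits == 0 ? 0 : (0xFF << (8 - bits)) & 0xFF;
            if ((ipB[i] & mask) != (netB[i] & mask)) return false;
        }
        return true;
    }
}
```

Firewall rules in front of the server remain the more robust control, since the module only runs once a request has already reached the worker process.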
This is an old post, but we are trying to do the same thing. Firewall is the way to do it - SSRS doesn't use IIS, so it isn't possible through IIS.
