0

I have an asp.net website that is hosted in IIS 7.5

The website has to use windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.

The data that the website is required to use is stored in another server. The AD group has Full control on the folder in which the data is stored. I am using Classic mode because Integrated breaks it.

What should be the website authentication and APP Pool settings?

Improve this question

2 Answers 2

Reset to default
1

Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass the credentials on the connection string or try to impersonate the users (EDIT: Should note that this applies to resources which use windows integrated security). Also no need to try to give the users direct access to the datastore or other resources, just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.

Here is the checklist I send to our server group whenever I ask them to set up a new site for me: (note this is based on Win Serv2003 and IIS 6, things may be different in the newer versions.)

  • Set up a separate App Pool for the application
  • Configure the App pool to run as the service account
  • Add the service account to the IIS_WPG group on the server
  • Make sure the IIS_WPG group has Read, Read & Execute, and List Folder Contents permissions for the website directory and Read and List Folder Contents to the C:\Windows\Temp folder (or equivalent).
  • Grant User Rights “Adjust Memory Quotas for a Process”, “Replace a Process Level Token”, and “Log On as Service” to the service account
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks for your reply. Does that mean anyone who enters the URL of the website will be able to log in automatically? I only want users who belong to a user group to have access to the website.
You still secure access to the web site through whatever means are appropriate. You just don't have to worry about trying to give users access to the backend resources. In most of the apps I work on we have an authorization managment system that we tie into. The app passes the windows user ID and some other info into the security plug in and it responds with what each user is allowed to do. Similar things can be accomplished using security groups.
1

Don't mix up IIS autorization and ASP.NET autorization :

IIS autorization

  • IP/DNS Address Restrictions
  • Web Permissions (Read, Write, Script Source Access...)
  • NTFS Permissions (non ASP.NET ISAPI extension only : .htm, .jpg...)

ASP.NET autorization

  • URL Authorization (<authorization> element)
  • File Authorization (ASP.NET ISAPI extension only : .aspx, .ascx...)
  • Principal Permissions (Demands)
  • .NET Roles

Restrict access to your web :

  • Uncheck anonymous access
  • Configure NTFS rights

Give access to your data folder, few solutions :

  • Use a service account for your application pool, allow it on your folder and manage access control in your application

  • Use default IIS 7 ASP.NET account, and impersonate the user locally in your code when accessing your data folder

    System.Security.Principal.WindowsImpersonationContext impersonationContext; impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

    //Insert your code that runs under the security context of the authenticating user here.

    impersonationContext.Undo();

  • Activate impersonation globally (<identity impersonate="true"/>) ; dont like this one

Improve this answer

2 Comments

(((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();) do I have to do it just once in Global.asax or in every method? Also why don't you like impersonation in web.config?
The impersonation of a whole site can bring autorization/delegation/security problems while impersonating a section of code isolates specific security needs and behaviors.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.