I have a classic asp website with following IIS settings:
1. windows authentication is enabled
2. Impersonation is disabled, so are anonymous and basic authentication
3. App pool is .Net 4.0, Integrated pipeline with a custom Process model identity. This identityt is given exclusive full access to unc local and network shares, batch files etc
The asp application
1. displays user information of the user logging intot he web application,
2. accesses the above mentioned shares to display reports,
3. creates reports by calling DLLs which POST to an asp file in this web application (uing webrequest) and get XMl and write the XML to the share.
The issue I am facing is all the above calls are being made on the behalf of the application user instead of the Process Model Identity User in the app pool. Because of this, most of requests throw up Permission denied or 401 errors.
QUESTION: How can we configure the web site so that the calls made can be on behalf of the app pool user only?
Related
I am trying to access a SP site outside of my tenant using a guest account provided by the third-part company.
According to them, the access is given using Azure B2B (ExternalAzureAD).
I want to access the SP site using Power Automate to copy files to my tenant. It is a specific list, but not specific files.
I tried performing common HTTP SP Rest requests (the connector using the guest account) and HTTP using AAD, but I keep having "401 UNAUTHORIZED" as a response.
Any ideas on how to perform this call? I have very little room for requests with the third-part company, and a request to register an application user to generate a token for me is almost certain to be denied.
What could I try here?
Thanks!
I have a web application written with spring boot and spring security, deployed on a Windows server.
The application users uses Windows too.
I would like to implement the below:
If a users is a member of a specific AD group, when he/she opens the web app in browser, he can auto login without entering user name and password.
Otherwise, login is denied and error page is shown.
Is this doable ? If yes, what technology stack I should look into?
I have created a new ASP.NET web site using VS 2017 and changed the Authentication mechanism to use "Individual User Accounts". This adds the Claims Principal or WIF class support.I can click on register / log in, and set up user emails and then check for the claims for that user. I will also be using Server Session Authentication Management (SAM) to save claims on the server and do some claims transformation as well.
After Login, this site calls a winform application, and after some activity I return back to the above website.
I want to know how can I use SSO logic here and check if I am already Authenticated and access my claims saved at the server side / website and authenticate the user based on the saved claims.
Is there some project or code example anyone can give which i can use as a start to develop such a STS service (in VS 2017) with SSO and access my claims on website after coming from another domain?
The identity and access tools used to work only with VS 2012, so any way to replicate the above scenario and check for my saved claims after I hit my website from the winform application.
There's a good example here of using WS-Fed with Azure AD.
This is easily adaptable to ADFS.
Your other choice is to use ADAL.
I'm current using this sample as my test bed.
IdentityServer3.Samples/source/MembershipReboot/
I've assigned the correct permissions and read several other posts about this problem but I still get access denied.
My IIS app is running under applicationpoolidentity.
I suggest you to use IIS Local instead of Express to have more control with security. I hope you will get success with this following steps:
Install the certificate in the Personal directory of the Current User. (Help)
Assign a dedicated application pool to the IdSrv3 virtual application or website. (Help)
Assign your user as the identity of the dedicated application pool. (Help)
The user that run IIS must have the read rights on the certificates store where you put it. ApplicationPoolIdentity does not have this rights.
I'm getting the this error when I try to use an ASP.NET WebService through an MSSOAP Client:
"WSDL Reader: Loading of the WSDL file failed HRESULT=0X80040154 Class not registered - Client: An
unanticipated error occured during the processing of this request.HRESULT=0x1812040:Class not registered."
At first I thought the SOAP library was not properly registered. But when I debugged the code I realized the error was being raised at the time of reading the web service definition (The Soap client does get created).
SOAPClient.mssoapinit "wsdl_URL"
Now, the issue only occurs when I execute the code as certain account (as for the rest of the accounts the code works pretty well). The original client is a Classic ASP page but I've reproduced the problem using a vbs script.
I run the script under several accounts, but just one presents the wsdl-reading failure.
I've granted reading permissions to the directory that contains the
asmx file to the failing account.
I've changed the physical path of the virtual directory where the
webservice is hosted to a general non-particular-profile location
like C:.
Ironically the application pool identity of the web application is
the account that presents the failure.
All the accounts can read the wsdl file through a browser just typing
the url (but still one of them can't from client code)
Do I need to grant additional permissions for the account in order to read the web service definition and initialize the soap client?