
Need help configuring IIS authentication for a C# web application to make sure it impersonates the user's NT login access

I have developed a set of C# code using VS2017 which adds/removes users to/from an Active Directory group. It runs well on my local machine (IIS Express), where Windows is smart enough to impersonate my current NT login access and added/removed the users from the AD group.

The same code moved to Windows Server 2016 (server version 1607), IIS version 10.0.14393: when I run the web application, my C# code starts throwing an "Access is denied." error.

I already configured my IIS authentication mode as "Windows Authentication" and disabled the rest of the methods, but it still does not work. What is going wrong, and where can I start troubleshooting the access issue?


Do you mean you'd like to modify a folder in the Windows file system? The user named IIS needs modification permission on that folder. You can edit this in folder properties => Security tab.

When you host your application in IIS Express, your application pool is executed under your Windows login user.

When you host your web application in IIS, your code will be activated under IIS AppPool\ and files will be reached via your Windows authenticated user. So please try to modify your application pool identity to your Windows user.

Besides, you could try to modify both the app pool identity and useAppPoolCredentials=true.

The first thing we need to do is figure out where the "Access is denied" error is thrown. Then we would know the root cause.

In addition, you could use Process Monitor to trace the "Access is denied" error.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

I found the reason why the IIS server does not impersonate the Windows login access.

By default, when an IIS pool is created, it comes with the default parameter "ApplicationPoolIdentity",


which means the IIS server will run the custom C# application under the machine account to access target network resources.

To fix this, we can either (1) grant the IIS computer account its own read/write access to the target network resources (in my case it was AD; the same issue happened on SQL Server as well), OR (2) set the app pool to run as a specific service account which owns access to the target network resources. (The 2nd approach is less effective, as one more service account password needs to be managed.)
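The configuration described in the two answers above (diagnose the pool identity, keep Windows Authentication as the only scheme, then either grant the machine account the AD permission it needs or run the pool as a service account with `useAppPoolCredentials`), as an added PowerShell example that is not part of the original post. The pool name, site path, group DN and service account name are placeholders; the script assumes the `WebAdministration` module (IIS 10) and `dsacls.exe` from the AD DS tools are available on the server, and that it runs elevated.

```powershell
# Added example, not from the original post. All names below are assumptions.
Import-Module WebAdministration

$poolName = 'AdToolPool'                                  # assumed app pool name
$sitePath = 'Default Web Site/AdTool'                     # assumed site/application path
$groupDn  = 'CN=AppUsers,OU=Groups,DC=corp,DC=example'    # assumed target AD group DN
$authBase = 'system.webServer/security/authentication'

# Step 1: diagnose. With identityType = ApplicationPoolIdentity the worker process
# authenticates off-box as the machine account (DOMAIN\SERVER$), so an AD write
# from the app fails with "Access is denied" unless that account has rights.
function Get-PoolIdentity {
    $pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
    [pscustomobject]@{ IdentityType = $pm.identityType; UserName = $pm.userName }
}

# Step 2: Windows Authentication on, every other scheme off, for this app only.
function Set-WindowsAuthOnly {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $sitePath `
        -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $sitePath `
        -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
}

# Option 1: keep ApplicationPoolIdentity and grant the computer account write
# access to the group's "member" attribute only (WP = write property), nothing
# broader. dsacls syntax: /G "trustee:permissions;property" (assumed present).
function Grant-MachineAccountGroupWrite {
    $computerAccount = "$env:USERDOMAIN\$env:COMPUTERNAME`$"
    dsacls $groupDn /G "${computerAccount}:WP;member"
}

# Option 2: run the pool as a dedicated service account that already holds that
# permission. The password is prompted for, not stored in the script, and
# useAppPoolCredentials is set so Kerberos for the site uses that account's SPN.
function Set-PoolServiceAccount {
    $cred = Get-Credential -Message 'Service account for the app pool' -UserName 'CORP\svc-adtool'
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $sitePath `
        -Filter "$authBase/windowsAuthentication" -Name useAppPoolCredentials -Value $true
}

Get-PoolIdentity | Format-List
Set-WindowsAuthOnly
# Pick ONE of the two options; they are alternatives, not steps to combine.
Grant-MachineAccountGroupWrite
# Set-PoolServiceAccount
Restart-WebAppPool $poolName
Get-PoolIdentity | Format-List
```

Either way, the identity AD sees is the pool identity, not the browsing user: Windows Authentication alone only authenticates the request. Making the app act as the logged-on user (what IIS Express appeared to do) would additionally require the application to impersonate and, for an off-box hop to a domain controller, Kerberos delegation configured for the pool account, which is a larger change than the fix above.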


The technical posts on this site are licensed under CC BY-SA 4.0. If you need to reprint, please indicate the site URL or the original address. For any questions, contact: yoyou2525@163.com.
