
I published a Blazor (Server side) application with Windows Authentication to IIS. I disabled "Anonymous Authentication" and enabled "Windows Authentication".

The application can display the login information ("Hello, Domain\Username!") correctly. The application connects to SQL Server using Windows integrated mode.

"ConnectionStrings": {
  "MyDatabase": "Server=DBServer;Database=DB1;Trusted_Connection=True"
}

However, it uses the system account (which is used to run IIS?) to connect to the SQL Server.

Login failed for user 'Domain\IISMachineName$'.

I tried to enable "ASP.NET Impersonation" for the IIS site and it gets the 500.24 error.

HTTP Error 500.24 - Internal Server Error

An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

Most likely causes:

• system.web/identity@impersonate is set to true.

ca9163d9
  • Did you try setting app pool's pipeline mode to classic? – Eldar Nov 29 '19 at 17:13
  • I didn't do anything about pipeline mode. Where can I set the pool mode? – ca9163d9 Nov 29 '19 at 17:15
  • In IIS Manager Application pools snap in -> Basic Settings -> Managed Pipeline Mode dropdown th – Eldar Nov 29 '19 at 17:20
  • Well, I have to state impersonation is totally a pain. If you managed to pass this step there will be more errors. And the question is why you need to connect to db on behalf of users? Basically you have to grant access to every user that uses your application or entire AD Group that contains users of your application. – Eldar Nov 29 '19 at 17:24
  • hmm. Maybe I shouldn't impersonate user and control the permission in the application. – ca9163d9 Nov 29 '19 at 17:28
  • 1. For a Blazor (.NET Core) app on IIS, the application pool should disable ASP.NET. Therefore, ASP.NET impersonation (not for .NET Core) should be avoided as well. 2. Use a domain service account as pool identity so your web app can connect to database with proper permissions set. Then the tricks in the answer below won't be needed. – Lex Li Nov 29 '19 at 17:42
  • Might as well be a duplicate https://stackoverflow.com/questions/33086165/asp-net-delegation – rfcdejong Nov 29 '19 at 17:46

1 Answer


It depends on your hosting and the location of your SQL Server. As you say you host in IIS, it takes the application pool like any other web service hosted in IIS.

If SQL Server is on the same server then you can assign the application pool. You can add the application pool to your SQL Database as a Login and user.

CREATE LOGIN [IIS APPPOOL\MyBlazorAppPool] FROM WINDOWS;
CREATE USER MyBlazorAppPool FOR LOGIN [IIS APPPOOL\MyBlazorAppPool];

On a different machine you can simply create the machine hosting your Blazor app as a user.

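-- A Windows login name must be domain-qualified (Domain\Name), as in the error message above
CREATE LOGIN [Domain\computername$] FROM WINDOWS;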
rfcdejong
  • And you can also impersonate by configuring the application pool to a known user... https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities – rfcdejong Nov 29 '19 at 17:16
  • The SQL Server is a different server. – ca9163d9 Nov 29 '19 at 17:16
  • Then you have two options.. create a login on SQL Server for the machine as I wrote above or configure the application pool to a user and grant the user in sql server access – rfcdejong Nov 29 '19 at 17:19
  • Or don't host in IIS, use kestrel or something for the server side. You can also go for a desktop client side only.. for example with Electron: https://maherjendoubi.io/blazor-electron/ – rfcdejong Nov 29 '19 at 17:21
  • I cannot create a login for all users because each user has different permissions. I need it being a web application. Is Kestrel the only option now? – ca9163d9 Nov 29 '19 at 17:26
  • Seems you want to delegate the user identity to make a connection to sql server. I don't think that is recommended at all. Connection pooling won't be optimal. I would rather implement a policy-based authentication in the server app. Then grant the server app all rights on the database. – rfcdejong Nov 29 '19 at 17:43
  • And control the permissions by users in the application? – ca9163d9 Nov 29 '19 at 18:25
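
The approach the thread ends on (the pool identity connects to SQL Server, and the application decides what each Windows user may do) could look like this in ASP.NET Core. This is an added example, not code from the question or the answer; the AD group, the policy name, OrderService and the dbo.Orders table are hypothetical, and it assumes the Microsoft.Data.SqlClient package.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class AuthSetup
{
    // Call from Startup.ConfigureServices: services.AddAppAuthorization();
    public static void AddAppAuthorization(this IServiceCollection services)
    {
        // IIS performs the Windows handshake and hands the authenticated user to the app.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        services.AddAuthorization(options =>
        {
            // AD group membership is checked through IsInRole; the group name is hypothetical.
            options.AddPolicy("CanEditOrders", p => p.RequireRole(@"DOMAIN\OrderEditors"));
        });
        services.AddScoped<OrderService>();
    }
}

// Hypothetical service: permission is checked per user; SQL runs as the pool identity.
public class OrderService
{
    private readonly IAuthorizationService _authz;
    private readonly string _connectionString;
    public OrderService(IAuthorizationService authz, IConfiguration config) =>
        (_authz, _connectionString) = (authz, config.GetConnectionString("MyDatabase"));

    public async Task UpdateStatusAsync(ClaimsPrincipal user, int orderId, string status)
    {
        var result = await _authz.AuthorizeAsync(user, "CanEditOrders");
        if (!result.Succeeded)
            throw new UnauthorizedAccessException($"{user.Identity?.Name} may not edit orders.");
        using var conn = new SqlConnection(_connectionString);
        await conn.OpenAsync();
        using var cmd = new SqlCommand(
            "UPDATE dbo.Orders SET Status = @status, ModifiedBy = @by WHERE Id = @id", conn);
        cmd.Parameters.AddWithValue("@status", status);
        cmd.Parameters.AddWithValue("@by", user.Identity.Name); // record the real user for auditing
        cmd.Parameters.AddWithValue("@id", orderId);
        await cmd.ExecuteNonQueryAsync();
    }
}
```

In a Blazor Server component the ClaimsPrincipal comes from the cascaded AuthenticationState, and the same policy name can gate UI with AuthorizeView; the check inside the service is what actually protects the write.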