In order to keep application secrets out of source code I want to use Integrated Security to connect my ASP.NET MVC application to SQL Server. However, IIS Express uses my development machine's account as the Identity for Integrated Security, which has different permissions from the AppPoolIdentity on production. I want to connect to SQL Server using the same permissions in development as in production, which seems like something that should be easy to do, but I have had no luck.

Apparently it is impossible to set the Identity used by IIS Express except using "runas" which I could not get to work: how to run iisexpress app pool under a different identity

Things I've tried:

  1. IIS Express

    • Create a User in "Edit local users and groups" and add it to "IIS_IUSRS" group.
    • Create AppPool in IIS Express manager (Jexus manager)
    • Setting AppPool > ProcessModel > Identity to newly created User, which fails.
    • (However setting AppPool Identity works in IIS Manager (not express))
    • Create site and configure path and ApplicationPool
    • Application successfully launches through Jexus manager, however still using my Windows account like it does launching from Visual Studio
  2. IIS

    • Create app pool and log in as newly created user (succeeds unlike Jexus manager)
    • Create and configure site to use https and IIS Express development cert
    • Get 500 error when trying to launch the same way as with Jexus manager
    • I would rather launch the app from Visual Studio anyway
  3. Impersonation

    • Requires credentials in web.config defeating the purpose of Integrated Security
  4. It's important we manage secrets internally so Azure Key vault or other similar 3rd-party solutions are off the table.

It's beginning to seem impossible to configure IIS Express AppPools to use an Identity other than the currently logged in user: Link1 and Link2. The second link describes a method using "runas" from cmd as Admin but using System.Security.Principal.WindowsIdentity.GetCurrent().Name to check the ApplicationPool identity still shows my logged in Identity, not the one I used in the "runas" command.

What are my options? I would like to use Integrated Security for both dev and prod, with the same permissions on each. Is this possible? Is there an equivalent workaround?

JCasper
  • Are you in an Active Directory domain environment? What is the authX config of each SQL Server instance you're using? Have you considered sticking with SQL Login-based security but using environment-provided secrets? https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-6.0&tabs=windows – Dai Sep 22 '22 at 16:39
  • Yes, I'm in an Active Directory domain environment. I'm not sure about SQL Server's authX config but I highly doubt changing it is an option. I considered using environment variables but our Network engineer believes it's a security risk. Azure Key Vault and other 3rd-party solutions are off the table too. – JCasper Sep 22 '22 at 17:02
  • You can put your passwords in a custom `web.config` section (configured in ``) that's kept in a separate file (e.g. `web.secrets.config`), and edit your `.gitignore` file to exclude `web.secrets.config` from source-control. You should have an `ONBOARDING` text file that provides instructions for how other team-members can get secrets from your company-wide secret-store (you have one, right?) and copy-and-paste them into the git-excluded `web.secrets.config` file. Also change your app's startup code to fail-fast on startup if the file is missing or not configured properly. – Dai Sep 22 '22 at 17:10
  • Wouldn't this mean that the secrets would end up in plain-text on the server? Is this any more secure than using environment variables? And I've read that Integrated Security is more secure than SQL Server Authentication so if it's at all possible to use Integrated Security while meeting my other requirements that would be ideal. – JCasper Sep 22 '22 at 17:20
  • Might be easier to use the Developer edition of SQL Server for your development work and not the Express edition. – Brian Sep 22 '22 at 18:17
  • @Brian There are no differences between Developer (i.e. Enterprise Edition) and Express edition w.r.t. authX. – Dai Sep 22 '22 at 20:17
  • Then you can only install IIS on your development machine and switch your project settings from IIS Express to full IIS. IIS Express is so different that it cannot support all features of IIS (especially around application pools and identities). – Lex Li Sep 22 '22 at 23:57
  • 1. Keep your passwords encrypted in the config files for local dev. 2. Keep your encrypted passwords in Azure Key Vault secrets for TEST/PROD environments. 3. Use Azure CI/CD pipelines to download the encrypted secrets from Azure Key Vaults during build and replace the default ones that apply to local ENVs with them. 4. Have some Encrypt/Decrypt methods in your code (libraries) to decrypt passwords from the config files before they are used. This way it is safe to keep your passwords in the config files since they are encrypted. – Cristian Rusanu Sep 25 '22 at 10:14
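
The identity check used in the question (`WindowsIdentity.GetCurrent().Name`), combined with the fail-fast startup idea from the comments, as an added example that is not part of the original thread: it rejects a connection string that carries credentials and compares the login SQL Server actually sees with the one expected for the environment. The connection string name `AppDb` and the appSettings key `ExpectedDbIdentity` are assumed names.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example: call ConnectionGuard.Verify() from Application_Start in Global.asax.
public static class ConnectionGuard
{
    // "AppDb" and "ExpectedDbIdentity" are hypothetical names chosen for this example.
    private const string ConnectionName = "AppDb";
    private const string ExpectedKey = "ExpectedDbIdentity";

    public static void Verify()
    {
        var entry = ConfigurationManager.ConnectionStrings[ConnectionName];
        if (entry == null)
            throw new ConfigurationErrorsException(
                "Connection string '" + ConnectionName + "' is missing.");

        var csb = new SqlConnectionStringBuilder(entry.ConnectionString);

        // No SQL login credentials may appear in configuration.
        if (!csb.IntegratedSecurity)
            throw new ConfigurationErrorsException(
                "'" + ConnectionName + "' must use Integrated Security.");
        if (!string.IsNullOrEmpty(csb.UserID) || !string.IsNullOrEmpty(csb.Password))
            throw new ConfigurationErrorsException(
                "'" + ConnectionName + "' must not contain a user id or password.");

        // Identity of the worker process (the logged-in user under IIS Express).
        string processIdentity = WindowsIdentity.GetCurrent().Name;

        // Login that SQL Server resolved for this connection.
        string sqlLogin;
        using (var conn = new SqlConnection(csb.ConnectionString))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME();", conn))
        {
            conn.Open();
            sqlLogin = (string)cmd.ExecuteScalar();
        }

        // Per-environment expected login; when unset, nothing is compared.
        string expected = ConfigurationManager.AppSettings[ExpectedKey];
        if (!string.IsNullOrEmpty(expected) &&
            !string.Equals(sqlLogin, expected, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "Connected to SQL Server as '" + sqlLogin + "' (process identity '" +
                processIdentity + "'), expected '" + expected + "'.");
    }
}
```

The guard does not change which identity IIS Express runs under; it only makes a mismatch between environments visible at startup instead of at the first failed query.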

0 Answers