- 0 minutes to read

IIS Authentication Settings

If you are reading this page, "someone" has usually changed some settings in the IIS. This guide helps you get the IIS reconfigured with the supported settings to run Nodinite.

This page describes the IIS authentication settings that you must set on the following Nodinite Web Applications:

IIS Application Pools
Example Nodinite App Pools from within the IIS management console.

Web Application Anonymous Authentication ASP.NET Impersonation Windows Authentication App Pool Account
Web Client Disabled Enabled Enabled ApplicationPool Identity
Web Api Disabled Enabled Enabled ApplicationPool Identity
Log API Enabled Disabled Disabled Named Account
Update Client Disabled Disabled Enabled Named Account

Note

Basic Authentication and Forms Authentication is always Disabled for Nodinite Web Applications

Important

If the named App Pool accounts are not members of the Windows local administrators group, then you must add accounts to the local 'IIS_IUSRS' group.

Web Client

The Nodinite Web Client runs with the ApplicationPool Identity (e.g. low-level rights). Therefore, end-users must authenticate with the IIS using their Windows credentials. Nodinite has Role-based security, and a Nodinite Administrator manages and grants who gets access.
IIS Web Client Authentication Settings
IIS Authentication Settings for the Web Client.

Web Api

The Web API runs with the ApplicationPool Identity (low-level of right), and Users impersonate with this user account. The information gets set during the first installation of Nodinite.

Due to the password protection for the impersonated user, you cannot easily edit the authentication settings. You must perform manual changes to the Web.Config file first.
IIS Web Api Authentication Settings Here's an example of an error message managing the permissions when encryption is applied on the web.config file.

    1. Make a copy of the web.config file.
    1. Remove the encrypted section from the web.config file and save (or decrypt the web.config file).
      Encrypted configuration
      Remove the identity section.
    1. Make sure to set the Authentication settings as in the image below:
      IIS Web Api Authentication Settings2
      IIS Authentication Settings for the Web API.
    1. Replace web.config with your original file from step 1 (or re-encrypt it).

Empty impersonation

If the ASP.NET impersonation is not set or is missing, you will get the following error message:

Bad configuration
Here's an example of the error message as seen within the Install and Update Tool.

    1. Decrypt the web.Config file first.
    1. Set account details for the impersonation, either using the IIS MMC or editing the web.config file using a text editor.
      Edit ASP.NET impersonation details
      Here's an example in IIS about how to set the account to perform the impersonation with.
    1. Encrypt the web.Config file.
    1. If you changed the account or password, you must manually replace the encrypted connection string again, this time in clear text. On Application Pool Start, it will be re-encrypted
<connectionStrings>
    <add name="NodiniteConfigDatabase" connectionString="Data Source=.;Initial Catalog=NodiniteConfig_Dev;Integrated Security=SSPI;Encrypt=true;TrustServerCertificate=true" />
</connectionStrings>

Decrypt

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/%Environment%/WebAPI" -site "Default Web Site" 

PROD Example in Default Web Site

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/Prod/WebAPI" -site "Default Web Site" 

TEST Example in Default Web Site

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/Test/WebAPI" -site "Default Web Site" 

Note

You may need to change the actual Web Site and the Environment name of the Web Api depending on installation/settings in IIS.

Encrypt

To re-encrypt; replace the -pd parameter with -pe

PROD Example in Default Web Site

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe system.web/identity -app "/Nodinite/Prod/WebAPI" -site "Default Web Site" 

TEST Example in Default Web Site

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe system.web/identity -app "/Nodinite/Test/WebAPI" -site "Default Web Site" 

Important

Web.Config is an XML file, if you have special characters in the password, then, these must be XML encoded.

Char XML Encoded
& &amp;
" &quot;
' &apos;
< &lt;
> &gt;

Table with special characters that must be XML encoded.

Tip

Use XML Tools in Notepad++ to XML encode the password with special characters.

Log Api

Currently, the Log API can be invoked from just about any service and application. The Log API is not authenticated; hence all the requests to create new Log Events to the Nodinite databases must be performed with an AppPool configured with a named account. See also the prerequisites for:

IISWebClientAuthenticationSettings
IIS Authentication Settings for the Log API.

Update Client

The Install and Update Tool runs with an AppPool configured with a named account. The initial installer must explicitly grant Active Directory Users and/or groups; read more here.

IIS Authentication Settings for the Nodinite Update Client
IIS Authentication Settings for the Nodinite Update Client.

Other Nodinite Windows Services

Nodinite has multiple other Windows Services where it is possible to run each with a different Windows Active Directory service account. If you want to change the service account currently in use, please review the prerequisites page for each such service.

How to set Logon as a Service right


Next Step