IIS Authentication Settings
If you are reading this page, "someone" has usually changed some settings in the IIS. This guide helps you get the IIS reconfigured with the supported settings to run Nodinite.
This page describes the IIS authentication settings that you must set on the following Nodinite Web Applications:
Example Nodinite App Pools from within the IIS management console.
Web Application | Anonymous Authentication | ASP.NET Impersonation | Windows Authentication | App Pool Account | |
---|---|---|---|---|---|
Web Client | Disabled | Enabled | Enabled | ApplicationPool Identity | |
Web Api | Disabled | Enabled | Enabled | ApplicationPool Identity | |
Log API | Enabled | Disabled | Disabled | Named Account | |
Update Client | Disabled | Disabled | Enabled | Named Account |
Note
Basic Authentication and Forms Authentication is always Disabled for Nodinite Web Applications
Important
If the named App Pool accounts are not members of the Windows local administrators group, then you must add accounts to the local 'IIS_IUSRS' group.
Web Client
The Nodinite Web Client runs with the ApplicationPool
Identity (e.g. low-level rights). Therefore, end-users must authenticate with the IIS using their Windows credentials. Nodinite has Role-based security, and a Nodinite Administrator manages and grants who gets access.
IIS Authentication Settings for the Web Client.
Web Api
The Web API runs with the ApplicationPool Identity (low-level of right), and Users impersonate with this user account. The information gets set during the first installation of Nodinite.
Due to the password protection for the impersonated user, you cannot easily edit the authentication settings. You must perform manual changes to the Web.Config file first.
Here's an example of an error message managing the permissions when encryption is applied on the web.config file.
-
- Make a copy of the web.config file.
-
- Make sure to set the Authentication settings as in the image below:
IIS Authentication Settings for the Web API.
- Make sure to set the Authentication settings as in the image below:
-
- Replace web.config with your original file from step 1 (or re-encrypt it).
Empty impersonation
If the ASP.NET impersonation is not set or is missing, you will get the following error message:
Here's an example of the error message as seen within the Install and Update Tool.
-
- Decrypt the web.Config file first.
-
- Encrypt the web.Config file.
-
- If you changed the account or password, you must manually replace the encrypted connection string again, this time in clear text. On Application Pool Start, it will be re-encrypted
<connectionStrings>
<add name="NodiniteConfigDatabase" connectionString="Data Source=.;Initial Catalog=NodiniteConfig_Dev;Integrated Security=SSPI;Encrypt=true;TrustServerCertificate=true" />
</connectionStrings>
Decrypt
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/%Environment%/WebAPI" -site "Default Web Site"
PROD Example in Default Web Site
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/Prod/WebAPI" -site "Default Web Site"
TEST Example in Default Web Site
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/Test/WebAPI" -site "Default Web Site"
Note
You may need to change the actual Web Site and the Environment name of the Web Api depending on installation/settings in IIS.
Encrypt
To re-encrypt; replace the -pd
parameter with -pe
PROD Example in Default Web Site
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe system.web/identity -app "/Nodinite/Prod/WebAPI" -site "Default Web Site"
TEST Example in Default Web Site
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe system.web/identity -app "/Nodinite/Test/WebAPI" -site "Default Web Site"
Important
Web.Config is an XML file, if you have special characters in the password, then, these must be XML encoded.
Char | XML Encoded |
---|---|
& | & |
" | " |
' | ' |
< | < |
> | > |
Table with special characters that must be XML encoded.
Tip
Use XML Tools in Notepad++ to XML encode the password with special characters.
Log Api
Currently, the Log API can be invoked from just about any service and application. The Log API is not authenticated; hence all the requests to create new Log Events to the Nodinite databases must be performed with an AppPool configured with a named account. See also the prerequisites for:
IIS Authentication Settings for the Log API.
Update Client
The Install and Update Tool runs with an AppPool configured with a named account. The initial installer must explicitly grant Active Directory Users and/or groups; read more here.
IIS Authentication Settings for the Nodinite Update Client.
Other Nodinite Windows Services
Nodinite has multiple other Windows Services where it is possible to run each with a different Windows Active Directory service account. If you want to change the service account currently in use, please review the prerequisites page for each such service.