Impersonation issue?

Jun 4, 2010 at 1:44 PM
Edited Jun 4, 2010 at 2:11 PM

Hi all,

I'm taking a look at PoshBoard to provide a web interface to my company build & test platform which is mainly made of some PoSH scripts.

This platform is currently made of:

- W7 Pro 64 bits
- IIS 7.5 + ASP.Net
- .Net 4.0
- Silverlight 4.0
- Powershell 2.0
- VirtualBox 2.0

I did the PoshBoard installation without any problem, but my problem is that the web site always asks visitors for credentials (login/password) to open the page. I suspect this is a typical IIS7 issue, but I'm far from being an IIS expert, and I find IIS7 sooooo much more difficult to learn compared to IIS6.

So, as this is a pure internal web site, I want to allow any visitor by default, and I don't know how to do this. Thanks for the help.

Coordinator
Jun 4, 2010 at 1:58 PM

Hi,

No, it's not an IIS issue. If you want automatic sign-in, you need to set up IE advanced settings: in Security, you have "Enable integrated Kerberos authentication".

Try also to set up your PoshBoard website in the local intranet zone of the browser.

Regarding IIS7, it's a bit different from IIS6, but it's wayyyy easier to manage as soon as you understand its philosophy :)

In IIS7, the web.config parameters are directly accessible in the website properties, this is a really cool functionality :)

Hope this helps!

Jun 4, 2010 at 2:14 PM

Ok thanks, I missed one important point, my fault.

I need my PoshBoard to run under a specific account of my domain, whatever the visitor identity. Is there a way to do that?

Thanks.

Coordinator
Jun 4, 2010 at 4:15 PM

This is the standard PoshBoard configuration:

Just set your specific account as the Application Pool Identity, then set up your PoshBoard widget with "Impersonate=false", and the PoshBoard user will execute the widget with the Application Pool credentials.

Jun 7, 2010 at 9:41 AM
Edited Jun 7, 2010 at 2:59 PM

Ok thanks, let me summarise.

My needs are:

- to run PoshBoard under a specific account, let's say DOMAIN\robot

- to allow all company fellows to connect to the web site without being asked for credentials

- of course, to be browser-agnostic.

I have no security concern as this web site is purely internal.

What I did:

- My account DOMAIN\robot is in the computer's Administrators group.

- PoshBoard Application Pool identity is DOMAIN\robot

- Changed all Impersonate="True" to Impersonate="False" in the PoshBoardWebConfig.xml file (it doesn't work from the interface, or I did something wrong).

- Added the computer UNC path to the local IE Intranet zone, something like http://*.<computer>.<domain>

All other settings have been set as described in the PoshBoard install and settings guide.

Results:

- Local computer: works with IE, Firefox still asks for credentials

- On a network computer, connected as a regular domain user: browsers other than IE ask for credentials (tested with Firefox and Opera); it works with IE but always displays the user name on the page and not "DOMAIN\robot". I don't know if this is just to show the currently connected user and PoshBoard effectively runs under the DOMAIN\robot account, or if this is a sign of a bad config (regarding my needs, of course).

Any help? Thanks.

Jun 10, 2010 at 1:27 PM

Hi all and Pilosite (Antoine?),

I achieved a pretty good configuration but I need some confirmation.

First I created a new web site with a new application pool. This pool was created to work under my robot account and to run with .Net 2.0. This site was Anonymous only. I created a simple web page to display the user account running the web site, and the CLR version. Everything runs fine, whatever the computer, user or browser used. This was my first step.

Then, I installed PoshBoard. I had to enable Windows authentication to be able to display the Silverlight PoshBoard component; it works. I think I can live with the authentication, even if we consider users must be authenticated only with third-party browsers; with IE it is automatic. Now, my main concern is about the account used. The application pool is set up to use my "robot" account; anonymous authentication is enabled and set up to use the application pool identity (so my robot account too). But as the PoshBoard window always shows the client user, I'm not sure right now that PoshBoard runs under my robot account. Is there a way to be sure?

Thanks.

Coordinator
Jun 10, 2010 at 3:45 PM

Yes, with this configuration you should be using the app pool account credentials.

One easy way to see it is this simple script:

[Security.Principal.WindowsIdentity]::GetCurrent().Name

Type this in a PoshBoard widget, and you should see the identity of the account running the script!
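As an added example (not code from this thread or from the PoshBoard project), the one-liner above can be extended into a small report that also tells you whether the thread is impersonating the browser user or running under the application pool identity, which is the distinction the earlier posts are about. DOMAIN\robot is the account name used in this thread; the function name and the -ExpectedAccount parameter are assumptions of this example.

```powershell
# Added example, not from the original thread or from PoshBoard.
# Reports which Windows account a PowerShell script (e.g. a PoshBoard widget)
# actually runs as, and whether the thread is impersonating the visitor
# instead of running as the application pool identity.
# Written for PowerShell 2.0 (New-Object PSObject instead of [PSCustomObject]).
function Get-RunningIdentityReport {
    param(
        # Account the script is expected to run as (the app pool identity);
        # 'DOMAIN\robot' is the account from the thread, replace with your own.
        [string]$ExpectedAccount = 'DOMAIN\robot'
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # A primary (process) token reports ImpersonationLevel 'None'; a token
    # obtained through ASP.NET impersonation reports 'Impersonation' or
    # 'Delegation'. So 'None' means the widget runs as the app pool account.
    $noImpersonation = [Security.Principal.TokenImpersonationLevel]::None
    $isImpersonating = ($identity.ImpersonationLevel -ne $noImpersonation)

    New-Object PSObject -Property @{
        # Same value as the one-liner in the post above
        ThreadIdentity     = $identity.Name
        AuthenticationType = $identity.AuthenticationType
        ImpersonationLevel = $identity.ImpersonationLevel
        IsImpersonating    = $isImpersonating
        # True when the widget runs as the service account, not as the visitor
        RunsAsExpected     = ($identity.Name -ieq $ExpectedAccount)
        # The thread puts the service account in the local Administrators
        # group; a widget rarely needs that, so surface it for review
        IsLocalAdmin       = $principal.IsInRole($adminRole)
    }
}

# Usage: paste the function into a widget and call it
Get-RunningIdentityReport -ExpectedAccount 'DOMAIN\robot' | Format-List
```

If Impersonate is still "True" somewhere, ThreadIdentity shows the browser user and IsImpersonating is True; with the configuration the coordinator describes, you should see the app pool account, ImpersonationLevel None and RunsAsExpected True.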

Jun 10, 2010 at 3:50 PM

Thanks, perfect, it works!!

Now it's time to code my web interface with PoshBoard. Some news soon.