
IIS Authentication Settings

If you are reading this page, "someone" has usually changed a setting in IIS. This guide helps you reconfigure IIS with the supported settings.

This page describes the IIS authentication settings that must be set on the following Nodinite Web Applications:

Example Nodinite App Pools as seen in the IIS management console

| Web Application | Anonymous Authentication | ASP.NET Impersonation | Windows Authentication | App Pool Account |
|---|---|---|---|---|
| Web Client | Disabled | Enabled | Enabled | ApplicationPool Identity |
| Web Api | Disabled | Enabled | Enabled | ApplicationPool Identity |
| Log API | Enabled | Disabled | Disabled | Named Account |
| Update Client | Disabled | Disabled | Enabled | Named Account |

Basic Authentication and Forms Authentication are always Disabled for Nodinite Web Applications.

If the named accounts configured for the App Pools are not local administrators, then the accounts must be added to the local 'IIS_IUSRS' group.
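
To check for drift from the table above, the following added example (not Nodinite's own tooling) reads the effective settings with the WebAdministration module and compares them with the expected values. The site name and the application paths other than Nodinite\WebAPI are assumptions to replace; Forms Authentication is not checked here.

```powershell
# Added example (not Nodinite code): audit IIS against the table on this page.
# Run elevated on the IIS server; requires the WebAdministration module.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: adjust to your installation
$auth = 'system.webServer/security/authentication'

# Expected values from the table. Only Nodinite\WebAPI is named on the page;
# the other three application paths are placeholders to replace.
# Pool: 'SpecificUser' is the IIS identityType for a named account.
$expected = @(
    [pscustomobject]@{ App='Web Client';    Path='Nodinite\WebClient';    Anonymous=$false; Impersonation=$true;  Windows=$true;  Pool='ApplicationPoolIdentity' }
    [pscustomobject]@{ App='Web Api';       Path='Nodinite\WebAPI';       Anonymous=$false; Impersonation=$true;  Windows=$true;  Pool='ApplicationPoolIdentity' }
    [pscustomobject]@{ App='Log API';       Path='Nodinite\LogAPI';       Anonymous=$true;  Impersonation=$false; Windows=$false; Pool='SpecificUser' }
    [pscustomobject]@{ App='Update Client'; Path='Nodinite\UpdateClient'; Anonymous=$false; Impersonation=$false; Windows=$true;  Pool='SpecificUser' }
)

function Get-Setting([string]$ConfigPath, [string]$Filter, [string]$Name) {
    try {
        $p = Get-WebConfigurationProperty -PSPath $ConfigPath -Filter $Filter -Name $Name -ErrorAction Stop
        # The result may be a wrapper object with a Value property or the bare value.
        if ($p.PSObject.Properties['Value']) { $p.Value } else { $p }
    } catch {
        'unreadable'   # reported as a mismatch, e.g. when the section cannot be read
    }
}

$report = foreach ($e in $expected) {
    $ps = "IIS:\Sites\$site\$($e.Path)"
    if (-not (Test-Path $ps)) { Write-Warning "Not found: $ps"; continue }
    $pool = (Get-Item $ps).applicationPool
    $actual = [ordered]@{
        Anonymous     = Get-Setting $ps "$auth/anonymousAuthentication" 'enabled'
        Impersonation = Get-Setting $ps 'system.web/identity' 'impersonate'
        Windows       = Get-Setting $ps "$auth/windowsAuthentication" 'enabled'
        Basic         = Get-Setting $ps "$auth/basicAuthentication" 'enabled'
        Pool          = (Get-Item "IIS:\AppPools\$pool").processModel.identityType
    }
    foreach ($k in $actual.Keys) {
        # Basic Authentication is always Disabled for every application.
        $want = if ($k -eq 'Basic') { $false } else { $e.$k }
        [pscustomobject]@{
            App = $e.App; Setting = $k; Expected = $want; Actual = $actual[$k]
            Ok  = ("$($actual[$k])" -eq "$want")
        }
    }
}
$report | Format-Table -AutoSize
```

Any row with Ok set to False marks a setting that differs from the supported configuration.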

Web Client

The Web Client runs with the ApplicationPool Identity (low level of rights) and Users must authenticate with IIS. Nodinite has Role-based security, and a Nodinite Administrator manages who is granted access.
IIS Authentication Settings for the Web Client

Web Api

The Web API runs with the ApplicationPool Identity (low level of rights) and all Users are impersonated with the user account set during installation.

Due to the password protection for the impersonated user, you cannot easily edit the authentication settings. You must perform manual changes to the Web.Config file first.

    1. Make a copy of the web.config file.
    2. Remove the encrypted section from the web.config file and save.
      Remove identity section
    3. Make sure the Authentication settings are set as provided in the following example image:
      IIS Authentication Settings for the Web API
    4. Replace web.config with your original file from step 1 (or re-encrypt it).

Empty impersonation

If the ASP.NET impersonation is not set or is missing, you will get the following error message.

Example of the error message as seen within the Install and Update Tool

    1. Decrypt the Web.Config file first.
    2. Set the account to impersonate in IIS.
      Example in IIS of how to set the account to perform impersonation with
    3. Encrypt the Web.Config file.

Decrypt

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/WebAPI" -site "Default Web Site"

Encrypt

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe system.web/identity -app "/Nodinite/WebAPI" -site "Default Web Site"

Note: You may need to change the Site and the name of the Web Api, depending on the installation/settings in IIS.

Note: Passwords with & must be encoded as &amp;

Log Api

The Log API can be called from just about any service. The Log API is not authenticated; hence, all calls writing Log Events to the Nodinite databases must be performed with an AppPool configured with a named account. See also the prerequisites for:

IIS Authentication Settings for the Log API

Update Client

The Install and Update Tool runs with an AppPool configured with a named account. Users must be explicitly granted access, read more here.

IIS Authentication Settings for the Nodinite Update Client

