- 4 minutes to read

IIS Authentication Settings

If you are reading this page, "someone" has usually changed some settings in the IIS. This guide helps you get the IIS reconfigured with the supported settings to run Nodinite.

This page describes the IIS authentication settings that you must set on the following Nodinite Web Applications:

IIS Application Pools Example Nodinite App Pools from within the IIS management console

Web Application Anonymous Authentication ASP.NET Impersonation Windows Authentication App Pool Account
Web Client Disabled Enabled Enabled ApplicationPool Identity
Web Api Disabled Enabled Enabled ApplicationPool Identity
Log API Enabled Disabled Disabled Named Account
Update Client Disabled Disabled Enabled Named Account

Basic Authentication and Forms Authentication is always Disabled for Nodinite Web Applications

If the named App Pool accounts are not members of the Windows local administrators group, then you must add accounts to the local 'IIS_IUSRS' group.

Web Client

The Nodinite Web Client runs with the ApplicationPool Identity (e.g. low-level rights). Therefore, end-users must authenticate with the IIS using their Windows credentials. Nodinite has Role-based security, and a Nodinite Administrator manages and grants who gets access.
IISWebClientAuthenticationSettings
IIS Authentication Settings for the Web Client

Web Api

The Web API runs with the ApplicationPool Identity (low-level of right), and Users impersonates with this user account. The information gets set during the first installation of Nodinite.

Due to the password protection for the impersonated user, you cannot easily edit the authentication settings. You must perform manual changes to the Web.Config file first.
IISWebApiAuthenticationSettings Example of an error message managing the permissions when encryption is applied on the web.config file.

    1. Make a copy of the web.config file.
    1. Remove the encrypted section from the web.config file and save (or decrypt the web.config file).
      Encrypted configuration
      Remove the identity section.
    1. Make sure to set the Authentication settings as in the image below:
      IISWebApiAuthenticationSettings2
      IIS Authentication Settings for the Web API.
    1. Replace web.config with your original file from step 1 (or re-encrypt it).

Empty impersonation

If the ASP.NET impersonation is not set or is missing, you will get the following error message:

Bad configuration
Example of the error message as seen within the Install and Update Tool.

    1. Decrypt the Web.Config file first.
    1. Set account details for the impersonation, either using the IIS MMC or edit the web.config file using a text editor. Edit ASP.NET impersonation details
      An example in IIS about how to set the account to perform the impersonation with.
    1. Encrypt the Web.Config file.

Decrypt 

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/%Environment%/WebAPI" -site "Default Web Site"

PROD Example in Default Web Site

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/Prod/WebAPI" -site "Default Web Site"

TEST Example in Default Web Site

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd system.web/identity -app "/Nodinite/Test/WebAPI" -site "Default Web Site"

NOTE: You may need to change the actual Web Site and the Environment name of the Web Api depending on installation/settings in IIS.

Encrypt

To re-encrypt; replace the -pd parameter with -pe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe system.web/identity -app "/Nodinite/WebAPI" -site "Default Web Site"

NOTE: Web.Config is an XML file, if you have special characters in the password, then, these must be XML encoded.

Char XML Encoded
& &
" "
' '
< &lt;
> &gt;

Table with special characters that must be XML encoded.

TIP: Use XML Tools in Notepad++ to XML encode the password with special characters.

Log Api

Currently, the Log API can be invoked from just about any service and application. The Log API is not authenticated; hence all the requests to create new Log Events to the Nodinite databases must be performed with an AppPool configured with a named account. See also the prerequisites for:

IISWebClientAuthenticationSettings
IIS Authentication Settings for the Log API

Update Client

The Install and Update Tool runs with an AppPool configured with a named account. The initial installer must explicitly grant Active Directory Users and/or groups; read more here.

IIS Authentication Settings for the Nodinite Update Client
IIS Authentication Settings for the Nodinite Update Client

Other Nodinite Windows Services

Nodinite has multiple other Windows Services where it is possible to run each with a different Windows Active Directory service account. If you want to change the service account currently in use, please review the prerequisites page for each such service.

How to set Logon as a Service right

Next Step