RDWeb asking for credentials on only one of two servers - remote-desktop

I am customizing the RDWeb application for Remote Desktop Service for Windows Server 2012.
I have configured two separate servers for RDWeb, and the RDWeb application is generated for both the servers. I access the remote app of second server using the RDWeb application of first server through single UI. The remote apps from both servers are coming into single UI.
Suppose I have two calculator applications from both the servers, let's call them cal1 and cal2. When I click on cal1, then the calculator application runs from first server without asking for any credentials. When I click on cal2 then it ask for credentials, and if I provide the credentials then the calculator application from second server runs.
When I click on cal2, it should not ask for credentials. The RDWeb application is auto-generated and uses form authentication. For this, I need to share cookies between both the servers. I have use the same machine key in web config of both the applications, but that is not working.

Related

How fetch data from Azure SQL via Xamarin App? Tutorial

I am creating simple application where I need get and fetch data to DB. As I find out from Xamarin app is standard using of HTTP request to DB instead of directly connect to DB.
I create Azure SQL DB, I create application with connection to this DB. But I cant really find out how it now should works.
There is no many tutorials or they are not fully described.
I read this one https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-xamarin-forms-get-started#download-and-run-the-xamarinforms-solution
I find many references on this one but it seems out of date. Everybody recommended download the project from section
Run the Xamarin.Forms solution
On the settings blade for your Mobile App, click Quickstart (under Deployment) > Xamarin.Forms. Under step 3, click Create a new app if it's not already selected. Next click the Download button.
Under this tab I have only references to next tutorials but not any to Project Download. (screenshot below)
https://imgur.com/THCdUE1
Can you give me some advice if I do something wrong? Or link to updated tutorials? I am little desperate from this
Many Thanks
Azure SQL is not an HTTP/s service-- it runs proprietary SQL Server protocol on port 1433, just like on-premise versions of SQL Server.
If you are trying to connect directly to SQL Server from a Xamarin App, you are almost certainly making a mistake. Doing so would require providing credentials to your Xamarin app that can connect directly to your database, which opens your database up for a malicious user to do pretty much whatever they want to. The reason this kind of 2-tier application is dangerous is because the Xamarin app runs on an untrusted device (your user's mobile device), and a malicious user can intercept any data that your application has in memory, including your database credentials. They can then use those credentials to gain access to your database. Unless you were to use unique database credentials for each user (very impractical) and setup very stringent security roles in SQL Server, it'd be impossible to keep a malicious user from accessing the database for all of your other users (which is very, very bad). The other problem is that many networks block traffic on port 1433, or only allow access via an HTTPS proxy server, so your application would not function on many networks if it tried to connect directly to SQL.
This is the answer to your question, but please don't do this:
If you are certain that you have taken care of the security correctly, you should be able to install the System.Data.SqlClient nuget package and use that to communicate with SQL Server as you would with any .NET application. Here's a code example from Microsoft.
This is my opinion on what you should do instead:
The correct way for most Xamarin applications to communicate with Azure SQL database would be via an intermediary application server.
If your application access data specific to a user, should have per-user credentials in it (username and password that get exchanged for an authorization token when the user logs in is a common technique). The Xamarin app would then use HTTPS to make requests to your application server using those user credentials. The application server would validate the user credentials (authenticate that they are legitimate and authorize the data being requested based on who the user is) and make requests to Azure SQL.
If your application only access public data anonymously, then you can make unauthenticated requests to your application server which will blindly request that data from Azure SQL and return it to your client (though it would also return the same data to any attacker on the internet, so be sure if you use this approach you intend all data served to be public to the world).
In both cases, your application server would be the only piece that communicates with Azure SQL. For a .NET application this would typically be done via System.Data.SqlClient or perhaps indirectly through an ORM like Entity Framreworks. The advantage to this 3-tier approach is that the untrusted client tier does not have unrestricted access to your database tier. Only the middle application server tier has the credentials for SQL Server, and it is trusted and runs in a secure environment (a server you manage, not an end-user's mobile device). This means that an attacker cannot intercept the database credentials and misuse them. It also means that your application only requires HTTPS data access to function, so your application will work on almost any network.
This is probably not the answer you are looking for, since it involves authoring an entire application server that has to be hosted by you (Azure App Service would be my recommendation, if you are already using Azure SQL). It also requires you to implement an API on the server, and then write an API client for your Xamarin application. This is no small amount of work.

Do I need to register my SSL certificate in IIS and SQL Server?

I have purchased an SSL certificate and installed it using IIS on my remote system. So I can therefore access my remote system using https://myremotesite.co.uk. All is fine, it seems to work; users can register and login to my remote site and download my GUI to run my application which stores and retrieves data from my SQL Server database.
When a user runs my GUI to access my application it prompts them for their login-id and password and, if they are authenticated, my application pops up on their screen. All is well, it all seems to work fine.
However, I have read that access to the SQL Server database itself can be restricted with an SSL certificate and to do this I would need "Encrypt=yes" in the connection string which my GUI uses to check authentication.
Is it necessary for me to do this? Or is safe to just rely on the IIS HTTPS service? So my question is ... do I need to register my SSL certificate with BOTH IIS AND SQL Server or just ONE of them, and if so, which ONE?
Thanks for the answers thus far .. to explain further, the GUI connects to an IIS controlled website which has specific handlers written to perform a restricted set of database queries. So my database DOES reside on my server, but it only allows my server's (local) IIS to 'login' and insert, update and extract data.
Once the IIS website service has extracted data, it then returns the same to the GUI. So the GUI has no DIRECT access to the database. What I am concerned about is if - by some malicious means - the database was copied in its entirety ... could/should I use my SSL certificate to encrypt sensitive data in this event?

Is it possible to use windows authentication in SQL Server database in 3-tier architecture with WebAPI service?

We currently have a two-tier enterprise application where a Windows desktop app connects directly to an SQL Server database. Data access permissions are set in the database using standard SQL Server features, sqlserver windows authentication is being used (users use their domain logins).
We would like to introduce an application server layer, but we need the same authentication scenario, i.e. all the queries, initiated by the desktop app, have to be run in the database under user domain account that started the app.
It is also important that users do not enter their credentials in the app, the current domain account is used.
Client application is a WPF .NET desktop app.
Is this possible using ASP.NET WebAPI as an application server?
If you're using Active Directory to authenticate users, once they've successfully authenticated into your application, you will have their domain identity. You could then pass that as a part of the connection string for every user-specific database CRUD operation.
I would recommend that you have a shared SQL login though for core things such as caching, database logging and auditing, error logging, application authentication and authorization, etc.

Why is my Web Application not using AppPoolIdentity to log in to SQL Server on same machine?

Basic Problem:
I have a web application that accesses a SQL Server database on the same machine. The web app runs under its own app pool - let us call it MyAppPool. If I goto advanced settings in IIS Manager, I can see that MyAppPool runs under ApplicationPoolIdentity. When I make requests to the web app, I can open task manager and verify that the username of w3wp.exe is MyAppPool. In SQL Server, I have added a Windows User IIS AppPool\MyAppPool and given it necessary permissions to read from db. The problem is that I am getting a login failed for DOMAIN\MACHINE$ when a logon is attempted to SQL Server. Its beyond me. Why is the app not logging on as IIS AppPool\MyAppPool?
Details:
I know variants of this question have been asked elsewhere, but I am really stuck without a solution. I experimented adding a <identity impersonate="true" /> to the web.config. If I do this, I get a login failed for NT AUTHORITY\IUSR. I have tried accessing the web app from the machine on which it is hosted and get same login error. I am running IIS8, Windows Server 2012, and SQL Server 2012.
Closest question I could find is Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?, and the solutions provided do not work. I cannot change Integrated Security to be false (I had this thing running in the past). Quoting https://stackoverflow.com/a/15145488/147530:
ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local
access, but DOMAIN\MACHINE-NAME$ for remote access
sounds reasonable. Question is why is ApplicationPoolIdentity not using IIS AppPool\MyAppPool identity when db is hosted on same machine??
Quoting another SO post, IIS application using application pool identity loses primary token?:
This application also connects to a SQL Server database using
Integrated Security=true in the connection string. If the database is
local, then we see that IIS APPPOOL\OurAppPoolName is used to connect
to the database; if the database is remote, then the machine account
OURDOMAIN\ourwebserver$ is used.
This is the behavior I want, but not getting it, and that is what I am asking in this question - I don't want to give permissions to DOMAIN\MACHINE-NAME$ to log onto SQL Server. Quoting https://stackoverflow.com/a/15445280/147530:
I think that's a bad idea, however, because it authorizes any program
running as NetworkService to access the database - not just your web
applications.
I tried one more thing, which was to enable Windows Authentication on IIS8 using this link http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2#ModulesinIIS85 but this has also not solved the problem.
Fixed this problem. In SSMS, there is a path machine -> security -> logins which contains users who can log onto the machine. I had not added the apppool to this list. I had only added the apppool to machine -> databases -> my database -> security -> users

SQL Reporting Server Authentication Issue

I have one web server & one DB server (running SQL SERVER 2008). Both the servers are in different domains. The web server is allowed to communicate(the communication takes place internally without the intervention of firewall) directly with the DB server, it is given Admin privileges & the DB access through SQL is going on without any problems.But whenever the web server tries to access the Reporting Server & its services, its asking for a separate authentication(Local system account authentication has been configured for SQL Server). I want to know whether is there any way to get rid of this separate authentication for Reporting Services
If you are being prompted for credentials when running a report, then your data source is configured to prompt at run time. You'll need to change the DS to use a SQL login if you don't want this to happen. Your windows credentials cannot be passed from one server to another.
If you are being prompted to log on to the RS site - I've only experienced that on firefox but fixed with a firefox config setting to save the cred for the domain.

Resources