Sunday, May 5, 2013

How to use Pass-through authentication to Access Resources in different domain environment

Web applications often need to access local or network resources in production. For example, an application may have to read from and write to a file server that sits in a different domain (or in no domain at all). In such cases you can use mirrored local accounts, an approach known as "pass-through authentication": you create two local accounts with the same user name and password on both servers (for example the web server and the file server), so that the credentials the web server presents match an account the file server knows. For network resources in the same domain, see the previous post. Let's start.

Step 1. Create a New User Account on Web Server

1. Click Start, select Administrative Tools and click Computer Management.
2. In Computer Management, click Local Users and Groups.
3. Double click the Users folder.
4. Right click in the users list and click New User.
5. Fill in the information for the new user (e.g. newacc) and click Create.

6. Make that account a member of the IIS_IUSRS group (in IIS 6 the group is IIS_WPG instead of IIS_IUSRS), as below:

Step 2. Create an Application Pool with a Custom Identity

1. Right click the Application Pools node under the machine node and click Add Application Pool...
2. Type the name of the new application pool (e.g. NewAppPool) in the Add Application Pool dialog and press OK.

3. Select the new application pool (NewAppPool) under the Application Pools node and click Advanced Settings.

4. The Advanced Settings dialog appears; select the "Identity" item and click the ellipsis (the button with the three dots).

5. Select the Custom account option and press Set...

6. Type the newly created account information (newacc) and press OK.

Step 3. Configure Your Application to Run in the New Application Pool

1. In IIS, click your web application and click "Advanced Settings".
2. Click the ellipsis (the button with the three dots) on the Application Pool item.

3. Select the new application pool (NewAppPool) in the Select Application Pool dialog and press OK.

Step 4. Create a New User Account on File Server

1. Create a local account with the same user name and password as the one on the web server (Step 1).

Step 5. Set Permissions on the Folder on File Server

1. Go to the given folder (e.g. FileShare) on the file server.
2. Right click the folder and select "Properties".
3. Select the "Security" tab and click Edit.

4. Click Add to add the new user account.

5. Type the created user account (newacc) and click Check Names and OK.

6. Set the permissions for the created local account as below:

7. Click OK to finish.

By doing this, the file or directory you selected on the file server will now allow access from your web application in the web farm under the custom account identity.
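The five steps above are a single procedure, so here is the scripted equivalent in one place, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), the IIS WebAdministration module on the web server, and the hypothetical site path and folder path in the variables at the top; the account name newacc and the pool name NewAppPool are the ones the post uses.

```powershell
# Added example, not from the original post: scripted equivalent of Steps 1-5.
# Assumptions (not stated on the page): Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module, the IIS WebAdministration module on
# the web server, and the hypothetical $AppPath and $ShareFolder values below.
# Run the web-server function elevated on the web server and the file-server
# function elevated on the file server.

$AccountName = 'newacc'                             # mirrored local account (from the post)
$PoolName    = 'NewAppPool'                         # application pool (from the post)
$AppPath     = 'IIS:\Sites\Default Web Site\MyApp'  # hypothetical site/application path
$ShareFolder = 'D:\FileShare'                       # hypothetical folder on the file server

# Prompt for the shared secret so it never sits in the script file. The same
# password must be used on both machines: the file server only recognises the
# web server's identity because name and password match its own local account.
$cred = Get-Credential -UserName $AccountName -Message 'Password for the mirrored account'

# ---------- Web server: Steps 1-3 ----------
function Set-WebServerIdentity {
    # Step 1: local account the worker process will run as. Password never
    # expires because every mirror must be rotated in lockstep by hand.
    New-LocalUser -Name $AccountName -Password $cred.Password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'Pass-through identity for NewAppPool'
    # Step 1.6: IIS_IUSRS carries the rights a worker process needs (IIS 7+).
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $AccountName

    Import-Module WebAdministration
    # Step 2: new pool with a custom identity (identityType 3 = SpecificUser).
    New-WebAppPool -Name $PoolName | Out-Null
    Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3
        userName     = ".\$AccountName"
        password     = $cred.GetNetworkCredential().Password
    }
    # Step 3: move the application into the new pool.
    Set-ItemProperty -Path $AppPath -Name applicationPool -Value $PoolName
}

# ---------- File server: Steps 4-5 ----------
function Set-FileServerIdentity {
    # Step 4: identical user name and password (the "mirror").
    New-LocalUser -Name $AccountName -Password $cred.Password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'Mirrored account for the web server worker process'

    # Step 5: NTFS permission on the folder, inherited by files and subfolders.
    # Modify gives read/write without letting the account rewrite the ACL itself.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $AccountName, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $ShareFolder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ShareFolder -AclObject $acl
}

# ---------- Checks ----------
function Test-WebServerIdentity {
    # Does the pool really run as the custom account?
    Import-Module WebAdministration
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
    '{0} runs as {1} (identityType {2})' -f $PoolName, $pm.userName, $pm.identityType
}

function Test-FileServerIdentity {
    # Is the mirrored account present in the folder's ACL, and with which rights?
    (Get-Acl -Path $ShareFolder).Access |
        Where-Object { $_.IdentityReference -like "*\$AccountName" } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

Two practical points follow from the script. First, the folder permission is NTFS only, exactly as in Step 5; if the folder is reached over an SMB share, the share permissions must also admit the account, which the post does not cover. Second, because nothing ties the two accounts together except the matching name and password, any password change has to be applied on the web server, in the pool's processModel, and on the file server at the same time, and on every web server in the farm; a mismatch on one machine shows up as access-denied errors from that machine only.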

References:
- How To: Create a Service Account for an ASP.NET 2.0 Application
- Understanding Built-In User and Group Accounts in IIS 7
