0

If you have an ASP.NET site sending messages to a remote queue, how do you handle authentication? If Windows Authentication is turned off, the network service sends a message to the remote queue. Does that mean that in the security tab of the queue, I need to add the network service of the server sending the message? (By the way, I do not use HTTP or HTTPS.)

And what if Windows Authentication is enabled? Do I need to add all users that will log in using Windows Authentication to the queue?

Lieven Cardoen

2 Answers

1

If the ASP.NET site is running with the default ASP.NET user (on IIS 7.5 this will be IIS APPPOOL\AppPoolName).

This account (or the different accounts used on earlier versions of IIS) has no access to network resources. But you can change the IIS App Pool to run under a domain account which can then access remote resources.

Note you will need to ensure the account has access to all necessary local resources.

In a workgroup you need a local account on each of the two machines with same name and password.

Richard
  • Is that safe, running the IIS App Pool under a domain account? – Lieven Cardoen Aug 23 '10 at 09:35
  • Yes. Of course some of the security speed bumps are lost, so if your app is hacked/exploited the damage *could* be worse. Like all security it is a trade-off, and I assume you would rather avoid security issues. If the MSMQ queue is writeable without authentication then that also creates its own vulnerabilities. – Richard Aug 24 '10 at 08:38
0

Windows authentication is not much security here - the SID can easily be spoofed in a message. Using certificates is the preferred route if security is a real requirement.

Cheers

John Breakwell

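The points raised above about unauthenticated queues and spoofable sender SIDs, as an added example that is not code from either answer: it requires authenticated messages on the queue, grants the sending account send rights only, and on receipt trusts `SenderId` only when MSMQ reports the message as authenticated. The class and method names, the queue path and the account name are placeholders, and it assumes .NET Framework `System.Messaging` in a domain where the sending account has an MSMQ certificate registered.

```csharp
// Added example; names, queue path and account are assumptions, not from the page.
using System;
using System.Messaging;
using System.Security.Principal;

static class AuthenticatedQueue
{
    // Run once on the queue host: require authenticated messages and grant
    // the sending account (e.g. the app pool's domain account) send rights only.
    public static void Configure(string queuePath, string senderAccount)
    {
        using (var queue = new MessageQueue(queuePath))
        {
            queue.Authenticate = true; // unauthenticated messages are rejected
            queue.SetPermissions(senderAccount,
                MessageQueueAccessRights.WriteMessage, AccessControlEntryType.Allow);
        }
    }

    // Sender (ASP.NET side): ask MSMQ to sign the message and attach the sender ID.
    public static void Send(string queuePath, string body)
    {
        using (var queue = new MessageQueue(queuePath))
        using (var msg = new Message(body) { UseAuthentication = true, AttachSenderId = true })
        {
            queue.Send(msg);
        }
    }

    // Receiver: both properties must be enabled in the read filter,
    // otherwise reading them throws InvalidOperationException.
    public static Message ReceiveWithIdentity(MessageQueue queue, TimeSpan timeout)
    {
        queue.MessageReadPropertyFilter.Authenticated = true;
        queue.MessageReadPropertyFilter.SenderId = true;
        return queue.Receive(timeout);
    }

    // Receiver: SenderId is only meaningful when MSMQ verified the signature.
    public static bool IsFromExpectedSender(Message msg, SecurityIdentifier expected)
    {
        if (!msg.Authenticated) return false; // unsigned message: SID is unverified
        var sender = new SecurityIdentifier(msg.SenderId, 0);
        return sender.Equals(expected);
    }
}
```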