Permissions required by Geocortex Essentials (REST) using custom Application Pool

Comments

3 comments

  • Permanently deleted user

    Hi,

    We do not recommend you change the app pools as a security 'best practice' as there is nothing intrinsically wrong with the setup 'out of the box' from this standpoint. There's nothing different about the app pools our post-installer makes that distinguishes them from the ones you might make yourself. They neither provide a secure system on their own, nor do they prevent you from providing one -- security is up to the end user to implement.

    However, you are welcome to put your REST apps in a different app pool than the one we set up -- on Server 2008 and later the only requirements are that the app pool is running in 'Classic' Managed Pipeline mode under .NET 4.0 with 32-bit applications enabled, and that the user running the app pool has equivalent permissions to the Essentials user created by the post installer. Simply making the app pool identity a member of agsusers and IIS_WPG should take care of that. None of these settings are a known security liability or will affect your ability to use Active Directory. You may also run the EssentialsAppPool3 as the built-in user NetworkService without problem; however, the EssentialsAdministrationAppPool3 needs greater permissions, so must be run as a custom user to be secure.

    The explicit file system permissions required by a web ADF application are not such a concern with REST, as much of this access is handled by the REST endpoint, which is in turn maintained by Geocortex Agent, a system level process with the required permissions. So the above information should be all you need to change the app pool that your REST applications run in.

    0
  • Permanently deleted user

    Jonathan,

    I'm not sure I agree re default app will support an AD security model which I indicated we will be using as our membership & role provider.

    See Malcolm's comments re (http://support.geocortex.com/Forums/Thread.aspx?pageid=0&mid=2&ItemID=7&thread=45516) Active Directory Integration & this is why we originally went down the path of a custom app pool on ADF client.

    I'm yet to apply security on REST API, so appreciate clarification on the topic.

    Regards

    Brad

    0
  • Permanently deleted user

    Brad, Essentials ADF needed to have the application pool identity set because we were using forms authentication only and then had to take care of user authentication after the web traffic had started.

    With the REST elements, we must authenticate every time (since there's no session to store login state in), so we must do the authentication earlier. But, this also means that we can use the built-in IIS authentication mechanism instead of connecting to Active Directory. So, in the REST elements you can use the out-of-the-box application pool configuration, set Essentials to use "Windows users and groups" and it will get the user identities from IIS (which will have come from Active Directory).

    Earlier in the other thread is a post by Kevin on how to set it up; it should be easy and work just fine.

    -Malcolm

    0
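
The app pool requirements listed in the first reply (Classic pipeline, .NET 4.0, 32-bit applications enabled, identity in agsusers and IIS_WPG) can be checked with a short audit script. This is an added example, not code from the thread or from Geocortex; the pool name `CustomRestPool` and both function names are hypothetical.

```powershell
# Added example: audit an IIS app pool against the requirements listed in this thread.
# Assumption: 'CustomRestPool' is a hypothetical pool name; run elevated on the IIS host.
Import-Module WebAdministration

function Get-LocalGroupMemberNames([string]$Group) {
    # ADSI WinNT provider, so this also works on older Windows Server builds
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-EssentialsRestAppPool {
    param(
        [Parameter(Mandatory = $true)][string]$PoolName,
        [string[]]$RequiredGroups = @('agsusers', 'IIS_WPG')  # groups named in the thread
    )
    $path = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $path)) { throw "App pool '$PoolName' not found" }
    $pool = Get-Item $path
    $findings = @()

    if ($pool.managedPipelineMode -ne 'Classic') {
        $findings += "Pipeline mode is '$($pool.managedPipelineMode)', expected 'Classic'"
    }
    if ($pool.managedRuntimeVersion -ne 'v4.0') {
        $findings += "Runtime is '$($pool.managedRuntimeVersion)', expected 'v4.0'"
    }
    if (-not $pool.enable32BitAppOnWin64) {
        $findings += '32-bit applications are not enabled'
    }

    $identity = $pool.processModel.identityType
    if ($identity -eq 'SpecificUser') {
        # Compare on the bare account name (DOMAIN\user -> user)
        $account = ($pool.processModel.userName -split '\\')[-1]
        foreach ($group in $RequiredGroups) {
            try { $members = @(Get-LocalGroupMemberNames $group) }
            catch { $findings += "Group '$group' could not be read: $($_.Exception.Message)"; continue }
            if ($members -notcontains $account) {
                $findings += "Identity '$account' is not a member of '$group'"
            }
        }
    } else {
        $findings += "Identity is built-in '$identity'; check its group membership by hand"
    }
    $findings   # an empty result means every automated check passed
}

Test-EssentialsRestAppPool -PoolName 'CustomRestPool'
```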