Add Support for Editing Anonymous Authentication Credentials #241

Open
PlagueHO opened this issue Oct 4, 2016 · 37 comments · May be fixed by #408
Labels: enhancement (The issue is an enhancement request.), in progress (The issue is being actively worked on by someone.)

Comments

PlagueHO (Member) commented Oct 4, 2016

This should be available in xWebApplication and xWebSite. It should allow setting the username/password or setting them to blank which forces it to use the Application Pool credentials.

[image: capture]

mbreakey3 added the enhancement label Oct 4, 2016
TopperKain commented

+1, this is an issue for us.

bhmahler commented

+1

duk3ofed commented Dec 4, 2017

+1

cezarypiatek commented Jan 10, 2018

+1
I would like to help but I am not sure how these additional options should be provided. Currently all information about authentication is defined as follows:

```powershell
AuthenticationInfo = `
    MSFT_xWebApplicationAuthenticationInformation
    {
        Anonymous = $true
        Basic     = $false
        Digest    = $false
        Windows   = $false
    }
```

Where can I find the definition of MSFT_xWebApplicationAuthenticationInformation? Does it contain other properties which could be used to provide user/password information? Or should I introduce another parameter for this functionality, something like this:

```powershell
AuthenticationInfo = MSFT_xWebApplicationAuthenticationInformation
    {
        Anonymous = $true
        Basic     = $false
        Digest    = $false
        Windows   = $false
    };
AnonymousAuthenticationInfo = @{
    User     = "TestUser";
    Password = "secret"
}
```

Necessary configuration sections are described here:
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication

johlju added the help wanted label Apr 26, 2018
johlju (Member) commented Apr 26, 2018

@cezarypiatek Sorry that nobody answered you for so long. I think you need a new property AnonymousCredential that provides the username and password to use when Anonymous = $true. Also, if that new property AnonymousCredential is not provided, then maybe it can blank out the username and password, which means the Application Pool identity is used (as per @PlagueHO's comment above). Let me know if you want to work on this, then I'll label this as 'in progress'.

cezarypiatek commented

I can take it.

johlju added the in progress label and removed the help wanted label Apr 26, 2018
johlju (Member) commented Apr 26, 2018

Awesome! I have labeled this as 'In progress'. Thanks!

maxgqc commented May 31, 2018

Is this a thing yet? I really need this feature.

cezarypiatek commented Jun 4, 2018

I've started to implement it on my fork https://github.com/cezarypiatek/xWebAdministration but I haven't had time to manage the UT. Btw, I think that xWebApplication and xWebSite require refactoring because there is massive code duplication which makes those modules hard to extend.

In the meantime I've found xIISApplicationPoolIdentityType resource which probably is the missing part.

johlju (Member) commented Jun 5, 2018

@cezarypiatek Agree that those should be refactored to use helper functions; the same goes for the *Defaults resource(s) too.

cezarypiatek commented

I've got stuck with a weird error related to CIM objects. The issue is described in the related PR #408.

Can somebody help me with that?

cezarypiatek commented

@johlju @kwirkykat could you help me?

regedit32 (Member) commented Jan 9, 2019

@cezarypiatek Thanks for submitting the PR for this issue. Sorry for the delay. I'll take a look at the error you're running into later tonight and reproduce in my environment.

bartjanson commented

@regedit32 Any progress on the PR yet?

cezarypiatek commented

Still waiting for help, no response from @regedit32 so far.

twerthi commented Feb 1, 2019

@cezarypiatek I see you have some recent commits, are you close to having a working solution?

cezarypiatek commented

@twerthi I'm in the middle of adding tests for this feature in the xWebSite module. After that I need to repeat everything for xWebApplication because there is code duplication between these two modules (or find a way to reuse the current solution). I'm probably going to split this into two PRs.

bartjanson commented

Any progress to report?

bradwilliamson commented

Would be great to have this. Currently using some idempotent PowerShell to accomplish this.

cezarypiatek commented

Thanks for the reminder. I will try to get back to this on Saturday.

cezarypiatek commented

I think I've finished the UT for the xWebsite module. I only need to complete the non-development tasks, such as the doc update etc.

cezarypiatek commented

Two things:

  1. I think I've got stuck again with integration tests. Some of them are failing and there is no useful error message. Details in Feature: #241 Anonymous authentication #408. Help needed.

  2. Instead of adding a custom CIM type for credentials, maybe I should use MSFT_Credential? What is the proper way of handling passwords in DSC?

johlju (Member) commented Apr 16, 2019

@cezarypiatek I think for item 2 you should have MSFT_Credential for the property Password in MSFT_xWebAnonymousAuthenticationCredentials, otherwise the password will not be encrypted.

Looking at item 1 now.

johlju (Member) commented Apr 16, 2019

For item 1: could it be that it does not return the correct object on this line: `AnonymousCredentials = $anonymousCredentials`? That is, this line is $null but should always be the CIM instance MSFT_xWebAnonymousAuthenticationCredentials. For example, if the website returns false for `$anonymousAuthentication.enabled` then Get-AnonymousCredentials will not return the correct CIM instance.

Could this be the problem?

cezarypiatek commented

@johlju so CIM fields cannot be null?

johlju (Member) commented Apr 16, 2019

Honestly not sure, but Get-DscConfiguration that is failing in the integration test usually fails if the return value has the wrong type. So I’m guessing it tries to access the object, but there are no objects.
If that is the case, maybe you can return a CIM instance but the properties are null.

To test it, I would hard code an object in the code and manually run Get-DscConfiguration to see what the value can and cannot contain. 🤔
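The shape johlju is describing, written out as an added example (this is not code from the xWebAdministration project or from PR #408): a helper that always hands Get-TargetResource a CIM instance of the MSFT_xWebAnonymousAuthenticationCredentials class named in this thread, with $null properties when anonymous authentication is disabled or uses the application pool identity, so Get-DscConfiguration never receives a bare $null where the schema expects an embedded instance. The property set (UserName only, no Password) and the $Name parameter are assumptions for illustration; the DSC namespace and the New-CimInstance -ClientOnly pattern are the ones DSC resources normally use for embedded instances.

```powershell
# Added example, not project code. Assumes a schema class
# MSFT_xWebAnonymousAuthenticationCredentials with a single UserName property.
function Get-AnonymousCredentials
{
    [CmdletBinding()]
    [OutputType([Microsoft.Management.Infrastructure.CimInstance])]
    param
    (
        # Name of the IIS website whose anonymousAuthentication section is read.
        [Parameter(Mandatory = $true)]
        [System.String]
        $Name
    )

    # Effective anonymousAuthentication section for the site (inherits APPHOST defaults).
    $section = Get-WebConfiguration `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -PSPath "IIS:\Sites\$Name"

    # Only the user name is exposed. The password is deliberately never read back,
    # so Get-DscConfiguration cannot be used to recover the stored credential from IIS.
    $properties = @{
        UserName = $null
    }

    if ($section.enabled -and -not [System.String]::IsNullOrEmpty($section.userName))
    {
        $properties.UserName = $section.userName
    }

    # Always return an instance: when anonymous authentication is disabled, or a blank
    # user name makes IIS use the application pool identity, the properties stay $null
    # but the object type still matches the schema.
    return New-CimInstance `
        -ClassName 'MSFT_xWebAnonymousAuthenticationCredentials' `
        -Namespace 'root/microsoft/Windows/DesiredStateConfiguration' `
        -ClientOnly `
        -Property $properties
}

# Usage from Get-TargetResource (site name is a constructed placeholder):
# AnonymousCredentials = Get-AnonymousCredentials -Name 'Default Web Site'
```

Returning the instance unconditionally is what lets the hard-coded-object experiment johlju suggests be run from Get-DscConfiguration without first tripping over a type mismatch.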

cezarypiatek commented

Thanks, I will try this.

cezarypiatek commented May 11, 2019

Ok, I'm now trying to implement it using MSFT_Credential. I'm modelling it on xWebAppPool and the application pool credentials. The Get-TargetResource method is returning a Credential field with username and password values. Doesn't it violate security? It looks like a way to retrieve credentials from the system.

https://github.com/PowerShell/xWebAdministration/blob/2e1778f42c782e98583368612f692f2af7072b7c/DSCResources/MSFT_xWebAppPool/MSFT_xWebAppPool.psm1#L135

cc: @johlju

johlju (Member) commented May 12, 2019

What I meant is that it should return a CIM instance of MSFT_xWebAnonymousAuthenticationCredentials, not MSFT_Credential. The instance of MSFT_xWebAnonymousAuthenticationCredentials that is returned could just contain the user name, and not the password. Or both values in that instance could probably be $null.

We are talking about this line in the schema, right?

https://github.com/PowerShell/xWebAdministration/blob/e665489a92fa64b8e50f31d7f529f39efe504bfd/DSCResources/MSFT_xWebsite/MSFT_xWebsite.schema.mof#L52

cezarypiatek commented May 12, 2019

I think that introducing MSFT_xWebAnonymousAuthenticationCredentials is a bad idea and I want to implement this feature in the same way as MSFT_xWebAppPool is handling application pool identity credentials (It uses MSFT_Credential) but I'm not sure if that existing implementation of MSFT_xWebAppPool is secure. Please review Get-TargetResource from MSFT_xWebAppPool and tell me if it's secure or not.

johlju (Member) commented May 12, 2019

Using MSFT_Credential means the credentials (password) get encrypted when the configuration is compiled. By default, compiling a configuration containing a MSFT_Credential requires a certificate to protect the password.

Using the other instance would not be secure. So changing the property AnonymousCredentials to a MSFT_Credential would probably be the easiest.
Although, you could probably use a MSFT_Credential instance for the property Password in the MSFT_xWebAnonymousAuthenticationCredentials instance. Though, I have not tested this myself. You can easily see if the password is encrypted by opening the compiled mof-file in a text editor. The file should be readable, but the password property should have been replaced by the encrypted string.
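The check johlju describes (compile with a certificate, then open the .mof and confirm the password has been replaced) as an added example; this is not code from the issue or the project. It uses the existing xWebAppPool resource that cezarypiatek is modelling on, because its Credential property is already a MSFT_Credential. The node name, certificate path, thumbprint and account are constructed placeholders: the certificate must exist in the target node's LocalMachine\My store and its public key must be exported to the path given.

```powershell
# Added example, not project code. Requires xWebAdministration and a DSC
# encryption certificate; CertificateFile/Thumbprint are the standard
# ConfigurationData keys the DSC compiler and LCM use for MSFT_Credential.
Configuration AppPoolWithCredential
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $PoolCredential
    )

    Import-DscResource -ModuleName xWebAdministration

    Node $AllNodes.NodeName
    {
        xWebAppPool ExamplePool
        {
            Name         = 'ExamplePool'        # constructed placeholder
            Ensure       = 'Present'
            IdentityType = 'SpecificUser'
            Credential   = $PoolCredential      # MSFT_Credential in the schema
        }
    }
}

# Constructed sample values; replace with the real node, certificate and account.
$certPath   = 'C:\DscPublicKeys\targetnode.cer'   # public key exported from the node
$thumbprint = 'PLACEHOLDER-CERT-THUMBPRINT'       # thumbprint of that certificate
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'targetnode'
            CertificateFile = $certPath     # compiler encrypts MSFT_Credential passwords with this
            Thumbprint      = $thumbprint   # LCM on the node decrypts them with the matching key
        }
    )
}

# Returns $true when the compiled mof does not contain the clear-text password.
function Test-MofHasNoPlainTextPassword
{
    param
    (
        [Parameter(Mandatory = $true)] [System.String] $MofPath,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential
    )

    $content   = Get-Content -Path $MofPath -Raw
    $plainText = $Credential.GetNetworkCredential().Password

    # A correctly protected mof is still readable text, but the Password member of the
    # MSFT_Credential instance holds an encrypted blob instead of the original string.
    return ($content -notmatch [regex]::Escape($plainText))
}

$credential = Get-Credential -Message 'Account for the application pool identity'

$mofs = AppPoolWithCredential -PoolCredential $credential `
    -ConfigurationData $configData -OutputPath '.\AppPoolWithCredential'

Test-MofHasNoPlainTextPassword -MofPath $mofs[0].FullName -Credential $credential
```

If the same configuration is compiled with PSDscAllowPlainTextPassword = $true instead of a certificate, the function returns $false, which is the condition to guard against in a build pipeline.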

bartjanson commented

Is there any progress on this issue?

johlju (Member) commented Sep 23, 2019

This was being worked on in PR #408. If anyone wants to send in a new PR to continue this work then please do.

cezarypiatek commented

After the discussion about security, I was forced to start everything from the beginning. Unfortunately, I haven't had time to finish it. My current work is available on my fork. If anyone has the resources to continue it, feel free to use my work.

johlju (Member) commented Sep 23, 2019

@cezarypiatek Thank you for the update! 🙂

whereisaaron commented

Not a solution to this issue, but a workaround for some: The CIS documentation suggests that the passAnonymousToken = $true setting on every application pool has the same effect. And that is a setting supported by the WebAdministrationDSC WebAppPool. That doesn't change the (appearance of the) Anonymous authentication setting but maybe silently bypasses that?

[image]

whereisaaron commented Oct 16, 2022

DSC workarounds for setting the default Anonymous Authentication Credentials username to blank. The WebConfigProperty approach could be a workaround for this issue since you can set the username/password to any desired values.

Option 1 with WebAdministrationDSC

```powershell
#
# Set anonymous authentication to use Application Pool Identity
# (Can also set 'passAnonymousToken = $true' on all application pools which has the same effect)
#
# IIS Security: 1.6 (L1) Ensure 'application pool identity' is configured for anonymous user identity (Scored)
#

WebConfigProperty UseApplicationPoolIdentityForAnonymousUserByDefault
{
    Ensure       = 'Present'
    WebsitePath  = 'MACHINE/WEBROOT/APPHOST'
    Filter       = 'System.WebServer/Security/Authentication/anonymousAuthentication'
    PropertyName = 'userName'
    Value        = ''
}
```

Option 2 with Script/xScript

```powershell
#
# Set anonymous authentication to use Application Pool Identity
# (Can also set 'passAnonymousToken = $true' on all application pools which has the same effect)
#
# IIS Security: 1.6 (L1) Ensure 'application pool identity' is configured for anonymous user identity (Scored)
#

xScript UseApplicationPoolIdentityForAnonymousUserByDefault {
    SetScript  = {
        # Clear both the stored user name and password; appcmd sets attributes with /name:value.
        &($env:SystemRoot + '\system32\inetsrv\appcmd') set config -section:anonymousAuthentication /userName:"" /password:""
    }
    TestScript = {
        $userName = &($env:SystemRoot + '\system32\inetsrv\appcmd') list config -section:anonymousAuthentication /text:userName
        return ($userName -eq "")
    }
    GetScript  = {
        $userName = &($env:SystemRoot + '\system32\inetsrv\appcmd') list config -section:anonymousAuthentication /text:userName
        return @{
            Result = $userName
        }
    }
}
```
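Both workarounds change the server-wide default, but an individual site can still override the section and keep a named account. The following audit, an added example that is not part of the comment above or of WebAdministrationDSC, reports for every site which identity anonymous requests actually run as, so the blank-user-name state (the CIS 1.6 reading cited above) can be verified after the configuration is applied. It also reports passAnonymousToken on each site's application pool, since the thread notes that setting has the same effect. It needs the WebAdministration module on an IIS host; the output object shape is this example's own.

```powershell
# Added example, not from the issue or any DSC module. Read-only audit of IIS configuration.
Import-Module WebAdministration

function Get-AnonymousIdentityReport
{
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param ()

    $filter = 'system.webServer/security/authentication/anonymousAuthentication'

    # Server-level default every site inherits unless it overrides the section.
    $default = Get-WebConfiguration -Filter $filter -PSPath 'MACHINE/WEBROOT/APPHOST'

    foreach ($site in Get-Website)
    {
        # Effective section for this site, after any site-level override.
        $auth = Get-WebConfiguration -Filter $filter -PSPath "IIS:\Sites\$($site.Name)"

        # Application pool element, to read passAnonymousToken.
        $poolFilter = "/system.applicationHost/applicationPools/add[@name='$($site.applicationPool)']"
        $pool = Get-WebConfiguration -Filter $poolFilter -PSPath 'MACHINE/WEBROOT/APPHOST'

        $identity = if (-not $auth.enabled)
        {
            'n/a (anonymous disabled)'
        }
        elseif ([string]::IsNullOrEmpty($auth.userName))
        {
            'Application pool identity'
        }
        else
        {
            "Specific account: $($auth.userName)"
        }

        [PSCustomObject]@{
            Site                = $site.Name
            AnonymousEnabled    = [bool]$auth.enabled
            AnonymousIdentity   = $identity
            # True when the site has its own userName different from the APPHOST default.
            OverridesDefault    = ($auth.userName -ne $default.userName)
            AppPool             = $site.applicationPool
            PassAnonymousToken  = [bool]$pool.passAnonymousToken
            # Blank user name (or anonymous off) is the state the two workarounds aim for.
            UsesAppPoolIdentity = (-not $auth.enabled) -or [string]::IsNullOrEmpty($auth.userName)
        }
    }
}

Get-AnonymousIdentityReport | Format-Table -AutoSize
```

Rows where UsesAppPoolIdentity is $false while OverridesDefault is $true are exactly the sites the server-wide workarounds do not reach; those need the same WebConfigProperty applied with the site's own WebsitePath.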
