
KB2800220 Server Setup Patterns

Applies to: PROJECT in a box Version 2.8

Introduction

The PIAB server is a standard ASP.NET/SQL Server web service and browser application. Because of this, it can be configured in a variety of ways, including using single or multiple servers. This document describes some typical setup patterns. Please note that applying these patterns requires knowledge of Windows system administration and .NET administration.

Key Issues

The main issue when creating and using a setup pattern is how to get the authentication correct between the various components of the system. This is simplest when all the components of the server are on a single PC, and more complex when the components are distributed among multiple PCs.

If you wish to use higher levels of security, with Windows authentication and trusted connections used throughout, then PIAB can be configured in this way. However please be aware that this requires extra technical work to ensure that the system has correct access to all these components. This is especially the case with a distributed system.

The setup issues include:

  1. How the PIAB client authenticates to IIS;
  2. How the web services application authenticates to SQL Server;
  3. The location of the PIAB system folders;
  4. Ensuring that the search function (Microsoft Index Service) can read the correct PIAB system folders.

Authentication Schemes

By default, PROJECT in a Box is configured to use Anonymous Access to IIS. In this mode, any user can connect to the web service, but a valid PIAB username/password must be sent with each request to gain access. Credentials are stored in the piab database itself and authentication is performed by the application.

Alternatively, Integrated Windows Authentication may be used. In this case, IIS is set to use Windows Integrated Authentication, only the user name is stored in the piab database, and the user name must match a valid Windows login name. The client's connection settings are switched to use Windows Authentication. This is the preferred mode in an Active Directory environment as it gives improved security and simpler user management.

Techniques and Technologies

The patterns described here rely on a number of Windows and .Net techniques and technologies with which the administrator should be familiar:

http or https (TLS)

The piab client can communicate with the server via http or https. Using http, information is transmitted in plain text. Using https, the communications are encrypted. To use https, IIS must have a server certificate installed.

IIS Authentication

IIS can be configured to authenticate the client in a number of ways:

  • Anonymous Access
  • Basic Access
  • Integrated Windows Access

In IIS 6 and 7 you can specify the user that will access system resources, or use the one supplied by the system. This is important when considering permissions to access local and remote resources.

The Web Application User

By default a web application runs in the security context of a local user/group as follows:

  OS                    User
  Windows 2008 Server   IIS_IUSRS
  Windows 2003 Server   NT AUTHORITY\NETWORK SERVICE
  Windows 2000 Server   %machinename%\ASPNET

If you are creating a distributed system, you may need to change the user, e.g. to a network user, to allow access to remote resources. You can do this either by changing the identity in IIS (recommended) or by using .NET Impersonation.

Changing the IIS Application Pool Identity

You can change the identity that IIS uses to run the web application from the default to, for example, a valid domain user. This is carried out in the IIS Management Console | Application Pool properties.

On IIS6

  1. Run the IIS admin console, and select the 'Application Pools'.
  2. Select the Application Pool that runs the 'piabws' application.
  3. Right-click and show the 'Properties' for the Application Pool.
  4. On the 'Identity' tab, change the identity to 'Configurable' and enter a domain user and password.

On IIS7

  1. Open the IIS Management Console (INETMGR.MSC).
  2. Open the Application Pools node underneath the machine node.
  3. Select the Application Pool you want to change to run under an automatically generated Application Pool Identity.
  4. Right-click the Application Pool and select "Advanced Settings...".
  5. Select the "Identity" list item and click the button with the three dots.
  6. Choose 'Custom account' and enter a domain user and password.

For more information on Application Pool settings with IIS 7.x, see http://learn.iis.net/page.aspx/624/application-pool-identities/

.NET Impersonation

Impersonation allows the web application to run with the credentials of a different user. This is set in the web.Config file for the piab web service using the <identity> element e.g.:

<identity impersonate="true" userName="foo" password ="bar"/>

For increased security, you can hide the credentials so that they are not written in the web.Config file using the Microsoft aspnet_setreg.exe utility, resulting in a web.Config entry like this:

<identity impersonate="true"
  userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
  password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />

For more information see http://support.microsoft.com/kb/329290

SQL Server Authentication

Connections can be made to SQL Server via:

  • Mixed Mode access (username and password supplied)
  • Trusted Connection (using an authenticated Windows User)

In general, a Trusted Connection is preferred for improved security.

Example connection strings, set in the piabws.config file via the 'PROJECT in a box Server' program:

Mixed Mode:

Data Source=(local);Initial Catalog=piab;User ID=foo;Password=bar;

Trusted Mode:

Server=(local);Database=piab;Trusted_Connection=True;

Credentials for Trusted Connection

When Anonymous Access is used in IIS, the Windows credentials used for a Trusted Connection to a Local SQL Server are the user set to run the web application (see the table above). When accessing a remote SQL Server instance, the credentials used are:

<domainname>\<machinename>$

e.g.

MYDOMAIN\SERVER1$

Searching

PIAB can use a 'Simple' built-in search, which does not use Windows services, or 'Windows Search' or 'Indexing Service', which do.

Windows Search

When using 'Windows Search', the PIAB 'doc' folder must be included in the local search, or if using a remote 'doc' share on another Windows server, then this must be indexed remotely and a reference set to the remote index, using appropriate permissions. Setting up remote searches requires Windows Sysadmin expertise and is beyond the scope of this document.

Indexing Service

When using 'Indexing Service' to perform document searches, the service must contain a catalog called 'piabdoc' that includes the PIAB 'doc' folder (which contains all the project files). If the folder is stored on a file share, then the Indexing Service must be modified to include that share as a UNC path, and appropriate permissions set up to access it.



Pattern 1: Single Server

A single server PC with Windows Server, Anonymous IIS Authentication

This pattern is the default for PIAB installed on a single Windows Server. All the files/folders and the SQL Server instance are on the server itself. The PIAB client accesses the web service using anonymous IIS access, and the default local account is used to access file resources and to communicate with SQL Server.

Pattern 1

1. PIAB Client

Set the client to use anonymous Access to IIS. Use HTTP or HTTPS in the URL to connect to the server.

2. IIS

If HTTPS is used, a server certificate must be applied. The directory security settings for the piabws virtual directory are set to allow anonymous access. The web application runs under the default web application credentials.

3. web.config

Use the default supplied.

4. piabws.cfg

Use the default supplied. The DB connection string is set to use a trusted connection on the local SQL Server instance, and the folder locations are local to the server.

5. Folders

System folders, e.g. the template paths and the doc folder (which stores all the versions of files), are in their default locations. The web application user must have r/w permissions on these folders.

6. MS Search Services

Use the PROJECT in a box Server Management tool (piabserver.exe) to set up the different search types.

Simple

This is a built-in search that does not use Windows services. It searches filenames and version descriptions, but not file content.

Windows Search

Configure 'Windows Search' to include the PIAB 'doc' folder in the search locations.

Indexing Service

Modify the Windows Indexing Service to include a catalog called 'piabdoc' that contains the PIAB 'doc' folder. The catalog is stored in the PIAB 'idx' folder.

7. SQL

Add the web application user to the SQL Server instance, with at least 'data reader/writer' privileges on the 'piab' database.



Pattern 2: Separate SQL Server

This pattern allows for the SQL Server database to be stored on a separate server. All other resources are local.

Pattern 2

1. Piab client

Set the client to use anonymous Access to IIS. Use http or https in the URL to connect to the server.

2. IIS

If HTTPS is used, a server certificate must be applied. The directory security settings for the piabws virtual directory are set to allow anonymous access. The web application runs under the default web application user (see the table above). However, a special account is used for connection to SQL, see below.

3. web.config

Use the default.

4. piabws.cfg

Set the database connection string in the piabws.config file to access the remote SQL Server with a trusted connection e.g.

<dbconstring>Server=SVR2;Database=piab;Trusted_Connection=True</dbconstring>

5. Folders

System folders, e.g. the template paths and the doc folder (which stores all the versions of files), are in their default locations. The web application user must have r/w permissions on these folders.

6. MS Search Services

Use the PROJECT in a box Server Management tool (piabserver.exe) to set up the different search types.

Simple

This is a built-in search that does not use Windows services. It searches filenames and version descriptions, but not file content.

Windows Search

Configure 'Windows Search' to include the PIAB 'doc' folder in the search locations.

Indexing Service

Modify the Windows Indexing Service to include a catalog called 'piabdoc' that contains the PIAB 'doc' folder. The catalog is stored in the PIAB 'idx' folder.

7. SQL

The following user (the machine account of the web server, as the web application runs under the default identity) must be added to SQL Server, and given r/w permissions on the 'piab' database:

<yourdomain>\<yourserver>$

e.g.

MYDOMAIN\SVR1$



Pattern 3: Three Servers

In this pattern, the application is split over three servers, with some application folders stored on a remote server of some kind (e.g. another Windows Server, NAS or SAN). Integrated Windows Authentication is used between the PIAB client and IIS. The identity running the web application is changed to that of a domain user to allow authentication to remote resources (SQL Server and remote folders).

Pattern 3

1. PIAB client

  • Set the PIAB client 'Options/Connection' to use 'Integrated Windows Access to IIS'.

2. IIS

  • Set the IIS security settings for the 'piabws' application or website to allow 'Integrated Windows Authentication' only.
  • Use the 'PROJECT in a box Server Management Tool' (piabserver.exe), 'Hub' tab, to set the 'Hub Authentication' to use 'Use IIS Authentication'.
  • If HTTPS is used, a server certificate must be applied.

3. Modify the Application Identity

  1. Create a new domain user, e.g. 'MYDOMAIN\piabuser'.
  2. Put the new user in the following groups: 'Domain User' and 'IIS_WPG' (IIS_WPG is the group that allows the user to run the .NET worker process).
  3. Set permissions on the remote share and local folders (rw on the 'doc' folder on the remote share, rw on the local install folder).
  4. Set IIS to use the new user, either using the IIS Application Pool identity or using .NET Impersonation (see above for both).

4. piabws.cfg

Set the database connection string in the piabws.config file to access the remote SQL Server with a trusted connection e.g.

<dbconstring>Server=SVR2;Database=piab;Trusted_Connection=True</dbconstring>

Set the required folder references to have UNC paths (see 5. Folders, below) e.g.

<templatepath>\\SVR3\piabshare\template2.0</templatepath>
<docpath>\\SVR3\piabshare\doc</docpath>
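As an added example (not PIAB's own code), the following Python audit reads the piabws.cfg <dbconstring> and folder paths and the web.config <identity> element described above, and flags the settings this article warns about: Mixed Mode with a clear-text SQL password, a remote trusted connection that needs a SQL login for the machine account or custom pool identity, UNC folder paths that require a domain identity, and clear-text impersonation credentials. The server names and sample file contents are constructed, and the piabws.cfg element names are assumed to be exactly those shown on this page.

```python
import xml.etree.ElementTree as ET

def parse_constring(cs):
    """Split 'Key=Value;...' into a dict keyed by lower-cased key."""
    pairs = (item.split("=", 1) for item in cs.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dbconstring(cs):
    """Return (auth mode, findings) for a piabws.cfg <dbconstring> value."""
    p = parse_constring(cs)
    findings = []
    trusted = p.get("trusted_connection", "").lower() in ("true", "yes", "sspi")
    server = (p.get("server") or p.get("data source") or "").lower()
    remote = server not in ("", "(local)", ".", "localhost")
    if not trusted:
        findings.append("mixed mode: prefer a trusted connection")
        if "password" in p or "pwd" in p:
            findings.append("SQL password stored in clear text in piabws.cfg")
    elif remote:
        # Default app pool identity reaches a remote SQL Server as DOMAIN\MACHINE$
        findings.append("remote trusted connection: add a SQL login for "
                        "DOMAIN\\MACHINE$ or for the custom app pool user")
    return ("trusted" if trusted else "mixed"), findings

def audit_piabws_cfg(xml_text):
    """Findings for the connection string and folder paths in piabws.cfg."""
    root = ET.fromstring(xml_text)
    findings = audit_dbconstring(root.findtext("dbconstring") or "")[1]
    for tag in ("templatepath", "docpath"):
        if (root.findtext(tag) or "").startswith("\\\\"):
            findings.append(f"{tag} is a UNC path: run the web app as a domain "
                            "user with modify rights on that share")
    return findings

def audit_web_config(xml_text):
    """Flag clear-text impersonation credentials in web.config <identity>."""
    ident = ET.fromstring(xml_text).find(".//identity")
    if ident is None or ident.get("impersonate", "").lower() != "true":
        return []
    pwd = ident.get("password", "")
    plain = pwd and not pwd.startswith("registry:")  # aspnet_setreg uses registry:
    return ["impersonation password in clear text: use aspnet_setreg.exe"] if plain else []

# Constructed sample files matching Pattern 3 of this KB (hypothetical server names).
SAMPLE_CFG = """<config>
<dbconstring>Server=SVR2;Database=piab;Trusted_Connection=True</dbconstring>
<templatepath>\\\\SVR3\\piabshare\\template2.0</templatepath>
<docpath>\\\\SVR3\\piabshare\\doc</docpath>
</config>"""
SAMPLE_WEB = ('<configuration><system.web><identity impersonate="true" '
              'userName="foo" password="bar"/></system.web></configuration>')
```

Run audit_piabws_cfg(SAMPLE_CFG) and audit_web_config(SAMPLE_WEB) against your own files to list the identity and permission work each pattern requires.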

5. Folders

The PIAB document folders, typically 'doc' and 'template2.0', also possibly the 'clientsupportfiles' folders, are stored on SVR3. These folders are shared on the network and available as UNC paths to SVR1.

Our YOURDOMAIN\piabuser user is set to have modify permissions on this share and the folders.

The piabws.cfg file contains UNC path references to these folders (see 4. piabws.cfg above).

6. MS Search Services

Use the 'PROJECT in a box Server Management Tool' (piabserver.exe) on the server to configure the Search interface.

Simple

This search is built-in and does not use any Windows Search services. We recommend that you use this for initial set up; it can also provide default search functionality if you have problems setting up remote searches. Note that it searches filenames and descriptions, but not the file content.

Windows Search

The PIAB 'doc' folder must be made available to Windows Search. Either the remote 'doc' folder can be included in the local search locations as a UNC path, or PIAB can be set to query a remote Windows Search index.

Indexing Service

The MS Indexing Service contains a catalog called 'piabdoc' that contains the PIAB 'doc' folder. By default, this is set up with local folders. The location of the doc folder must be set to a UNC path using the MS Indexing Service control panel (from the Computer Management console). Note that the catalog normally remains local in the PIAB 'idx' folder.

7. SQL

The web app authenticates to SQL Server using our YOURDOMAIN\piabuser account. Set this user to have r/w data privileges on the 'piab' database.

2_8/kb2800220.txt · Last modified: 2017/06/22 13:13 (external edit)