Windows authentication for Raven

Robert Labrie

Feb 5, 2015, 11:14:15 AM
to rav...@googlegroups.com
2.5.2750 Windows 2012 R1 MSIE 10.0

I followed the instructions here:
http://old.ravendb.net/docs/2.5/server/authentication
and here:
http://ravendb.net/docs/article-page/2.5/csharp/server/administration/configuration#authorization--authentication

I set <add key="Raven/AnonymousAccess" value="Get" />

When I hit the /debug/user-info endpoint I get:
{"Remark":"Using anonymous user","User":null,"IsAdminGlobal":false,"IsAdminCurrentDb":false,"Databases":null,"Principal":null,"AdminDatabases":null,"ReadOnlyDatabases":null,"ReadWriteDatabases":null,"AccessTokenBody":null}

Do I have to configure IIS Authentication for the site?

Thanks,
Rob

Oren Eini (Ayende Rahien)

Feb 5, 2015, 11:28:53 AM
to ravendb
You are _allowed_ to do a Get under this scenario.
Because of that, we don't do any Auth.

In general, Get isn't really a good option for anything.
Set it to None.

Hibernating Rhinos Ltd  

Oren Eini l CEO Mobile: + 972-52-548-6969

Office: +972-4-622-7811 l Fax: +972-153-4-622-7811


Robert Labrie

Feb 5, 2015, 12:13:14 PM
to rav...@googlegroups.com
Thanks, I set it to none, and just started getting a blank page. It did work when I changed the authentication settings on the site from Anonymous to Windows and Digest.

Oren Eini (Ayende Rahien)

Feb 5, 2015, 12:16:14 PM
to ravendb
Yes, you need to enable auth on IIS as well for that to work

Robert Labrie

Feb 11, 2015, 9:28:45 AM
to rav...@googlegroups.com
Hi,

Ok I'm getting closer, getting the auth challenge now and so far so good. I have a dummy user called "DEV\powerlessuser", it doesn't have any group membership beyond domain users and was not granted any specific rights in Raven, but when I hit debug/user-info I get:

{"Remark":"Using windows auth","User":"DEV\\powerlessuser","IsAdminGlobal":true,"IsAdminCurrentDb":false,"Databases":[],"Principal":null,"AdminDatabases":[],"ReadOnlyDatabases":[],"ReadWriteDatabases":[],"AccessTokenBody":null}

Web config:

  <appSettings>
    <add key="Raven/DataDir" value="C:\RavenData\Data" />
    <add key="Raven/AnonymousAccess" value="None" />
    <add key="Raven/AllowLocalAccessWithoutAuthorization" value="False" />
    <add key="EnvironmentClass" value="Development" />
  </appSettings>

Thanks,
Rob

Oren Eini (Ayende Rahien)

Feb 12, 2015, 2:13:06 AM
to ravendb
Is it an admin user?
What groups is it a member of?

Robert Labrie

Feb 12, 2015, 7:58:28 AM
to rav...@googlegroups.com
Do the file system permissions on the application directory play into this at all? I still have the default read for all users enabled. For authentication on the website, I have basic, digest and windows enabled, everything else disabled.

Powerless user is literally powerless:

C:\RavenCurrent\web>dsquery user -samid powerlessuser | dsget user -memberof
"CN=Domain Users,CN=Users,DC=dev,DC=labs"

My Raven/Authorization/WindowsSettings is:

{
  "RequiredGroups": [],
  "RequiredUsers": [
    {
      "Name": "dev.labs\\srvc-website",
      "Enabled": true,
      "Databases": [
        {
          "Admin": true,
          "TenantId": "*",
          "ReadOnly": false
        }
      ]
    },
    {
      "Name": "dev.labs\\srvc-tnw",
      "Enabled": true,
      "Databases": [
        {
          "Admin": true,
          "TenantId": "*",
          "ReadOnly": false
        }
      ]
    },
    {
      "Name": "dev.labs\\rlabrie",
      "Enabled": true,
      "Databases": [
        {
          "Admin": true,
          "TenantId": "*",
          "ReadOnly": false
        }
      ]
    },
    {
      "Name": "dev\\srvc-teamcity",
      "Enabled": true,
      "Databases": [
        {
          "Admin": true,
          "TenantId": "*",
          "ReadOnly": false
        }
      ]
    },
    {
      "Name": "dev\\mcrow",
      "Enabled": true,
      "Databases": [
        {
          "Admin": true,
          "TenantId": "*",
          "ReadOnly": false
        }
      ]
    }
  ]
}

Oren Eini (Ayende Rahien)

Feb 12, 2015, 8:09:24 AM
to ravendb
Are you available on skype?

Robert Labrie

Feb 12, 2015, 11:38:01 AM
to rav...@googlegroups.com
Sure, I'll send you an email, it'll be early next week. Thanks!

Oren Eini

Feb 14, 2015, 12:04:26 AM
to rav...@googlegroups.com
Very important question, what user is RavenDB running under?

Robert Labrie

Apr 9, 2015, 12:41:47 PM
to rav...@googlegroups.com
Just in case anyone gets here by googling, my user was a local admin on the box. Local admins get isGlobalAdmin=true, and that's what was throwing everything off.

Thanks to Oren and everyone at Rhinos for helping out.
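
Added example, not part of the original thread and not RavenDB code: a Python check that compares a /debug/user-info response with the Raven/Authorization/WindowsSettings document and flags admin rights the settings do not explain, which is the situation powerlessuser was in. The sample JSON is constructed from the outputs quoted in the thread; the finding codes and the account-name matching rule are assumptions of this example.

```python
import json

# Constructed samples: trimmed copies of the outputs quoted in the thread.
ANON_INFO = '{"Remark":"Using anonymous user","User":null,"IsAdminGlobal":false}'
WIN_INFO = r'{"Remark":"Using windows auth","User":"DEV\\powerlessuser","IsAdminGlobal":true}'
SETTINGS = r'''{"RequiredGroups": [], "RequiredUsers": [
  {"Name": "dev.labs\\rlabrie", "Enabled": true,
   "Databases": [{"Admin": true, "TenantId": "*", "ReadOnly": false}]},
  {"Name": "dev\\mcrow", "Enabled": true,
   "Databases": [{"Admin": true, "TenantId": "*", "ReadOnly": false}]}]}'''


def account(name):
    # Assumption of this example: compare only the account part, case-insensitively,
    # so the "DEV" and "dev.labs" domain spellings are treated as the same principal.
    return name.rsplit("\\", 1)[-1].lower()


def granted_names(settings, key):
    """Account names of enabled entries under RequiredUsers or RequiredGroups."""
    return {account(e["Name"]) for e in settings.get(key) or [] if e.get("Enabled")}


def audit(user_info, settings, member_of=()):
    """Return finding codes (hypothetical names) for one /debug/user-info response."""
    user = user_info.get("User")
    if user is None:
        # The server answered without authenticating the caller (first post).
        return ["ANONYMOUS_NO_IDENTITY"]
    findings = []
    by_user = account(user) in granted_names(settings, "RequiredUsers")
    by_group = bool({account(g) for g in member_of} & granted_names(settings, "RequiredGroups"))
    if not (by_user or by_group):
        findings.append("NO_EXPLICIT_GRANT")
        if user_info.get("IsAdminGlobal"):
            # Root cause reported in the thread: the account was a local admin on the server.
            findings.append("ADMIN_NOT_FROM_WINDOWSSETTINGS_CHECK_LOCAL_ADMINS")
    return findings


def run_samples():
    settings = json.loads(SETTINGS)
    return {
        "anonymous": audit(json.loads(ANON_INFO), settings),
        "powerlessuser": audit(json.loads(WIN_INFO), settings, ["Domain Users"]),
        "rlabrie": audit({"User": "DEV\\rlabrie", "IsAdminGlobal": True}, settings),
    }


if __name__ == "__main__":
    for who, result in run_samples().items():
        print(who, result)
```
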