WebAdministrationDsc
Add Support for Editing Anonymous Authentication Credentials
This should be available in xWebApplication and xWebSite. It should allow setting the username/password or setting them to blank which forces it to use the Application Pool credentials.
+1, this is an issue for us.
+1
+1
+1 I would like to help but I am not sure how these additional options should be provided. Currently all information about authentication is defined as follows:
AuthenticationInfo = `
MSFT_xWebApplicationAuthenticationInformation
{
    Anonymous = $true
    Basic = $false
    Digest = $false
    Windows = $false
}
Where can I find definition of MSFT_xWebApplicationAuthenticationInformation? Does it contain other properties which could be used to provide user/password information? Or should I introduce another parameter for this functionality, something like that:
AuthenticationInfo = MSFT_xWebApplicationAuthenticationInformation
{
    Anonymous = $true
    Basic = $false
    Digest = $false
    Windows = $false
};
AnonymousAuthenticationInfo = @{
    User = "TestUser";
    Password = "secret"
}
Necessary configuration sections are described here: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication
@cezarypiatek Sorry that nobody answered you for so long. I think you need a new property AnonymousCredential that provides the username and password to use when Anonymous = $true. Also, if that new property AnonymousCredential is not provided, then maybe it can blank out username and password which means Application Pool is used (as per @PlagueHO comment above). Let me know if you want to work on this, then I label this as 'in progress'.
I can take it.
Awesome! I have labeled this as 'In progress'. Thanks!
Is this a thing yet? I really need this feature.
I've started to implement it on my fork https://github.com/cezarypiatek/xWebAdministration but I haven't had time to manage the UT. Btw I think that xWebApplication and xWebSite require refactoring because there is a massive code duplication which makes those modules hard to extend.
In the meantime I've found xIISApplicationPoolIdentityType resource which probably is the missing part.
@cezarypiatek Agree that those should be refactored to use helper functions, same goes for the *Defaults resource(s) too.
I've got stuck with a weird error related to CIM objects. The issue is described in the related PR https://github.com/PowerShell/xWebAdministration/pull/408
Can somebody help me with that?
@johlju @kwirkykat could you help me?
@cezarypiatek Thanks for submitting the PR for this issue. Sorry for the delay. I'll take a look at the error you're running into later tonight and reproduce in my environment.
@regedit32 Any progress on the PR yet?
Still waiting for help, no response from @regedit32 so far.
@cezarypiatek I see you have some recent commits, are you close to having a working solution?
@twerthi I'm in the middle of adding tests for this feature in the xWebSite module. After that I need to repeat everything for xWebApplication because there is a code duplication between these two modules (or find a way to reuse the current solution). I'm probably going to split this into two PRs.
Any progress to report on?
Would be great to have this. Currently using some idempotent PowerShell to accomplish this.
Thanks for the reminder. I will try to get back to this on Saturday.
I think I've finished with UT for the xWebsite module. I only need to complete non-development tasks, such as doc update etc.
Two things:
- I think I've got stuck again with integration tests. Some of them are failing and there is no useful error message. Details in #408. Help needed.
- Instead of adding a custom CIM type for credentials maybe I should use MSFT_Credential? What is the proper way of handling passwords in DSC?
@cezarypiatek I think for item 2 you should have MSFT_Credential for the property Password in MSFT_xWebAnonymousAuthenticationCredentials, otherwise the password will not be encrypted.
Looking at item 1 now.
For item 1. Could it be that it does not return the correct object on this line AnonymousCredentials = $anonymousCredentials. That this line is $null but should always be the CIM instance MSFT_xWebAnonymousAuthenticationCredentials. For example if the website returns false for this $anonymousAuthentication.enabled then Get-AnonymousCredentials will not return the correct CIM instance.
Could this be the problem?
@johlju so CIM fields cannot be null?
Honestly not sure, but Get-DscConfiguration that is failing in the integration test usually fails if the return value has the wrong type. So I’m guessing it tries to access the object, but there are no objects. If that is the case, maybe you can return a CIM instance but the properties are null.
To test it, I would hard code an object in the code and manually run Get-DscConfiguration to see what the value can and cannot contain. :thinking:
thanks, I will try this.
Ok, I'm trying now to implement it using MSFT_Credential. I model myself on xWebAppPool and application pool credentials. The Get-TargetResource method is returning Credential field with username and password values. Doesn't it violate security? It looks like a way to retrieve credentials from the system.
https://github.com/PowerShell/xWebAdministration/blob/2e1778f42c782e98583368612f692f2af7072b7c/DSCResources/MSFT_xWebAppPool/MSFT_xWebAppPool.psm1#L135
cc: @johlju
What I meant is that it should return a CIM instance of the instance MSFT_xWebAnonymousAuthenticationCredentials, not MSFT_Credential. The instance of MSFT_xWebAnonymousAuthenticationCredentials that is returned could just contain the user name, and not the password. Or both values in that instance could probably be $null.
We are talking about this line in the schema, right?
https://github.com/PowerShell/xWebAdministration/blob/e665489a92fa64b8e50f31d7f529f39efe504bfd/DSCResources/MSFT_xWebsite/MSFT_xWebsite.schema.mof#L52
I think that introducing MSFT_xWebAnonymousAuthenticationCredentials is a bad idea and I want to implement this feature in the same way as MSFT_xWebAppPool is handling application pool identity credentials (It uses MSFT_Credential) but I'm not sure if that existing implementation of MSFT_xWebAppPool is secure. Please review Get-TargetResource from MSFT_xWebAppPool and tell me if it's secure or not.
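
The option raised in the thread (return a credential instance from the Get path that carries the user name but no password), sketched as an added example that is not code from the module or the PR. Get-AnonymousIdentity and Test-AnonymousIdentity are hypothetical names, and the sketch assumes the WebAdministration module on an IIS host.

```powershell
# Added example; both functions are hypothetical helpers, not module code.
Import-Module -Name WebAdministration

function Get-AnonymousIdentity
{
    [CmdletBinding()]
    [OutputType([Microsoft.Management.Infrastructure.CimInstance])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Site
    )

    $filter = '/system.webServer/security/authentication/anonymousAuthentication'

    # Read only the userName attribute; the password attribute is never queried.
    $attribute = Get-WebConfigurationProperty -Filter $filter -Name 'userName' -Location $Site

    # Accept either a plain string or an attribute object exposing .Value.
    $userName = if ($attribute -is [System.String]) { $attribute } else { $attribute.Value }

    # MSFT_Credential instance with the password left empty, so the secret
    # cannot be read back through Get-DscConfiguration.
    return New-CimInstance -ClassName 'MSFT_Credential' -ClientOnly `
        -Namespace 'root/microsoft/windows/DesiredStateConfiguration' `
        -Property @{
            UserName = [System.String] $userName
            Password = [System.String] $null
        }
}

function Test-AnonymousIdentity
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)] [System.String] $Site,
        [Parameter()] [System.Management.Automation.PSCredential] $Credential
    )

    # No credential supplied means a blank user name (application pool identity).
    $desired = if ($Credential) { $Credential.UserName } else { '' }

    # Compares the user name only; the stored password is not read.
    return (Get-AnonymousIdentity -Site $Site).UserName -eq $desired
}
```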