I have a Node.js server s1 running on IIS (using iisnode). I'm using http-proxy-middleware to forward an HTTP request to another server s2 (I can't access that server from the client because of CORS).

s2 needs Windows credentials. Someone told me that the credentials that are sent to s2 aren't the Windows credentials from the HTTP request but the credentials of the user that is running s1. He says I need to use impersonation in order to forward the HTTP credentials.

Is that right? How can I do it?

IsraGab
  • s1 runs as the application pool identity if you don't use impersonate. Then the credential is the application pool identity when forwarding the HTTP request to s2. But if you use impersonate, the identity is the account used to log in to s1. – Bruce Zhang Dec 28 '21 at 06:15
  • OK. That's what my friend said. How can I use impersonation in iisnode? – IsraGab Dec 28 '21 at 10:50
  • I'm not an expert on iisnode. But you can configure it on web.config. ` ` – Bruce Zhang Dec 29 '21 at 06:05
  • Which username and password should I give? – IsraGab Dec 29 '21 at 22:02
  • The credentials that s2 needs. s1 will run the application and forward the request with the identity of this account. – Bruce Zhang Dec 30 '21 at 02:54
  • The problem is that I don't know how to do it... – IsraGab Jan 01 '22 at 21:21
  • Server s2 is owned by you. Others cannot know anything about it. – Bruce Zhang Jan 03 '22 at 05:16
  • S2 is not owned by me. In the client request to s1 I should have the user's credentials in my nodejs code because the request is done with useCredentials. How can I forward it to s2? – IsraGab Jan 03 '22 at 05:22
  • I'm not an expert on nodejs; you can wait for other nodejs members. But these are all the settings on IIS. – Bruce Zhang Jan 03 '22 at 06:41
  • Thank you for your help. I don't really understand the settings in IIS. Which credentials should I set? Is it safe to expose credentials like this? – IsraGab Jan 03 '22 at 15:40
  • The simplest credential is the account you used to log in to s2, such as administrator. It is unsafe to expose administrator, so it's better to create a custom user or group in s2 group policy and set some restrictions for it. Then you can expose it with no need to worry about security. – Bruce Zhang Jan 05 '22 at 05:23

0 Answers