I have an Angular frontend with a .NET framework backend, which has the following web.config file (nothing else about authorization/authentication):
<location path="Tokens">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
I am using AD login, which is the Tokens controller, the rest is secured by JWT tokens.
My current problem is, I wish to test the website with other computers in the domain using IIS and the website works if I use localhost, but as soon as I use my IP, errors start appearing.
My frontend configuration JSON:
{
...
"apiAddress": "https://IP:50505/",
...
}
And the backend web.config also contains this:
<add key="WhitelistedServerUrls" value="https://IP:34622" />
So if the IP in the config files is localhost, then everything works as it should, but if I exchange that for my actual IP, then I get CORS errors as shown in the image below:
None of these errors appear if I use localhost. Below is the list of the things I've tried:
CORS should be correctly set up in the code, but just to make sure, I also configured it in the HTTP Response Headers feature in IIS
this fixed CORS errors, but brought different errors, also signalr had an error that CORS origin is set up twice
I also added the website https://IP to local intranet in settings
prior to this, I was getting a login popup, doing this fixed it
my bindings for both frontend and backend are https with a self-signed certificate
browser notifies, that the certificate is not valid
My guess is that my IIS is not configured correctly, as the website works if I use localhost instead of an IP address.
You enabled Windows authentication, so that when CORS preflight request (anonymous OPTION request) sent by the browser arrives on IIS, 401 is returned by IIS and triggers the errors you see.
You will have to use IIS CORS module to properly process such preflight requests,
https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
Related
I have a simple MVC web api 2 IIS hosted application which I want to enable windows authentication (initially not using Owin). I am running this on my development machine and running as local IIS.
So, from what I could find, I need to add the following to the web.config
1: to the following section the authentication mode="Windows"
<system.web>
<compilation debug="true" targetFramework="4.5.1"/>
<httpRuntime targetFramework="4.5.1"/>
<authentication mode="Windows" />
</system.web>
2: Then add the following
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
When I add the above and run the application (in debug from Dev studio), I get the following error
HTTP Error 500.19 - Internal Server Error
Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
and then it specifically points to this web config entry
Config Source:
37: <authentication>
38: <windowsAuthentication enabled="true"/>
39: </authentication>
Anyone have any ideas why I would be getting this?
Also, I noticed when I switch to IIS express, that in the project properties, the Windows Authentication is set to disabled, and grayed out so I cannot set it here either.
Thanks in advance for any help!
If you read applicationHost.config, you will see that authentication related sections are locked down and cannot be overridden in web.config,
<section name="windowsAuthentication" overrideModeDefault="Deny" />
Thus, you need to specify that in applicationHost.config, instead of web.config. Both IIS and IIS Express have such restriction.
Alright Stackoverflow, after much fruitless research I've ended up here!
I am attempting to get a .NET Core 2.0 site hosted out of IIS with Windows Authentication and SSL, and no matter what I try I continue to get inconsistent/intermittent 403 Access Denied errors.
If there was something dead-wrong, I would expect it never to work. However, it works maybe ~3/10 times if I restart the site and the app pool. There is nothing useful that I can find in the Event Viewer, Application Logs, or IIS trace logs.
Things I have done in no particular order:
The app pool is running as a gmsa account with rights to my database (prod.service$)
Granted log on as a service, and log on as batch to the gmsa account.
Granted IIS_IUSRS, prod.service$, and Domain Users permissions on the web root folder. Currently at full-control out of despair.
Granted IIS_IUSRS, prod.service$, and Domain Users permissions to the certificate.
Enabled Windows Auth, Disabled Anonymous Auth
Set default document pointing to the front-page.
Set the app pool to "Load Profile"
Set the .NET CLR version to "No Managed Code"
Set ForwardWindowsAuthToken to true in the web.config
NTLM has been moved to the top of the list as the first auth provider under Site > Authentication > Right-Click Windows Authentication > Providers
One more detail is that I am trying to authenticate with users from a different domain, where a one-way trust is set up. I am remoting into the host with credentials from the 'other' domain, so it has visibility.
Here is my web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\MCP.MVP.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true" startupTimeLimit="3600" requestTimeout="23:00:00" />
<defaultDocument>
<files>
<add value="/home/index" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
<!--ProjectGuid: [REDACTED] -->
From Startup.cs:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.Configure<IISOptions>(options =>
{
options.AutomaticAuthentication = true;
});
From Program.cs
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseIISIntegration()
.UseStartup<Startup>()
.Build();
Using Authorize attributes everywhere:
[Authorize(Policy = "RequireViewerRole")]
Authorization Glue, where Configuration["RequireViewerRoles"] is a comma delimited list of domain groups:
services.AddAuthorization(options =>
{
options.AddPolicy("RequireViewerRole", policy => policy.RequireRole(Configuration["RequireViewerRoles"].Split(',')));
});
Have I entered .NET Core 2.0 bug territory, or am I missing something?
It turned out to be a massive red herring!
It was a 401.2 "invalid server configuration" error. I finally noticed a pattern where the application would work if I opened up the folder security permissions dialogue, which would forcibly hit the domain-controller and cache the group names from the user domain. The application would work fine for about 5 minutes, before refusing to authenticate again with no other changes made.
The issue was solved by configuring the domain name on the group, which is obvious in retrospect. (DomainName\\Domain Users). The fact that it worked at all without the domain name led to a lot of confusion. There was nothing to indicate this error from the IIS logs, and ultimately it was solved by trial and error.
I inherited a project that I was asked to look at. It's an ASP.NET website that is deployed on a clients intranet server. They gave me VPN access and the source code. They are using Active Directory for authentication.
So here's my setup: Code running locally, connected to their db on their db server.
In the web.config I see that authentication mode=Windows and identity impersonate is true. However, when I run the project I get this error:
Could not create Windows user token from the credentials specified in
the config file. Error from the operating system 'The security
database on the server does not have a computer account for this
workstation trust relationship.
The username for the identity line (web.config) is a service account. All this runs fine in production. Any ideas as to why this app is not authenticating? Thanks!
If your dev machine is not joined to their domain, then it might not work. But maybe it's possible.
As a start, try disabling Kerberos and forcing NTLM using this in the web.config:
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
If you are hosting locally in IIS, then you can do the same in IIS Manager. Select the site -> Authentication -> Right click Windows Authentication -> Providers -> Remove 'Negotiate' from the list, leaving only NTLM.
I am using Windows Authentication for the first time in a C# MVC web project and i have run into some issues. If i am accessing the website from localhost, the browser will prompt for windows credentials. This only happens with a new browser session. After that the site is opened.
When i try to access the site from a remote machine on the same network the browser does not prompt for credentials and I receive a 403 error. Viewing the page is declined. I created a login page to redirect unauthorized users to. Their credentials will be approved via Active Directory. In order to do this i had to enable Anonymous Authentication in IIS which i thought shouldn't be done when using Windows Authentication instead of Forms.
Could some one please help me with the 403 error and best practices/configurations for Windows Authentication? Thanks
This did the trick for me:
web.config:
<appSettings>
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false" />
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<authentication mode="Windows" />
<identity impersonate="false" />
<authorization>
<deny users="?" />
</authorization>
I did have to keep Anonymous Authentication enabled in IIS which i'm still not sure is correct. Windows Authentication also enabled in IIS
I came up with a necessity to work with my asp.net mvc site from a remote pc while developing. So, I configured it to use IIS Express.
At first, a problem raised with windows authentication. My site is supposed to work in windows domain intranet, so I wanted to use integrated windows authentication. I managed to make it work on firefox with How To: Firefox and Integrated Windows Authentication from IIS Express Windows Authentication (answer by bees73). But IExplorer still asks to print login/password, even if I open it locally, specifying my ip instead of localhost.
The issue with IE is still not resolved, but let it be - if I print in my credentials, it does work locally.
My question is: when I open my site on a remote PC (both in firefox (no need to print login/password) and IE (I do have to print login'n'password)) my page is rendered without applying styling. It looks like no css is available. But I don't get any errors.
In the source code of the loaded page I do have line
<link href="/Content/Site.css" rel="stylesheet" type="text/css" />
but when I try to see the Site.css, it says, there was some internal server error.
I think I did not configure IIS Express properly and that's the problem. If it was OK, the integrated windows authentication had to work without asking login and password on IE at least I guess.
So, my config:
The project itself - to IIS Express, windows authentication - on, anonymous - off.
netsh http add urlacl url=http://myip:myport user=domainname\mylogin
netsh http add iplisten ipaddres=myip
in applicationhost.config:
Bindings:
<site name="MySite" id="2">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="D:\..." />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:myport:localhost" />
<binding protocol="http" bindingInformation="*:myport:myip" />
</bindings>
</site>
Authentication:
<sectionGroup name="authentication">
<section name="anonymousAuthentication" overrideModeDefault="Deny" />
...
<section name="windowsAuthentication" overrideModeDefault="Allow" />
</sectionGroup>
<authentication>
<anonymousAuthentication enabled="false" userName="" />
...
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
<add name="AnonymousAuthenticationModule" lockItem="true" />
<location path="MySite">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
The problem was connected with netsh and binding configuration in ISS Express. At first I setup it through my ip, and it resulted in confusing errors.
While searching for anything in the web I ran across Setting up IIS Express. All the same there, but it's suggested using pc name in netsh and iis applicationhost.config.
So, I added
netsh http add urlacl url=http://MyPCName:MyPort/ user=everyone
and
<binding protocol="http" bindingInformation="*:MyPort:MyPCName" />
and a miracle!! It worked.
As for the IE, I had to turn off the "Use Windows authorization" flag to make it work. Many thanks to Internet Explorer - Enable Integrated Windows Authentication. But nevertheless IE still asks for login and password, if an ip is used in url. If pc name is used it works silently.
Firefox either asks for login and password (and works if one enters valid credentials) or you should apply How To: Firefox and Integrated Windows Authentication (mentioned in my question) and then it works silently both with ip and pc name.
Hope this helps someone else.
EDIT
One remark: I had to launch VS2010 with administrtor permissions. If not, I still get HTTP 500 error based on the bad impersonation error. So, it looks like IIS Express, launched by VS2010 without administrator permissions under Windows 7, won't be able to work correctly.
As far as I understood, the clue is to give the appropriate permissions to IIS_IUSRS. But until that it's easier to launch VS 2010 with administrator privilages.
It may be due to the error in resolving the root path where Css is located.
You can try with Url helpers to resolve this issue.
<link rel="stylesheet" type="text/css" href="#Url.Content("~/Content/Site.css")" media="screen" />
In Asp.net development server(In visual studio environments) <link href="/Content/Site.css" rel="stylesheet" type="text/css" /> will work fine.. but while hosting in IIS, root path cannot be resolved using a relative path. With the help of Url helpers we can resolve this issue. Using Firebug you can see the load error of resources if any.
Edit:
In the web.config under the <system.web> section modify as follows.
<system.web>
<identity impersonate="true" userName="ServerName\Administrator" password="password"/>
</system.web>
Give the proper values for username and password. You can try giving folder permission to the IIS user groups(IUSR ,IIS_IUSR) to the folder where application is hosted.(Right click the hosted folder -> Properties under the Security tab, you can find the user groups and can give permissions)
try placing a web.config file in you Content folder. and put the following code in it.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>