I've got an MVC webpage with Windows authentication where users log in using domain credentials. Here are my auth web.config settings:
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.5" maxQueryStringLength="32768" maxUrlLength="65536" />
<customErrors mode="Off" />
<authentication mode="Windows" />
<authorization>
<allow roles="NG\All-Trained-Users" />
<deny users="*" />
</authorization>
<hostingEnvironment shadowCopyBinAssemblies="false" />
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Optimization" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
<identity impersonate="true" />
</system.web>
However, access to shared resources is denied in the app.
Users are prompted for Windows auth after the global.asax.cs Application_Start() method finishes. In that method, the app has access to shared resources. For example, Console.WriteLine(Directory.Exists("\\existing\shared\directory")) prints "true". My understanding is the logged-in Windows user identity is being used to authenticate access -- right?
I'm using the same credentials to log into Windows and to log into the webpage. However, when I log into the webpage, something changes, because Console.WriteLine(Directory.Exists("\\existing\shared\directory")) prints "false" as the first line of the Index() method. Trying to access a file returns a System.UnauthorizedAccessException. Are those credentials treated differently within MVC?
System.Environment.UserName and System.Environment.UserDomainName return the same values in both Application_Start() and Index(). In File Explorer this user can navigate to the shared location and access files just fine. The network location lists the user as having access.
I've run out of places I know to look to fix this problem. I'm sure if I look in the right place it will show the wrong user or wrong domain or wrong authentication method, but I don't know where to look. Any hints for where I should go?
I'm going to blame the pandemic for this one. Evidently, when our office moved to remote and began using the VPN, our VPN settings triggered additional security features in IIS Express:
When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a security measure kicks in and doesn't allow your site to access resources on any network servers.
We could probably track down a more secure fix to the VPN settings, but our temporary solution while out of office is to not use impersonation while debugging over the VPN.
I saw similar questions like this on here but I simply can't find a good solution.
My problem:
I have an app that needs to retrieve data from a connection string, and the information that is retrieved depends on the authenticated Windows user. When I run this in the dev environment with IIS Express I get my logged-in user.
However, when I host it via local IIS I get ( IIS APPPOOL\ ) as the user. I need this to be the Windows user.
Even though I get the login, the application still outputs APPPOOL when I check this in my views.
Anyone with a good solution to this?
I tried:
#System.Web.HttpContext.Current.User.Identity.Name
#System.Security.Principal.WindowsIdentity.GetCurrent().Name
#HttpContext.Current.Request.LogonUserIdentity.Name
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
<identity impersonate="true" />
<trace enabled="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
It sounds like your application is always impersonating the application pool identity.
I can get the correct windows identity via
System.Web.HttpContext.Current.User.Identity.Name
HttpContext.Current.Request.LogonUserIdentity.Name
User.Identity.Name;
First of all, please ensure your authentication looks like this. Please disable impersonate and anonymous at the same time.
<location path="mysite">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
Secondly, please make sure your Windows authentication is not executed with the app pool credential.
Finally, you should get the correct credential.
I want to restrict access of anonymous users to the Music folder (in the root of my website). So I put this code in a web.config file in the Music folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
I tested this one too:
<allow users="*" />
<deny users="?" />
Also, the web.config file of the website has the config below:
<authentication mode="Forms">
<forms loginUrl="~/account/login" timeout="2880" />
</authentication>
<modules runAllManagedModulesForAllRequests="false">
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
<rule name="Redirect to https" enabled="true" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:0}" appendQueryString="false" redirectType="Permanent" />
</rule>
<location path="~/Music">
<system.webServer>
<handlers accessPolicy="Read" />
</system.webServer>
</location>
And this code is part of the startup.cs:
var loginPath= new UrlHelper(HttpContext.Current.Request.RequestContext).Action(MVC.Account.Login());
appBuilder.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString(loginPath),
// Other Codes
});
Now, when I browse to example.com/music/1.mp3 it returns me to /account/login, but when I log in it shows me the following error from the browser:
WebsiteName redirected you too many times.
net::ERR_TOO_MANY_REDIRECTS
Also, if I change the authentication mode to none, it shows me a prompt like this (which I don't want!):
Note1: I cleared the browser cookies but no success.
What is the reason of the redirect loop?
How can I make this work safely without a redirect loop?
Update:
My project has a return-to-URL mechanism in the login page. So when I browse to /Music/1.mp3 it redirects me to /account/login?ReturnUrl=/Music/1.mp3 and after login, based on this mechanism, it redirects me to /Music/1.mp3 automatically. I think in this step I do not have enough access permission to open /Music/1.mp3 again! And it redirects me to the login page again, and this loop continues until I get the ERR_TOO_MANY_REDIRECTS error.
Even if you set "authenticate mode" to none, as your web.config has a required login <deny users="?" />, the request will send a login request to the browser, and the browser will then ask you with its login form.
What is the reason of the redirect loop?
This error may occur for a lot of reasons. The most common is that login is redirecting to a folder that the user cannot access even once logged in.
For instance, your Music folder web.config is denying a logged-in user. Then it will redirect from the folder to the login, then login will authenticate, then it will send the user back to the folder. Since the folder is denying all users, it will send the user back to login again, and bingo, here is your loop.
You must make sure that you're not denying logged-in users.
How can I make this work safely without a redirect loop?
After the redirect from login, the server will deliver the requested .mp3 file.
Please note that when using MVC, the folders that you have in your project do not always match the path that the user types in the URL. For MVC Core applications, those contents must be in the wwwroot folder.
I have developed a simple ASP.Net MVC 4 application using Windows Authentication to run on our company's local network. It works fine when deployed on IIS. But if I run the application through Visual studio, I get error message
Here is what my Web.config file looks like:
<system.web>
<authentication mode="Windows" />
<roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime maxUrlLength="32767" maxQueryStringLength="32767" targetFramework="4.5" />
</system.web>
<system.webServer>
<modules>
<!--<remove name="FormsAuthenticationModule" />-->
</modules>
<security>
<requestFiltering>
<requestLimits maxUrl="32767" maxQueryString="32767" />
</requestFiltering>
</security>
</system.webServer>
For debugging, the application is configured to run using "Local IIS Web Server" with the "Use IIS Express" option checked in the application's Properties -> Web tab.
It turns out to be that I had to Enable Windows Authentication, Disable Anonymous Authentication in the Development Server Properties of my Project.
You need to add to project Web.config this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="1" />
</authentication>
</system.web>
Where /Account/Login is your login method from controller.
Make sure your Directory Browsing is enabled.
See this link for adding user in IIS.
I'm trying to use Windows Authentication in my ASP.NET application. Whenever I try to view the app it sends me to a login page. How can I make it work without having to manually login via the browser?
web.config
<system.web>
<authentication mode="Windows"></authentication>
<anonymousIdentification enabled="false"/>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<customErrors mode="Off"></customErrors>
<identity impersonate="true"></identity>
<compilation debug="true" targetFramework="4.0" />
<httpRuntime />
</system.web>
error after updating IIS Express
Most likely causes:
No authentication protocol (including anonymous) is selected in IIS.
Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
The Web server is not configured for anonymous access and a required authorization header was not received.
The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
applicationhost.config
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="false">
</iisClientCertificateMappingAuthentication>
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
Windows Authentication with IISExpress
Update your web.config
Make sure your web.config file both enables windows authentication and also denies anonymous authentication. HttpContext.Current.User.Identity.Name will be blank if the app falls through to anonymous authentication. Your config should look something like this:
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
Error 401.2 Unauthorized
Sometimes, you might get the error 401.2 Unauthorized: Logon failed due to server configuration error. If you do, verify that you have permission to view this directory or page based on the credentials you supplied. Also make sure you have the authentication methods enabled on the Web server.
Updating applicationhost.config
You also might find you have to update the IISExpress applicationhost.config file (don't worry, I didn't know it either). This is essentially the file version of the IIS configuration tool, where you can configure the web server itself. Finding the applicationhost.config file can be tricky. It might be in:
%userprofile%\documents\iisexpress\config\applicationhost.config
or
%userprofile%\my documents\iisexpress\config\applicationhost.config
Once you find it, update the following lines (paying special attention to enabled=true):
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
This is the article
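The advice above about not falling through to anonymous authentication, and the earlier advice about not denying logged-in users, both depend on how ASP.NET URL authorization reads <allow>/<deny> rules: top to bottom, with the first matching rule deciding. The following is an added example, not code from any of the posts, that applies that ordering to three <authorization> blocks copied from this page; the function names and the test identities are assumptions, and the verbs attribute is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed test identities (assumptions, not from the page).
ANON = {"name": "", "roles": set()}                    # unauthenticated request
USER = {"name": r"NG\alice", "roles": set()}           # logged in, no group
TRAINED = {"name": r"NG\bob", "roles": {r"NG\All-Trained-Users"}}

# <authorization> blocks as they appear in the posts on this page.
ALLOW_THEN_DENY = '<authorization><allow users="*" /><deny users="?" /></authorization>'
DENY_THEN_ALLOW = '<authorization><deny users="?" /><allow users="*" /></authorization>'
ROLE_ONLY = r'<authorization><allow roles="NG\All-Trained-Users" /><deny users="*" /></authorization>'

def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def matches(rule, user):
    """True if one <allow>/<deny> element applies to this user."""
    for u in _split(rule.get("users", "")):
        if u == "*":                                   # everyone, anonymous included
            return True
        if u == "?" and not user["name"]:              # anonymous only
            return True
        if user["name"] and u == user["name"].lower():
            return True
    roles = {r.lower() for r in user["roles"]}
    return any(r in roles for r in _split(rule.get("roles", "")))

def evaluate(authorization_xml, user):
    """Walk the rules top to bottom; the first matching rule decides."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and matches(rule, user):
            return rule.tag
    return "allow"   # nothing matched: the inherited default is <allow users="*"/>

def unreachable_rules(authorization_xml):
    """Rules placed after a users="*" rule can never be evaluated."""
    rules = list(ET.fromstring(authorization_xml))
    for i, rule in enumerate(rules):
        if "*" in _split(rule.get("users", "")):
            return [(r.tag, dict(r.attrib)) for r in rules[i + 1:]]
    return []

if __name__ == "__main__":
    for name, cfg in [("allow-then-deny", ALLOW_THEN_DENY),
                      ("deny-then-allow", DENY_THEN_ALLOW), ("role-only", ROLE_ONLY)]:
        print(name, {k: evaluate(cfg, u) for k, u in
                     [("anon", ANON), ("user", USER), ("trained", TRAINED)]},
              "unreachable:", unreachable_rules(cfg))
```

With <allow users="*" /> listed first, the <deny users="?" /> line is never reached, so URL authorization alone does not stop an anonymous request; in that layout only the IIS-level anonymousAuthentication enabled="false" setting does.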
We use Windows authentication for almost all of our intranet apps, including SharePoint. Employees must log in if their browser doesn't automatically send their Windows credentials to the site.
On IE, this is a matter of the browser's configuration. I think there are also ways to configure Chrome and Firefox to send the Windows login automatically. I think Chrome will follow Windows' internet settings (on the client) just like IE. Try to set the User Authentication options to "Automatic Logon with current username and password".
See below screenshot for an illustration to where that is.
Also note that this involves the user's browser sending a Windows Token to the application. The application must understand and trust the source of this token, and this would work with the support of a "domain" in which both the user and application reside in. I think it will work on a single machine (while you are debugging), but if you want this to work on multiple computers on a network, you need to look into creating a domain. A typical way to create a domain is Active Directory.
Let me know.
When debugging my web app in VS 2017, I found I needed to update [solution path]\.vs\config\applicationhost.config. I replaced the authentication section with:
<authentication>
<anonymousAuthentication enabled="false" userName="" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="false">
</iisClientCertificateMappingAuthentication>
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
More here: https://stackoverflow.com/a/4813716/555142
Open IIS (Windows + R 'inetmgr')
Select the IIS Server (Root Node)
Double Click - 'Authentication'
Windows Authentication - Right-click and select 'Enable'
Forms Authentication - Right-click and select 'Disable'
Restart the IIS Server
I was able to get it working by removing the Negotiate provider.
<windowsAuthentication enabled="true">
<providers>
<add value="NTLM" />
</providers>
</windowsAuthentication>
I have placed a C# web app on our IIS server, creating an application for it. I then changed the "Authentication" type to Windows authentication for the site and also for the XML tags in my web config file. Now, when I navigate to the site, it asks me for the login username and password, but then does not authenticate, asking over and over for my credentials. In the browser login popup, I am typing
Domain\Username
Password.
How can I see why it will not authenticate, or find out what is wrong? I have done everything in the articles I have found, but cannot find the issue. It is as if the server does not authenticate, and yet I can remote desktop to it with the same credentials, so it is on the domain.
Here is my web.config file snippet with the settings:
<system.web>
<authentication mode="Windows" />
<identity impersonate="false"/>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
enable="true" />
I also added the same configuration to the application host file on the IIS server. The entry is below:
<location path="TaxFormerWebApp">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" useKernelMode="true">
<extendedProtection tokenChecking="None" />
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
<anonymousAuthentication enabled="false" />
</authentication>
<requestFiltering>
<fileExtensions applyToWebDAV="false" />
<verbs applyToWebDAV="false" />
<hiddenSegments applyToWebDAV="false" />
</requestFiltering>