I have a website deployed on a server with its own domain. Is it possible to get the Windows username when that website is launched?
Say I have a website on foobar.com. When I access the site from any random Windows desktop, I want to retrieve the Windows username from the client side.
I use this in code to access the username:
HttpContext.Current.Request.LogonUserIdentity.Name;
But this brings up a login prompt for the server that the website is residing on, which doesn't help me. Even if I did log on to that server, it is still not getting the current user's Windows username.
I have searched almost every post relating to this, but none are specific in this scenario.
IIS is set up for Windows auth only. Any info on this is appreciated.
I have finally come to the conclusion that this is not possible. Instead, I went with integrating with Azure AD.
Related
We have an MVC application that validates Windows users by instantiating a PrincipalContext, locally and for domain users. However, this immediately fails when a connection to the domain cannot be made. Is there a way to leverage the capability of Windows to still validate domain credentials when disconnected from the domain?
We see that in SSMS you can also use Windows authentication after the server has lost access to the domain.
To be clear, the machine is joined to the domain but does not have access to the domain controller, i.e. a corporate laptop that is taken home.
Thanks for the help in advance.
The answer is in how Kerberos (and I believe NTLM is similar) works in that they use session tickets. So once authentication is successful against a domain controller, you have a "ticket" that proves you authenticated. When you authenticate to anything else that requires Windows authentication, the ticket is sent.
To take advantage of this, you must use the built-in Windows authentication. You cannot take a username and password and try to authenticate them that way.
If everyone who uses your website can use Windows authentication - then you can enable it for your whole site.
If you have a mixed audience - some who have a domain account and some that don't - it's a little trickier, but still doable. I've done it. You can look at the OWIN-MixedAuth project. I haven't used that specifically.
That project seems to use a separate button for the Windows authentication. When I did it, I made it seamless (it tries Windows auth and falls back to a login page). I did that by doing an AJAX request in the background to a page that requires Windows authentication, and if it succeeds, just forward on. If it fails, show the login fields.
All that said, I don't know if it will work if the server cannot reach the domain. It will probably work for users who have already authenticated to the site before it lost connection to the domain, or if the site is hosted on the same computer that it is being accessed from. But it might not work if a user it has never seen before tries to log in while there is no access to the domain. You will have to test.
But the benefit of using Windows authentication anyway is that you can make the login seamless. As long as the site is in your Trusted Sites (in the Windows Internet Options) then IE and Chrome will automatically send the user's credentials.
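The background probe with fallback described in this answer can be sketched as follows. This is an added example, not code from the answer or from OWIN-MixedAuth; the probe URL `/auth/windows-probe` and its JSON response shape `{ "user": "DOMAIN\\name" }` are assumptions.

```javascript
// Added example. PROBE_URL is a hypothetical page on the same site that IIS
// serves with Windows authentication required; it is assumed to return
// 200 with {"user": "DOMAIN\\name"} when the browser authenticated.
const PROBE_URL = "/auth/windows-probe";

// Pure decision step: map the probe's HTTP result to a login mode.
function decideLoginMode(status, body) {
  // 401/403: no usable Windows credentials were sent, so show the form.
  if (status === 401 || status === 403) {
    return { mode: "form", reason: "not-authenticated" };
  }
  if (status !== 200) return { mode: "form", reason: "probe-error" };
  const user = body && typeof body.user === "string" ? body.user.trim() : "";
  if (user === "") return { mode: "form", reason: "no-identity" };
  // The name is for display only. Authorization must rely on the identity
  // the server reads from the authenticated request, never on this value.
  return { mode: "windows", user };
}

// Runs the probe; any failure (network error, timeout, bad JSON) falls
// back to the login form instead of blocking the page.
async function probeWindowsAuth(fetchImpl = fetch, timeoutMs = 3000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(PROBE_URL, {
      method: "GET",
      credentials: "same-origin", // same-site only; no cross-origin credentials
      cache: "no-store",          // never reuse a cached probe answer
      redirect: "error",          // a redirect is not proof of authentication
      signal: controller.signal,
    });
    const body = res.status === 200 ? await res.json() : null;
    return decideLoginMode(res.status, body);
  } catch (err) {
    return { mode: "form", reason: "probe-failed" };
  } finally {
    clearTimeout(timer);
  }
}
```

A page script would call `probeWindowsAuth()` on load and either forward the user on (`mode: "windows"`) or reveal the login fields (`mode: "form"`).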
Is it possible to have the C# code for my ASP website run as the user who is authenticated through Windows authentication?
After spending a bit of time researching I understand I would need impersonation, but when I configure impersonation for example like this: <identity impersonate="true" /> I get an error from IIS about how the web config is set up wrong for integrated pipeline. Bypassing the error with: does work but the code is not executed as the authenticated user but instead as the defaultAppPool and so the IIS user.
I know this is probably not the best question, I just can't wrap my head around impersonation with Windows authentication.
You can verify the user with an LDAP/AD combination. This means the user enters the username and password from his own Windows account and sends this data to a server that can check if this data is right. Of course this will work for local networks with a single LDAP server.
Try following links for info: https://www.codeproject.com/Articles/18742/Simple-Active-Directory-Authentication-Using-LDAP
https://msdn.microsoft.com/en-us/library/ff649227.aspx
I would not want elevated rights in IIS. I would hand all data needed to do the job to another service that really does this work (as the right user).
I am having this strange problem with Windows Authentication in ASP.NET.
A user complains that he cannot use his username to access one of my systems. However, the username is correct and every other user is able to access it.
When I tried to use my C# code to query the Active Directory to look for that user, I got an error that the user is not there! But he is.
When I sent this to our technical team, they said that it is because the username is "too long", and then they gave me another one, which worked.
How can a user have an active username on AD and still not be able to use it to log in to an ASP.NET web app?
Any idea?
I am working in C# on a web application that requires a login username and password. This application is made to be compatible with Windows and is being written in VS 2013. In this company's network, all computers require user credentials, and in all cases the user's credentials for the app will be the same as their Windows logon credentials. Therefore we are trying to implement a system where, instead of signing onto Windows and then entering the same credentials again in the app, the app can access the Windows credentials that were given by the current user and attempt to sign in automatically with those. I know there is a way to do this using active directory with Azure, but for the time being we are trying to avoid using Azure. I have tried using WindowsIdentity.GetCurrent() and Environment.UserName so far, but both of those only supply the username, not the password, and we need the full credentials. It wouldn't shock me if this cannot be done in this way for security purposes, but if there is a way it would be incredibly helpful. Does anyone know of a way to access the current user's credentials? Thanks
You don't need Azure to accomplish this. Your application pool simply needs to have Windows Authentication enabled. You will not have access to the password, however.
After that, you will most likely need to write an HttpHandler which will get the HttpContext.Current.User.Identity value and check it against a database or collection of authorized users. You don't need to "re-authenticate".
I have an ASP.NET web application running on an IIS server, and I need to find the visitor's login username.
How can I find this? When testing locally it found my username using new WindowsPrincipal(WindowsIdentity.GetCurrent());, but it finds NETWORK SERVICE when running the app on the server.
I assume you use forms authentication. Try:
User.Identity.Name