I have a website hosted on nodejs, using http-proxy-middleware where I proxy all the api calls to an ASP.NET API.
I have the ASP.NET api deployed on a remote IIS server (not on my computer but in the domain) with windows authentication on with NTLM only and I have this in the web.config:
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
<authentication mode="Windows" />
</system.web>
When I set up my website on a local IIS server (on my computer) and set its authentication to anonymous this works correctly, no login popups.
Calling the api from postman with NTLM authentication also works perfectly.
But when I deploy the website to the remote IIS server I can open the site without problems but when the site queries the API I get a login popup that does not accept my credentials (mydomain\myusername), it will instead show the popup again and again in chrome but stop after 3 tries in IE and return a 401 unauthorized error.
Because this works locally I'm thinking the problem must be somewhere with the IIS server but I cannot figure out what it is.
There was a problem with the IIS server, when trying to fix the problem I often switched between anonymous and windows authentication but the changes didn't work unless i restarted the IIS by writing iisreset /noforce in the command console afterwards
By doing this on the remote IIS it worked like it did on my local IIS.
Related
We have an application which is developed using MVC3 and .Net framework 4.0. To prevent HTTP Verb Tampering, we have included below code in application's web.config file. In local machine given fix was working as expected and returns 401 unauthorized code.
<authorization>
<allow verbs="GET" users="*" />
<allow verbs="POST" users="*" />
<deny verbs="*" />
</authorization>
When we deployed the same code, test result returns 202 OK. So the fix is not working. Is there any way around that we can fix this issue?
Are you are working with the "Play" button on Visual Studio? Is this using a IIS Express or are you really "deploying" that to an IIS WebAPP on your local machine?
I usually do not use the "Play" button when I am developing for IIS, specially when I am developing for a specif IIS Server. When that happens, I try to have the same IIS Server configuration on my machine and create a WebApp pointing to my Dev folder to test it.
If you are having trouble to config your web.config, I would use the IIS visual tools, check the modifications made on the web.config and commit that.
Please note that there are some differences in the configuration in the ASP.NET side and on the IIS side:
Please check this website:
https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization
And refer to these notes:
Differences Between ASP.NET URL Authorization and IIS URL Authorization
There are small but important differences between ASP.NET UrlAuthorization and IIS URL Authorization.
ASP.NET Url Authorization is installed when you install ASP.NET on top of IIS.
This refers to IIS 7.0
Even though several configurations are compatible between one IIS to another, some specific changes might apply.
I have published both my WCF service and ASP.NET Web application in IIS but i seem to have a problem connecting to the database after publishing. Its like the two cannot see each other. I have tested both and saw that they have been successfully published.
the service reference is referenced in the web application and works as normal when i run the web application locally but not working after publishing.
Is there a setting that i am missing. Both are hosted on IIS.
There is possibility that you are using
Windows authentication, I mean if Integrated Security = true in your connection string than make sure your Windows authentication enabled in your IIS.
Do this if this is the case.
IIS7: Setup Integrated Windows Authentication like in IIS6
if this is not the case than this answer is helpful for you
Change connection string from development to production when publishing
In my project, I use windows authentication for auditing purposes (rather than logging in), so I know who has made certain changes. The variable used to access the usernames is User.Identity.Name and I have also made sure to set up my web.config file correctly:
<system.web>
<authentication mode="Windows" />
</system.web>
This all worked fine, but I have recently published my project to a live server and for some reason it has stopped seeing the usernames (it now logs a blank string instead), even though it worked on my local machine. Any idea what I may have missed to make this work on a live server? It still works with no problems on my local machine.
I've created a WebApi with .Net.
On localhost (Visual Studio) all works well.
Also, when I publish it on a IIS 7 on a Windows Server 2008, it works well too.
Now I want to secure some methods.
I've created as
public class BasicAuthHttpModule : IHttpModule
and in the web.config I configured this as
<system.webServer>
<modules>
<add name="BasicAuthHttpModule" type="WebHostBasicAuth.Modules.BasicAuthHttpModule"/>
</modules>
</system.webServer>
The mehod I want to secure has [Authorize] above it.
On my localhost (debug in Visual Studio) it works well again.
With Postman I see that I can access the method with the specified username/password.
But when I put this on the IIS server, I get a 500 Internal Server Error:
500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed
Must I configure IIS somewhere to achieve this, or has this an other cause?
Ensure that you have "Basic Authentication" installed for your IIS server.
Follow the steps as to how to manage which features are installed for IIS on your server by following the steps provided here: http://technet.microsoft.com/en-us/library/cc771209.aspx
Ensure that the feature "WWW-Service" -> "Security" -> "Basic Authentication" is selected.
Alternatively, ensure that the IIS user has the required rights to the folder/files of your site. Depending on what your site does, "Read and Execute" could be enough.
The user that is used for IIS7 is IIS_IUSRS.
Additional reading on the users of IIS can be found here: http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis
Already solved it!
I've discovered that there were two <modules> inside the <system.webServer> what caused the error
I'm using forms authentication and launching a site from Visual Studio 2010. It is using the Visual Studio Development (web) Server and not IIS. The web.config has:
<authenticaion mode="Forms">
<forms name=".MyApp" protection="All" cookieless="UseCookies"/>
</authentication>
The login page is using the ASP.NET login control. Before the user even logs in, I can see following:
HttpContext.Current.Request.LogonUserIdentity.AuthenticationType == "NTLM"
HttpContext.Current.User.Identity == System.Security.Principal.GenericIdentity
HttpContext.Current.User.Identity.AuthenticationType == "NTLM"
This user seems to be authenticated as a local system user and not a web user. Doesn't this mean the user will always be authenticated, regardless if they logged into the site or not?
How is a web user NTLM?
As far as I know cassini does does not support Windows authentication.
Its runs as a local system account and thats what you see as NTLM authenticated.
If you are developping/debugging security features for an Asp.Net application (or WCF) I highly suggest you deploy to IIS.
If I'm not mistaken you're seeing yourself as being the User (being authenticated) running Visual Studio (in your user context) when you are debugging using VS and it's dev server.
Visual Studio runs in your context (your Windows user account/permissions, etc.) - Request.LogonUserIdentity.User
It shouldn't affect your debugging of Web Forms/Forms Authentication. After successful Forms Auth Login, you can obtain HttpContext.User.Identity.Name of the "forms auth user" (web user).