ASP.NET and IIS impersonate not working [duplicate] - c#

I have a .NET 3.5 application running under IIS 7 on Windows 2003 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other security types disabled and my application web.config file authentication/authorization is set up as:
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="3.5" />
<authenticationmode="Windows"/>
<authorization>
<deny users = "?" />
</authorization>
</system.web>
With this setup, I'm expecting behind the scene verification of the Windows user to allow access and deny anonymous users. However, what I'm getting is a Windows login pop-up when I try to access the site.
I have been troubleshooting this issue for a few days now and cannot figure out the problem. Based on posts with similar problems, I confirmed my URL does not include any periods, double checked that my IE settings are set to Enable Integrated Windows Authentication, and also added my URL to my intranet sites, but still getting the pop-up.
To troubleshoot it further, I enabled Anonymous Authentication in IIS and modified my web.config file to which lets me right in and then added Response.Write(System.Security.Principal.WindowsIdentifity.getcurrent().user.name.toString()) to try to see what user is being used in the authentication. The result I'm getting is IIS APPPOOL\myapp which is obviously the IIS application pool for my application.
I really appreciate any help anyone can provide so that I'm still using only windows authentication but don't get the pop-up and the windows authentication is performed against the actual Windows user.
Thanks.
Additional note after troubleshooting further:
Just noticed that when the login fails and the Windows login prompt displays again, it is showing the username that attempted to login as "SERVERNAME"\"USERNAME" which led me to believe it was trying to validate the user against the server vs. the domain. To confirm this, I created a local user account directly on the app server with the same username and password as the network domain user and tried to login again. The result was that I received the login prompt again but when I entered the username and password this time, I was able to successfully login. The network user and app server are on the same domain so really not sure why IIS authentication is pointing to the local app server accounts and not to the domain accounts. I realize this is an IIS question at this point so posting on forums.iis.net as well but appreciate any advice anyone may have since have been troubleshooting this for days.

I have a Windows 2008 server that I'm working on, so my answer is not completely the same as what the OP has on a Windows 2003 server.
Here is what I did (recording this here so I can find it later).
I was having this same issue:
In my Web.config file, I had this section:
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
</system.web>
Under IIS, all of these seems to be solved under the Authentication icon.
Edit Permissions: Make sure your ASP.NET account has permission. Mine was not originally added.
Now go into the features of Authentication:
Enable Anonymous Authentication with the IUSR:
Enable Windows Authentication, then Right-Click to set the Providers.
NTLM needs to be FIRST!
Next, check that under Advanced Settings... the Extended Protection is Accept and Enable Kernel-mode authentication is CHECKED:
Once I did this, I went back to my web application, clicked the Browse link, and logged in without having to provide my credentials again.
I hope this proves beneficial to many of you, and I hope it is useful for me later as well.

Just for other people's benefit. If the error is a 401.1 Unauthorized and your error code matches 0xc000006d, then you're actually running into to a security "feature" that blocks requests to FQDN or custom host headers that don't match your local machine name:
Follow this support article to fix the issue:
https://webconnection.west-wind.com/docs/_4gi0ql5jb.htm (original, now defunct: http://support.microsoft.com/kb/896861)
From the support article, to ensure it doesn't get lost:
The work around is a registry hack that disables this policy
explicitly.
To perform this
configuration manually find this key in the registry on the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
and edit or add a new key:
DisableLoopbackCheck (DWORD)
then sent the value to 1 to disable the loopback check (local
authentication works), or to 0 (local authentication is not allowed).
Or more easily you can use Powershell:
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name
"DisableLoopbackCheck" -Value "1" -PropertyType dword
It looks like
recent builds of Windows 10 (1803 and later?) also require this
configuration setting in order to authenticate locally.
This one took me awhile because everyone else's comments here failed to help me. I found this article and it fixed it!

I had a similar issue whereby I wanted to protect only a certain part of my website. Everything worked well except in IE. I have both Anonymous and Windows Authentication enabled.
For Anonymous, the Identity is set to the Application Pool identity. The problem was with the Windows Authentication. After some digging around I fired up fiddler and found that it was using Kerberos as the provider (actually it is set to Negotiate by default). I switched it to NTLM and that fixed it.
HTH
Daudi

Add permission [Domain Users] to your web security.
Right click on your site in IIS under the Sites folder
Click Edit Permissions...
Select the Security tab
Under the Group or usernames section click the Edit... button
In the Permissions pop up, under the Group or user names click Add...
Enter [Domain Users] in the object names to select text area and click OK to apply the change
Click OK to close the Permissions pop up
Click OK to close the Properties pop up and apply your new settings

If your URL has dots in the domain name, IE will treat it like it's an internet address and not local. You have at least two options:
Get an alias to use in the URL to replace server.domain. For example, myapp.
Follow the steps below on your computer.
Go to the site and cancel the login dialog. Let this happen:
In IE’s settings:

Don't create mistakes on your server by changing everything. If you have windows prompt to logon when using Windows Authentication on 2008 R2, just go to Providers and move UP NTLM for each your application.
When Negotiate is first one in the list, Windows Authentication can stop to work property for specific application on 2008 R2 and you can be prompted to enter username and password than never work. That sometime happens when you made an update of your application. Just be sure than NTLM is first on the list and you will never see this problem again.

This fixed it for me.
My Server and Client Pc is Windows 7 and are in same domain
in iis7.5-enable the windows authentication for your Intranet(disable all other authentication.. also No need mention windows authentication in web.config file
then go to the Client PC .. IE8 or 9- Tools-internet Options-Security-Local Intranet-Sites-advanced-Add your site(take off the "require server verfi..." ticketmark..no need
IE8 or 9- Tools-internet Options-Security-Local Intranet-Custom level-userauthentication-logon-select automatic logon with current username and password
save this settings..you are done.. No more prompting for username and password.
Make sure , since your client pc is part of domain, you have to have a GPO for this settings,.. orelse this setting will revert back when user login into windows next time

WindowsIdentity.GetCurrent is correct: you should get the APPPOOL user. This is because the ASP.NET process, which is executing your code, is the current identity. If you want it to return the user hitting the site's identity, you'll need to add the following line in your web.config:
<identity impersonate="true" />
This causes the process to assume the identity of the user requesting the page. All actions will be performed on their behalf, so any attempts to read folders on the network or access database resources and the like will mean the current user will need permissions to those things. You can read more about impersonation here. Note that depending on how your web/database server topology is set up, you may run into delegation issues with impersonation turned on.
But your original issue is that it appears the identity cannot be determined and you're getting a login popup. I'll note that you do not need the <deny> block if you have disabled anonymous authentication in IIS. We never include it (except in special <location> blocks and such) so I would say you might try removing it and trying again. Everything else sounds right, though.
You didn't specify what user is running the application pool in IIS. Is it a custom account or is it the default one? If it is custom, is it a domain account or a local account on the web server? Custom accounts can sometimes require a few more steps, such as registering a SPN. Also, it may be a problem with the custom account not having permission in AD for resolving the incoming user's account.
You might also check the IIS logs to see what response is being returned. It'll most likely be a 401, but it should have a sub number after it like 401.2 or something. That sub-number can sometimes help determine the root problem. This KB article lists five.

Can be browser related. If you are using IE, you can go to Advanced Settings and check you the "Enable Windows Integrated Authentication" checkbox is checked.

In my case the authorization settings were not set up properly.
I had to
open the .NET Authorization Rules in IIS Manager
and remove the Deny Rule

In our Intranet the issue was solved on the client side by tweaking settings in security as shown here. Either of the check boxes on the right worked for us.

I just solved a similar problem with an ASP.Net application.
Symptoms:
I could log in to my app using a local user, but not a domain user, even if the machine was correctly joined to the domain (as you say in your Additional Note). In the Security event viewer, there was an event with ID=4625 "Domain sid inconsistent".
Solution:
I found the solution here. The problem was that my test machines where cloned virtual machines (Windows Server 2008 R2; one Domain Controller, and one web server). Both had the same machine SID, which apparently caused problems. Here is what I did:
Remove the web server from the domain.
Run c:\Windows\System32\Sysprep\Sysprep.exe in the VM.
Reboot the VM.
Join the web server to the domain.
You loose some settings in the process (user preferences, static IP, recreate the self-signed certificate), but now that I have recreated them, everything is working correctly.

I also had the same issue. Tried most of the things found on this and other forums.
Finally was successful after doing a little own RnD.
I went into IIS Settings and then into my website permission options added my Organizations Domain User Group.
Now as all my domain user have been granted the access to that website i did not encounter that issue.
Hope this helps

I tried the above IIS configuration tricks and loopback registry hack, and I reviewed and recreated app pool permissions and a dozen other things and still wasn't able to get rid of the authentication loop running on my development workstation with IIS Express or IIS 7.5, from a local or remote browsing session. I received four 401.2 status responses and a blank page. The exact same site deployed to my IIS 8.5 staging server works flawlessly.
Finally I noticed markup in the Response Body that was rendered blank by the browser contained the default page for a successful log in. I determined that Custom Error handling for ASP.NET and HTTP for the 401 error was preventing/interfering with Windows Authentication my workstation but not the staging server. I spent several hours fiddling with this, but as soon as I removed custom handling for just the 401 error, the workstation was back to normal. I present this as yet one another way to shoot your own foot.

I was having this issue on .net core 2 and after going through most suggestions from here it seems that we missed a setting on web.config
<aspNetCore processPath="dotnet" arguments=".\app.dll" forwardWindowsAuthToken="false" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
The correct setting was forwardWindowsAuthToken="true" that seems obvious now but when there are so many situations for same problem it's harder to pinpoint
Edit: i also found helpful the following Msdn article that goes through troubleshooting the issue.

Have you tried logging in with your domain prefix, e.g. DOMAIN\Username? IIS 6 defaults to using the host computer as the default domain so specifying the domain at logon may solve the problem.

add to registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa solved my problem.

Create the Local Security Authority host names that can be referenced in a NTLM authentication request.
To do this, follow these steps for all the nodes on the client computer:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
In the Name column, type BackConnectionHostNames, and then press
ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the CNAME or the DNS alias, that is used
for the local shares on the computer, and then click OK.
Note
Type each host name on a separate line. If the
BackConnectionHostNames registry entry exists as a REG_DWORD type,
you have to delete the BackConnectionHostNames registry entry. Exit
Registry Editor, and then restart the computer.
Source: Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: Access denied or No network provider accepted the given network path
For what it's worth, I did not need to restart after making the change on Windows Server 2019.

Windows authentication in IIS7.0 or IIS7.5 does not work with kerberos (provider=Negotiate)
when the application pool identity is ApplicationPoolIdentity
One has to use Network Service or another build-in account.
Another possibility is to use NTLM to get Windows Authenticatio to work (in Windows Authentication, Providers, put NTLM on top or remove negotiate)
chris van de vijver

I had the same problem cause the user (Identity) that I used in the application pool was not belowing to IIS_IUSRS group. Added the user to the group and everything work

In my case the solution was (on top of adjustments suggested above) to restart my/users' local development computer / IIS (hosting server).
My user has just been added to the newly created AD security group - and policy didn't apply to user AD account until I logged out/restarted my computer.
Hope this will help someone.

I encountered the same credential prompting issue, and did a quick search and nothing on the internet would fix it. It took some time to find the problem, a silly one.
In IIS -> Advance Setting -> Physical Path Credential (is empty)
As soon as i added a machine ID (domain/user) that has access to the VM/server, the password prompting would stop.
Hope this helps

I got the same issue and it was resolved by changing the Application pool identity of the application pool under which the web application is running to NetworkService

Related

ASP.NET Windows Authentication - Page cannot be displayed

I have created a simple WebForm asp.net web site. I have disabled the Windows Authentication checks within the code but set IIS8 to "Windows Authentication" as well as the web.config. I perform the Indentity.IsAuthenticated check in the backend to ensure the user is authenticated.
My issue is I get "The page cannot be displayed, please check your URL is correct". (This is in IE)
If I set my authentication to Anonymous the site works fine. I disable Anonymous Authentication and enable Windows Authentication only and receive this error. I have done quite abit of reading now and think I am just missing something small.
I used the IIS "default site" and set it to Windows Authentication and got a login prompt (as expected).
The server is running IIS8, windows 2012. Windows Authentication is installed as a feature, IIS site settings is set to use Windows Authentication only, as is the web.config. The web.config doesn't have Authorization tags for deny and allow but has <authentication mode="Windows" />. The errors occur on both IE and FireFox. No windows events are logged so i assume it's purely a authentication error that isn't displaying the site. The AppPool is set to Identity.
I think what confuses me most is the "default site" (with no code or logic) works and my site doesn't. The default site also doesn't have a web.config.
Any ideas would be grateful.
The issue may have to do with Kereberos.
I had the same issue and whilst troubleshooting server side issues, my co worker indicated that he was able to access the site.
It was then I realized my issue was a client side issue. Something may have been wrong with my Kerberos tickets. Maybe the domain controller that initially issued the ticket to me went offline. Rebooting my workstation was what got windows authentication working for me again.
Some other things you can try are:
Try changing your windows authentication provider to NTLM as a test.
Click on the site -> Click Authentication -> Click Windows Authentication -> Click Providers
Move NTLM to the top or add it if it isn't there.
Click ok.
IISReset. And try again.
If you prefer to use Kerberos, you may have to set the service principal names using the setspn.exe command.
For more information on Kerberos
https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
Other things to check:
- Check your authorization rules and .NET Authorization Rules to ensure All Users are allowed to access the site.
Look in your IIS logs located at C:\inetpub\logs for more clues. In the folder, you'll find a folder for each site named after the site's id. You can find the site id clicking Sites on the IIS Management console. The site ids of each site will be displayed there.
Verify the application pool identity of the site has enough permissions.

Getting asp.net c# code to run as Windows Authenticated user

Is it possible to have the c# code for my asp website to run as the user who is authenticated through windows authentication?
After spending a bit of time researching I understand I would need impersonation, but when I configure impersonation for example like this: <identity impersonate="true" /> I get an error from IIS about how the web config is setup wrong for integrated pipeline. Bypassing the error with: does work but the code is not executed as the authenticated user but instead as the defaultAppPool and so the IIS user.
I know this is probably not the best question, I just can't wrap my head around impersonation with windows authentication.
You can verify user with LDAP/AD combination. This means user enters username and password from his own windows account and sends this data t server that can check if this data right. Of course this will work for Local networks with single LDAP server.
Try following links for info: https://www.codeproject.com/Articles/18742/Simple-Active-Directory-Authentication-Using-LDAP
https://msdn.microsoft.com/en-us/library/ff649227.aspx
I would not want elevated rights in IIS. I would hand all data needed to do the job to another service that really does this work (as the right user).

ASP.NET Accessing Client Windows Credentials

So I have spent almost all day researching for a solution to this question and have tried a multitude of things to no avail. First, let me set the situation up. The core solution I need is to access a user's Windows Credentials on a site hosted on IIS 6.1 Server. Everything else regarding access to pages and other role based functionality I have already handled. As a side note, this site is going to be accessed through an intranet and by far the primary browser IE9.
Now when running the project locally, something like
HttpContext.Current.User.Identity worked fine.
But, as mentioned in the premise of the problem, when a user accesses the site, that function is returning the server's window's credentials and not the users. (Specifically it was returning something like AppPool\Project)
So, I tried changing the IIS server settings. I disabled Anonymous Access, changed the apps configiration to Network Service, Enabled Windows Authentication, moved NTFM as the primary provider, changed the web config to have this:
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
(I have tried changing impersonate to both true and false)
I have also tried different ways of returning the name of the user, like User.Identity, Environment.Name etc. etc.
Here is what I am trying to avoid:
ASP.NET Default Windows Role Based Setup - This solution was used in another project, but the end users did not like receiving a login window when they did not have access to a page.
Changing Internet Explorer Settings- During my research, I saw some solutions proposed changing the trusted sites. I do not have the ability to change this information and would like a solution that does not require a user to modify their IE settings (The option to use Integrated Windows Credentials is already checked for all users)
If anyone has a solution to this problem, it would be greatly appreciated.

Impersonation issue with ASP.NET MVC

I'm having a strange problem while using impersonation with ASP.NET MVC. I have a site that checks the status of different servers by reading some configurations files on each one of them. The app can also modify such files. Because the app will be used by several people (all of them with administrative grants in the servers),I need to have a log of all the changes done. I enabled Windows authentication to my site in IIS7 and also enabled id impersonation by adding the following to my web.config file.
<identity impersonate="true"/>
Just to be sure that the impersonation is working correctly, every time a user logged in I use the following to obtain the user that will be sending all the requests.
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
When I enter the site from my Visual Studio environment, everything works correctly, the user logged is my NT id rather than the NETWORK SERVICE user and I'm able to access the remote files without problems. However, when I publish the site to our server it stops working. Even though it does seem that the impersonation is working because the NT id of the logged user is shown as the windows identity, I cannot access the files. What I found even weirder is that if I access the site directly on the server's browser, everything works ok, so I'm not sure where's the problem. In resume, here's what I'm dealing with.
Id impersonation works from development environment
Id impersonation works browsing directly in the server where the site is.
Id impersonation doesn't work when accessing the site from a browser outside the server. Even though the logged user name corresponds to the impersonated user profile, the site can not access the remote files.
Does anybody have an idea of what might be wrong? I'm kind of lost with this one...
In order to access remote files on behalf of an impersonated client, your server needs to be trusted for delegation. See this KB article for more info, or just google "trusted for delegation".

System.Security.SecurityException: Request for principal permission failed

Can anyone help point me in the right direction of how I might be able to fix this error?
System.Web.Services.Protocols.SoapException: Server was unable to process request.
---> System.Security.SecurityException: Request for principal permission failed.
at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
at System.Security.Permissions.PrincipalPermission.Demand()
at System.Security.PermissionSet.DemandNonCAS()
at LiveDocx.MailMerge.SetLocalTemplate(String template, String format)
I have installed this software that my company purchased from LiveDocx. So, I don't have ability to modify code or even read the code. I have installed everything according to their documentation and the site is confirmed to work. I can only change settings in IIS, folder permissions, and Web.config. Our server, their software.
Now, I am having issue with staying logged into the webservice. Before you think it is the soap client, I have confirmed that it works by calling the vendor's servers.
Locally, I can successfully call the web service during login and it works fine. However, when I make a subsequent call, I get the Request for principal permission failed.
At the request of their technical support, I have added <trust level="Full" /> to the web.config, but that didn't work. Now, they have stopped replying to our emails.
I am not an ASP.NET developer, so my knowledge is limited on server settings. Can someone point me in the right direction why this error happens and a few places to look to resolve this issue?
I finally found a solution. This error about permissions is a bit misleading. After lots of trial and errors, I finally accepted the Application Pool user's permissions had nothing to do with this problem. Which lead me to investigate the web.config settings and that is where I found the problem.
The problem was that the supplied web.config file was missing <authentication> tag and the required settings. This tag (from my understanding) is what enables cookies. I hope this helps others with this error even if not related to LiveDocx. Seems Request for principal permission failed. can be caused for various reasons which makes it a frustrating error.
This article was very helpful How To: Use Membership in ASP.NET 2.0
I would suspect the identity of the user that is executing the request, which is most likely the ASP.Net Application Pool user for the web site your IIS application is running in.
The easiest way to test this is to create a new application pool for your IIS application (unless there are no other apps in your current app pool), choose a different identity for the app pool (you could start with network service, but it may require a local user), then assign your app to that pool.
This should tell you if it's a permissions problem with the app pool identity.
I ran into this because I had an application under a website configured to use the wrong cookie name.
The web.config at my root web site looked like this
<authentication mode="Forms">
<forms name="AuthCookie" path="/"></forms>
</authentication>
and the application under it had a web.config under that looked like this
<authentication mode="Forms">
<forms name="WRONGCOOKIENAME" path="/"></forms>
</authentication>
The application had web form with a constructor that looked like this
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = "Foo", Authenticated = true)]
So it required authentication but it didn't have it because the cookie name was wrong. Fixing the cookie name resolved the error.
I had a similar issue and I was using a forms application and keep on getting this issue. I was also using Principal permission and Security Action Demand.
I tried all the web.config related settings and the final issue was with the application pool.
If you are having the application migrated from WinXP to Win7 and other higher version you might see there is a Managed Pipeline which is by default pointing the website to Intergrated mode. I changed this to classic mode which has fixed the issue. Hopefully this would help the members who are trying to move the application from WinXp to Win7
After lot of trial and error with respective of reading all blogs and answer's post, i was still not able to resolve it.
Finally, I suspect on thing in my Project.
We are DevExpress product which got expired before some days, So as per my assumption it should be Licensed as so we purchased the license for the same now it's started working normally.
P.S.: If you're using any Licensed Product, You might get this error as well. So do also check about License.

Categories

Resources