I have developed a simple ASP.Net MVC 4 application using Windows Authentication to run on our company's local network. It works fine when deployed on IIS. But if I run the application through Visual studio, I get error message
Here is how my Web.Config file looks like
<system.web>
<authentication mode="Windows" />
<roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime maxUrlLength="32767" maxQueryStringLength="32767" targetFramework="4.5" />
</system.web>
<system.webServer>
<modules>
<!--<remove name="FormsAuthenticationModule" />-->
</modules>
<security>
<requestFiltering>
<requestLimits maxUrl="32767" maxQueryString="32767" />
</requestFiltering>
</security>
For debugging, Application is configured to run using "Local IIS Web Server" with "Use IIS Express" option checked in Applications's Properties ->Web tab.
It turns out to be that I had to Enable Windows Authentication, Disable Anonymous Authentication in the Development Server Properties of my Project.
You need to add to project Web.config this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="1" />
</authentication>
</system.web>
Where /Account/Login is your login method from controller.
Make sure your Directory Browsing is enabled.
See this link for adding user in IIS.
Related
I've got an MVC webpage with Windows authentication where users log in using domain credentials. Here are my auth web.config settings:
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.5" maxQueryStringLength="32768" maxUrlLength="65536" />
<customErrors mode="Off" />
<authentication mode="Windows" />
<authorization>
<allow roles="NG\All-Trained-Users" />
<deny users="*" />
</authorization>
<hostingEnvironment shadowCopyBinAssemblies="false" />
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Optimization" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
<identity impersonate="true" />
</system.web>
However, access to shared resources is denied in the app.
Users are prompted for Windows auth after the global.asax.cs Application_Start() method finishes. In that method, the app has access to shared resources. For example, Console.Writeline(Directory.Exists("\\existing\shared\directory")) prints "true". My understanding is the logged-in Windows user identity is being used to authenticate access -- right?
I'm using the same credentials to log into Windows and to log into the webpage. However, when I log into the webpage, something changes, because Console.Writeline(Directory.Exists("\\existing\shared\directory")) prints "false" as the first line of the Index() method. Trying to access a file returns a System.UnauthorizedAccessException . Are those credentials treated differently within MVC?
System.Environment.UserName and System.Environment.UserDomainName return the same values in both Application_Start() and Index(). In File Explorer this user can navigate to the shared location and access files just fine. The network location lists the user as having access.
I've run out of places I know to look to fix this problem. I'm sure if I look in the right place it will show the wrong user or wrong domain or wrong authentication method, but I don't know where to look. Any hints for where I should go?
I'm going to blame the pandemic for this one. Evidently, when our office moved to remote and began using the VPN, our VPN settings triggered additional security features in IIS Express:
When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a security measure kicks in and doesn't allow your site to access resources on any network servers.
We could probably track down a more secure fix to the VPN settings, but our temporary solution while out of office is to not use impersonation while debugging over the VPN.
I saw similar questions like this on here but I simply can't find a good solution.
My problem:
I have an app that need to retrieve data from a connection string, and information that is retrieved depends on the authenticated windows user. When I run this in dev environment with IIS Express I get my logged in user.
However when I host it via IIS Local i get ( IIS APPPOOL\ ) as the user. I need this to be the windows user.
Even tho I get the login the application still outputs APPPOOL when I check this in my views
Anyone with a good solution to this?
I tried:
#System.Web.HttpContext.Current.User.Identity.Name
#System.Security.Principal.WindowsIdentity.GetCurrent().Name
#HttpContext.Current.Request.LogonUserIdentity.Name
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
<identity impersonate="true" />
<trace enabled="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
It sounds like your application are always imepersonate as application pool identity.
I can get the correct windows identity via
System.Web.HttpContext.Current.User.Identity.Name
HttpContext.Current.Request.LogonUserIdentity.Name
User.Identity.Name;
First of all, please ensure your authentication looks like this. Please disable impersonate and anonymous at the same time.
<location path="mysite">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
Secondly,please promise your windows authentication are not executed with app pool credential
Finally, you should get the correct credential.
I'm making a simple website to learn about asp.net/AD authentication.
I used some of the code snippets from this tutorial: https://support.microsoft.com/en-us/kb/316748 to successfully use AD with Forms Authentication from a login page. I use these IIS Authentication settings for the website:
Anonymous Authentication -Enabled
ASP.NET Impersonation -Disabled
Basic Authentication -Disabled
Digest Authentication -Disabled
Forms Authentication -Enabled
Windows Authentication -Disabled
I want to use the credentials for the currently logged in windows user and either not prompt or only prompt if it fails. When I change the Web.config authentication mode to "Windows" and the the IIS settings as shown below it has a pop-up credentials prompt but just keeps prompting and never accepts the credentials.
Anonymous Authentication -Enabled
ASP.NET Impersonation -Disabled
Basic Authentication -Disabled
Digest Authentication -Disabled
Forms Authentication -Disabled
Windows Authentication -Enabled
I've tried several other combinations but they all failed.
All files in this website are:
LdapAuthentication.cs - is in App_Code and is a direct copy/paste from the tutorial
Logon.aspx - is copy/pasted from the tutorial with the companies LDAP path added
Default.aspx - is a direct copy/paste from the WebForm1.aspx in the tutorial
Web.config (shown below)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5">
<assemblies>
<add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms"> <!-- I also tried "Windows" -->
<forms loginUrl="logon.aspx" name="adAuthCookie" timeout="10" path="/" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<identity impersonate="true" />
<anonymousIdentification enabled="false" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
</configuration>
Ensure that IIS is right configured to use ActiveDirectory Authentication with Forms, it works with local server from Visual studio but not in IIS.
In IIS 7+ it's the application pool account.
- Simply create a new application pool that runs under that account and assign that app pool to your application/site.
- Right click to the new pool (example ASP.NET V4.0 Mypool) - > Advanced Settings
- In Process model, choose LocalSystem as Identity.
Web.config:
<system.web>
<compilation targetFramework="4.0" debug="true"/>
..........
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="adAuthCookie" timeout="10" path="/"/>
</authentication>
<identity impersonate="false"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
I have successfully set up a test area on my website which is authenticated using forms auth on iis 8. I am using this in integrated mode with asp.net which as I understand should mean that with the correct web.config file I am able to make the server use the asp.net auth on everything not just URLs. If I try and navigate to a page that I haven't entered the credentials for it returns an error 403, which is what I expect. However if I put in the path of a file stored on the site exactly, it downloads the file without the need for credentials to be provided. Here is my current top level web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="false">
</compilation>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="default.aspx" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="staff/test/test">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="RoleManager" />
<add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
The area /staff/test/test has a word document in it. If I type www.website.com/staff/test/test/test.doc into my browser is downloads the file.
What should I change to secure that file?
Thanks for your replies. In the end it turned out to be the security permissions on the root of the website. The code I originally pasted on here worked fine I had the server\users group having read permissions where as I only needed iis_iusers having read permissions.
Thanks again
I have placed a c# web app on our IIS server, creating an application for it. I then changed the "Authentication" type to windows authentication for the site and also for the xml tags in my web config file. Now, when I navigate to the site, it asks me for the login username and password, but then does not authenticate, asking over and over for my credentials. In the browser login popup, i am typing
Domain\Username
Password.
How can I see why it will not authenticate, or find out what is wrong. I have done everything in articles I have found, but cannot find the issue. It is as if the server does not authenticate, but yet I can remote desktop to it with the same credentials, so it is on the domain.
Here is my web.conf file snippet with the settings:
<system.web>
<authentication mode="Windows" />
<identity impersonate="false"/>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
enable="true" />
I also added the same configuration to the application host file on the IIS server. The entry is below:
<location path="TaxFormerWebApp">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" useKernelMode="true">
<extendedProtection tokenChecking="None" />
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
<anonymousAuthentication enabled="false" />
</authentication>
<requestFiltering>
<fileExtensions applyToWebDAV="false" />
<verbs applyToWebDAV="false" />
<hiddenSegments applyToWebDAV="false" />
</requestFiltering>