I inherited a project that I was asked to look at. It's an ASP.NET website that is deployed on a clients intranet server. They gave me VPN access and the source code. They are using Active Directory for authentication.
So here's my setup: Code running locally, connected to their db on their db server.
In the web.config I see that authentication mode=Windows and identity impersonate is true. However, when I run the project I get this error:
Could not create Windows user token from the credentials specified in
the config file. Error from the operating system 'The security
database on the server does not have a computer account for this
workstation trust relationship.
The username for the identity line (web.config) is a service account. All this runs fine in production. Any ideas as to why this app is not authenticating? Thanks!
If your dev machine is not joined to their domain, then it might not work. But maybe it's possible.
As a start, try disabling Kerberos and forcing NTLM using this in the web.config:
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
If you are hosting locally in IIS, then you can do the same in IIS Manager. Select the site -> Authentication -> Right click Windows Authentication -> Providers -> Remove 'Negotiate' from the list, leaving only NTLM.
Related
I have an Angular frontend with a .NET framework backend, which has the following web.config file (nothing else about authorization/authentication):
<location path="Tokens">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
I am using AD login, which is the Tokens controller, the rest is secured by JWT tokens.
My current problem is, I wish to test the website with other computers in the domain using IIS and the website works if I use localhost, but as soon as I use my IP, errors start appearing.
My frontend configuration JSON:
{
...
"apiAddress": "https://IP:50505/",
...
}
And the backend web.config also contains this:
<add key="WhitelistedServerUrls" value="https://IP:34622" />
So if the IP in the config files is localhost, then everything works as it should, but if I exchange that for my actual IP, then I get CORS errors as shown in the image below:
None of these errors appear if I use localhost. Below is the list of the things I've tried:
CORS should be correctly set up in the code, but just to make sure, I also configured it in the HTTP Response Headers feature in IIS
this fixed CORS errors, but brought different errors, also signalr had an error that CORS origin is set up twice
I also added the website https://IP to local intranet in settings
prior to this, I was getting a login popup, doing this fixed it
my bindings for both frontend and backend are https with a self-signed certificate
browser notifies, that the certificate is not valid
My guess is that my IIS is not configured correctly, as the website works if I use localhost instead of an IP address.
You enabled Windows authentication, so that when CORS preflight request (anonymous OPTION request) sent by the browser arrives on IIS, 401 is returned by IIS and triggers the errors you see.
You will have to use IIS CORS module to properly process such preflight requests,
https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
I am working on an application transfer between Windows Server 2008R2 running IIS 7.5 into a Windows 2016 Server running IIS 10. The login system for the application is using Form Authentication with LDAP to allow the user to log in and make changes. The user can login without any issue on the 2008R2 server, creating the necessary cookie for usage. However, on the 2016 Server, the login system authentication seems to break. It seems as though the cookie is created but that the system does not seem to be able to find the user after the cookie is created. Furthermore, on a specific page that does not run any of the login processes, the application appears to be using Windows Authentication rather than the Forms Authentication that it is explicitly being told to use. The settings for the application in the web.config specifically tell it to use forms rather than windows authentication.
The web.config for the application contains the following information for the connection strings:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://OURLDAPSYSTEM"/>
</connectionStrings>
The LDAP item for this system is only used for validation not permissions.
and the authentication and membership:
<system.web>
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/" timeout="60" slidingExpiration="true" protection="All"/>
</authentication>
<membership defaultProvider="ADMembershipProvider">
<providers>
<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
In the controller that performs the login process:
userLoginSuccess = Membership.ValidateUser(model.UserName, model.Password);
//Make call to another DB to check permissions for usage
FormsAuthentication.SetAuthCookie(model.UserName, true);
On the IIS on the server, the authentication for the application appears as follows:
Authentication for the application
While the authentication for the entire Web Site appears as follows: Authentication for the Site
Each of these match what is already located on the Windows 2008R2 server.
Anyone have any ideas what would have changed on the Windows 2016 server that would prevent the authentication from working the same as 2008R2? And if so, how would I fix this issue?
Same thing here - just spent all day looking at this.
Found this: https://www.itnota.com/enable-secure-httponly-cookies-iis/
<system.web>
...
<httpCookies httpOnlyCookies="true" requireSSL="false" />
...
</system.web>
We added the to the web.config and it worked.
Alright Stackoverflow, after much fruitless research I've ended up here!
I am attempting to get a .NET Core 2.0 site hosted out of IIS with Windows Authentication and SSL, and no matter what I try I continue to get inconsistent/intermittent 403 Access Denied errors.
If there was something dead-wrong, I would expect it never to work. However, it works maybe ~3/10 times if I restart the site and the app pool. There is nothing useful that I can find in the Event Viewer, Application Logs, or IIS trace logs.
Things I have done in no particular order:
The app pool is running as a gmsa account with rights to my database (prod.service$)
Granted log on as a service, and log on as batch to the gmsa account.
Granted IIS_IUSRS, prod.service$, and Domain Users permissions on the web root folder. Currently at full-control out of despair.
Granted IIS_IUSRS, prod.service$, and Domain Users permissions to the certificate.
Enabled Windows Auth, Disabled Anonymous Auth
Set default document pointing to the front-page.
Set the app pool to "Load Profile"
Set the .NET CLR version to "No Managed Code"
Set ForwardWindowsAuthToken to true in the web.config
NTLM has been moved to the top of the list as the first auth provider under Site > Authentication > Right-Click Windows Authentication > Providers
One more detail is that I am trying to authenticate with users from a different domain, where a one-way trust is set up. I am remoting into the host with credentials from the 'other' domain, so it has visibility.
Here is my web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\MCP.MVP.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true" startupTimeLimit="3600" requestTimeout="23:00:00" />
<defaultDocument>
<files>
<add value="/home/index" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
<!--ProjectGuid: [REDACTED] -->
From Startup.cs:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.Configure<IISOptions>(options =>
{
options.AutomaticAuthentication = true;
});
From Program.cs
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseIISIntegration()
.UseStartup<Startup>()
.Build();
Using Authorize attributes everywhere:
[Authorize(Policy = "RequireViewerRole")]
Authorization Glue, where Configuration["RequireViewerRoles"] is a comma delimited list of domain groups:
services.AddAuthorization(options =>
{
options.AddPolicy("RequireViewerRole", policy => policy.RequireRole(Configuration["RequireViewerRoles"].Split(',')));
});
Have I entered .NET Core 2.0 bug territory, or am I missing something?
It turned out to be a massive red herring!
It was a 401.2 "invalid server configuration" error. I finally noticed a pattern where the application would work if I opened up the folder security permissions dialogue, which would forcibly hit the domain-controller and cache the group names from the user domain. The application would work fine for about 5 minutes, before refusing to authenticate again with no other changes made.
The issue was solved by configuring the domain name on the group, which is obvious in retrospect. (DomainName\\Domain Users). The fact that it worked at all without the domain name led to a lot of confusion. There was nothing to indicate this error from the IIS logs, and ultimately it was solved by trial and error.
I have done the following
app pool configuration as .Net framework 4.0
Folder security (allow access for the app pool user)
Website security (anonymous access is needed for my site)
Re-register ASP.Net by running aspnet_regiis ad nauseam
Added the section in web config file as
<system.webServer>
<modules>
<remove name="UrlRoutingModule-4.0"/>
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition=""/>
</modules>
</system.webServer>
I'd appreciate any pointers or personal experience.
I am using Windows Authentication for the first time in a C# MVC web project and i have run into some issues. If i am accessing the website from localhost, the browser will prompt for windows credentials. This only happens with a new browser session. After that the site is opened.
When i try to access the site from a remote machine on the same network the browser does not prompt for credentials and I receive a 403 error. Viewing the page is declined. I created a login page to redirect unauthorized users to. Their credentials will be approved via Active Directory. In order to do this i had to enable Anonymous Authentication in IIS which i thought shouldn't be done when using Windows Authentication instead of Forms.
Could some one please help me with the 403 error and best practices/configurations for Windows Authentication? Thanks
This did the trick for me:
web.config:
<appSettings>
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false" />
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<authentication mode="Windows" />
<identity impersonate="false" />
<authorization>
<deny users="?" />
</authorization>
I did have to keep Anonymous Authentication enabled in IIS which i'm still not sure is correct. Windows Authentication also enabled in IIS