I am using Windows Authentication for the first time in a C# MVC web project and i have run into some issues. If i am accessing the website from localhost, the browser will prompt for windows credentials. This only happens with a new browser session. After that the site is opened.
When i try to access the site from a remote machine on the same network the browser does not prompt for credentials and I receive a 403 error. Viewing the page is declined. I created a login page to redirect unauthorized users to. Their credentials will be approved via Active Directory. In order to do this i had to enable Anonymous Authentication in IIS which i thought shouldn't be done when using Windows Authentication instead of Forms.
Could some one please help me with the 403 error and best practices/configurations for Windows Authentication? Thanks
This did the trick for me:
web.config:
<appSettings>
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false" />
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<authentication mode="Windows" />
<identity impersonate="false" />
<authorization>
<deny users="?" />
</authorization>
I did have to keep Anonymous Authentication enabled in IIS which i'm still not sure is correct. Windows Authentication also enabled in IIS
Related
I saw similar questions like this on here but I simply can't find a good solution.
My problem:
I have an app that need to retrieve data from a connection string, and information that is retrieved depends on the authenticated windows user. When I run this in dev environment with IIS Express I get my logged in user.
However when I host it via IIS Local i get ( IIS APPPOOL\ ) as the user. I need this to be the windows user.
Even tho I get the login the application still outputs APPPOOL when I check this in my views
Anyone with a good solution to this?
I tried:
#System.Web.HttpContext.Current.User.Identity.Name
#System.Security.Principal.WindowsIdentity.GetCurrent().Name
#HttpContext.Current.Request.LogonUserIdentity.Name
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
<identity impersonate="true" />
<trace enabled="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
It sounds like your application are always imepersonate as application pool identity.
I can get the correct windows identity via
System.Web.HttpContext.Current.User.Identity.Name
HttpContext.Current.Request.LogonUserIdentity.Name
User.Identity.Name;
First of all, please ensure your authentication looks like this. Please disable impersonate and anonymous at the same time.
<location path="mysite">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
Secondly,please promise your windows authentication are not executed with app pool credential
Finally, you should get the correct credential.
I am working on an application transfer between Windows Server 2008R2 running IIS 7.5 into a Windows 2016 Server running IIS 10. The login system for the application is using Form Authentication with LDAP to allow the user to log in and make changes. The user can login without any issue on the 2008R2 server, creating the necessary cookie for usage. However, on the 2016 Server, the login system authentication seems to break. It seems as though the cookie is created but that the system does not seem to be able to find the user after the cookie is created. Furthermore, on a specific page that does not run any of the login processes, the application appears to be using Windows Authentication rather than the Forms Authentication that it is explicitly being told to use. The settings for the application in the web.config specifically tell it to use forms rather than windows authentication.
The web.config for the application contains the following information for the connection strings:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://OURLDAPSYSTEM"/>
</connectionStrings>
The LDAP item for this system is only used for validation not permissions.
and the authentication and membership:
<system.web>
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/" timeout="60" slidingExpiration="true" protection="All"/>
</authentication>
<membership defaultProvider="ADMembershipProvider">
<providers>
<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
In the controller that performs the login process:
userLoginSuccess = Membership.ValidateUser(model.UserName, model.Password);
//Make call to another DB to check permissions for usage
FormsAuthentication.SetAuthCookie(model.UserName, true);
On the IIS on the server, the authentication for the application appears as follows:
Authentication for the application
While the authentication for the entire Web Site appears as follows: Authentication for the Site
Each of these match what is already located on the Windows 2008R2 server.
Anyone have any ideas what would have changed on the Windows 2016 server that would prevent the authentication from working the same as 2008R2? And if so, how would I fix this issue?
Same thing here - just spent all day looking at this.
Found this: https://www.itnota.com/enable-secure-httponly-cookies-iis/
<system.web>
...
<httpCookies httpOnlyCookies="true" requireSSL="false" />
...
</system.web>
We added the to the web.config and it worked.
I'm developing a ASP.NET MVC webapplication currently running on IIS Express (for development).
The webapplication has two pages
Computer
Department
General authentication settings in web.config
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
</roleManager>
</system.web>
The DeparmentController enforces authentication using the authorize attribute:
[Authorize(Roles = #"DOMAIN\Administrators")]
When visiting the computer page unauthorized, all content loads fine.
When visiting the department page, I'm prompted to enter my credentials. The authentication works as expected, but I get '500 Internal Server Error' on css, js and ico files.
During my research, I only found the exact same problem the other way around. Where the static files where not loaded for unauthorized users.
Did you implement windows authorization within iis as well, also does your user have permission to the directories that the page is displaying?
I'm trying to use Windows Authentication in my ASP.NET application. Whenever I try to view the app it sends me to a login page. How can I make it work without having to manually login via the browser?
web.config
<system.web>
<authentication mode="Windows"></authentication>
<anonymousIdentification enabled="false"/>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<customErrors mode="Off"></customErrors>
<identity impersonate="true"></identity>
<compilation debug="true" targetFramework="4.0" />
<httpRuntime />
</system.web>
error after updating IIS Express
Most likely causes:
No authentication protocol (including anonymous) is selected in IIS.
Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
The Web server is not configured for anonymous access and a required authorization header was not received.
The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
applicationhost.config
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="false">
</iisClientCertificateMappingAuthentication>
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
Windows Authentication with IISExpress
Update your web.config
Make sure your web.config file both enables windows authentication and also denies anonymous authentication. HttpContext.Current.User.Identity.Name will be blank if the app falls through to anonymous authentication. Your config should look something like this:
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
Error 401.2 Unauthorized
Sometimes, you might get the error 401.2 Unauthorized: Logon failed due to server configuration error. If you do, verify that you have permission to view this directory or page based on the credentials you supplied. Also make sure you have the authentication methods enabled on the Web server.
Updating applicationhost.config
You also might find you have to update the IISExpress applicationhost.config file (dont’ worry – I didn’t know it either). This is essentially the file version of the IIS configuration tool, where you can configure the web server itself. Finding the applicationhost.config file can be tricky. It might be in:
%userprofile%\documents\iisexpress\config\applicationhost.config
or
%userprofile%\my documents\iisexpress\config\applicationhost.config
Once you find it, update the following lines (paying special attention to enabled=true):
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
This is the article
We use Windows authentication for almost all of our intranet apps, including SharePoint. Employees must login if their browser doesn't automatically send their Windows credentials automatically to the site.
On IE, this is a matter of the browser's configuration. I think there are also ways to configure Chrome and Firefox to send Windows login automatically. I think Chrome will follow Window's internet settings (on the client) just like IE. Try to set the User Authentication options to "Automatic Logon with current username and password".
See below screenshot for an illustration to where that is.
Also note that this involves the user's browser sending a Windows Token to the application. The application must understand and trust the source of this token, and this would work with the support of a "domain" in which both the user and application reside in. I think it will work on a single machine (while you are debugging), but if you want this to work on multiple computers on a network, you need to look into creating a domain. A typical way to create a domain is Active Directory.
Let me know.
When debugging my web app in VS 2017, I found I needed to update [solution path]\.vs\config\applicationhost.config. I replaced the authentication section with:
<authentication>
<anonymousAuthentication enabled="false" userName="" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="false">
</iisClientCertificateMappingAuthentication>
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
More here: https://stackoverflow.com/a/4813716/555142
Open IIS (Windows + R 'inetmgr')
Select the IIS Server (Root Node)
Double Click - 'Authentication'
Windows Authentication - Right-click and select 'Enable'
Forms Authentication - Right-click and select 'Disable'
Restart the IIS Server
I was able get it working by removing the negotiate provider.
<windowsAuthentication enabled="true">
<providers>
<add value="NTLM" />
</providers>
</windowsAuthentication>
In Asp.net Application for windows authentication
In aspx page
asp:Label runat="server" ID="windows"
aspx.cs page
windows.Text = User.Identity.Name;
webconfig:
authentication mode="Windows"
but authentication is not performed what problem ??
Add the following in your web.config under system.web to make sure that the windows authorization is triggered:
<authorization>
<allow users="?" />
</authorization>
Your web.config wants to contain like this:
<configuration>
<system.web>
<authentication mode="Windows" />
<anonymousIdentification enabled="false" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
This will force all users to use their windows/Active Directory login. A 401 Access Denied error will be given to those who don't log in.
Because Integrated Windows Authentication uses the current Windows
user information on the client computer for the authentication, it
does not immediately prompt the user for a user name and password.
However, if the authentication exchange cannot identify the user, a
dialog box appears that prompts the user for a Windows user account
user name and password
Source: How to implement Windows authentication and authorization in ASP.NET
Try adding the following block to see if it's working
<authorization>
<deny users="*" />
</authorization>
After adding this, run the application and you should get HTTP 401 - Access is denied error.
You can customize authorization from then on.
UPDATE:
Here's a different approach and how to configure it via IIS management console:
Deploy your site to IIS
Click on your site and select Authentication
Disable Anonymous Authentication and enable Windows Authentication as shown in the image below
Go back to features and select .NET Authorization Rules. Here you can add allow/deny rules on a role or user basis.
To test your current code deny anonymous users and allow all. When you connect to your application you should be able to use the Windows user you used to log in.