Runtime ASP.NET Impersonation and EWS - C#

I have a web application which needs to access user mailboxes using EWS.
I am having trouble implementing impersonation.
If I impersonate my application in IIS or do runtime impersonation and browse through localhost it works fine; however, neither impersonation (using IIS config or runtime) works when I browse my application using the IP.
I have tried Basic Authentication/Anonymous Authentication along with Windows auth but failed to get it working. I tried having my app use either/both NTLM and Kerberos.
The ideal configuration for my app is only Windows authentication on NTLM.
Please help if someone has faced this issue.
The app should run as one account, but should impersonate the user when needed to access his/her mailbox. I am running .NET 4.5 on IIS 7.5.

What you are seeing is the server double-hop authentication issue. By default Windows does not allow the user's credentials to be delegated from the web server running your ASP.NET site to your Exchange server. It works locally because there is only a single server hop as you are logged in to the machine running the ASP.NET site.
Kerberos is the way to go to make it work. You have to set your web server up to be trusted for delegation. I have no idea how to actually do this but this SO question may help you:
How can I fix the Kerberos double-hop issue?

ASP.NET Windows Authentication - Page cannot be displayed

I have created a simple WebForm ASP.NET web site. I have disabled the Windows Authentication checks within the code but set IIS8 to "Windows Authentication" as well as the web.config. I perform the Identity.IsAuthenticated check in the backend to ensure the user is authenticated.
My issue is I get "The page cannot be displayed, please check your URL is correct". (This is in IE)
If I set my authentication to Anonymous the site works fine. I disable Anonymous Authentication and enable Windows Authentication only and receive this error. I have done quite a bit of reading now and think I am just missing something small.
I used the IIS "default site" and set it to Windows Authentication and got a login prompt (as expected).
The server is running IIS8, Windows 2012. Windows Authentication is installed as a feature, the IIS site settings are set to use Windows Authentication only, as is the web.config. The web.config doesn't have Authorization tags for deny and allow but has <authentication mode="Windows" />. The errors occur on both IE and Firefox. No Windows events are logged so I assume it's purely an authentication error that isn't displaying the site. The AppPool is set to Identity.
I think what confuses me most is the "default site" (with no code or logic) works and my site doesn't. The default site also doesn't have a web.config.
I would be grateful for any ideas.
The issue may have to do with Kerberos.
I had the same issue and whilst troubleshooting server side issues, my co-worker indicated that he was able to access the site.
It was then I realized my issue was a client side issue. Something may have been wrong with my Kerberos tickets. Maybe the domain controller that initially issued the ticket to me went offline. Rebooting my workstation was what got windows authentication working for me again.
Some other things you can try are:
Try changing your windows authentication provider to NTLM as a test.
Click on the site -> Click Authentication -> Click Windows Authentication -> Click Providers
Move NTLM to the top or add it if it isn't there.
Click ok.
IISReset. And try again.
If you prefer to use Kerberos, you may have to set the service principal names using the setspn.exe command.
For more information on Kerberos
https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
Other things to check:
- Check your authorization rules and .NET Authorization Rules to ensure All Users are allowed to access the site.
- Look in your IIS logs located at C:\inetpub\logs for more clues. In the folder, you'll find a folder for each site named after the site's id. You can find the site id by clicking Sites on the IIS Management console. The site ids of each site will be displayed there.
- Verify the application pool identity of the site has enough permissions.

Mixing Windows and Anonymous Authentication

I'm developing a .NET 4.5 web intranet project. My problem is that some users can log in directly with Windows authentication, but there are also some users who need to log in to the system with anonymous authentication, because due to their company policy there is no possibility that they can add a system configuration as a trusted network or forest. Therefore the system should check Windows auth and, if it fails without showing the Windows prompt screen, should check the anonymous auth, and users should log in via a form (LDAP); but due to the ecosystem of IIS it checks anonymous authentication. I tried some solutions but they didn't work on Microsoft Server 2012 R2. Is there any way that I can make this happen?
In conclusion, I need to find a way to check IIS Windows auth and after that anonymous authentication. I found some solutions but they don't work on Microsoft Server 2012 R2. I also tried to get Windows credentials such as Domain\username. I got it when there is only Windows auth, but when both Windows and Anonymous authentication are enabled, or only Anonymous authentication is enabled, I couldn't get it because of anonymous authentication. Thanks in advance.

.NET application Kerberos, SharePoint and SQL Server authentication

In my C# web application hosted in IIS I want to connect to my database with a technical user without any credentials in my web.config (an AD user).
Moreover, my application communicates with a SharePoint library with Kerberos authentication.
My problem is I don't know how to do it.
Until now, the DB credentials were in the web.config and all worked perfectly but for more security I have to remove credentials from the web.config.
My IIS is configured with a technical user in the application pool, Kerberos is correctly configured and the IIS authentication is configured like this:
Could you please help me and tell me if it's possible, and if yes how to do that.
Thanks a lot
If you use Win Auth with impersonation in IIS to forward the Kerberos token to SharePoint, your web process is impersonated.
Your only options are:
- use a SQL login and encrypt the connection string in web.config
- use impersonation in C# and use cryptography and a secure location for your AD tech. user password.

HttpContext.User.Identity.Name in a deployed application

For an ASP.NET MVC 2 application, we are using HttpContext.User.Identity.Name to get the user name for authentication purposes. This works fine when testing. Users who are in the database are able to access areas for which they have permissions, and are redirected to a 401 page otherwise. The 401 page displays their username, explaining that this user is not authorized to access this content.
However, in a deployed environment, all attempts to access any portion of the application redirect to the 401 page, and the displayed username is blank!
How can we enable the deployed application to access the username of the request?
From my research, I should go to the following screen and enable Windows Authentication, but it's not in the list!
We had an issue like this too; what we ended up doing was turning off Anonymous Access in IIS. Remember to check the Integrated box at the bottom. Hope this helps
Ah, if you are using IIS 7, you probably need to install it first! Here's a good overview. FTA:
The default installation of IIS 7 does not include the Windows
authentication role service. To use Windows authentication on IIS, you
must install the role service, disable Anonymous authentication for
your Web site or application, and then enable Windows authentication
for the site or application.
If you're not seeing it as an option, you probably don't have it installed.
(Dictated from my Windows 7 machine,) Go to your Start menu and type: Turn Windows features on or off.
Next, in the dialog's treeview, go to Internet Information Services - World Wide Web Services - Security and then check the Windows Authentication checkbox.

Using Windows authentication to log in to a SQL Server

I have a web application set up on our intranet that uses Windows authentication (successfully) that I am trying to link to a database running on a separate server.
The problem that I am having, however, is that when I try to use a trusted connection to log in to the SQL Server, instead of passing the domain\username of the person using the website, the application is passing NT AUTHORITY\ANONYMOUS LOGON.
I checked that the authentication was working by having the website display a greeting that does identify my username correctly when I log on to the site, so it isn't an anonymous access issue. I think it is an impersonation issue somehow despite the fact that set in the web.config file for the application.
Curiously, the web application works fine when I run it on either my dev machine or even locally through remote desktop on the production server. I'm not sure what's going on here.
Finally, I'm running IIS 7.5, Windows Server 2008 R2 and SQL Server 2008.
This is called Constrained Delegation. Basically what that means is that an impersonated context by default cannot be delegated to authenticate with a resource on the network. If constrained delegation were not in place, anyone could create a web site in the enterprise and expose some benign application. But underneath, once the user authenticated with the site, it could impersonate that user to do anything, like read his mail, sell stock on his behalf, give raises to the site developer, anything. This is why impersonated contexts are not trusted outside the machine that impersonated the user.
To allow an impersonated context to connect to a remote resource (like a file share, or a database server) the domain administrator has to explicitly set up Constrained Delegation, which allows the impersonated context to authenticate with one specific resource.
There are numerous articles describing the problem and the solution:
How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
Protocol Transition with Constrained Delegation Technical Supplement
How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
Configuring Servers for Delegation (IIS 6.0)
How to: Use Protocol Transition for Impersonating and Delegating the Original Caller in WCF
It is a known behavior called the double-hop issue. See http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx
If your web application tries to access your database, it does it with the account under which the IIS w3wp.exe process is running (NetworkService by default).
If you want to change this, you will need to use impersonation.
This document explains it pretty well.
As the document also explains depending on your application, you might want to use trusted subsystem instead of impersonation.
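As an added example (not code from any of the posts above or from Microsoft's documentation): a diagnostic that checks, from inside the ASP.NET request, whether the caller's token can survive the second hop discussed in this answer and in the EWS question at the top of the page, and only then opens the caller's mailbox. It assumes a .NET Framework site with Windows authentication and impersonation enabled in web.config, the EWS Managed API referenced, and a placeholder EWS URL.

```csharp
// Added diagnostic, not from any of the posts above. Assumes an ASP.NET
// (Full Framework) site with <authentication mode="Windows"/> and
// <identity impersonate="true"/>, and the EWS Managed API referenced.
using System;
using System.Security.Principal;
using System.Web;
using Microsoft.Exchange.WebServices.Data;

public static class HopCheck
{
    // Exchange or SQL Server on another machine only sees the caller when the
    // token IIS obtained for the request is allowed to be delegated (a Kerberos
    // token at Delegation level). NTLM tokens, and Kerberos tokens from a web
    // server not trusted for delegation, stop at Impersonation level: they work
    // for local resources but reach the second hop as NT AUTHORITY\ANONYMOUS LOGON.
    public static bool CanCrossSecondHop(WindowsIdentity id)
    {
        return id != null
            && !id.IsAnonymous
            && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // One-line summary to log or show on a diagnostics page.
    public static string Describe(WindowsIdentity id)
    {
        if (id == null) return "no WindowsIdentity: Windows auth is not enabled for this request";
        return string.Format("{0} via {1}, token level {2}, can delegate: {3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, CanCrossSecondHop(id));
    }

    // Open the caller's mailbox only when the token can survive the hop; otherwise
    // fail with a clear message instead of an opaque 401 from Exchange.
    public static int InboxCountForCaller(HttpContext ctx, string ewsUrl)
    {
        var id = ctx.User.Identity as WindowsIdentity;
        if (!CanCrossSecondHop(id))
            throw new InvalidOperationException("Double-hop blocked: " + Describe(id));

        using (id.Impersonate())
        {
            var service = new ExchangeService(ExchangeVersion.Exchange2010_SP2)
            {
                UseDefaultCredentials = true,   // the impersonated Kerberos token
                Url = new Uri(ewsUrl)           // placeholder, e.g. https://<exchange-host>/EWS/Exchange.asmx
            };
            return Folder.Bind(service, WellKnownFolderName.Inbox).TotalCount;
        }
    }
}
```

Describe() is the useful part when comparing a localhost request with one over the IP: the Name and AuthenticationType will match, but the token level drops from Delegation to Impersonation when the web server is not trusted for delegation.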
