For an ASP.NET MVC 2 application, we are using HttpContext.User.Identity.Name to get the user name for authentication purposes. This works fine when testing. Users who are in the database are able to access areas for which they have permissons, and redirected to a 401 page otherwise. The 401 page displays their username, explaining that this user is not authorized to access this content.
However, in a deployed environment, all attempts to access any portion of the application redirect to the 401 page, and the displayed username is blank!
How can we enable the deployed application to access the username of the request?
From my research, I should go to the following screen and enable Windows Authentication, but it's not in the list!
We had an issue like this to, what we ended up doing was turning off Anonymous Access in IIS. Remember to check the Integrated box at the bottom.. Hope this helps
Ah, if you are using IIS 7, you probably need to install it first! Here's a good overview. FTA:
The default installation of IIS 7 does not include the Windows
authentication role service. To use Windows authentication on IIS, you
must install the role service, disable Anonymous authentication for
your Web site or application, and then enable Windows authentication
for the site or application.
If you're not seeing it as an option, you probably don't have it installed.
(Dictated from my Winodws 7 machine,) Go to your Start menu and type: Turn Windows features on or off.
Next, in the dialog's treeview, go to Internet Information Services - World Wide Web Services - Security and then check the Windows Authentication checkbox.
Related
I have created a simple WebForm asp.net web site. I have disabled the Windows Authentication checks within the code but set IIS8 to "Windows Authentication" as well as the web.config. I perform the Indentity.IsAuthenticated check in the backend to ensure the user is authenticated.
My issue is I get "The page cannot be displayed, please check your URL is correct". (This is in IE)
If I set my authentication to Anonymous the site works fine. I disable Anonymous Authentication and enable Windows Authentication only and receive this error. I have done quite abit of reading now and think I am just missing something small.
I used the IIS "default site" and set it to Windows Authentication and got a login prompt (as expected).
The server is running IIS8, windows 2012. Windows Authentication is installed as a feature, IIS site settings is set to use Windows Authentication only, as is the web.config. The web.config doesn't have Authorization tags for deny and allow but has <authentication mode="Windows" />. The errors occur on both IE and FireFox. No windows events are logged so i assume it's purely a authentication error that isn't displaying the site. The AppPool is set to Identity.
I think what confuses me most is the "default site" (with no code or logic) works and my site doesn't. The default site also doesn't have a web.config.
Any ideas would be grateful.
The issue may have to do with Kereberos.
I had the same issue and whilst troubleshooting server side issues, my co worker indicated that he was able to access the site.
It was then I realized my issue was a client side issue. Something may have been wrong with my Kerberos tickets. Maybe the domain controller that initially issued the ticket to me went offline. Rebooting my workstation was what got windows authentication working for me again.
Some other things you can try are:
Try changing your windows authentication provider to NTLM as a test.
Click on the site -> Click Authentication -> Click Windows Authentication -> Click Providers
Move NTLM to the top or add it if it isn't there.
Click ok.
IISReset. And try again.
If you prefer to use Kerberos, you may have to set the service principal names using the setspn.exe command.
For more information on Kerberos
https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
Other things to check:
- Check your authorization rules and .NET Authorization Rules to ensure All Users are allowed to access the site.
Look in your IIS logs located at C:\inetpub\logs for more clues. In the folder, you'll find a folder for each site named after the site's id. You can find the site id clicking Sites on the IIS Management console. The site ids of each site will be displayed there.
Verify the application pool identity of the site has enough permissions.
I'm working on a .NET MVC web app, and I'm using Windows authentication. My IE has "Integrated Windows Authentication" enabled, and it works when I navigate to other sites hosted on the same IIS server (a.k.a I am not prompted for login). However when I go to this one page and call an API method, base.isAuthorized(actionContext) evaluates to false in the C# code, resulting in me being shown the login dialog. Correct me if I'm wrong, but I thought Windows Authentication would authenticate me right when I enter the webpage... why am I still prompted for credentials?
Authentication settings can be different for each web site on the server. Check your IIS settings for this particular web site. Make sure that Windows Authentication is enabled, and that Anonymous Authentication is disabled.
I receive a Windows login prompt when accessing a site on IIS with a host other than localhost.
For example,
http://localhost/mysite -- works
http://ipaddresss/mysite -- login prompt
If I enable Anonymous Access in the IIS settings for the web application, the prompt goes away and I can access the site fine. I have Windows Authentication enabled as well.
I want to be able to disable Anonymous Access without getting the windows login prompt.
Windows IIS 7.5
Windows Server 2008 R2
ASP.NET 4.5 MVC Web application
This does not seem to be browser related. I get the same behavior whether it's IE or Firefox.
This is what I did to resolve the problem.
In IE, I added the IP address to the local intranet sites in the Security tab.
Apparently Windows Integrated Security is only guaranteed in IE.
I used this Knowledge Base Article as a reference. http://support.microsoft.com/kb/258063
It's an internet setting, which can be changed in IE or the control panel.
Internet Options -> Security -> Local Intranet -> Sites - Making your your site/domain is in the list
IE is prompting for windows credentials if it's not in the Intranet Zone or not in the list of intranet sites. Add the site to your intranet zones list for automatic login.
Based on this article I've created a basic ASP.NET MVC site using the Visual Studio 2013 Intranet Site template with the default settings and changing nothing.
When running the site in debug mode instead of logging me in and displaying my domain\username, I am getting prompted to enter my username/password in a Authentication Required dialog.
I was under the impression, since I am already authenticated against the domain, I should be logged straight into the application using my AD account without having to enter in anything. When I do try explicitly entering my AD name or a local user account, nothing is accepted.
EDIT
If I type in my username/password with Firefox I am authenticated, but not with Chrome and IE.
Any ideas?
What you're encountering is something that's frustrated me about windows authentication for a long time. Internet explorer has a feature called pass-through authentication that authenticates you automatically when using windows auth. Other browsers have work arounds: https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/ .
It's up to the sys admins to implement those measures for the other browsers, but nobody ever does, so we get stuck typing in our full usernames and passwords in every browser but IE.
What you can do is follow this approach : http://blogs.msdn.com/b/chunliu/archive/2010/09/21/creating-a-custom-login-page-for-windows-authentication.aspx
Not nearly as simple as enabling windows auth, or even implementing forms auth for that matter, but consider a scenario where you want infrastructure to manage permissions and administer user accounts, or if you want to expose your login page globally without exposing AD.
IE won't pass credentials to a site unless it's in the intranet security zone or the same domain. You can add your site to IE's list of trusted sites using
Internet Options > Security > Trusted sites > Sites
Chrome takes its trusted site settings from IE's settings, so once you add to IE, it should also work in Chrome
Check with your IIS (Internet Information Server) Manager and see if your application has the right permissions for the user.
Go to the "Connections" panel on the left-hand side
Under "Sites", navigate to your application or folder holding the application
Right click and select "Edit Permissions..."
Go to the "Security" tab
Check if your Windows ID or Windows Group (if multiple users) have the correct permissions to this site under the "Group or user names" box
If the user or group is not there, click on the "Edit" button and then click the "Add" button
Also check if "Windows Authentication" is enabled and both "Anonymous Authentication" and "ASP.NET Impersonation" are disabled for the application on the IIS.
Scenario:
https asp/asp.net website running of IIS 7.5 (windows server 2008)
IIS currently configured to allow anonymous authentication and forms authentication ,asp.net impersonation are disabled while windows authentication is not installed (I understand that windows authentication needs to installed for this.)
a single custom login page for both internal and external users
Requirment:
Internal users seamlessly login while capturing their LOGON name (window authentication)
External users (not on domain) should be prompted a manual login
Questions:
What approach can be used to implement this?
Looking for the IIS 7.5 and web.config settings
Approaches Found:
make 2 pages within 1 website, winlogin and weblogin(front page). Allow windows auth=true and anonymous auth=false on winlogin.aspx and vice versa on weblogin.aspx
user with a ip hits weblogin, if ip is known redirect to winlogin to capture logon and redirect to weblogin if the ip is unknown
have winlogin.aspx as the main page and redirect 401 errors to weblogin.aspx
This is how to configure IIS for integrated authentication.
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
This will make your site available for intranet users WITHOUT the prompt for credentials.
Note that this also works for web users. A built-in web browser window is displayed as a result of HTTP 401. A user provides his/her credentials and is in.
If you rather want to show your custom web form as a result of 401 (unauthorized), you'd have to trick the browser a little:
http://www.codeproject.com/Articles/11202/Redirecting-to-custom-401-page-when-quot-Access-de
This way you can redirect an unauthorized response to a web form of your choice (for example, to show an asp.net login form).
Although the integrated authentication can be easily configured, prepare for a lot of experiments when setting up your mixed (integrated/forms) authentication. Things change with every version of IIS; also IIS7 behaves differently if a pool is in classic vs integrated mode.