I have an application built partially in classic ASP and in C#. The authentication used as
per the config file is windows. This is perfectly working.
Now I have to authenticate the users against active directory. (ie. if any AD users
requesting my application, it should authenticate the user (on login page load) and redirect
to the application home page instead of showing login page)
The login page is an asp page and I created an aspx page where the login.asp page will be
redirected during page load to authenticate with Active Directory. I have disabled anonymous
access in IIS and currently used only Integrated Windows Authentication. Also given
permission to "Authenticated Users" in Permissions.
While trying to access the login.asp page I am getting the following error.
You do not have permission to view this directory or page using the credentials that you
supplied because your Web browser is sending a WWW-Authenticate header field that the Web
server is not configured to accept.
Please try the following:
Contact the Web site administrator if you believe you should be able to view this directory
or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.
Internet Information Services (IIS)
Kindly help me to fix this issue.
Thanks,
Priya
401.2 isn't usually an "error", per se. It's an authentication challenge. Your browser is not responding properly to the challenge it's being presented with. If the browser doesn't understand what's going on, it will just give up and show you 401.2 as an error.
The question is: what browser are you using? Try IE first. IE is very forgiving with NTLM and Kerberos challenges. If you're using Firefox, you will need to set it up to use integrated windows authentication by adding your domain names to the network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris settings in the about:config screen.
You could also be running into an issue where you have not properly defined a Service Principal Name for your service account. How that works would depend on how your website is running -- is it running under a domain account or under NETWORK SERVICE? If NETWORK SERVICE, this probably isn't your problem.
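To see which side of the challenge is failing, capture the 401 response and the browser's follow-up request (browser developer tools are enough) and classify the headers. The following is an added example, not part of the original answer; the sample tokens are constructed, and the NTLM/GSS-API detection is a heuristic based on the leading bytes of the decoded token.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message

def offered_schemes(www_authenticate_values):
    """Scheme names from the WWW-Authenticate headers of a 401 response."""
    return [v.split(None, 1)[0] for v in www_authenticate_values if v.strip()]

def client_token_kind(authorization_value):
    """Classify what the browser sent back in its Authorization header."""
    parts = authorization_value.split(None, 1)
    if len(parts) != 2:
        return "malformed"
    scheme = parts[0].lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if NTLMSSP in raw:
        # Raw NTLM, or NTLM wrapped in SPNEGO: Kerberos was not used.
        return "ntlm"
    if raw[:1] == b"\x60":
        # ASN.1 APPLICATION 0 tag that opens a GSS-API token (SPNEGO/Kerberos).
        return "kerberos-or-spnego"
    return "unknown"

def diagnose(www_authenticate_values, authorization_value=None):
    """One-line verdict for a captured challenge and (optional) reply."""
    schemes = [s.lower() for s in offered_schemes(www_authenticate_values)]
    if not schemes:
        return "no challenge offered"
    if authorization_value is None:
        return "challenge not answered by browser"
    kind = client_token_kind(authorization_value)
    if kind not in ("ntlm", "kerberos-or-spnego"):
        return "unusable reply: " + kind
    if kind == "ntlm" and "ntlm" not in schemes and "negotiate" not in schemes:
        return "browser sent NTLM but server did not offer it"
    return "browser answered with " + kind

# Constructed sample tokens (not captured traffic).
SAMPLE_NTLM = base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_GSS = base64.b64encode(b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

if __name__ == "__main__":
    challenge = ["Negotiate", "NTLM"]
    print(diagnose(challenge))                                # browser gave up
    print(diagnose(challenge, "Negotiate " + SAMPLE_NTLM))    # NTLM under Negotiate
    print(diagnose(challenge, "Negotiate " + SAMPLE_GSS))     # GSS-API token
```

A reply classified as `ntlm` under a `Negotiate` challenge means Kerberos was not used for that request, which is the case the Service Principal Name question above is about.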
I have created a simple WebForm asp.net web site. I have disabled the Windows Authentication checks within the code but set IIS8 to "Windows Authentication" as well as the web.config. I perform the Identity.IsAuthenticated check in the backend to ensure the user is authenticated.
My issue is I get "The page cannot be displayed, please check your URL is correct". (This is in IE)
If I set my authentication to Anonymous the site works fine. I disable Anonymous Authentication and enable Windows Authentication only and receive this error. I have done quite a bit of reading now and think I am just missing something small.
I used the IIS "default site" and set it to Windows Authentication and got a login prompt (as expected).
The server is running IIS8, windows 2012. Windows Authentication is installed as a feature, IIS site settings is set to use Windows Authentication only, as is the web.config. The web.config doesn't have Authorization tags for deny and allow but has <authentication mode="Windows" />. The errors occur on both IE and Firefox. No windows events are logged so I assume it's purely an authentication error that isn't displaying the site. The AppPool is set to Identity.
I think what confuses me most is the "default site" (with no code or logic) works and my site doesn't. The default site also doesn't have a web.config.
Any ideas would be grateful.
The issue may have to do with Kerberos.
I had the same issue and whilst troubleshooting server side issues, my coworker indicated that he was able to access the site.
It was then I realized my issue was a client side issue. Something may have been wrong with my Kerberos tickets. Maybe the domain controller that initially issued the ticket to me went offline. Rebooting my workstation was what got windows authentication working for me again.
Some other things you can try are:
- Try changing your windows authentication provider to NTLM as a test:
  - Click on the site -> Click Authentication -> Click Windows Authentication -> Click Providers
  - Move NTLM to the top or add it if it isn't there.
  - Click ok.
  - IISReset. And try again.
- If you prefer to use Kerberos, you may have to set the service principal names using the setspn.exe command. For more information on Kerberos: https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
Other things to check:
- Check your authorization rules and .NET Authorization Rules to ensure All Users are allowed to access the site.
- Look in your IIS logs located at C:\inetpub\logs for more clues. In the folder, you'll find a folder for each site named after the site's id. You can find the site id clicking Sites on the IIS Management console. The site ids of each site will be displayed there.
- Verify the application pool identity of the site has enough permissions.
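The log check suggested above can be scripted. This is an added example, not part of the original answer: it reads IIS W3C log lines and lists the client/URL pairs that only ever received 401 responses. The sample log and the choice of logged fields are constructed; field names come from the `#Fields:` directive of whatever log is supplied.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2015-03-02 10:15:01 GET /default.aspx - 10.0.0.20 401 2 5
2015-03-02 10:15:01 GET /default.aspx - 10.0.0.20 401 1 2148074254
2015-03-02 10:15:01 GET /default.aspx CORP\\alice 10.0.0.20 200 0 0
2015-03-02 10:16:40 GET /login.asp - 10.0.0.31 401 2 5
2015-03-02 10:16:44 GET /login.asp - 10.0.0.31 401 2 5
"""

# IIS meanings of the 401 sub-status codes most relevant to Windows auth.
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
}

def parse_w3c(lines):
    """Yield one dict per request, named by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def stuck_clients(records):
    """Map (client IP, URI) -> 401 sub-statuses, for pairs that never got past 401.

    A 401 on the first request of a Windows-auth handshake is expected, so only
    pairs with no non-401 response at all are reported."""
    seen = defaultdict(lambda: {"passed": False, "subs": set()})
    for r in records:
        entry = seen[(r["c-ip"], r["cs-uri-stem"])]
        if r["sc-status"] == "401":
            entry["subs"].add(r.get("sc-substatus", "?"))
        else:
            entry["passed"] = True
    return {k: sorted(v["subs"]) for k, v in seen.items()
            if v["subs"] and not v["passed"]}

def report(lines):
    """Readable lines, one per stuck client/URL pair."""
    out = []
    for (ip, uri), subs in sorted(stuck_clients(parse_w3c(lines)).items()):
        why = "; ".join("401.%s %s" % (s, SUBSTATUS.get(s, "other")) for s in subs)
        out.append("%s %s never authenticated: %s" % (ip, uri, why))
    return out
```

Call `report(open(path).read().splitlines())` on a log file from the site's folder; the `sc-substatus` field has to be enabled in the site's logging settings for the sub-status to appear.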
I want to implement a .NET web site with AD authentication. If the site is accessed internally then it should automatically log in with the current user.
BUT if the site is accessed from outside the organization then it should redirect the user to a custom login form where the user can enter AD login details.
Can anyone guide how we can achieve this functionality and what configuration is required?
- ASP.NET
- IIS Configuration
- Firewall (if required)
- Any other configuration required.
Thanks in advance
I believe you can do that by enabling Windows Authentication and dealing with 401 Not Authorized results by checking if the user is authenticated (meaning he is a Windows user, but is not authorized to access the resource); if he is not authenticated, it means he is not a Windows user and you can redirect him to the login page.
You have to take care of restrictions on Windows users and stuff around that, but I believe it is possible to do, even though I am not a big fan of such an authentication solution.
I have a deployed application that is using the Active Directory Membership Provider in order to authenticate users to our domain on an extranet. The application is using the .NET 3.5 framework. If you run the application locally it goes straight to the login page. But if you run the application from its deployed location on the server it first prompts with a Windows Security login prompt and after logging in, you are taken to the login page where you must login again. Why is this?
Your web application seems to be configured to use Active Directory Authentication (and doesn't allow anonymous access). Your users internally are already logged on to the domain and so IIS simply lets them past.
Your login.aspx page is protected by IIS so that you must be a member of the domain in order to even see the login.aspx page. This is a configuration issue in IIS and has very little to do with asp.net or C#.
If you are using forms authentication, you should be able to allow anonymous authentication in IIS and handle authentication using Forms only. However, this entirely depends on the web app and enabling anonymous access may inadvertently expose information you didn't intend to be publicly accessible.
Without knowing more about your application it's difficult to offer any more advice. Good luck.
Scenario:
- https asp/asp.net website running on IIS 7.5 (windows server 2008)
- IIS currently configured to allow anonymous authentication and forms authentication; asp.net impersonation is disabled while windows authentication is not installed (I understand that windows authentication needs to be installed for this.)
- a single custom login page for both internal and external users
Requirement:
- Internal users seamlessly log in while capturing their LOGON name (windows authentication)
- External users (not on domain) should be prompted with a manual login
Questions:
- What approach can be used to implement this?
- Looking for the IIS 7.5 and web.config settings
Approaches Found:
- make 2 pages within 1 website, winlogin and weblogin (front page). Allow windows auth=true and anonymous auth=false on winlogin.aspx and vice versa on weblogin.aspx
- user with an ip hits weblogin; if the ip is known, redirect to winlogin to capture the logon, and redirect to weblogin if the ip is unknown
- have winlogin.aspx as the main page and redirect 401 errors to weblogin.aspx
This is how to configure IIS for integrated authentication.
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
This will make your site available for intranet users WITHOUT the prompt for credentials.
Note that this also works for web users. A built-in web browser window is displayed as a result of HTTP 401. A user provides his/her credentials and is in.
If you rather want to show your custom web form as a result of 401 (unauthorized), you'd have to trick the browser a little:
http://www.codeproject.com/Articles/11202/Redirecting-to-custom-401-page-when-quot-Access-de
This way you can redirect an unauthorized response to a web form of your choice (for example, to show an asp.net login form).
Although the integrated authentication can be easily configured, prepare for a lot of experiments when setting up your mixed (integrated/forms) authentication. Things change with every version of IIS; also IIS7 behaves differently if a pool is in classic vs integrated mode.
For an ASP.NET MVC 2 application, we are using HttpContext.User.Identity.Name to get the user name for authentication purposes. This works fine when testing. Users who are in the database are able to access areas for which they have permissions, and redirected to a 401 page otherwise. The 401 page displays their username, explaining that this user is not authorized to access this content.
However, in a deployed environment, all attempts to access any portion of the application redirect to the 401 page, and the displayed username is blank!
How can we enable the deployed application to access the username of the request?
From my research, I should go to the following screen and enable Windows Authentication, but it's not in the list!
We had an issue like this too; what we ended up doing was turning off Anonymous Access in IIS. Remember to check the Integrated box at the bottom. Hope this helps
Ah, if you are using IIS 7, you probably need to install it first! Here's a good overview. FTA:
The default installation of IIS 7 does not include the Windows
authentication role service. To use Windows authentication on IIS, you
must install the role service, disable Anonymous authentication for
your Web site or application, and then enable Windows authentication
for the site or application.
If you're not seeing it as an option, you probably don't have it installed.
(Dictated from my Windows 7 machine.) Go to your Start menu and type: Turn Windows features on or off.
Next, in the dialog's treeview, go to Internet Information Services - World Wide Web Services - Security and then check the Windows Authentication checkbox.