I have a problem with this simple piece of code:
public void OnAuthorization(AuthorizationFilterContext context)
{
ClaimsPrincipal user = _httpContextAccessor.HttpContext.User;
ClaimsIdentity identity = user.Identity as ClaimsIdentity;
string userName = identity.Name; //!!!
_logger.Trace("windows user `{0}` is trying to access the system", userName);
var admins = _configurationRoot.GetSection(ConfigDescription.Admins).Get<List<string>>();
if (!admins.Contains(userName))
{
_logger.Trace("Permission denied.");
context.Result = new RedirectResult("/error/unauthorized", false);
}
}
When I launch my asp net app via IIS Express in Visual Studio everything works fine. My logs in this case:
2021-12-25 22:02:53.1783 TRACE windows user `Domain\username` is trying to access the system.
But userName is always empty after publishing on remote IIS.
2021-12-25 19:11:55.2524 TRACE windows user `` is trying to access the system.
2021-12-25 19:11:55.2524 TRACE Permission denied.
I was trying open website from localhost and via domain name, also added it into Trusted Sites, nothing helped.
web.config :
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" forwardWindowsAuthToken="true" arguments=".\BlaBla.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
</configuration>
Anonymous Authentication is enabled on IIS
Because if not, I can't open even error/unauthorized page like this:
To enable windows authentication in IIS need to make sure the followings
Enable Windows Authentication in IIS
Enable Windows Authentication in IIS web application
1. Enable Windows Authentication in IIS
we need to enable Windows Authentication in “Windows features” (Run command : optionalfeatures . Win + R → optionalfeatures)
2. Enable Windows Authentication in IIS web application
Then we need to Enable windows authentication for applications. Can be done in web.config as below or in IIS
web.config
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
IIS
Select the application in left node and select "Authentication" in feature view
Enable Windows Authentication and Disable anonymous Authentication.
More information
IIS Windows Authentication
Windows Authentication in ASP.NET Core
Related
So I have a Windows Authentication Web App in ASP.NET Core 3. It's default generated and has Windows Authentication enabled (ticked the "Windows Authentication Box" when creating). How do I access an API and get it's resources (Json-Objects in this case) when it uses Windows Authentication?
I already added this to the launchSettings.json:
"windowsAuthentication": true,
"anonymousAuthentication": false,
And I added this to the web.config file for hosting later but I don't think it matters as I want to get it running locally in Visual Studio:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>
How do I make my application prompt the user to login with their credentials to verify access to the data from the api (using Windows Authentication)?
I am setting up an ASP.NET CORE 1.0.1 in a Windows 2012 R2 environment on IIS 8. The application connects to an SQL database and has a connection string in the application.json file (info changed):
"ConnectionStrings": {
"Database": "Data Source=qadb;Initial Catalog=companydb;Trusted_Connection=True"
},
In IIS, I've set up the application and the application pool has been set to run as a certain user (say company\sqluser). I verified that company\sqluser has read/write access to the database. The advanced settings for the application pool look as such:
.NET CLR Version: No Managed Code
Enable 32-bit Application: False
Managed Pipeline Mode: Integrated
Identity: company\sqluser
When I run the application, I get the following SQL error message:
System.Data.SqlClient.SqlException: Login failed for user ''.
I would like to have the application connect to the DB as company\sqluser, but for some reason it doesn't seem like it is able to do so. I've also tried running the application pool as my personal user account which has admin rights to the SQL DB and still get the error.
Am I missing a certain configuration?
EDIT: My web.config file is as follows:
<system.web>
<authentication mode="Windows"/>
</system.web>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\CompanyApp.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true">
<environmentVariables>
<environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
</environmentVariables>
</aspNetCore>
<rewrite>
<rules>
<rule name="HTTP to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" /><conditions><add input="{HTTPS}" pattern="off" />
</conditions><action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Try Integrated Security=true instead of Trusted_Connection=True in your connection string.
Integrated Security=true is the syntax for System.Data.SqlClient, while Trusted_Connection=true is the syntax for ODBC.
See https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=netcore-1.0 and https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax
As I am not the developer for the application, I didn't realize that the developer overwrote the connection string in the code instead of using the appsettings.json file. What was missing was the following:
Trusted_Connection=True;
Once I removed the code that overwrote the connection string and made sure that Trusted_Connection was set to True in the appsettings, the application worked.
You can try setting Windows authentication. In IIS, make sure that the windows authentication module is added and enabled on.
Also, need to ensure app pool is running under domain account not local account.
In ASP.net, we usually do like this:
<system.web>
<authentication mode="Windows"/>
</system.web>
In Asp.net core, this way usually works:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-2.2&tabs=visual-studio
I have just uploaded an ASP.NET Core 2.1 app. I get this error when I try to run my website on IIS 8.0
Detailed Error Information:
Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0x8007052e
Config Error Can not log on locally to
C:\Inetpub\vhosts\website-domain.my\dev.website-domain.my\MSS as user
username with virtual directory password
Config File
\?\C:\inetpub\temp\apppools\dev.website-domain.my(domain)(4.0)(pool)\dev.website-domain.my(domain)(4.0)(pool).config
Requested URL http://dev.website-domain.my:80/MSS/
Physical Path
C:\Inetpub\vhosts\website-domain.my\dev.website-domain.my\MSS\
Logon Method Not yet determined
Logon User Not yet determined
Config Source:
<application path="/MSS" applicationPool="dev.website-domain.my(domain)(4.0)(pool)">
<virtualDirectory path="/" physicalPath="C:\Inetpub\vhosts\website-domain.my\dev.website-domain.my\MSS" userName="username" password="[enc:AesProvider:4+kg/83a+hodVa/zMgLvRNQjrQjQp82oK77jfYDH0ak=:enc]" />
</application>
I have given full access control to my username user on the MSS folder but i still get this error. My application pool is showing the username user in the Identity column as well. What else am I missing? Could this be a .net core issue also?
I got I similar error when was deploying my ASP.NET Core app to IIS. The error was caused by missing IIS module AspNetCoreModuleV2.
It was fixed by installing ASP.NET Core 6.0 Runtime - https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-aspnetcore-6.0.5-windows-hosting-bundle-installer
My web.config file
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\DevOpsTestService2.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
</configuration>
The error I got
I created a brand new Asp.Net Core 2.0 web mvc application with windows authentication enabled.
If I immediately hit play it prompts me for user credentials which is not what I want. If I hit cancel it then redirects me to a 401.2 unauthorized error screen with the following error:
"You are not authorized to view this page due to invalid
authentication headers."
When I then stop the application and enable anonymous authentication on the project and hit play again, it runs the application successfully but will not display my username. #User.Identity.Name returns empty string.
How do I get around the security prompt while still being able to display my username?
In the .NET Framework, I would use this in the web.config file along with anonymous authentication = true and it would work the way I want:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
I am using Visual Studio 15.4.1.
I think that the <authentication> tag is related to ASP.NET, and not IIS. In ASP.NET Core, the System.Web pipeline doesn't run.
I've had success in implementing Windows authentication with ASP.NET Core by using the following configuration in the web.config
<configuration>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</configuration>
The <system.webServer> section is the one getting modified when you change the authentication settings through IIS Manager.
Edit after Ben's first comment
Sorry, I had misread part of your initial message, and thought that you were trying to deploy your application in IIS.
It looks like Windows Authentication is set up correctly since you get prompted for credentials. What I don't understand is why you get prompted. I'm using IE11, Edge and Chrome, and they all know how to send Windows credentials without prompting me.
What browser are you using when doing your test? Could you try with the ones I listed above?
I to do:
Click Start, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager. In the Connections pane, expand
the server name, expand Sites, and then select the site, application
or Web service for which you want to enable Extended Protection for
Windows authentication. Scroll to the Security section in the Home
pane, and then double-click Authentication. In the Authentication
pane, select Windows Authentication. Click Enable in the Actions
pane. Click Advanced Settings in the Actions pane.
after set in web.config <authentication mode="Windows" />
If I start app from VS2010 - All works well.
If else I start app from IIS I have problem.
Requested user data I enter Computer\NameUser.
then an error:
Error HTTP 401.2 - Unauthorized You have no right to view this page
because of the inadmissibility of the authentication header.
update:
update2:
file: C:\Windows\System32\inetsrv\config\applicationhost.config
<location path="windowsAuthTest">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" userName="User" password="[enc:AesProvider:BZ7e2mkTjJL7Wo8xMm2PQKZ2biP1nKB2SjAfw9WmJoBhkMbl4DYqEJU0bzIj3CxF:enc]" />
<windowsAuthentication enabled="true" useKernelMode="false">
<extendedProtection tokenChecking="None" />
<providers>
<clear />
<add value="NTLM" />
<add value="Negotiate" />
</providers>
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
</location>
Take a look at my previous answer.
Basically, that means that the authentication ticket does not match the expectation of the server.
You should force the server to use NTML or Kerberos (depending on your authentication strategy).
[Edit] as appcmd can be a bit obscure, here is the manual stop to force NTLM authentication.
Navigate to C:\Windows\System32\inetsrv\config
Backup, Backup, Backup and rebackup applicationhost.config
To be sure backup again
Open the file applicationhost.config with your favorite xml editor
search for the node <location path="Your web site name/yourapplication">
Setup the correct authentication provider :
The important part is that there is the <clear /> node. This will break inheritance from the global configuration.
This can be applied to the whole IIS server, or a specific web site, or (like here) a specific web application).
I'm not sure, but I wonder if this can be set in the web.config within the app directly instead of the IIS config file. This merits to be tested.
After that you access to security of your site you must to add right for the user windows.