I installed a MVC 5 web application on a cloud hosted server. It uses Windows authentication. The company itself uses a different domain than the servers in the cloud use.
For example. The company uses xycom as domain and the cloud computers use xycloudcom as domain.
The xycloudcom servers have access to the AD controller of the xycom domain.
Now I installed an application on the cloud server. It has only Windows Authentication enabled and all works fine when accessing from a computer and account in xycom domain.
The only issue is that I am not able to open the website from the server itself. It opens a dialog asking me for my credentials. If I enter them (my xycom account) I get a 401 Unauthorized.
If I enable Anonymous authentication I can open the web site. So it's not a DNS issue.
Can someone help to solve this issue since I need to trigger an action by a console application in ScheduledTasks using a web request.
Server is Windows 2012 R2.
You will not be able to open the site from the server, if that server is not on the same domain.
The integrated windows authentication would work only if there is a trust between your Cloud VM's domain and the xycom comain.
Hope this helps.
Related
I am using Windows Server 2018, IIS 10 and my web application targets .Net Framework 4.5.1. My API, I built using .Net Core 2.1 and Visual Studio 2017. Both the website and the API use windows authentication.
I used this person's tutorial to try and setup Kerberos two hop authentication (https://blogs.msdn.microsoft.com/surajdixit/2018/02/07/kerberos-configuration-manager-for-internet-information-services-server/).
Steps I've taken and tried,
Set the app pool to run under a custom domain account.
Added an SPN to the domain account that points to the website DNS address in the domain
Switched the app pool to classic mode
Turned on Windows Authentication and Impersonation for the website.
Had system admin grant the custom domain account delegation rights.
The current problem I am facing, is now that I made all these modifications to the app pool and the website in IIS, when I try to connect to the website, it prompts for credentials, which shouldn't happen as it should authenticate me through my windows domain account, when I input the credentials, it just refreshes with the prompt for credentials again. When running locally everything works correctly and the HttpClient in my web application successfully calls out to the API.
I have spent hours on this and would appreciate any help. I am out of ideas.
So after trying multiple walkthroughs and working with other developers, I found that the issue was both applications, the web app and the api, running on the same server. Once I moved the api to it's own dedicated server, I had no need for impersonation and was able to just load the user profile credentials from the app pool as it was running as a domain account. HttpClient and WebClient objects were both successful then at making requests to the api by setting UseDefaultCredentials = true.
If anyone ever has this issue, try hosting your api on a different server. I spent a few days thinking it was something I had done wrong in configuring things, and in the end, it was just where I was hosting the applications.
There may be a way to make this work successfully on the same server, but I was unable to make it work. Maybe someone else who is more experienced can add to this post to help show how to do this on the same server. Happy coding everyone.
I am completely a novice about Asp.net and Azure platform. I created a simple web application in VS2013 and deployed it to Azure web application. When I try to open my url (xxx.azurewebsites.net) it shows me a login page that my local application does not consist.
I digged some info about it, but due my knowledge level of web development and Azure platform, I did not understand the problem. It seems Azure Active Directory should be used, but I am not certain about it.
My question is, is there a way to skip the login page? If not, how can I define credentials to my application to be accessed?
Thank you.
As far as I know, Visual Studio 2013 offers several authentication options (No Authentication, Individual User Accounts, Organizational Accounts and Windows Authentication) for the Web Forms, MVC, and Web API templates.
According to your description, it seems that you select Organizational Accounts option for your application, which will configure the application to use Windows Identity Foundation (WIF) for authentication based on user accounts in Azure Active Directory (Azure AD, which includes Office 365) or Windows Server Active Directory. If you don’t want authentication for your application, please choose No Authentication option when you create the project.
I have created a self-hosted ASP.NET Web API service (using OWIN) that I am running as a Windows service. I want the user to have the option of using Windows authenticated users in SQL Server and I would like the browser/user-agent accessing the (REST API) web service to pass through the NTLM user info so that they get Windows authenticated access to the SQL Server database.
Is there a standard way of doing this?
Thanks.
I have an MVC application that will be running on an IIS 7.5 Server in an application pool running under a service account.
In my application I make a connection to a TFS server, this connection needs to be made by the service account.
My application enforces windows authentication, this is so I can gather usage data about which users use the application. I do this through a custom Action Filter in MVC to collect the username like this: HttpContext.User.Identity.Name
How is it possible for me to impersonate the service account, yet be able to keep the windows username of the original user? I can successfully connect to my TFS server if I use anonymous authentication, while running the application pool under the service account.
Let me know if you need more information.
i have a WCF service hosted in a managed windows service. This WCF service communicate with sharepoint through the client object model in order to create, delete and update the document. My WCF service use a netTCPBinding with message security and windows authentication.
I need to retrieve the identity of the caller to have the right user under the property 'create by' of the sharepoint document.
Without activating impersonation, the wcf run under an network application account (app_svc) and when i create a document, the 'create by' property have this value: 'app_svc'
When i use impersonation, the sharepoint give me a http 401 error. The WCF service and sharepoint are not on the same machine.
How i can do it? Note that i have no rights and no access on the Active Directory and the domain controller server.
Any Help would be appreciated.
i am not familiar with sharepoint. but when you're impersonating a client and try to forward the credentials to another machine, you have to ensure the following items:
the client gets authenticated through kerberos (set SPNs)
the sharepoint authenticates users though kerberos as well (set SPNs)
delegation to the target SPNs is activated on the technical domain account of the IIS application pool / service. If it is running under a local built-in account (network service, local system etc) delegation has to be activated on the computer account object in AD.
The whole scenario is also known as double-hopp scenario.
I cannot write a complete guide here. Best you google for impersonation, delegation and double-hop.
All the steps i mentioned require access to a AD domain controller.