How to get Windows user credentials using forms authentication? - c#

All our libraries and application use forms authentication, so it is necessary to use it here.
The application is hosted on IIS with the settings below:
anonymous authentication: enabled
forms authentication: enabled
windows authentication: disabled (this must not be changed)
This returns the user that IIS runs under (in my case IIS APPPOOL\tdm):
string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string userName = Environment.UserName;
In web.config:
<authentication mode="None" /> //(this again must not be changed)
Is it possible somehow to take the Windows credentials of the user who uses the application?
My job is, when someone enters the app, to log in with these credentials automatically, but for that I must find a way to take his Windows user account.

I don't think that what you are asking for is possible within a standard webforms framework. You cannot automatically get a browser to send the windows credentials without enabling windows authentication.
If the application is hosted on the same domain, it is relatively easy to use standard forms authentication with an existing AD username/password - also called Single Sign On.
When you enable Windows authentication in an application, and then make a request from a browser, it actually returns a 401 - Unauthorized status code. The browser then decides based on your settings whether to send your identity in a second request. This may happen automatically, or it may prompt for credentials.
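The forms-login-against-AD approach mentioned in the answer above, as an added example that is not part of the original posts. It assumes forms authentication is the active mode; the class name `AdFormsLogin` and the domain `CORP.EXAMPLE` are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // add a reference to this assembly
using System.Web.Security;

public static class AdFormsLogin
{
    // Assumption: placeholder domain name; replace with your own AD domain.
    private const string Domain = "CORP.EXAMPLE";

    // Issues the forms-authentication ticket only after AD accepts the password
    // the user typed into the login form. Nothing is taken from the browser silently.
    public static bool TrySignIn(string userName, string password)
    {
        // Reject empty input before it reaches the directory.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return false;

        // Accept "DOMAIN\user" or "user"; always validate against the configured domain.
        int slash = userName.IndexOf('\\');
        string sam = slash >= 0 ? userName.Substring(slash + 1) : userName;

        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Negotiate (Kerberos/NTLM) with signing and sealing, rather than a
            // simple bind that hands the password to the domain controller as-is.
            const ContextOptions opts = ContextOptions.Negotiate
                                      | ContextOptions.Signing
                                      | ContextOptions.Sealing;
            if (!ctx.ValidateCredentials(sam, password, opts))
                return false;
        }

        // Non-persistent cookie: the ticket ends with the browser session.
        FormsAuthentication.SetAuthCookie(Domain + "\\" + sam, false);
        return true;
    }
}
```

Serve the login form over HTTPS only, since the password travels from the browser to the web server in the form post.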

Related

Umbraco and Windows Authentication

My team is trying to set up an intranet portal powered by Umbraco which requires Windows Authentication for authenticating its users that are stored as (Umbraco) Members.
Currently we have done the following:
In the Authentication Feature of IIS, we enabled only Windows Authentication at the root of the web site (all other authentication options are disabled).
In Web Config, we changed the Authentication settings mode attribute from Forms to Windows.
The username of the Members is stored in the domain\username format.
That works fine as far as it concerns authentication and authorization of members in the front end. But in the back office (that requires Forms Authentication), it does not work well with the above settings, as sometimes the browser displays the authentication popup window and requires the back office user to enter his (domain) credentials, or sometimes randomly terminates the back office user's session and logs the user out.
Is there any suggested way for implementing Windows Authentication for Umbraco portals that does not raise such issues in the back office?
Any help will be greatly appreciated.

C# asp.net - get windows user login account on deploy server

I am using C# asp.net to get the Windows login account (domain\username) to log in to my web automatically. I can get the account correctly when I run the statement "System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()" locally in Visual Studio. However, after deploying the web page to the deploy server, it returns "NT AUTHORITY\IUSR".
Most of the solutions I found on the internet are to use Windows Authentication instead of Anonymous Authentication. I have tried this solution and a user login window is prompted when I run the web. It needs the username and password for the deployed server to be entered. However, my Windows user login account cannot log in to the deploy server. Therefore I cannot run the web on my computer.
I would like to know whether it is possible to get the Windows user login account if my Windows account cannot log in to the deploy server.
Please try to enable two Authentication methods. First you have to enable Windows Authentication like you already mentioned to pass your credentials automatically to the server (of course only in Intranet).
Additionally you have to activate ASP.NET Impersonation to allow the server to use the passed credentials.
The Help tells you why:
Use ASP.NET Impersonation authentication when you want to run your
ASP.NET application under a security context different from the
default.
In your web.config you have to add the following nodes to your system.web node to tell your application to pass your credentials to the server:
<identity impersonate="true"/>
<authentication mode="Windows" />

How do I get the current Windows logged-in user's username?

I am developing an intranet application using ASP.NET MVC 4. I am using custom forms authentication. When the user accesses the application I want to take the user's Windows logged-in username and check that username in my database. But I don't know how to take that username. I try to take it using the following code:
string CurLoggedInUsername = Environment.UserName;
This gives me the username when I run from Visual Studio, but when I host my application on IIS it gives a weird value. I also tried to use
string CurLoggedInUsername = HttpContext.Current.User.Identity.Name;
but no use. Is there a way to get the user's Windows logged-in username before authentication?
It sounds like you may need to consider mixed-mode authentication. I.e. Windows and Forms authentication. The thing is they don't necessarily play well together.
The following article describes the problem and how to overcome it. The thrust of the article centres around how a 401 challenge (Windows authentication) and 302 redirect (forms authentication) are incompatible in > IIS 7 integrated mode and a way to use a couple of forms and HTTP pipeline interception to get at user details. I used the approach successfully for a large public sector client (albeit for a webforms application). I'm sure the principles are the same.
IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication
I forgot to add in the code examples the right place to look for Windows authentication credentials are presented. It's been a while, so I can't remember it off the top of my head.

Get Windows user credentials with windows authorization disabled in IIS

Is it possible to grab a user's Windows credentials (i.e. username) without having Windows authentication enabled in IIS? With Windows auth disabled the code below returns either NT AUTHORITY or IIS APPPOOL\ASP.NET v4.0 depending on whether impersonation and anonymous authentication are enabled or not.
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
I am converting an asp.net web application that is using forms authentication to custom authentication. Basically if a user is connecting from outside the network I force a credential check whereas if they are connecting from within the network I would like to be able to just grab their windows username. The internal portion works when I turn on windows authentication but I get the popup login box when testing outside of the network. I either need to disable windows authentication for non local connections or figure out how to get the windows username with windows authentication disabled. Any suggestions? (The other alternative i thought of was splitting the application in two and having separate authentication modes for each but I'd like to avoid this).
-I have also tried:
System.Web.HttpContext.Current.User.Identity.ToString();
System.Threading.Thread.CurrentPrincipal.ToString();
Something like this is actually (kind of) possible using Active Directory Federated Services. In the event of a Windows user from inside the network they can be configured to use their account details. For external users, they can be redirected to a page that will require them to log in.
However, this is very heavy-duty and an extreme pain in the..neck to implement and is really only applicable to enterprise solutions that have the resources to use this kind of solution. Otherwise, I'd say go with the 2 site approach.
Simple answer is no.
Best solution is to create 2 sites. One for internal users that uses Windows authentication, one for external users that uses forms authentication but authenticates against AD. You can make users always go to the external site by default and then redirect based on their IP. That is, redirect intranet users to internal user.

Windows Authentication not working on server

I'm developing a website in ASP.NET and C#.
I've created the website so when a user goes to the site, his windows client username is read out with:
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
and then I lookup his username in the db and create a user object with all necessary data (team, name, permission level, role, ...) from the return data.
Then I keep this object in a session var until the user logs out.
This was working like a charm locally but now that I've deployed to the server I get defaultAppPool for every user.
What am I doing wrong?
In my web.config file I have:
<authentication mode="Windows" />
I have to admit this is the first time that I'm doing the deploying myself and everything went smoothly except for this.
As you've discovered, System.Security.Principal.WindowsIdentity.GetCurrent() gives you the identity of the application pool.
You should be using HttpContext.Current.User.Identity.
Windows authentication and IIS
If you select Windows authentication for your ASP.NET application, you also need to configure authentication within IIS. That’s because Windows authentication is delegated back to IIS. IIS gives you a choice of four authentication methods:
If you select anonymous authentication, IIS does not perform any authentication. Anyone is allowed access to the ASP.NET application.
If you select basic authentication, users must provide a Windows username and password to connect. This information is sent across the network in clear text, making basic authentication dangerously insecure on the Internet.
If you select digest authentication, users must still provide a Windows username and password to connect. However, the password is hashed before being sent across the network. Digest authentication requires that all users be running Internet Explorer 5 or later and that Windows accounts be stored in Active Directory.
If you select Windows integrated authentication, passwords never cross the network. Users must still have a Windows username and password, but either the Kerberos or challenge/response protocols are used to authenticate the user. Windows-integrated authentication requires that all users be running Internet Explorer 3.01 or later.
Get current user identity as:
var userWinId = HttpContext.Current.User.Identity as WindowsIdentity;
Use
System.Web.HttpContext.Current.User.Identity.Name
instead of
User.Identity.Name
or
System.Security.Principal.WindowsIdentity.GetCurrent().Name
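The difference the answers above draw between the application-pool identity and the request's authenticated user, as an added example that is not part of the original posts. `WhoAmIHandler` is a hypothetical diagnostic handler for a test site; it prints each identity side by side so the IIS authentication settings can be checked after deployment.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical diagnostic handler: map it to a path such as whoami.ashx on a test site.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write(Describe(context));
    }

    public static string Describe(HttpContext context)
    {
        var sb = new StringBuilder();

        // Account the code is executing as: the application pool, or the
        // impersonated account when <identity impersonate="true"/> is set.
        sb.AppendLine("Process/thread identity : " + WindowsIdentity.GetCurrent().Name);

        // Windows token IIS attached to this request; this is the anonymous
        // account when anonymous authentication served the request.
        sb.AppendLine("Request logon identity  : " + context.Request.LogonUserIdentity.Name);

        // The caller as ASP.NET sees it. Use this for authorization decisions.
        IPrincipal user = context.User;
        bool authenticated = user != null && user.Identity.IsAuthenticated;
        sb.AppendLine("Authenticated           : " + authenticated);
        sb.AppendLine("Authentication type     : "
            + (authenticated ? user.Identity.AuthenticationType : "(none)"));
        sb.AppendLine("Request user            : "
            + (authenticated ? user.Identity.Name : "(anonymous)"));

        // A WindowsIdentity here means the name came from Windows authentication,
        // not from a forms ticket or a custom principal.
        var win = authenticated ? user.Identity as WindowsIdentity : null;
        sb.AppendLine("Is Windows identity     : " + (win != null));
        return sb.ToString();
    }
}
```

Remove the handler once the settings are confirmed, since it discloses the service account name to any caller.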
