I am attempting to use Integrated Windows Authentication on IIS for an MVC web app. The original hope was that the user would be logged in automatically using the current Windows user credentials. I am running into the issue where the user is always prompted to enter user name and password. I have decided that we can live with this. However, I have also noticed that the user can enter any valid domain credentials...it's not limited to the currently logged in machine. But if this is the case, I need to provide a logout button, so the user can be switched if necessary.
Everything I can find on this issue, logging out in Windows Authentication, says you cannot do it because it pulls the credentials from the machine login. But it's obviously not doing that in my case, because I can enter any valid credentials and log in successfully. So a user could be logged onto the machine as user X, and then, when prompted, log into the web app as user Y. Am I to understand that, under Windows Authentication, there's no way to address this?
Are you sure you selected Windows Authentication while creating the project? Confirm that, and if yes, proceed to check in your web.config that the application authentication is set to Windows.
I've got an MVC application configured to use Windows Authentication in IIS.
So if a user accesses the app from a machine within the same domain and a browser which supports WIA, no credentials dialog will be displayed and the user is logged in right away.
If a user accesses the app from a browser or a machine which does NOT support WIA or is outside the domain, the credentials dialog is displayed correctly.
Additionally I'd like to teach the app the following behavior.
Some users from the domains are not allowed to access my application, so the app should reject the user (e.g. it is not within a specific AD group) even though it has authenticated successfully, and force it to enter the credentials of a different user manually using the same dialog which is used to authenticate users using a browser not supporting it.
Thank you a lot in advance!
Got it - modifying the web.config according to this post does the trick.
https://serverfault.com/questions/352647/restrict-access-to-iis-site-to-an-ad-group
I'm continuing someone else's development AND I don't know much about current practices for authentication in MVC applications.
The only things that are set about authentication are in the application's IIS configuration:
.NET Authorization Rules = Allow, All Users
Authentication:
Anonymous Authentication: Enabled
ASP .NET Impersonation: Disabled
Windows Authentication: Enabled
With this configuration, on the server, the browser asks me for a login/password. I enter my network login.
Then I can identify the user with Request.RequestContext.HttpContext.User.Identity...
On a local computer where I log in using the same login/password: no user is logged in the application (Request.RequestContext.HttpContext.User.Identity.Name == ""). If I disable Anonymous Authentication, the browser simply keeps re-asking for login/password infinitely.
My first problem is that I would like to be able to log out on server.
From the scarce info I got here and there I have already tried:
FormsAuthentication.SignOut(); --> does nothing
WebMatrix.WebData.WebSecurity.Logout(); --> Exception, tries to access a database (I got this from one of the VS2012 templates but I didn't think it would apply to my context).
if(this.Request.RequestContext.HttpContext.Session != null)
this.Request.RequestContext.HttpContext.Session.Clear(); --> Session is null, so this does nothing.
So, how can I log out in order to relog as a different user?
(I would also like to be able to identify the user on local computer, but I think that should be asked in another topic.)
Removed FormsAuth logout method as the question is for Windows Auth... doh!
Update:
To get the logged in user name try the IPrincipal Controller.User:
User.Identity.Name
Doh, my bad, you're using Windows Authentication...
In which case it's the browser that is caching the credentials not the server / IIS so clearing the session won't achieve anything.
Taken from here:
"The user credentials are being cached by the client browser, not by IIS. To
force the client user to enter credentials again, you would need to send an
appropriate 401 status message in response to the next client request.
However, doing this would run counter to very legitimate user expectations
of how Windows authentication is supposed to work, so you may want to
reconsider. When Windows user credentials have already been accepted by a
server (either via a login dialog or automatic submission under IE
configuration for the target site or zone), a 401 is only expected if a
requested resource cannot be accessed under the previously supplied
credentials. When you send a 401 after any credentials have been previously
accepted, the user should expect that they need to use different credentials
from their initial login. If you're expecting the same credentials, then
user confusion should be anticipated.
All in all, if you really want to force a new login, perhaps a different
authentication mode might be more appropriate."
For an IE only workaround see this SO post.
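The quoted answer above describes the mechanism (a 401 after credentials were accepted makes the browser re-prompt) but gives no code. The following is an added example, not code from any post in this thread: a hypothetical AccountController for an ASP.NET MVC app under IIS with both Windows Authentication and Anonymous Authentication enabled. It uses a short-lived cookie to distinguish the challenge round trip from the re-authenticated request that follows, so the action cannot loop when IE silently resends the same cached credentials; the controller, cookie name and messages are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical controller (added example, not from the thread) for an MVC app
// under IIS with Windows Authentication and Anonymous Authentication enabled.
public class AccountController : Controller
{
    private const string SwitchCookie = "SwitchUser";

    // GET /Account/Logout : remember who is signed in, then start the switch.
    [AllowAnonymous]
    public ActionResult Logout()
    {
        Response.Cookies.Add(MakeCookie("pending:" + User.Identity.Name, 10));
        return RedirectToAction("SwitchUser");
    }

    // GET /Account/SwitchUser : first visit challenges, second reports the outcome.
    [AllowAnonymous]
    public ActionResult SwitchUser()
    {
        HttpCookie cookie = Request.Cookies[SwitchCookie];
        if (cookie == null) return RedirectToAction("Index", "Home");
        string[] parts = cookie.Value.Split(new[] { ':' }, 2);
        string previousUser = parts.Length > 1 ? parts[1] : "";
        if (parts[0] == "pending")
        {
            // A 401 makes the browser discard the credentials cached for this site and
            // prompt again (IE in the intranet zone may silently resend the same ones).
            // IIS's Windows Authentication module adds the WWW-Authenticate headers.
            Response.Cookies.Add(MakeCookie("challenged:" + previousUser, 10));
            Response.TrySkipIisCustomErrors = true; // keep our headers on the 401
            return new HttpUnauthorizedResult();
        }
        // The browser answered the challenge. Clear the marker first so this action
        // cannot loop if the same cached credentials were simply resent.
        Response.Cookies.Add(MakeCookie("", -1));
        string current = Request.IsAuthenticated ? User.Identity.Name : "anonymous";
        return Content(current.Equals(previousUser, StringComparison.OrdinalIgnoreCase)
            ? "Still signed in as " + previousUser + " (cached credentials were resent)."
            : "Now signed in as " + current + ".");
    }
    // Scoped to the SwitchUser URL so the marker only travels on that round trip.
    private HttpCookie MakeCookie(string value, int lifetimeMinutes)
    {
        return new HttpCookie(SwitchCookie, value) { HttpOnly = true,
            Path = Url.Action("SwitchUser", "Account"),
            Expires = DateTime.UtcNow.AddMinutes(lifetimeMinutes) };
    }
}
```

As the quoted answer warns, users whose browser auto-submits cached credentials will see "still signed in" rather than a prompt, which is the expected Windows authentication behaviour rather than a bug.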
I'm trying to develop an intranet app/website that uses Windows authentication.
I'd like to test it with multiple users, for roles etc.
At the moment I'm only using my own domain account. Is there a way I could simulate different users for the site?
As a picture is worth a thousand words, here is how to do it in IE, based on 2GDev's comment copied here for clarity:
Go to Internet Options => Security => Local Intranet => Custom Level
and change the User Authentication to "Prompt for username and
password"
Click OK then Apply. Close the browser. Reopen it and point it to the website's URL you want to debug. You should happily see the login prompt where you can login with a different User account to simulate concurrency for example (this is what I'm doing right now here):
When you use Windows Authentication you can change your identity by running the browser as another user.
In windows, go to the browser exe (or a shortcut), right-click on the icon and select "Run as.." from the menu. This will prompt you to specify the username and password to run the account under.
Provided the identity you specify has access to the machine you are running on, the browser will then be running "as" identity specified. If you browse to a site using Windows Authentication, it will authenticate using the identity specified, instead of your own.
Use Impersonation...
From MSDN
Impersonation
An ASP.NET application can use impersonation to perform operations and
access resources with the security context of the authenticated client
or of a specific Windows account.
And in your web.config
<identity impersonate="true" username="TestUser" password="P#ssw0rd" />
How about installing and running Virtual PC with some ready-to-download installed systems from MS?
By running a virtual PC on your computer you can emulate connections to your PC, and at the same time it looks like a different computer, with a different IP.
In my case, there are DB tables with users and their properties. The users table has a login field (Domain/UserName). There are also a custom Identity and Principal, which use this table to authenticate the user in the global.asax authenticate_request method.
To simulate different users in debug mode, there is a special control rendered in the master page (or layout page for MVC). It contains a select box with all users, and an apply button.
On the server side, after the apply button is clicked, the emulated user login is pushed into the session and a refresh is sent in the response.
So in the next authenticate event a check for the emulated user login in the session occurs, and if it exists, authentication continues based on the emulated login.
Bad side: you need a sync service to always have an up-to-date user table based on the current AD.
Below is the scenario for a virtual directory. Following are the settings in IIS:
Enable Anonymous Access is DISABLED (check box is unchecked).
Integrated Windows Authentication is DISABLED (check box is unchecked)
Basic authentication is ENABLED (checkbox is selected)
In the web.config of the webapplication (for the same virtual directory above) the setting is as follows:
When I browse an aspx page of the above web application it asks for username and password.
User enters username and password (in the dialog which appears as a part of windows authentication).
I can get the username that user has entered if the login is successful.
Is there any way I can get the username (that the user has entered) even if the login fails?
Regards,
test_win
I don't believe that failed authentication information is stored in IIS in a way that's exposed to ASP.NET. If you were doing forms based authentication you would be able to track the invalid username/password, but since IIS is handling the authentication, I don't think you can get that information from code.
The logon attempt would be stored in the IIS log files, which you could process later from a separate process. You would want to look for 401/403 errors where a username is supplied.
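The answer above points at the IIS log as the place where a failed logon attempt survives. The following is an added example, not from the thread or from IIS: it parses W3C extended log lines using the field order declared in the `#Fields:` header, and reports every 401 that carries a cs-username, which is the "401 where a username is supplied" the answer suggests looking for. The log lines are constructed for illustration and assume the scheme logs the submitted name on the failed attempt (sc-substatus 1 is 401.1, logon failed).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not from the thread): scans IIS W3C log lines for 401 responses
// that carry a cs-username, i.e. attempts where the browser actually submitted
// credentials. The log lines below are constructed for illustration.
public static class IisLogScan
{
    public const string SampleLog =
        "#Software: Microsoft Internet Information Services 7.5\n" +
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status\n" +
        "2013-04-02 09:15:01 10.0.0.5 GET /app/Default.aspx - 80 - 10.0.0.9 401 2 5\n" +
        "2013-04-02 09:15:03 10.0.0.5 GET /app/Default.aspx - 80 CORP\\alice 10.0.0.9 401 1 1326\n" +
        "2013-04-02 09:15:09 10.0.0.5 GET /app/Default.aspx - 80 CORP\\alice 10.0.0.9 200 0 0\n" +
        "2013-04-02 09:16:20 10.0.0.5 GET /app/Default.aspx - 80 CORP\\bob 10.0.0.12 401 1 1326\n";

    public sealed class FailedLogon { public string When, User, ClientIp, Uri; public int SubStatus; }

    // Returns one entry per 401 whose cs-username is present ("-" means none was logged).
    public static List<FailedLogon> FindFailedLogons(string log)
    {
        var hits = new List<FailedLogon>();
        string[] fields = null;
        foreach (string raw in log.Split('\n'))
        {
            string line = raw.TrimEnd('\r');
            if (line.StartsWith("#Fields:"))   // column order is declared in the log itself
            {
                fields = line.Substring(8).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                continue;
            }
            if (line.Length == 0 || line[0] == '#' || fields == null) continue;
            string[] cols = line.Split(' ');
            if (cols.Length != fields.Length) continue;          // malformed line, skip it
            var row = Enumerable.Range(0, fields.Length).ToDictionary(i => fields[i], i => cols[i]);
            if (row["sc-status"] != "401" || row["cs-username"] == "-") continue;
            hits.Add(new FailedLogon
            {
                When = row["date"] + " " + row["time"],
                User = row["cs-username"],
                ClientIp = row["c-ip"],
                Uri = row["cs-uri-stem"],
                SubStatus = int.Parse(row["sc-substatus"])
            });
        }
        return hits;
    }
}
```

On the sample above, `FindFailedLogons(SampleLog)` returns the two 401.1 entries for CORP\alice and CORP\bob; the initial anonymous 401.2 challenge and the later 200 are skipped.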
I am building an intranet application. The requirement is to log in the user without asking for credentials, using the Windows credentials he has logged on to the computer with; the user, if he wants, can log out from the application and log in using the Windows credentials pop-up.
Use Windows Authentication.
Though, I don't think there's really a way to sign out of a website using Windows authentication. You're either authenticated or you aren't.
Also, I believe the automatic logging in will only occur:
When using IE
After saving credentials after logging in the first time in other browsers
After editing browser-specific settings (like FireFox's NTLM setting)