Force user to enter credentials manually while using WIA - c#

I‘ve got a MVC application configured to use Windows Authentication in IIS.
So If an user accesses the app from a machine within the same domain and a browser which supports WIA, no credentials dialog will be displayed and the user is logged in right away.
If an user accesses the app from a browser or a machine which does NOT support WIA or is outside the domain, the credentials dialog is being displayed correctly.
Additionally I‘d like to teach the app the following behavior.
Some users from the domains are not allowed to access my application, so the app should reject the user (e.g it is not within a specific AD group) even though it has authenticated successfully and force it to enter the credentials of a different user manually using the same dialog which is user to authenticate users using a browser not supporting it.
Thank you a lot in advance!

Got it - modifying the web.config according to this post does the trick.
https://serverfault.com/questions/352647/restrict-access-to-iis-site-to-an-ad-group

Related

Integrated Windows Authentication - Logout

I am attempting to use Integrated Windows Authentication on IIS for an MVC web app. The original hope was that the user would be logged in automatically using the current Windows user credentials. I am running into the issue where the user is always prompted to enter user name and password. I have decided that we can live with this. However, I have also noticed that the user can enter any valid domain credentials...it's not limited to the currently logged in machine. But if this is the case, I need to provide a logout button, so the user can be switched if necessary.
Everything I can find on this issue, logging out in Windows Authentication, says you cannot do it because it pulls the credentials from the machine login. But it's obviously not doing that in my case, because I can enter any valid credentials and log in successfully. So a user could be logged onto the machine as user X, and then, when prompted, log into the web app as user Y. Am I to understand that, under Windows Authentication, there's no way to address this?
Are you sure you selected Windows Authentication While creating the Project? Confirm that and if yes, proceed to check your web.config that application authentication is set to windows.

How to get the Windows client user ASPX C#

I have viewed and tried dozens of "answers" on StackOverflow, but none work.
I have a pretty simple aspx page with C# code behind.
The web site is on a Windows 2008R2 server.
The web site looks like (actual names changed):
MyServer - set for Anonymous Authentication
Application Pools
ASP.NET v4.0 Classic - .Net 4.0, Classic pipeline, App Pool Identity
MySiteAppPool - .Net 2.0, Integrated, runs under a Domain-wide Service identity (call it "mycompany\domservice")
Sites
MyMainSite - Windows Authentication, uses "MySiteAppPool"
"AutoPrint" - my web app, Windows Authentication, uses "ASP.Net v4.0 Classic" app pool, ASP.NET Impersonation enabled
My "AutoPrint" web app has a start page "AutoPrint.aspx" and code behind ("AutoPrint.aspx.cs", plus several classes).
The server and main site are not alterable, as there are several other applications under this site.
The user currently invokes this app with :
http://MyServer/AutoPrint
Everything I have tried is returning the "mycompany\domservice" result:
Request.LogonUserIdentity.Name.ToString() - returns "mycompany\domservice"
System.Environment.UserName.ToString() - returns "domservice"
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() - returns "mycompany\domservice"
What am I missing here? Why is this so hard?
Further clarifications:
"mycompany\domservice" - the "domservice" account is just an ActiveDirectory account in the "mycompany" domain that has permissions to read/write directories needed by the site and other applications. When installing the Site and additional web apps, we use that account as the "connect as" user.
What I am trying to do is to get the ActiveDirectory name of the Windows user account of the person who opened their browser and accessed this app. If user "JJONES" logs into Windows and launches the app with "http://myserver/autoprint", I want to get either "JJONES" or "mycompany\JJONES" as the user name.
If you use anonymous authentication, then the browser does not send any credentials (user id/password) to the server. Therefore if you want the client user id on the server, you have to use non-anonymous authentication, e.g,. Windows or Forms. You can use non-anonymous authentication and then allow or deny access to your web site to specific users or groups of users, or all users.
Thank you for all the helpful comments/suggestions.
The problem turned out to be a combination of factors. The App Pool I was using was using App Pool Identity (which has limited rights), so I had to use a specific account (the domain service account) in the "Connect as..." for the physical path credentials in order to access certain files.
Changing to use an App Pool that used an account with sufficient privileges (the domain service account) allowed me to leave the "Connect as..." using Pass-through authentication when converting to application.
Voila - I now get the user credentials using pretty much any of the proposed methods. After way too many hours of beating my head against the keyboard...
Have you looked at using HttpContext.User property ? This will give the current logged on user. After which point you may need to perform some nifty LDAP queries to get the username from AD.
See https://msdn.microsoft.com/en-us/library/system.web.httpcontext.user(v=vs.110).aspx
You may want to see the below link on how to search AD on the link "How can I search Active Directory by username using C#?"
Hope this helps you.

Logout of MVC4 application

I'm continuing someone else's development AND I don't know much about current practices for authentication in MVC applications.
The only things that are set about authentication are in the application's IIS configuration:
.NET Authrization Rules = Allow, All Users
Authentication:
Anonymous Authentication: Enabled
ASP .NET Impersonation: Disabled
Windows Authentication: Enabled
With this configuration, on the server, the browser asks me for a login/password. I enter my network login.
Then I can get identify the user with Request.RequestContext.HttpContext.User.Identity...
On local computer where I login using the same login/password: no user is logged in the application (Request.RequestContext.HttpContext.User.Identity.Name == ""). If I disable Anonymous Authentication, the browser simply keeps re-asking for loginpassword infinitely.
My first problem is that I would like to be able to log out on server.
From scarse info I got here and there I have already tried:
FormsAuthentication.SignOut(); --> does nothing
WebMatrix.WebData.WebSecurity.Logout(); --> Exception, tries to access a database (I got this from one of the VS2012 templates but I didn't think it would apply to my context).
if(this.Request.RequestContext.HttpContext.Session != null)
this.Request.RequestContext.HttpContext.Session.Clear(); --> Session is null, so this does nothing.
So, how can I log out in order to relog as a different user ?
(I would also like to be able to identify the user on local computer, but I think that should be asked in another topic.)
Removed FormsAuth logout method as the question is for Windows Auth... doh!
Update:
To get the logged in user name try the IPrincipal Controller.User:
User.Identity.Name
Doh my bad your using Windows Authentication...
In which case it's the browser that is caching the credentials not the server / IIS so clearing the session won't achieve anything.
Taken from here:
"The user credentials are being cached by the client browser, not by IIS. To
force the client user to enter credentials again, you would need to send an
appropriate 401 status message in response to the next client request.
However, doing this would run counter to very legitimate user expectations
of how Windows authentication is supposed to work, so you may want to
reconsider. When Windows user credentials have already been accepted by a
server (either via a login dialog or automatic submission under IE
configuration for the target site or zone), a 401 is only expected if a
requested resource cannot be accessed under the previously supplied
credentials. When you send a 401 after any credentials have been previously
accepted, the user should expect that they need to use different credentials
from their initial login. If you're expecting the same credentials, then
user confusion should be anticipated.
All in all, if you really want to force a new login, perhaps a different
authentication mode might be more appropriate."
For an IE only workaround see this SO post.

Get Windows user credentials with windows authorization disabled in IIS

Is it possible to grab a users windows credentials (i.e. username) without having windows authentication enabled in IIS? With windows auth disabled the code below returns either NT AUTHORITY or IIS APPPOOL\ASP.NET v4.0 depending on if impersonation and anonymous authentication are enabled or not.
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
I am converting an asp.net web application that is using forms authentication to custom authentication. Basically if a user is connecting from outside the network I force a credential check whereas if they are connecting from within the network I would like to be able to just grab their windows username. The internal portion works when I turn on windows authentication but I get the popup login box when testing outside of the network. I either need to disable windows authentication for non local connections or figure out how to get the windows username with windows authentication disabled. Any suggestions? (The other alternative i thought of was splitting the application in two and having separate authentication modes for each but I'd like to avoid this).
-I have also tried:
System.Web.HttpContext.Current.User.Identity.ToString();
System.Threading.Thread.CurrentPrincipal.ToString();
something like this is actually (kind of) possible using Active Directory Federated Services. In the event of a windows user from inside the network they can be configured to use their account details. For external users, they can be redirected to a page that will require them to log in.
However. This is very heavy-duty and an extreme pain in the..neck to implement and is really only applicable to enterprise solutions that have the resourses to use this kind of solution. Otherwise, I'd say go with the 2 site approach.
Simple answer is no.
Best solution is to create 2 sites. One for internal users that user windows authentication, one for external user that user forms authentication but authenticate against AD. You can make users always go to external site by default and then redirect based on their IP. That is redirect intranet users to internal user.

Testing intranet site that uses Windows authentication

I'm trying to develop an intranet app/website that uses Windows authentication.
I'd like to test it with multiple users, for roles etc.
At the moment I'm only using my own domain account. Is there a way I could simulate different users for the site?
As a picture is worth a thousand words here it goes how to do it in IE based on 2GDev's comment copied here for clarity:
Go to Internet Options => Security => Local Intranet => Custom Level
and change the User Authentication to "Prompt for username and
password"
Click OK then Apply. Close the browser. Reopen it and point it to the website's URL you want to debug. You should happily see the login prompt where you can login with a different User account to simulate concurrency for example (this is what I'm doing right now here):
When you use Windows Authentication you can change your identity by running the browser as another user.
In windows, go to the browser exe (or a shortcut), right-click on the icon and select "Run as.." from the menu. This will prompt you to specify the username and password to run the account under.
Provided the identity you specify has access to the machine you are running on, the browser will then be running "as" identity specified. If you browse to a site using Windows Authentication, it will authenticate using the identity specified, instead of your own.
Use Impersonation...
From MSDN
Impersonation
An ASP.NET application can use impersonation to perform operations and
access resources with the security context of the authenticated client
or of a specific Windows account.
And in your web.config
<identity impersonate="true" username="TestUser" password="P#ssw0rd" />
How about to install and run the Virtual PC with some ready for download installed systems from MS ?
By running a virtual pc on your computer you can emulate connections to your pc and at the same time, its looks like a diferent computer, with diferent Ip.
In my case, there are db tables with users and their properties. In users table got login field (Domain/UserName). Also got custom Identity and Principal, which using this table to authenticate user in global.asax autherticate_request method.
To simulate different users in debug mode, there is special control rendered in master page (or layout page for mvc). It contain select box with all users, and apply button.
On server side after apply button click in session pushed emulated user login and sending refresh to response.
So in next authenticate event occured checking for emulated user login in session and if it exists then authenticate continues based on emulateded login.
Bad side: need sync service to always have actual user table based on current AD.

Categories