I need to authenticate into a web app using Single Sign-On, through Active Directory. I want to get the userName doing: System.Threading.Thread.CurrentPrincipal.Identity.Name, and then, through LDAP, get the password from the AD, and log into the web app.
The problem is that System.Threading.Thread.CurrentPrincipal.Identity.Name returns empty.
Here is my Web.Config:
<authentication mode="Forms">
<forms loginUrl="~/SignIn" timeout="120" />
</authentication>
Now, I'm using active directory as a way to authenticate, and it works fine. But I also need to make it Single Sign-On.
Thanks
You need to activate Windows authentication.
<authentication mode="Windows" />
Don't forget to install the Windows Authentication feature for IIS.
If you want to use mixed authentication (Forms & Windows at the same time) I recommend OWIN-MixedAuth
You can use HttpContext to retrieve the user identity. You must set authentication mode as "Windows Authentication"
https://stackoverflow.com/a/40938106/950944
I am having an issue accessing a web service with impersonation without a specified user.
Works:
<identity impersonate="true" userName="DOMAIN\USERNAME" password="MyPassword" />
Doesn't Work
<identity impersonate="true" />
While debugging I used the code below to verify the correct Domain and Username were being used, and they are.
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
Here is more of my web.config
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
<deny users="?"/>
</authorization>
I am logging into the prompt, image below
Any ideas why it will only work when I specify a user in the web.config? I am logging in with the same Domain\Username and password that I put into the <identity impersonate="true" userName="DOMAIN\USERNAME" password="MyPassword" />. I've tried with multiple accounts and they all work when I put their credentials in the web.config, but none work with identity set as <identity impersonate="true" /> and logging in.
EDIT
The remote server returned an error: (403) Forbidden.
EDIT 2
Everything works fine while debugging and while hitting the service on the server that contains the IIS it is hosted on. I've tried with multiple accounts and they all work. Everything is on the same domain.
Note the following text from https://support.microsoft.com/en-us/kb/306158
Impersonate a Specific User for All the Requests of an ASP.NET Application
To impersonate a specific user for all the requests on all pages of an ASP.NET application, you can specify the userName and password attributes in the <identity> tag of the Web.config file for that application. For example:
Note: The identity of the process that impersonates a specific user on a thread must have the "Act as part of the operating system" privilege. By default, the Aspnet_wp.exe process runs under a computer account named ASPNET. However, this account does not have the required privileges to impersonate a specific user. You receive an error message if you try to impersonate a specific user. This information applies only to the .NET Framework 1.0. This privilege is not required for the .NET Framework 1.1.
To work around this problem, use one of the following methods:
Grant the "Act as part of the operating system" privilege to the ASPNET account (the least privileged account). Note: Although you can use this method to work around the problem, Microsoft does not recommend this method.
Change the account that the Aspnet_wp.exe process runs under to the System account in the configuration section of the Machine.config file.
You could set up the Aspnet_wp.exe process to run as the user you are trying to impersonate to get the desired privileges.
This has also been discussed before: How do you do Impersonation in .NET?
It could be the NTLM double-hop authentication issue. In short, ensure that Kerberos SPNs are properly set so it is used instead of NTLM. This MSDN blog post has a great explanation.
http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx
Alternatively, basic or forms authentication will also achieve what you're looking to accomplish. This is because the application will have the user's credentials and, if properly configured, can use them to access back end resources.
You may also want to look into Kerberos delegation. It's a way to restrict that second hop to just one resource via its SPN.
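A diagnostic that makes the double-hop explanation above observable from inside the impersonating application (added example, not code from the question or any answer; it assumes the question's <authentication mode="Windows" /> plus <identity impersonate="true" /> are in effect so that WindowsIdentity.GetCurrent() is the caller's token):

```csharp
// Added example, not from the thread above. Reports whether the token ASP.NET
// is currently impersonating can be forwarded to a second server. Assumes the
// request was Windows-authenticated and <identity impersonate="true" /> is set.
using System;
using System.Security.Principal;

public sealed class HopReport
{
    public string User;
    public string AuthenticationType;      // observed as "Kerberos" or "NTLM" for a logon session
    public TokenImpersonationLevel Level;  // Delegation is the only level that survives a second hop
    public bool CanReachSecondHop;
    public string Explanation;
}

public static class DoubleHopCheck
{
    // Convenience overload for use inside a page or controller.
    public static HopReport Inspect()
    {
        return Inspect(WindowsIdentity.GetCurrent());
    }

    public static HopReport Inspect(WindowsIdentity identity)
    {
        var report = new HopReport
        {
            User = identity.Name,
            AuthenticationType = identity.AuthenticationType,
            Level = identity.ImpersonationLevel
        };

        // Only a Delegation-level token carries credentials the web server can present
        // to another machine. An Impersonation-level token (what NTLM yields, and what
        // Kerberos yields when delegation is not configured) is valid for local resources
        // only; the call to the back-end service then arrives without credentials and the
        // remote side answers 401 or 403, which matches the symptom in the question.
        report.CanReachSecondHop = identity.ImpersonationLevel == TokenImpersonationLevel.Delegation;

        if (report.CanReachSecondHop)
        {
            report.Explanation = "Token is delegatable; the back-end call will run as " + identity.Name + ".";
        }
        else if (string.Equals(identity.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
        {
            report.Explanation = "NTLM never produces a delegatable token. Register an HTTP/<host> SPN for the "
                               + "account the application pool runs as so clients negotiate Kerberos, then "
                               + "allow that account to delegate to the back-end service's SPN.";
        }
        else
        {
            report.Explanation = "Kerberos was used but the token is not delegatable; check that the service "
                               + "account is trusted for delegation to the back-end SPN in Active Directory.";
        }
        return report;
    }
}
```

Render the report on a test page while signed in as one of the accounts that fails: if Level is Impersonation rather than Delegation, the 403 from the remote web service is the second hop being refused, and neither the user's password nor the credentials in web.config are the real fix.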
I've got Windows authentication in one of the web projects I've been working on. Since all the others have forms authentication, I want to implement it in this particular project as well. I've followed this article http://www.codeproject.com/Articles/37558/Windows-Authentication-Using-Form-Authentication and added a new login page, but after running the project I got redirected to the same default page it used before.
Here are the changes I made to web.config:
<authentication mode="Forms">
<forms loginUrl="login.aspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
What are my possible mistakes?
When switching to Forms Authentication from Windows Authentication, you'll need to disable Windows Authentication in IIS for your Application. It doesn't do it for you automatically when you enable Forms Authentication in the web.config.
You most likely have both Forms and Windows Authentication enabled in IIS on your Application. I believe IIS will default to Windows Authentication in that case and bypass your login form.
To check that, you can do the following:
Go to IIS
Locate your Application
Go to Authentication
Adjust the following
Anonymous Authentication: Enabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Digest Authentication: Disabled
Forms Authentication: Enabled
Windows Authentication: Disabled
You can also disable Anonymous Authentication if you don't want a landing page prior to logging in as well.
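The same check the answer walks through in the IIS Manager UI, as an added example (not the answer's own code) that reads the effective IIS settings for one application through the Microsoft.Web.Administration API and flags the Forms-plus-Windows combination described above. It assumes a reference to Microsoft.Web.Administration.dll (installed with IIS 7 and later), that it runs elevated on the web server, and that the caller supplies whether the app's web.config sets mode="Forms":

```csharp
// Added example, not part of the answer above. Audits the IIS authentication
// schemes enabled for a site/application and reports the mismatch that makes IIS
// bypass a Forms login page. Assumes Microsoft.Web.Administration is referenced.
using System;
using System.Collections.Generic;
using Microsoft.Web.Administration;

public sealed class AuthAudit
{
    public bool Anonymous, Basic, Digest, Windows;
    public bool FormsInWebConfig;
    public IList<string> Findings = new List<string>();
}

public static class IisAuthAudit
{
    // siteName: e.g. "Default Web Site"; appPath: "/" for the site root or "/MyApp".
    // formsInWebConfig: true when <authentication mode="Forms"> is in the app's web.config.
    public static AuthAudit Run(string siteName, string appPath, bool formsInWebConfig)
    {
        using (var mgr = new ServerManager())
        {
            Configuration host = mgr.GetApplicationHostConfiguration();
            // Location path as used in applicationHost.config, e.g. "Default Web Site/MyApp".
            string location = siteName + appPath.TrimEnd('/');

            var audit = new AuthAudit
            {
                FormsInWebConfig = formsInWebConfig,
                Anonymous = Enabled(host, "anonymousAuthentication", location),
                Basic     = Enabled(host, "basicAuthentication", location),
                Digest    = Enabled(host, "digestAuthentication", location),
                Windows   = Enabled(host, "windowsAuthentication", location),
            };
            Evaluate(audit);
            return audit;
        }
    }

    // Pure rule evaluation, separated so it can be exercised without IIS present.
    public static void Evaluate(AuthAudit a)
    {
        if (a.FormsInWebConfig && a.Windows)
            a.Findings.Add("mode=\"Forms\" in web.config but Windows Authentication is still enabled in IIS: "
                         + "IIS challenges for Windows credentials before the login page is ever reached.");
        if (a.FormsInWebConfig && !a.Anonymous)
            a.Findings.Add("Forms authentication needs Anonymous Authentication enabled so the browser can reach loginUrl.");
        if (a.FormsInWebConfig && (a.Basic || a.Digest))
            a.Findings.Add("Basic/Digest are enabled next to Forms; disable them unless another part of the site needs them.");
    }

    private static bool Enabled(Configuration host, string scheme, string location)
    {
        ConfigurationSection s = host.GetSection("system.webServer/security/authentication/" + scheme, location);
        return (bool)s["enabled"];
    }
}
```

Running Run("Default Web Site", "/MyApp", true) on the poster's server would return Windows = true together with the first finding, which is exactly the "redirected to the same default page" symptom: the request never reaches login.aspx because IIS has already authenticated it.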
I have an asp.net MVC application that will be running on our company's intranet. I want to retrieve the logged on/windows identity of the user in lieu of a login page. Using Current.Request.LogonUserIdentity.Name and running on my local Visual Studio (ASP.Net Development Server), I am able to retrieve the user's domain/username. When published to my intranet webserver (IIS 7), I am only able to retrieve the username of the service my app pool is running under. Is it possible, using Forms authentication, for me to be able to retrieve the logged in user? Many of the discussions I have found suggest switching to Windows authentication...which is not an option for me at this point. My current authentication is forms:
<authentication mode="Forms">
<forms loginUrl="~/User/Logon" timeout="2880" />
</authentication>
my IIS has Anonymous, Impersonation, and Forms authentication enabled.
Did you try Thread.CurrentPrincipal.Identity?
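Both the first question on this page (Thread.CurrentPrincipal.Identity.Name comes back empty under mode="Forms") and the one just above (Request.LogonUserIdentity returns the app pool account on IIS 7) come down to reading the wrong identity source for the configured authentication. The following added example, which is not code from either thread, dumps every identity ASP.NET exposes for a request so the empty one and the reason for it are visible side by side; it assumes an ASP.NET application hosted in IIS and that the caller renders the returned lines on a diagnostic page:

```csharp
// Added example, not from the questions or answers above. Lists each identity
// source for the current request with its name, IsAuthenticated flag and type.
// Assumes an ASP.NET app running under IIS; call Describe(HttpContext.Current).
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;

public static class IdentityDiagnostics
{
    public static IList<string> Describe(HttpContext ctx)
    {
        var lines = new List<string>();

        // 1. HttpContext.User is set by the module named in <authentication mode="...">.
        //    Under mode="Forms" with no forms ticket, or mode="Windows" with Anonymous
        //    still enabled in IIS, it is an unauthenticated principal with an empty Name.
        lines.Add(DescribePrincipal("HttpContext.User", ctx.User));

        // 2. ASP.NET copies HttpContext.User to Thread.CurrentPrincipal after the
        //    authentication stage, so it is empty for exactly the same reasons.
        lines.Add(DescribePrincipal("Thread.CurrentPrincipal", Thread.CurrentPrincipal));

        // 3. Request.LogonUserIdentity is the token IIS itself produced for the request.
        //    With Anonymous Authentication enabled it is the configured anonymous user
        //    (IUSR, or the app pool account), not the browser user; that is what the
        //    IIS 7 poster observed. The development server runs as the logged-on user,
        //    which is why it appeared to work there.
        WindowsIdentity iisIdentity = ctx.Request.LogonUserIdentity;
        lines.Add(DescribePrincipal("Request.LogonUserIdentity",
            iisIdentity == null ? null : new WindowsPrincipal(iisIdentity)));

        // 4. WindowsIdentity.GetCurrent() is the token the worker thread runs under:
        //    the app pool account unless <identity impersonate="true" /> is set.
        lines.Add(DescribePrincipal("WindowsIdentity.GetCurrent()",
            new WindowsPrincipal(WindowsIdentity.GetCurrent())));

        return lines;
    }

    // Returns the Windows account name the request was authenticated as, or null.
    // Treat null as "not signed in"; never fall back to the process account name.
    public static string WindowsUserOrNull(HttpContext ctx)
    {
        IIdentity id = ctx.User == null ? null : ctx.User.Identity;
        if (id != null && id.IsAuthenticated && id is WindowsIdentity)
            return id.Name;
        return null;
    }

    private static string DescribePrincipal(string source, IPrincipal principal)
    {
        if (principal == null || principal.Identity == null)
            return source + ": (null)";
        IIdentity id = principal.Identity;
        return string.Format("{0}: Name='{1}' IsAuthenticated={2} AuthenticationType='{3}' ({4})",
            source, id.Name, id.IsAuthenticated, id.AuthenticationType, id.GetType().Name);
    }
}
```

With mode="Windows" in web.config and Windows Authentication enabled (Anonymous disabled) in IIS, lines 1 and 2 show an authenticated WindowsIdentity with the DOMAIN\user name; with mode="Forms" they stay empty until a forms ticket is issued, no matter what IIS negotiated, so WindowsUserOrNull is the value to trust rather than LogonUserIdentity.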
My Windows Authentication is working with IIS7, but now I want to deny specific users based on the data that I have in SQL Server.
I know I can send an "access denied" message, but I want to send the Windows login form to the user to enter different credentials, so that IIS can authenticate the new credentials and send them to the C# code to authorize the user again.
Edit - To rephrase the question
I want to use both Windows authentication and authentication based on database data. First I want the users to be authenticated via Windows authentication, and then the application will authenticate the user. But my question is: if the application denies the user, then I want the Windows authentication dialog box to show up to the user for Windows credentials to start the process from the beginning.
If you want to authenticate by using information from a database, you would have to use forms authentication.
The steps you have to take are:
Build a Login-Webpage (login.aspx in this example)
Put this in your web.config, to specify the login page and deny access for all users initially:
Code:
<authentication mode="Forms">
<!-- Login.aspx is the login page forms authentication should use. -->
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="30" slidingExpiration="true" >
</forms>
</authentication>
<authorization>
<!-- deny all users access to resources of this app, if not logged in. -->
<deny users="?" />
</authorization>
In your login page, in code behind, call this to let a user pass:
Code:
FormsAuthentication.SetAuthCookie("UserName", False)
One of the methods you can use is to create your own login form and authenticate the user using LDAP queries.
So initially it authenticates the user via Windows authentication, and if the other criteria don't grant the user access you can send your own login form and authenticate the user using LDAP queries.
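A code-behind for the Login.aspx page the two answers above describe, as an added example that is not code from either answer: the submitted credentials are validated against Active Directory, the account is then checked against the application's own deny list, and only after both succeed is the forms ticket issued with FormsAuthentication.SetAuthCookie. The domain name "CORP", the control names (UserName, Password, ErrorLabel) and the in-memory deny set are assumptions constructed for the example; in the real application the deny check is the SQL Server lookup the question mentions.

```csharp
// Added example, not from the answers above. Login.aspx code-behind that checks
// credentials against AD, then against an application deny list, then issues
// the forms ticket. Domain, control names and the deny set are assumptions.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    private const string DomainName = "CORP";   // assumption: the AD domain to validate against

    // Constructed stand-in for the SQL deny table; replace with the database query.
    private static readonly HashSet<string> DeniedAccounts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CORP\\contractor01" };

    public enum LoginOutcome { BadCredentials, Denied, Allowed }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();   // assumed TextBox control
        string pass = Password.Text;          // assumed TextBox control

        LoginOutcome outcome = Authenticate(DomainName, user, pass, DeniedAccounts);
        if (outcome != LoginOutcome.Allowed)
        {
            // One message for both failure kinds, so the form does not reveal
            // which accounts exist or which ones are on the deny list.
            ErrorLabel.Text = "Sign-in failed.";  // assumed Label control
            return;
        }

        // false = session cookie only, matching SetAuthCookie("UserName", False) above.
        string accountName = DomainName + "\\" + user;
        FormsAuthentication.SetAuthCookie(accountName, false);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(accountName, false));
    }

    // Validates against the domain with PrincipalContext.ValidateCredentials
    // (System.DirectoryServices.AccountManagement), then applies the deny list.
    public static LoginOutcome Authenticate(string domain, string user, string password, ISet<string> denied)
    {
        Func<string, string, bool> validator = (u, p) =>
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
                return ctx.ValidateCredentials(u, p);
        };
        return Authenticate(domain, user, password, denied, validator);
    }

    // Same logic with the AD call injected, so the decision rules can be unit-tested offline.
    public static LoginOutcome Authenticate(string domain, string user, string password,
                                            ISet<string> denied, Func<string, string, bool> validate)
    {
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return LoginOutcome.BadCredentials;
        if (!validate(user, password))
            return LoginOutcome.BadCredentials;
        // The deny list is consulted only after the password is right, so it cannot
        // be probed with guessed names.
        return denied.Contains(domain + "\\" + user) ? LoginOutcome.Denied : LoginOutcome.Allowed;
    }
}
```

Because the deny decision is made by the application and not by IIS, there is no need to get the Windows credential dialog to reappear: a denied user simply stays on the login page and can type a different account, which is what the question was after.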
Imagine you create a new MVC4 Project, register an account using SimpleMembership, and log in with the Remember Me checkbox ticked.
Now, when you create another MVC 4 Project, the application tries to log in using the previous account, but throws an error because it does not exist. I mean, if I do a login in one web page, the other one uses the same account.
How can I avoid this? I guess it has to do with ForgeryTokens or something like that.
Customize the name of the cookie so that it's unique per application.
<authentication mode="Forms">
<!-- **Defaults** timeout="30" slidingExpiration="true" -->
<forms name=".MyApplication" defaultUrl="~/" loginUrl="~/LogIn" />
</authentication>
If you are using a single sign-on mechanism then this is an expected scenario, but if you do not wish to allow the same authentication with the same account on another website, then make sure the web.config files for both projects have different machine keys.
Also, this happens because cookies on your machine are enabled, so a cookie file is created and the other project is allowed access using these cookie details.
< Authentication />
It happens because when the web page is served the browser sees localhost as the domain name. It saves the cookie for localhost.
When you host another website on the same server with localhost, then the browser sends the same cookie again.
If you are using the same cookie name in both the applications, then the system will try to think that the user is already authenticated and you will get the error.
You can change the cookie name in web.config file.
Read this:
Can I change the FormsAuthentication cookie name?