I have an existing mvc webapi system that uses no authentication or authorization and I am attempting to add Windows authentication in. I approached this by creating a new simplified system with a single controller returning just static data.
The new system is set up to use Windows authentication, and as a result when I hook into the Application_AuthenticateRequest the HttpContext.Current.User is not null and has a populated Identity property with the correct WindowsPrincipal for the user sending the request.
In the existing system, when I amend the web.config to match the new (working) system all incoming requests have a null HttpContext.Current.User in Application_AuthenticateRequest.
I saw a post suggesting that I use the Application_AuthorizeRequest event handler as it is fired later in the pipeline. As expected the HttpContext.Current.User is not null at this point, however the Identity property of this is set as having an impersonation level of Anonymous and importantly is not authenticated.
I assume that my production system that I am trying to add authentication to is somehow configured to not use impersonation, yet my new proof of concept system is. As a result the Authenticate stage of the pipeline is adding an anonymous user to the HttpContext which is what I am seeing in the Authorize stage of the pipeline.
My question is how do I configure my production system to use impersonation so that I can access the user that has sent the request?
Please note that the system is deployed to an intranet so the Windows identity of the user is all I need and gives sufficient security.
my web config contains the following:
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.6.1" />
<authentication mode="Windows" />
<identity impersonate="true" />
<httpModules>
</httpModules>
</system.web>
in both systems (production and POC) and I have tried removing the <identity/> element from both and it appears to have no effect.
At this stage I am hosting only in IISExpress through VS2015
Turns out this was all down to IIS configuration.
When hosting a site within VS2015 using IISExpress, the applicationhost.config file that is used by IISExpress is one stored locally with the soure. Specifically in the $(SolutionDir).vs\config folder.
The config for my production system had windows authentication disabled and anonymous authentication enabled, and the POC system had the reverse. Changing this config file has fixed my problems, now the question is whether this will work on another user's PC or will an incorrect applicationhost.config file be generated??
Related
I am having an issue accessing a webservice with impersonate without a specified user.
Works:
<identity impersonate="true" userName="DOMAIN\USERNAME" password="MyPassword" />
Doesn't Work
<identity impersonate="true" />
While debugging I used the code below to verifiy the correct Domain and Username were being used, they are.
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
Here is more of my web.config
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
<deny users="?"/>
</authorization>
I am logging into the prompt, image below
Any ideas why it will only work when I specify a user in the web.config? I am logging in with the same Domain\Username and password that I put into the <identity impersonate="true" userName="DOMAIN\USERNAME" password="MyPassword" /> . I've tried with multiple accounts and they all work when I put their credentials in the web.config but none work with identity set as<identity impersonate="true" /> and logging in.
EDIT
The remote server returned an error: (403) Forbidden.
EDIT 2
Everything works fine while debugging and while hitting the service on the server that contains the IIS it is hosted on, I've tried with multiple accounts and they all work. Everything is on the same domain
Note the following text from https://support.microsoft.com/en-us/kb/306158
Impersonate a Specific User for All the Requests of an ASP.NET
Application
To impersonate a specific user for all the requests on all pages of an
ASP.NET application, you can specify the userName and password
attributes in the tag of the Web.config file for that
application. For example:
Note The identity of the process that impersonates a specific user on a thread must have the "Act as part of the operating system"
privilege. By default, the Aspnet_wp.exe process runs under a computer
account named ASPNET. However, this account does not have the required
privileges to impersonate a specific user. You receive an error
message if you try to impersonate a specific user. This information
applies only to the .NET Framework 1.0. This privilege is not required
for the .NET Framework 1.1.
To work around this problem, use one of the following methods: Grant
the "Act as part of the operating system" privilege to the ASPNET
account (the least privileged account).
Note Although you can use this method to work around the problem,
Microsoft does not recommend this method. Change the account that the
Aspnet_wp.exe process runs under to the System account in the
configuration section of the Machine.config file.
You could setup the Aspnet_wp.exe process to run as the user you are trying to impersonate to get the desired privileges.
This has also been discussed before: How do you do Impersonation in .NET?
It could be the NTLM double-hop authentication issue. In short, ensure that Kerberos SPNs are properly set so it is used instead of NTLM. This MSDN blog post has a great explaination.
http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx
Alternatively, basic or forms authentication will also achieve what you're looking to accomplish. This is because the application will have the user's credentials and, if properly configured, can use them to access back end resources.
You may also want to look into Kerberos delegation. Its a way to restrict that second hop to just one resource via it's SPN.
I have an ASP.NET MVC4 website deployed on IIS with Windows Authentication enabled. My config file has this setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My understanding is that this will allow me to authenticate without having to type in credentials; i.e. an intranet site.
This works as intended, except for the first page load. When I first access the website, I am directed to the following URL:
http://localhost/SandboxWebsite/login.aspx?ReturnUrl=%2fSandboxWebsite
This is obviously a page that asks for credentials. When I then navigate again to http://localhost/SandboxWebsite/, I am automatically authenticated without having to enter any credentials.
Why is this occurring and how can I prevent it?
The problem was that, whilst anonymous access was disabled as a setting, there was no authorisation rule to deny anonymous users. Why this redirected me to Login.aspx I do not know, but I fixed it by adding the following rules.
IIS > MyWebsite > .NET Authorization Rules
John,
this is a long shot but have you tried using an address other than LocalHost to access the site ? It may be that your ASP.NET MVC4 website is expecting a specific domain name/computer name or IP address because of the way it was setup.
You could alter your hosts file to test this out.
Hope this helps.
Dorje
I tried to create an authentication system in aspx using Windows Authentication. It seems to be the default mode for authenticating users in an intranet, for a company using Windows PCs. I enabled 'Windows Authentication' for my site in IIS, and disabled the other types of Authentications. This is my Web.config file:
<system.web>
<authentication mode="Windows" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
What I have is a feedback provided by this line in my code (always false)
Response.Write(User.Identity.IsAuthenticated.ToString());
I'm not sure I'm doing all in the right way, but I've read many tutorials and all seems so easy... so, what I miss to do? I'm doing something wrong?
I haven't found anything that helped me in the implementation, simply all what I wrote seems to do nothing. Uh, also I don't see the Windows Auth Dialog
I solved adding a row in 'Authorization Rules' in IIS. In my company we all are admin, so I added an allow rule for admin users and I denied the access for others. All works correctly now, I show the Windows Auth Dialog and with username and password I am able to authenticate.
Check these requirements:
Windows authentication is enabled in IIS (you did it already).
Anonymous access is disabled in IIS (http://technet.microsoft.com/en-us/library/cc731244(v=ws.10).aspx).
Windows authentication is enabled in client's Internet Explorers.
impersonation is switched on in web.config ( http://msdn.microsoft.com/en-us/library/134ec8tc(v=vs.140).aspx).
As far as I remember, that's all.
Imagine when you create a new MVC4 Project and you start registering an account using SimpleMembership and you logged using Remember Me checkbox.
Now, when you create another MVC 4 Project, the application tries to loggin using the previous account, although throws an error because it does not exist. I mean, if a do a login in a web page, the another one uses the same account.
How can avoid this, I guess has to be with ForgeryTokens or something like that
Customize the name of the cookie so that it's unique per application.
<authentication mode="Forms">
<!-- **Defaults** timeout="30" slidingExpiration="true" -->
<forms name=".MyApplication" defaultUrl="~/" loginUrl="~/LogIn" />
</authentication>
if you are using a single sign on mechanism then it is a exceptionable scenario but if you do not wish to allow the same authentication with same account to another website then make sure the web.config file for both projects must have a different machine keys.
Also, this is happened because of cookies on your machine is set to true, to create cookies file and allow access to other project using this cookies details.
< Authentication />
It happens because when the web page is served the browser sees localhost as the domain name. It saves the cookie for localhost.
When you host another website on the same server with localhost, then the browser sends the same cookie again.
If you are using the same cookie name in both the applications, then the system will try to think that the user is already authenticated and you will get the error.
You can change the cookie name in web.config file.
Read this:
Can I change the FormsAuthentication cookie name?
I've got a web method set up on SERVER A and need to connect to the file system on SERVER B.
Currently I have a wide array of web services that already run on SERVER A where the identity on the application pool is set to NETWORK SERVICE. The issue is that I cannot seem to give the NETWORK SERVICE on A access to the file system on B. Changing the user on the app pool isn't really an option as there are too many possible train wrecks that could materialize on the outgoing web service calls.
So the solution I am trying to come up with is temporarily changing the Web Method identity user from NETWORK SERVICE to DOMAIN/SOMEUSER when the web method is called.
The property I need to change is System.Web.HttpContext.Current.User.Identity.Name
Can anyone tell me how I can go about doing this? Many of the solutions online seem to refer to Windows Azure - which I'm not using, so the approaches outlined don't work.
Thanks!
Try using impersonate in your service.
<system.web> ....
<identity impersonate="true" userName="accountname" password="password" />
You might have to play with the tag in the web.config. Our is normally set to <identity impersonate="false" /> and the application pool uses a domain user for permissions.