I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.
When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).
I use the following string to discriminate anonymous users and domain users:
WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
If WindowsAccountName is empty user is anonymous, otherwise is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.
Do you have any solution for these problem? Keep in mind that domain users are spread among different networks so IP address is not a good choice to discriminate domain users and non-domain users.
it looks like a catch-22 for me
Thanks.
The term for this is Mixed-Mode Authentication. I have done this multiple times.
This can be accomplished by using a windows authenticated site that does no more that pull the users credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this with an encrypted URL parameter that contains the user id and time-stamp.
Internal Site
Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
I don't know if it's too late to post this.I recently worked on enabling anonymous authentication on one page in the .NET 4.8 MVC application.
Let's say the page was accessible via URL: User/MyCustomPage
Application configuration was as follows:
1. In web.config authentication mode was specified and authorization was
set to deny for anonymous users.
<system.web>
<authentication mode= "windows"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
2. In the controller, authorize tag was there.
3. In IIS, windows authentication was enabled, and anonymous mode was disabled.
I did the below steps:
1. Removed authorize tag from the specific controller and added
[AllowAnonymous] tag.
2. Enabled anonymous authentication in the IIS server. Go to
server->authentication-> Anonymous-> click Enable in the right pane.
3. I had to add the particular path, to exclude it from regular
windows authentication by writing the below code in web.config file.
<location path="User/MyCustomPage"/>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
But Still, I was getting prompt for windows credentials on accessing the above URL. The reason I found that was:
The View that MyCustomPage was returning, was consuming another resource.
So, I have to add that path too in the web.config.
<location path="Bundle/Content/css"/>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Related
I've already tried Use Anonymous authentication in MVC4 on single controller when the whole application uses Windows Authenticaion and IIS Mixed Anonymous and Windows Authentication , no such luck so far getting what I need to happen.
We have an MVC app on our network. Internally, it should use windows authentication, and we use an [AuthorizeByRole(param[] Role roles)] Attribute on many of our views / controllers.
However, we also need for external users to be able to access the app. We have contractors and physicians that don't have AD credentials, plus the mobile app uses an anonymous backend API.
What I need to happen:
Internal users: auto login using windows authentication, nice and simple
External users: Challenge for windows credentials (which it does) - if they hit cancel, they become an anonymous user, and can still view the app.
What happens now: Hitting cancel causes them to be redirected to the standard asp.net 401 page, rather than seeing the Guest page. Also, the mobile backend just automatically gets a 401, and can't hit the API at all.
Any thoughts?
more information
Here is a sample solution I have
In my web.config, I have:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
In IIS, I have
In my API controller, I put [AllowAnonymous] on both the controller and my GetKey method
On my phone, I go to /api/Auth/GetKey, and I'm challenged for AD credentials. When I hit cancel, I'm redirected to a 401 page.
If the Controller is decorated with an [Authorize] Attribute, you can exclude individual methods, within that Controller, from the Authorization by decorating them with the [AllowAnonymous] Attribute.
Read more about it here.
On the other hand, you could also remove the [Authorize] Attribute from the Controller and only mark methods that need Authorization with it.
You have to decorate controller actions individually instead of the entire controller. Use [Authorize] for actions that only AD users can perform and leave the others undecorated for anonymous users.
I have an ASP.NET MVC4 website deployed on IIS with Windows Authentication enabled. My config file has this setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My understanding is that this will allow me to authenticate without having to type in credentials; i.e. an intranet site.
This works as intended, except for the first page load. When I first access the website, I am directed to the following URL:
http://localhost/SandboxWebsite/login.aspx?ReturnUrl=%2fSandboxWebsite
This is obviously a page that asks for credentials. When I then navigate again to http://localhost/SandboxWebsite/, I am automatically authenticated without having to enter any credentials.
Why is this occurring and how can I prevent it?
The problem was that, whilst anonymous access was disabled as a setting, there was no authorisation rule to deny anonymous users. Why this redirected me to Login.aspx I do not know, but I fixed it by adding the following rules.
IIS > MyWebsite > .NET Authorization Rules
John,
this is a long shot but have you tried using an address other than LocalHost to access the site ? It may be that your ASP.NET MVC4 website is expecting a specific domain name/computer name or IP address because of the way it was setup.
You could alter your hosts file to test this out.
Hope this helps.
Dorje
I am switching from WebForms to MVC.
In the web.config of a WebForm I have the following:
<authentication mode="Forms">
<forms loginUrl="/forms/Login"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
If the user is not already authenticated they are redirected to a separate app on the web server /forms/Login/?ReturnUrl=%2fforms%2fLoginClient. That app has a standard log in screen and connects to active directory to verify user credentials and then on success creates the cookie and redirects the user back to the originally requested page using:
FormsAuthentication.RedirectFromLoginPage(username, false)
This is really convenient as I only have one login page UI to manage and all my code to talk to active directory in a single centralized location. Additionally, for new apps all I need to do to provide authentication is add the snippet above into the web.config of the new app.
Is there an equivalent way to do this in an MVC project?
I am familiar with the option to include an Account controller when creating a new MVC application.
However, this has a lot of stuff I don't want and way more Views than I'll ever need.
I don't want to have to create a new login page or duplicate my active directory auth code for every new MVC application that I create.
Thanks for any guidance on this.
I am working on ASP.net MVC 2.0 Web Application in C#.
I am very new to MVC . I wanted to implement Windows Authentication and Role based
Authentication in my application.
I was sucessful in implementing windows authentication. I have configured Properly to make my application work with windows authentication.
Code:
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
So, from Windows Active directory i was able to get the logged in user name.
Then in the Session_Start of my application , i am sending that username to database whether
that particular is a valid user for that Application.
Now, Here i only have two roles: Normal user and Admin
So, a normal user should be restricted to only some set of pages.
I have database table structure like this: Sample Data Example
UserID IsAdmin
1 false
2 true
3 false
I have read many articles on this. But, after reading all those i was pretty much confused about the approach to be followed.
How can i create my custom Authorize Attribute to restrict the access and hiding the contents of page.
Please give some ideas / sample examples on this.
NOte: I am working MVC 2.0 Application
I have an asp.net site, and I need to use both Windows Auth and Anonymous Auth together.
I need Windows auth as I need to get the username of the logged on user, but also the site runs a web-service which must be accessed anonymously.
If I turn on Windows Auth I can get the user and this works fine, but the site calling the web-service returns a 401 error. If I add in Anonymous access too the site using the web-service works fine, but I can no longer get the username of the logged in user.
How can I get the best of both - i.e. get the user name, but not kill my web service.
You can add the following to disable access to specific locations within your directory tree
<location path="path.to.web.service">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
while keeping the main site under control of the Windows authentication.
See : http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx