trying to do something really basic!
I have an MVC5 Web app - and I want to make it work as an intranet app. I had a look at https://msdn.microsoft.com/en-us/library/gg703322(VS.98).aspx and it seems straightforward . I want to things a little different though .. I want to control access by roles in a global way .. I would have thought through web.config.
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
So - we have 2 servers , 1 Domain Controller SBS2008 and 1 web server Windows 2012 server which is connected to the SBS domain .
1) I can log on to app ok if I am a domain administrator
2) I can deny myself access using those settings in web.config.
The problem is whenever a standard user tries to go to the site they are asked for a user name and password. Help!
One other thing - I can't enable impersonation or I get Error 500 .
Related
I'm trying to create a simple action filter for my MVC site that checks the current Windows user against those allowed access to the site. For some reason, the filterContext.HttpContext.User.Identity object is always set to anonymous with no username. I've tried to grab it at different stages (OnAuthenticate and OnAuthorize), but it's always anonymous.
I currently have anonymous and Windows authentication enabled in IIS (actually followed this example to configure the Windows Auth feature), and I have the following block in the system.web node of my web.config:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
However for some reason, the Identity is always anonymous with no username. I have to be missing something here. With Windows Auth set in IIS, I'm always prompted for the username/password combo (which actually fails with HTTP401.1 error 0xc000006d, though I think this might be because I have a custom host header setup for development). I've also read a few articles that suggest this is because my site is determined to be in the internet zone and the answers always state to add the site to the intranet zone in Internet Explorer. This seems like a band-aid fix though, and not the actual solution.
Ideally, I would like to have the following:
User browses to my site
Behind the scenes, their Windows username is picked up, and authenticated against allowed users managed by the app
User authenticated successfully, page loads, user is none the wiser they were authenticated
What do I need to do to achieve this?
Thanks in advance for any help. Please let me know if I can provide more context.
Edit: Forgot to add I'm running this on Windows 7 SP1, IIS 7.5
Try
<system.web>
<identity impersonate="true" />
</system.web>
OR
Click On The Project Not the Solution => Open Properties Explorer not right click properties => you will find Anonymous Authentication set to disabled
In your solution explorer, press F4 over the project, and change Windows Authentication to Enable if you are running your project from Visual Studio;
In IIS select your WebSite -> Authentication and Disable Anonymous Authentication and make sure that "Windows Authentication" if Enable
These two rules are in wrong order in your code
<allow users="*" />
<deny users="?" />
Since you first allow everyone, the second rule is not even evaluated.
Try switching them
<deny users="?" />
<allow users="*" />
This way you first deny anonymous requests so that the authentication pipeline can even return 401 to the client. When the NTLM/Kerberos authentication picks the username, the second rule allows everyone (authenticated this time).
For this to work you also have to disable the anonymous authentication.
You need to disable the anonymous authentication from iis and enable windows auth only.
So, I have two applications, one is Web and the other is a console app. The console app creates directories/folders and pdfs in a remote server. The web site (that is running in IIS) has a .aspx document that starts that console app. Running the console app does't give me problems, the problems come when I run the web site and fails to create the directories and pdfs. This is the error:
Error: Access to the path '\\SERVERIP\rae\RAE\' is denied.
That server has credentials and I am thinking that when I run just the console app it takes the credentials before typed (because to access the remote server I needed to type the credentials to see the folders in that server) but when I run the web site, the credentials are asked again (no prompt shown) and that's why the access is denied.
I am using C#'s System.IO.Directory.Exists(route); to check if exists and if it doesn't System.IO.Directory.CreateDirectory(route);
Is there a way to set the credentials for that server in code, on IIS or with another method?
you can set the condition on web.config for specific folder only.
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Via the graphical interface of the IIS,
Application Pools
Select the one used by your application
Go to advanced settings (on the far right)
Set the identity to the User you want
I have started looking into Forms Authentication with Windows Authentication (I believe its called Mixed Forms Authentication, but I could and probably am wrong)
So far I have discovered in my web.config file I need to add the following lines:
<authentication mode="Forms">
<forms loginUrl="~/Login"></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
which I have done. But the next part confuses me. I have been reading about WinLog and WebLog pages and one has to be Windows Authentication and the other a forms Authentication.
I am under the impression this is how the flow should go
Add the lines above to your web.config
Brings user to login page
User gets redirected from another project that has Windows Authenication with the creds they filled and the other project sends a response saying yes or no.
The part after the web.config is super confusing, can someone tell me if I am on the right track or far from it?
What I am trying to do is not have an ugly dialog box, but instead have a custom login page.
If someone can point me in the right direction, that would be great.
ASP.NET has 3 different ways of authentication:
- Windows
- Forms
- Passport
Mixed mode authentication has been known as a somehow problematic way of authenticating users, in order to achieve it, you'll need one application to authenticate the users from a form, and another one to authenticate the users from IIS.
You will find some more info here:
ASP.NET MVC and mixed mode authentication
http://aspalliance.com/553_Mixed_Mode_Authentication.all
https://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx
I have an ASP.NET MVC4 website deployed on IIS with Windows Authentication enabled. My config file has this setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My understanding is that this will allow me to authenticate without having to type in credentials; i.e. an intranet site.
This works as intended, except for the first page load. When I first access the website, I am directed to the following URL:
http://localhost/SandboxWebsite/login.aspx?ReturnUrl=%2fSandboxWebsite
This is obviously a page that asks for credentials. When I then navigate again to http://localhost/SandboxWebsite/, I am automatically authenticated without having to enter any credentials.
Why is this occurring and how can I prevent it?
The problem was that, whilst anonymous access was disabled as a setting, there was no authorisation rule to deny anonymous users. Why this redirected me to Login.aspx I do not know, but I fixed it by adding the following rules.
IIS > MyWebsite > .NET Authorization Rules
John,
this is a long shot but have you tried using an address other than LocalHost to access the site ? It may be that your ASP.NET MVC4 website is expecting a specific domain name/computer name or IP address because of the way it was setup.
You could alter your hosts file to test this out.
Hope this helps.
Dorje
I am working on ASP.net MVC 2.0 Web Application in C#.
I am very new to MVC . I wanted to implement Windows Authentication and Role based
Authentication in my application.
I was sucessful in implementing windows authentication. I have configured Properly to make my application work with windows authentication.
Code:
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
So, from Windows Active directory i was able to get the logged in user name.
Then in the Session_Start of my application , i am sending that username to database whether
that particular is a valid user for that Application.
Now, Here i only have two roles: Normal user and Admin
So, a normal user should be restricted to only some set of pages.
I have database table structure like this: Sample Data Example
UserID IsAdmin
1 false
2 true
3 false
I have read many articles on this. But, after reading all those i was pretty much confused about the approach to be followed.
How can i create my custom Authorize Attribute to restrict the access and hiding the contents of page.
Please give some ideas / sample examples on this.
NOte: I am working MVC 2.0 Application