I have an ASP.NET MVC4 website deployed on IIS with Windows Authentication enabled. My config file has this setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My understanding is that this will allow me to authenticate without having to type in credentials; i.e. an intranet site.
This works as intended, except for the first page load. When I first access the website, I am directed to the following URL:
http://localhost/SandboxWebsite/login.aspx?ReturnUrl=%2fSandboxWebsite
This is obviously a page that asks for credentials. When I then navigate again to http://localhost/SandboxWebsite/, I am automatically authenticated without having to enter any credentials.
Why is this occurring and how can I prevent it?
The problem was that, whilst anonymous access was disabled as a setting, there was no authorisation rule to deny anonymous users. Why this redirected me to Login.aspx I do not know, but I fixed it by adding the following rules.
IIS > MyWebsite > .NET Authorization Rules
John,
this is a long shot but have you tried using an address other than LocalHost to access the site ? It may be that your ASP.NET MVC4 website is expecting a specific domain name/computer name or IP address because of the way it was setup.
You could alter your hosts file to test this out.
Hope this helps.
Dorje
Related
I'm trying to create a simple action filter for my MVC site that checks the current Windows user against those allowed access to the site. For some reason, the filterContext.HttpContext.User.Identity object is always set to anonymous with no username. I've tried to grab it at different stages (OnAuthenticate and OnAuthorize), but it's always anonymous.
I currently have anonymous and Windows authentication enabled in IIS (actually followed this example to configure the Windows Auth feature), and I have the following block in the system.web node of my web.config:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
However for some reason, the Identity is always anonymous with no username. I have to be missing something here. With Windows Auth set in IIS, I'm always prompted for the username/password combo (which actually fails with HTTP401.1 error 0xc000006d, though I think this might be because I have a custom host header setup for development). I've also read a few articles that suggest this is because my site is determined to be in the internet zone and the answers always state to add the site to the intranet zone in Internet Explorer. This seems like a band-aid fix though, and not the actual solution.
Ideally, I would like to have the following:
User browses to my site
Behind the scenes, their Windows username is picked up, and authenticated against allowed users managed by the app
User authenticated successfully, page loads, user is none the wiser they were authenticated
What do I need to do to achieve this?
Thanks in advance for any help. Please let me know if I can provide more context.
Edit: Forgot to add I'm running this on Windows 7 SP1, IIS 7.5
Try
<system.web>
<identity impersonate="true" />
</system.web>
OR
Click On The Project Not the Solution => Open Properties Explorer not right click properties => you will find Anonymous Authentication set to disabled
In your solution explorer, press F4 over the project, and change Windows Authentication to Enable if you are running your project from Visual Studio;
In IIS select your WebSite -> Authentication and Disable Anonymous Authentication and make sure that "Windows Authentication" if Enable
These two rules are in wrong order in your code
<allow users="*" />
<deny users="?" />
Since you first allow everyone, the second rule is not even evaluated.
Try switching them
<deny users="?" />
<allow users="*" />
This way you first deny anonymous requests so that the authentication pipeline can even return 401 to the client. When the NTLM/Kerberos authentication picks the username, the second rule allows everyone (authenticated this time).
For this to work you also have to disable the anonymous authentication.
You need to disable the anonymous authentication from iis and enable windows auth only.
I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.
When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).
I use the following string to discriminate anonymous users and domain users:
WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
If WindowsAccountName is empty user is anonymous, otherwise is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.
Do you have any solution for these problem? Keep in mind that domain users are spread among different networks so IP address is not a good choice to discriminate domain users and non-domain users.
it looks like a catch-22 for me
Thanks.
The term for this is Mixed-Mode Authentication. I have done this multiple times.
This can be accomplished by using a windows authenticated site that does no more that pull the users credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this with an encrypted URL parameter that contains the user id and time-stamp.
Internal Site
Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
I don't know if it's too late to post this.I recently worked on enabling anonymous authentication on one page in the .NET 4.8 MVC application.
Let's say the page was accessible via URL: User/MyCustomPage
Application configuration was as follows:
1. In web.config authentication mode was specified and authorization was
set to deny for anonymous users.
<system.web>
<authentication mode= "windows"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
2. In the controller, authorize tag was there.
3. In IIS, windows authentication was enabled, and anonymous mode was disabled.
I did the below steps:
1. Removed authorize tag from the specific controller and added
[AllowAnonymous] tag.
2. Enabled anonymous authentication in the IIS server. Go to
server->authentication-> Anonymous-> click Enable in the right pane.
3. I had to add the particular path, to exclude it from regular
windows authentication by writing the below code in web.config file.
<location path="User/MyCustomPage"/>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
But Still, I was getting prompt for windows credentials on accessing the above URL. The reason I found that was:
The View that MyCustomPage was returning, was consuming another resource.
So, I have to add that path too in the web.config.
<location path="Bundle/Content/css"/>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Imagine when you create a new MVC4 Project and you start registering an account using SimpleMembership and you logged using Remember Me checkbox.
Now, when you create another MVC 4 Project, the application tries to loggin using the previous account, although throws an error because it does not exist. I mean, if a do a login in a web page, the another one uses the same account.
How can avoid this, I guess has to be with ForgeryTokens or something like that
Customize the name of the cookie so that it's unique per application.
<authentication mode="Forms">
<!-- **Defaults** timeout="30" slidingExpiration="true" -->
<forms name=".MyApplication" defaultUrl="~/" loginUrl="~/LogIn" />
</authentication>
if you are using a single sign on mechanism then it is a exceptionable scenario but if you do not wish to allow the same authentication with same account to another website then make sure the web.config file for both projects must have a different machine keys.
Also, this is happened because of cookies on your machine is set to true, to create cookies file and allow access to other project using this cookies details.
< Authentication />
It happens because when the web page is served the browser sees localhost as the domain name. It saves the cookie for localhost.
When you host another website on the same server with localhost, then the browser sends the same cookie again.
If you are using the same cookie name in both the applications, then the system will try to think that the user is already authenticated and you will get the error.
You can change the cookie name in web.config file.
Read this:
Can I change the FormsAuthentication cookie name?
I have an asp.net site, and I need to use both Windows Auth and Anonymous Auth together.
I need Windows auth as I need to get the username of the logged on user, but also the site runs a web-service which must be accessed anonymously.
If I turn on Windows Auth I can get the user and this works fine, but the site calling the web-service returns a 401 error. If I add in Anonymous access too the site using the web-service works fine, but I can no longer get the username of the logged in user.
How can I get the best of both - i.e. get the user name, but not kill my web service.
You can add the following to disable access to specific locations within your directory tree
<location path="path.to.web.service">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
while keeping the main site under control of the Windows authentication.
See : http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx
I am developing a simple ASP.NET website that will run on the intranet on a WS2008(IIS7) box and respond to users running XP/IE8. Everything is domain connected and I am trying to automatically login the users much like SharePoint does.
On my dev machine (XP), when running the site through VS, everything works. I can pickup on the user perfectly. I am using the following settings:
<authentication mode="Windows"/>
<identity impersonate="true"/>
<anonymousIdentification enabled="false"/>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
However, when I publish to the WS2008 box, it doesn't work. Clearly I am missing a setting in IIS7 to support this.
I have the following set for Authentication on the site:
Anon Auth - Enabled
ASP.NET Impersonation - Enabled
Basic Auth - Disabled
Forms Auth - Disabled
Windows Auth - Disabled
What am I missing?
Thanks
Try disabling anonymous login from the iis. Go to the security options for the site on IIS and uncheck the Enable Anonymous login. Make sure that windows authentication is checked.
Edit:: If the login box appears when trying to login with IE, there is a setting that you can set so that IE sends the username when used in the intranet sites. Go to tools > internet options > security and in the security settings select the option Automatic Logon with current username and password or Automatic Logon only in intranet Zone You have to make sure that the site you are trying to use is added in the intranet zone.
There is a similar setting with firefox and chrome I believe but I am not sure how to set it up
You need to enable "Windows Authentication" in IIS and disable "Anon Auth"
Here are the settings, you should be using:
Anon Auth - Disabled
ASP.NET Impersonation - Enabled
Basic Auth - Disabled
Forms Auth - Disabled
Windows Auth - Enabled
Consider also the intranet zone settings for the browser, as well as the security settings. Try adding other flavors/variations of the URL to the intranet sites zone in IE. My understanding is this is how IE determines if it should automatically submit credentials instead of prompting.