I tried to create an authentication system in aspx using Windows Authentication. It seems to be the default mode for authenticating users in an intranet, for a company using Windows PCs. I enabled 'Windows Authentication' for my site in IIS, and disabled the other types of Authentications. This is my Web.config file:
<system.web>
<authentication mode="Windows" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
What I have is a feedback provided by this line in my code (always false)
Response.Write(User.Identity.IsAuthenticated.ToString());
I'm not sure I'm doing all in the right way, but I've read many tutorials and all seems so easy... so, what I miss to do? I'm doing something wrong?
I haven't found anything that helped me in the implementation, simply all what I wrote seems to do nothing. Uh, also I don't see the Windows Auth Dialog
I solved adding a row in 'Authorization Rules' in IIS. In my company we all are admin, so I added an allow rule for admin users and I denied the access for others. All works correctly now, I show the Windows Auth Dialog and with username and password I am able to authenticate.
Check these requirements:
Windows authentication is enabled in IIS (you did it already).
Anonymous access is disabled in IIS (http://technet.microsoft.com/en-us/library/cc731244(v=ws.10).aspx).
Windows authentication is enabled in client's Internet Explorers.
impersonation is switched on in web.config ( http://msdn.microsoft.com/en-us/library/134ec8tc(v=vs.140).aspx).
As far as I remember, that's all.
Related
I'm trying to create a simple action filter for my MVC site that checks the current Windows user against those allowed access to the site. For some reason, the filterContext.HttpContext.User.Identity object is always set to anonymous with no username. I've tried to grab it at different stages (OnAuthenticate and OnAuthorize), but it's always anonymous.
I currently have anonymous and Windows authentication enabled in IIS (actually followed this example to configure the Windows Auth feature), and I have the following block in the system.web node of my web.config:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
However for some reason, the Identity is always anonymous with no username. I have to be missing something here. With Windows Auth set in IIS, I'm always prompted for the username/password combo (which actually fails with HTTP401.1 error 0xc000006d, though I think this might be because I have a custom host header setup for development). I've also read a few articles that suggest this is because my site is determined to be in the internet zone and the answers always state to add the site to the intranet zone in Internet Explorer. This seems like a band-aid fix though, and not the actual solution.
Ideally, I would like to have the following:
User browses to my site
Behind the scenes, their Windows username is picked up, and authenticated against allowed users managed by the app
User authenticated successfully, page loads, user is none the wiser they were authenticated
What do I need to do to achieve this?
Thanks in advance for any help. Please let me know if I can provide more context.
Edit: Forgot to add I'm running this on Windows 7 SP1, IIS 7.5
Try
<system.web>
<identity impersonate="true" />
</system.web>
OR
Click On The Project Not the Solution => Open Properties Explorer not right click properties => you will find Anonymous Authentication set to disabled
In your solution explorer, press F4 over the project, and change Windows Authentication to Enable if you are running your project from Visual Studio;
In IIS select your WebSite -> Authentication and Disable Anonymous Authentication and make sure that "Windows Authentication" if Enable
These two rules are in wrong order in your code
<allow users="*" />
<deny users="?" />
Since you first allow everyone, the second rule is not even evaluated.
Try switching them
<deny users="?" />
<allow users="*" />
This way you first deny anonymous requests so that the authentication pipeline can even return 401 to the client. When the NTLM/Kerberos authentication picks the username, the second rule allows everyone (authenticated this time).
For this to work you also have to disable the anonymous authentication.
You need to disable the anonymous authentication from iis and enable windows auth only.
I'm trying to create a simple web form with windows authentication. I haven't done anything more than create the project. Like so -
When I hit f5 to view in browser, the pages load, though with no style like so..
As far as I'm concerned, it's meant to look like a nice bootstrap file.
Some things I've tried -
Update my web config
<location path="Content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
<globalization culture="pt-BR" uiCulture="pt-BR" />
</system.web>
Made sure that the paths are correct (though I haven't touched anything since making the project).
Any help is greatly appreciated!
EDIT:
I've created another project - and the only difference between this one and the one above is that there is no authentication. When I load the about page, the style loads as seen below -
Should also mention that this is a Visual Studio 2015 project...
I had the same issue. CSS was not loading when I enable Windows authentication.
The error code in iis log was 500 0 1346.
This was resolved after adding the application pool identity to the administrators group. Basically, the application pool identity must have "impersonate a client after authentication" policy. So adding it to a group with this policy should fix.
Article - https://blogs.msdn.microsoft.com/asgoyal/2012/08/25/one-thing-you-must-do-when-getting-http-500-0-1346-error/
I have an existing mvc webapi system that uses no authentication or authorization and I am attempting to add Windows authentication in. I approached this by creating a new simplified system with a single controller returning just static data.
The new system is set up to use Windows authentication, and as a result when I hook into the Application_AuthenticateRequest the HttpContext.Current.User is not null and has a populated Identity property with the correct WindowsPrincipal for the user sending the request.
In the existing system, when I amend the web.config to match the new (working) system all incoming requests have a null HttpContext.Current.User in Application_AuthenticateRequest.
I saw a post suggesting that I use the Application_AuthorizeRequest event handler as it is fired later in the pipeline. As expected the HttpContext.Current.User is not null at this point, however the Identity property of this is set as having an impersonation level of Anonymous and importantly is not authenticated.
I assume that my production system that I am trying to add authentication to is somehow configured to not use impersonation, yet my new proof of concept system is. As a result the Authenticate stage of the pipeline is adding an anonymous user to the HttpContext which is what I am seeing in the Authorize stage of the pipeline.
My question is how do I configure my production system to use impersonation so that I can access the user that has sent the request?
Please note that the system is deployed to an intranet so the Windows identity of the user is all I need and gives sufficient security.
my web config contains the following:
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.6.1" />
<authentication mode="Windows" />
<identity impersonate="true" />
<httpModules>
</httpModules>
</system.web>
in both systems (production and POC) and I have tried removing the <identity/> element from both and it appears to have no effect.
At this stage I am hosting only in IISExpress through VS2015
Turns out this was all down to IIS configuration.
When hosting a site within VS2015 using IISExpress, the applicationhost.config file that is used by IISExpress is one stored locally with the soure. Specifically in the $(SolutionDir).vs\config folder.
The config for my production system had windows authentication disabled and anonymous authentication enabled, and the POC system had the reverse. Changing this config file has fixed my problems, now the question is whether this will work on another user's PC or will an incorrect applicationhost.config file be generated??
I am having an issue accessing a webservice with impersonate without a specified user.
Works:
<identity impersonate="true" userName="DOMAIN\USERNAME" password="MyPassword" />
Doesn't Work
<identity impersonate="true" />
While debugging I used the code below to verifiy the correct Domain and Username were being used, they are.
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
Here is more of my web.config
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
<deny users="?"/>
</authorization>
I am logging into the prompt, image below
Any ideas why it will only work when I specify a user in the web.config? I am logging in with the same Domain\Username and password that I put into the <identity impersonate="true" userName="DOMAIN\USERNAME" password="MyPassword" /> . I've tried with multiple accounts and they all work when I put their credentials in the web.config but none work with identity set as<identity impersonate="true" /> and logging in.
EDIT
The remote server returned an error: (403) Forbidden.
EDIT 2
Everything works fine while debugging and while hitting the service on the server that contains the IIS it is hosted on, I've tried with multiple accounts and they all work. Everything is on the same domain
Note the following text from https://support.microsoft.com/en-us/kb/306158
Impersonate a Specific User for All the Requests of an ASP.NET
Application
To impersonate a specific user for all the requests on all pages of an
ASP.NET application, you can specify the userName and password
attributes in the tag of the Web.config file for that
application. For example:
Note The identity of the process that impersonates a specific user on a thread must have the "Act as part of the operating system"
privilege. By default, the Aspnet_wp.exe process runs under a computer
account named ASPNET. However, this account does not have the required
privileges to impersonate a specific user. You receive an error
message if you try to impersonate a specific user. This information
applies only to the .NET Framework 1.0. This privilege is not required
for the .NET Framework 1.1.
To work around this problem, use one of the following methods: Grant
the "Act as part of the operating system" privilege to the ASPNET
account (the least privileged account).
Note Although you can use this method to work around the problem,
Microsoft does not recommend this method. Change the account that the
Aspnet_wp.exe process runs under to the System account in the
configuration section of the Machine.config file.
You could setup the Aspnet_wp.exe process to run as the user you are trying to impersonate to get the desired privileges.
This has also been discussed before: How do you do Impersonation in .NET?
It could be the NTLM double-hop authentication issue. In short, ensure that Kerberos SPNs are properly set so it is used instead of NTLM. This MSDN blog post has a great explaination.
http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx
Alternatively, basic or forms authentication will also achieve what you're looking to accomplish. This is because the application will have the user's credentials and, if properly configured, can use them to access back end resources.
You may also want to look into Kerberos delegation. Its a way to restrict that second hop to just one resource via it's SPN.
I have an ASP.NET MVC4 website deployed on IIS with Windows Authentication enabled. My config file has this setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My understanding is that this will allow me to authenticate without having to type in credentials; i.e. an intranet site.
This works as intended, except for the first page load. When I first access the website, I am directed to the following URL:
http://localhost/SandboxWebsite/login.aspx?ReturnUrl=%2fSandboxWebsite
This is obviously a page that asks for credentials. When I then navigate again to http://localhost/SandboxWebsite/, I am automatically authenticated without having to enter any credentials.
Why is this occurring and how can I prevent it?
The problem was that, whilst anonymous access was disabled as a setting, there was no authorisation rule to deny anonymous users. Why this redirected me to Login.aspx I do not know, but I fixed it by adding the following rules.
IIS > MyWebsite > .NET Authorization Rules
John,
this is a long shot but have you tried using an address other than LocalHost to access the site ? It may be that your ASP.NET MVC4 website is expecting a specific domain name/computer name or IP address because of the way it was setup.
You could alter your hosts file to test this out.
Hope this helps.
Dorje