In a .NET MVC4 application, access to controller are restricted by Authorize attribe.
[Authorize(Users = #"network-domain\-some-user-")]
[Authorize(Users = #"network-domain\-some-group")]
When publish on the server it seems to work fine.
On my development computer on the same network, I cannot get identified as a uaser. In IIS, if Windows Authentication is enabled and Anonymous Authentication is disabled for the application, the browser keeps asking for login password again and again.
No user can access it, even authorized users.
(Tried with FireFox and Internet Explorer.)
Maybe this is more an identification/browser problem.
How can I get identified as a user on my development computer
I had the same issue on my localhost. The problem is with hosts file. Some sort of security issue with hosts file vs windows auth. Access your site via localhost:port and win auth should work locally.
See my exactly the same question here: https://stackoverflow.com/a/20723552/809357
Related
I am building a Blazor Server app using .NET 6.0.11 and deploying using Http.Sys . The server and clients are all on the same Windows domain. I'd like to authorize users based on their domain login, instead of building a username/password database and infrastructure specific to this app.
The code in Program.cs to enable Windows Authentication, based on code from the official documentation:
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
builder.WebHost.UseHttpSys(options =>
{
options.Authentication.Schemes =
AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
options.Authentication.AllowAnonymous = false;
});
}
// ...
app.UseAuthentication();
app.UseAuthorization();
I view the authentication state using the first code sample from ASP.NET Core Blazor authentication and authorization.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
Note: I had to run a netsh http add urlacl url=.... one time only; the command was suggested by an exception message generated on first run after changing the launch URL.
Entering my domain login username and password is accepted, and the previous code sample does show my username successfully. I also noticed the following behaviour:
setting AllowAnonymous = true; means it will not prompt at all for the username/password; the page just proceeds with the user not authenticated.
If the username/password is not entered correctly (for a user on the domain) then HTTP error 401 is generated instantly, it never tries to execute the Blazor default error page for example.
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
I am presuming the above behaviour will be the same for other domain uses on different machines accessing this server, although have not tested that yet.
My questions:
is it possible to skip the username/password popup , and just get the domain user that is already logged in on the client machine and doing the access?
(If not) would deploying to IIS instead of Http.Sys change anything?
There seem to be Blazor-based solutions discussed on this SO thread , but I can't see how to use them because the popup always appears as soon as any page is attempted , before any page is rendered; and if login fails, HTTP 401 error is generated with none of the Blazor pages being executed.
Footnote: I was using HTTP.sys instead of Kestrel due to documentation indicating that Kestrel did not support Windows Authentication; however it is working using Kestrel for me now, along with the information from the Accepted answer -- not sure what the story is there.
This is a client-side issue.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
That's because the browser recognizes localhost as a (somewhat trustworthy) server within your intranet, but considers mycomputername.our.domain to be a (potentially hostile) Internet service. For security reasons, Chrome and Edge only use your Windows credentials with servers within your own intranet by default.
To determine which group an URL belongs to, Chrome, Internet Explorer and Edge use Windows's own "Intranet zone" settings. To add your URL,
search for "Internet options" in the Windows Start Menu, then
navigate to Security/Local intranet/Sites/Advanced.
If you want to test with a non-Chromium based browser, here's how to configure Firefox. Firefox manages its own list of URLs where Windows authentication is allowed:
How to configure Firefox for NTLM SSO (Single-Sign-On)?
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
If the client and the server agree to use Kerberos, sure: The client communicates with the domain controller to authenticate and to get a service ticket and then uses that ticket to access your service.
If they don't agree, they will use NTLM. In this case, authentication happens between the client and your server. However, NTLM won't send your password in plain text either, but rather uses it as part of a challenge-response mechanism.
is it possible to skip the username/password popup , and just get the
domain user that is already logged in on the client machine and doing
the access?
IMHO, this is not possible with "windows authentication", because the popup dialog that you see is a special browser feature to enable the windows authentication.This one created in order to support internal application with domain authentication. I don't know of any way to access that browser behavior.
(If not) would deploying to IIS instead of Http.Sys change anything?
Haven't done a deployment with Http.Sys, but according to the documentation it says that Http.Sys supports windows authentication. The deployment would be different since for Http.Sys you need to write the configuration in code, unlike the IIS.
I'm making a personal management site only for me(using ASP.Net MVC, IIS8.0), so I want to use Windows authorization.
I turned on Windows authorization in IIS, so I can log on my web site on outside of my computer (like smartphone, both 4G network and WIFI LAN)
BUT I can't log on my site in my computer
actually, I can log on(automatically logs on) when I use url : [http://localhost/].
but when I access via my own domain, ex. [http://myowndomain.com], It shows a basic authorization form, When I submit the correct userId and password, it doesn't work and returns a 401 error. (401 - Unauthorized: Access is denied due to invalid credentials.)
What's wrong with my settings?
I have a C#.NET 4.0 application running under IIS 7 on Windows Server 2008 with IIS7 server. The application will run in the company intranet that automatically grabs the logged-in Windows username of the person viewing the page without being prompted to enter credentials when the page loads. Now i'm facing 2 problems:
1) Currently, the apps returns the production server name (eg: XYZ\sam) that the application located at. I want to get the current logged on username (eg: ABC\sam). It works fine at localhost but not at production server.
I've enabled <authentication mode="Windows" /> at web.config , enabled windows authentication and disabled anonymous authentication at IIS.
I've tried Page.User.Identity.Name, System.Web.HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, and others but still failed to get the right name. How to get the current windows logged on user?
2) When I want to access the application, it keeps prompting out a windows for username and password. If I ignore it, it will prompt out
401 - Unauthorized: Access is denied due to invalid credentials. You
do not have permission to view this directory or page using the
credentials that you supplied.
How i gona fix it?
For question 1, it cannot retrieve the logged in username because the server is domain server. It works after transfer from workgroup to domain.
For question 2, it works fine(no pop out credential) if I access with the server name (eg:servername/appsname). But it will ask for credential if I use ip (eg:xxx.xx.xx.x/appsname) and didn't setup the tools internet options. Factor still not known.
For your 2 problem, to log automatically, you have to set it on the browser, for my experience, i have done this in IE: https://superuser.com/questions/537416/how-to-make-internet-explorer-automatically-login-in-a-certain-domain
We have an intranet site on our network which uses NTLM to perform single sign on that works without issues. I wrote a C# application which spawn's an IE window with the site URL. Because the application also installs other applications from a protected folder and the users on the domain have restricted rights it is ran with a local administrative account.
I have tried:
System.Diagnostics.Process.Start("IExplore.exe", "http://MyIntranetSite/");
// and
System.Diagnostics.Process.Start("http://MyIntranetSite/");
This works without any sort of issue on Windows 7, however on Windows XP it is prompting for user credentials for NTLM authentication.
Could someone point me in the right direction of how to get around this issue?
The most likely reason would be IE settings. NTLM SSO only works, on the client side, when IE chooses to use SSPI and handshakes with the server. IE parses the URL and uses its security settings to decide whether to do SSO or prompt for creds. http://support.microsoft.com/kb/258063
Has anyone managed to achieve this?
Application should work like this:
App admin can add AD users
App admin can define users not from AD
If user is added from AD and trying to access to application from same AD - application should log him in automatically (single sign on).
If user is not from AD, or not added as application user - application login form is displayed
Just to mention, I managed to achieve this on IIS6. I have read several techniques so far with IIS 7 and 7.5 involved, but it seems none of them really works when deployed on production server.
So far I have 2 separate web applications. One web application is configured with forms authentication - this one is main. Other is configured as windows authentication.
So idea is, user tries to acces to main application, this one redirects him to the other application which tries to extract his domain username (NTLM), and redirects him back to main application. Main application tries to log him in as AD user, if this fails forms login is displayed. If AD user is added as application user (using separate admin module of application), he should be authenticated automatically, meaning no IIS login prompt should be displayed.
These two applications are running in same application pool. Also they are both in integrated pipeline mode.
This works if I set it up on my development win7 IIS, but when I deploy application on win 2008 server with IIS 7.5 - it's not working. I keep getting IIS login prompt. If I enter my credentials to IIS login prompt it will eventually log me into application.
Has anyone has similar issue and hopefully solved it?
Please update the question with the info you have provided.
As I understand, these two applications are in the same app pool and I believe you need to separate them into two app pools.
Progress update - this authentication works now as expected (I didn't have to split app pools). Problem was that on machine accessing application, app server hasto be registered as Local intranet. This is a must in order to IE sends credentials to server.