I'm making a personal management site only for me(using ASP.Net MVC, IIS8.0), so I want to use Windows authorization.
I turned on Windows authorization in IIS, so I can log on my web site on outside of my computer (like smartphone, both 4G network and WIFI LAN)
BUT I can't log on my site in my computer
actually, I can log on(automatically logs on) when I use url : [http://localhost/].
but when I access via my own domain, ex. [http://myowndomain.com], It shows a basic authorization form, When I submit the correct userId and password, it doesn't work and returns a 401 error. (401 - Unauthorized: Access is denied due to invalid credentials.)
What's wrong with my settings?
Related
I am building a Blazor Server app using .NET 6.0.11 and deploying using Http.Sys . The server and clients are all on the same Windows domain. I'd like to authorize users based on their domain login, instead of building a username/password database and infrastructure specific to this app.
The code in Program.cs to enable Windows Authentication, based on code from the official documentation:
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
builder.WebHost.UseHttpSys(options =>
{
options.Authentication.Schemes =
AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
options.Authentication.AllowAnonymous = false;
});
}
// ...
app.UseAuthentication();
app.UseAuthorization();
I view the authentication state using the first code sample from ASP.NET Core Blazor authentication and authorization.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
Note: I had to run a netsh http add urlacl url=.... one time only; the command was suggested by an exception message generated on first run after changing the launch URL.
Entering my domain login username and password is accepted, and the previous code sample does show my username successfully. I also noticed the following behaviour:
setting AllowAnonymous = true; means it will not prompt at all for the username/password; the page just proceeds with the user not authenticated.
If the username/password is not entered correctly (for a user on the domain) then HTTP error 401 is generated instantly, it never tries to execute the Blazor default error page for example.
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
I am presuming the above behaviour will be the same for other domain uses on different machines accessing this server, although have not tested that yet.
My questions:
is it possible to skip the username/password popup , and just get the domain user that is already logged in on the client machine and doing the access?
(If not) would deploying to IIS instead of Http.Sys change anything?
There seem to be Blazor-based solutions discussed on this SO thread , but I can't see how to use them because the popup always appears as soon as any page is attempted , before any page is rendered; and if login fails, HTTP 401 error is generated with none of the Blazor pages being executed.
Footnote: I was using HTTP.sys instead of Kestrel due to documentation indicating that Kestrel did not support Windows Authentication; however it is working using Kestrel for me now, along with the information from the Accepted answer -- not sure what the story is there.
This is a client-side issue.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
That's because the browser recognizes localhost as a (somewhat trustworthy) server within your intranet, but considers mycomputername.our.domain to be a (potentially hostile) Internet service. For security reasons, Chrome and Edge only use your Windows credentials with servers within your own intranet by default.
To determine which group an URL belongs to, Chrome, Internet Explorer and Edge use Windows's own "Intranet zone" settings. To add your URL,
search for "Internet options" in the Windows Start Menu, then
navigate to Security/Local intranet/Sites/Advanced.
If you want to test with a non-Chromium based browser, here's how to configure Firefox. Firefox manages its own list of URLs where Windows authentication is allowed:
How to configure Firefox for NTLM SSO (Single-Sign-On)?
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
If the client and the server agree to use Kerberos, sure: The client communicates with the domain controller to authenticate and to get a service ticket and then uses that ticket to access your service.
If they don't agree, they will use NTLM. In this case, authentication happens between the client and your server. However, NTLM won't send your password in plain text either, but rather uses it as part of a challenge-response mechanism.
is it possible to skip the username/password popup , and just get the
domain user that is already logged in on the client machine and doing
the access?
IMHO, this is not possible with "windows authentication", because the popup dialog that you see is a special browser feature to enable the windows authentication.This one created in order to support internal application with domain authentication. I don't know of any way to access that browser behavior.
(If not) would deploying to IIS instead of Http.Sys change anything?
Haven't done a deployment with Http.Sys, but according to the documentation it says that Http.Sys supports windows authentication. The deployment would be different since for Http.Sys you need to write the configuration in code, unlike the IIS.
I receive a 401 error (invalid credentials) when I login over the Internet.
This happens only for some users on a deployed system. These users are
added during the Identity database initialization.
If I login locally on the deployment server, the login works fine. Additionally,
I have no problems when logging in locally on my development computer.
The authentification is based on the Identity framework.
I found the solution. The problem is that in the header of the page an action was called, for which the users whose login failed had no authorization. It is strange that it worked for local logins.
We have a vendor app that uses windows authentication to pass windows credentials from their MVC app to a web browser control that is pointed at a internal site. This provides a SSO-like experience from the app to the IIS session.
We want to publish the IIS site on the internet and the external/non-domain user must be automatically authenticated in our domain out on the internet. We don't want to put a domain controller in the DMZ. The vendor app is a compiled c#.net site. They will log into our portal site with a simple username and password. This set will be the same for an actual AD user. We want to turn their simple login into a windows authenticated "session" so that when we redirect them to the vendor app, their app will see that they are (somehow) an authenticated windows authentication user and simply pass them on through. (Providing them with a SSO-like experience).
This works if you are on our network and logged into the domain, but these will be non-domain users out on the internet.
In a .NET MVC4 application, access to controller are restricted by Authorize attribe.
[Authorize(Users = #"network-domain\-some-user-")]
[Authorize(Users = #"network-domain\-some-group")]
When publish on the server it seems to work fine.
On my development computer on the same network, I cannot get identified as a uaser. In IIS, if Windows Authentication is enabled and Anonymous Authentication is disabled for the application, the browser keeps asking for login password again and again.
No user can access it, even authorized users.
(Tried with FireFox and Internet Explorer.)
Maybe this is more an identification/browser problem.
How can I get identified as a user on my development computer
I had the same issue on my localhost. The problem is with hosts file. Some sort of security issue with hosts file vs windows auth. Access your site via localhost:port and win auth should work locally.
See my exactly the same question here: https://stackoverflow.com/a/20723552/809357
I have a C#.NET 4.0 application running under IIS 7 on Windows Server 2008 with IIS7 server. The application will run in the company intranet that automatically grabs the logged-in Windows username of the person viewing the page without being prompted to enter credentials when the page loads. Now i'm facing 2 problems:
1) Currently, the apps returns the production server name (eg: XYZ\sam) that the application located at. I want to get the current logged on username (eg: ABC\sam). It works fine at localhost but not at production server.
I've enabled <authentication mode="Windows" /> at web.config , enabled windows authentication and disabled anonymous authentication at IIS.
I've tried Page.User.Identity.Name, System.Web.HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, and others but still failed to get the right name. How to get the current windows logged on user?
2) When I want to access the application, it keeps prompting out a windows for username and password. If I ignore it, it will prompt out
401 - Unauthorized: Access is denied due to invalid credentials. You
do not have permission to view this directory or page using the
credentials that you supplied.
How i gona fix it?
For question 1, it cannot retrieve the logged in username because the server is domain server. It works after transfer from workgroup to domain.
For question 2, it works fine(no pop out credential) if I access with the server name (eg:servername/appsname). But it will ask for credential if I use ip (eg:xxx.xx.xx.x/appsname) and didn't setup the tools internet options. Factor still not known.
For your 2 problem, to log automatically, you have to set it on the browser, for my experience, i have done this in IE: https://superuser.com/questions/537416/how-to-make-internet-explorer-automatically-login-in-a-certain-domain