I have a C#.NET 4.0 application running under IIS 7 on Windows Server 2008 with IIS7 server. The application will run in the company intranet that automatically grabs the logged-in Windows username of the person viewing the page without being prompted to enter credentials when the page loads. Now i'm facing 2 problems:
1) Currently, the apps returns the production server name (eg: XYZ\sam) that the application located at. I want to get the current logged on username (eg: ABC\sam). It works fine at localhost but not at production server.
I've enabled <authentication mode="Windows" /> at web.config , enabled windows authentication and disabled anonymous authentication at IIS.
I've tried Page.User.Identity.Name, System.Web.HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, and others but still failed to get the right name. How to get the current windows logged on user?
2) When I want to access the application, it keeps prompting out a windows for username and password. If I ignore it, it will prompt out
401 - Unauthorized: Access is denied due to invalid credentials. You
do not have permission to view this directory or page using the
credentials that you supplied.
How i gona fix it?
For question 1, it cannot retrieve the logged in username because the server is domain server. It works after transfer from workgroup to domain.
For question 2, it works fine(no pop out credential) if I access with the server name (eg:servername/appsname). But it will ask for credential if I use ip (eg:xxx.xx.xx.x/appsname) and didn't setup the tools internet options. Factor still not known.
For your 2 problem, to log automatically, you have to set it on the browser, for my experience, i have done this in IE: https://superuser.com/questions/537416/how-to-make-internet-explorer-automatically-login-in-a-certain-domain
Related
I am using C# asp.net to get windows login account (domain\username) for login my web automatically. I can get the account correctly when run the statement "System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()" locally on visual studio. However, after deploying the web page to deploy server, it returns "NT AUTHORITY\IUSR".
Most of the solution I found on internet is to use Windows Authentication instead of Anonymous Authentication. I have tried this solution and a user login window is prompted when run the web. It needs to enter the username and password for the deployed server. However, my windows user login account cannot login to the deploy server. Therefore I cannot run the web on my computer.
I would like to know is it possible to get the window user login account if my window account cannot login to the deploy server?
Please try to enable two Authentication methods. First you have to enable Windows Authentication like you already mentioned to pass your credentails automatically to the server (of course only in Intranet).
Additionally you have to activate ASP.NET Impersonation to allow the server to use the passed credentials.
The Help tells you why:
Use ASP.NET Impersonation authentication when you want to run your
ASP.NET application under a security context different from the
default.
In your web.config you have to add the following nodes to your system.web node to tell your application to pass your credentials to the server:
<identity impersonate="true"/>
<authentication mode="Windows" />
The following post may look same but I was unable to correct the problem after attempting all the solutions provided as answers.
(Login failed for user 'DOMAIN\MACHINENAME$')
MY PROBLEM
I am deploying a asp.net web-app with forms authentication enabled on my IIS7 dev server in a Windows Network. My SQL Server is deployed on a remote box, in the same network, with necessary TCP ports opened for remote connections. All the domain users have been given access to necessary databases in SQL server.
Now when I try to run my web-app, following error comes up:
Login failed for user 'DOMAIN\MachineName$'.
I have already given adequate permissions to NT AUTHORITY\NETWORK SERVICE in my SQL server.
I don't want to give any permission to 'DOMAIN\MachineName$' in the SQL server as the developers keep changing the machine names for various test purposes.
The connecting string I am using is:
"Server=SQL-SERVER;Initial Catalog=MyDatabase;Integrated Security=SSPI;Persist Security Info=False"
SQL Provider is System.Data.SqlClient
Anonymous and Form authentication are enabled as my web-app contains login.aspx.
The point is that whenever you use NT AUTHORITY\NETWORK SERVICE as your application pool user, the system translates this in the network to DOMAIN\MachineName$.
What we do is to use the user name of the developer to connect to the machine by setting the username of the application pool to the developer's name.
I also encounter same problem in my intranet environment. The solution is simple yet hard to grab the idea. Usually, The IT Security In-charge will give you active directory service account to log in to your database. You can manage to log in with ssms but it fails in IIS because IIS choose to connect with domain/computername. So set custom account and fill in your domain/username and password.
In IIS Manager, select the application pool that your web app uses or
create a new one if you use the default one.
Click on “Advanced Settings” in the right Actions bar. Under Process Model, click on
the “Identity” value and select “Custom account”.
Click on the “Edit” and enter domain/user name and password for user account.
If you enter all information correctly, the pop-up will be closed successfully
without any error messages.
After that stop your Web Site.
Back again to your application pool and click on the “Recycle”.
Start your Web Site.
And that's it. you web application will successfully connect from IIS.
In a .NET MVC4 application, access to controller are restricted by Authorize attribe.
[Authorize(Users = #"network-domain\-some-user-")]
[Authorize(Users = #"network-domain\-some-group")]
When publish on the server it seems to work fine.
On my development computer on the same network, I cannot get identified as a uaser. In IIS, if Windows Authentication is enabled and Anonymous Authentication is disabled for the application, the browser keeps asking for login password again and again.
No user can access it, even authorized users.
(Tried with FireFox and Internet Explorer.)
Maybe this is more an identification/browser problem.
How can I get identified as a user on my development computer
I had the same issue on my localhost. The problem is with hosts file. Some sort of security issue with hosts file vs windows auth. Access your site via localhost:port and win auth should work locally.
See my exactly the same question here: https://stackoverflow.com/a/20723552/809357
I'm developing a website in ASP.NET and C#.
I've created the website so when a user goes to the site, his windows client username is read out with:
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
and then I lookup his username in the db and create a user object with all necessary data (team, name, permission level, role, ...) from the return data.
Then I keep this object in a session var until the user logs out.
This was working like a charm locally but now that I've deployed to the server I get defaultAppPool for every user.
What am I doing wrong?
In my web.config file I have:
authentication mode="Windows"
I have to admit this is the first time that I'm doing the deploying myself and everything went smoothly except for this.
As you've discovered, System.Security.Principal.WindowsIdentity.GetCurrent() gives you the identity of the application pool.
You should be using HttpContext.Current.User.Identity.
Windows authentication and IIS
If you select Windows authentication for your ASP.NET application, you also need to configure authentication within IIS. That’s because Windows authentication is delegated back to IIS. IIS gives you a choice of four authentication methods:
If you select anonymous authentication, IIS does not perform any authentication. Anyone is allowed access to the ASP.NET application.
If you select basic authentication, users must provide a Windows username and password to connect. This information is sent across the network in clear text, making basic authentication dangerously insecure on the Internet.
If you select digest authentication, users must still provide a Windows username and password to connect. However, the password is hashed before being sent across the network. Digest authentication requires that all users be running Internet Explorer 5 or later and that Windows accounts be stored in Active Directory.
If you select Windows integrated authentication, passwords never cross the network. Users must still have a Windows username and password, but either the Kerberos or challenge/response protocols are used to authenticate the user. Windows-integrated authentication requires that all users be running Internet Explorer 3.01 or later.
Get current user identity as :
var userWinId = HttpContext.Current.User.Identity as WindowsIdentity;
Use
System.Web.HttpContext.Current.User.Identity.Name
instead of
User.Identity.Name
or
System.Security.Principal.WindowsIdentity.GetCurrent().Name
I want to get the client window username with which the user is logged in on their machine,
I have tried these:
Request.servervariable["LOGON_USER"],
Request.servervariable["AUTH_USER"],
Request.servervariable["REMOTE_USER"]
but when I deploy my application on IIS the values of all these are blank,
some constraints are applied for my app senario: I am using the authentication mode ="form"
because I am passing the Windows account username to db, then I'm authenticating if this Windows user id is present in db.
Similarly I want anonymous access in IIS.
Assuming you've enabled windows authentication, Page.User.Identity.Name should give you that!