My Windows Authentication is working with IIS7 but now i want to deny specific users based on the data that i have in SQL server.
I know i can send a information access denied but i want to send windows login form to the user to enter different credentials, so that IIS can authenticate the new credentials and send it to the c# to authorize the user again.
Edit - To rephrase the question
I want to use both windows authentication and authentication based on database data. First i want the users to be authenticated via Windows authentication and then application will authenticate the user. But my question is if the application denies the user then I want the Windows authentication dialog box to show up to the user for windows credentials to start the process from beginning.
If you want to authenticate by using information from a database, you would have to use forms authentication.
The steps you have to take are:
Build a Login-Webpage (login.aspx in this example)
Put this in your web.config, to specify the login page and deny access for all users initially:
Code:
<authentication mode="Forms">
<!-- Login.aspx is the login page forms authentication should use. -->
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="30" slidingExpiration="true" >
</forms>
</authentication>
<authorization>
<!-- deny all users access to ressources of this app, if not logged in. -->
<deny users="?" />
</authorization>
In your login page, in code behind, call this to let a user pass:
Code:
FormsAuthentication.SetAuthCookie("UserName", False)
One of the method you can do is create your own login form and authenticate user using LDAP queries.
So initially it authenticates user via windows authentication and if other criteria doesn't satisfy the user access you can send your own login form and authenticate user using LDAP queries.
Related
I need to authenticate into a web app using Single Sign-On, through Active Directory. I want to get the userName doing: System.Threading.Thread.CurrentPrincipal.Identity.Name, and then, through LDAP, get the password from the AD, and log into the web app.
The problem is that System.Threading.Thread.CurrentPrincipal.Identity.Name returns empty.
Here is my Web.Config:
<authentication mode="Forms">
<forms loginUrl="~/SignIn" timeout="120" />
</authentication>
Now, I'm using active directory as a way to authenticate, and it works fine. But I also need to make it Single Sign-On.
Thanks
You need to activate Windows authentication.
<authentication mode="Windows" />
Don't forget to install the Windows Authentication feature for IIS.
If you want to use mixed authentication (Forms & Windows at the same time) I recommend OWIN-MixedAuth
You can use HttpContext to retrieve the user identity. You must set authentication mode as "Windows Authentication"
https://stackoverflow.com/a/40938106/950944
I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.
When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).
I use the following string to discriminate anonymous users and domain users:
WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
If WindowsAccountName is empty user is anonymous, otherwise is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.
Do you have any solution for these problem? Keep in mind that domain users are spread among different networks so IP address is not a good choice to discriminate domain users and non-domain users.
it looks like a catch-22 for me
Thanks.
The term for this is Mixed-Mode Authentication. I have done this multiple times.
This can be accomplished by using a windows authenticated site that does no more that pull the users credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this with an encrypted URL parameter that contains the user id and time-stamp.
Internal Site
Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
I don't know if it's too late to post this.I recently worked on enabling anonymous authentication on one page in the .NET 4.8 MVC application.
Let's say the page was accessible via URL: User/MyCustomPage
Application configuration was as follows:
1. In web.config authentication mode was specified and authorization was
set to deny for anonymous users.
<system.web>
<authentication mode= "windows"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
2. In the controller, authorize tag was there.
3. In IIS, windows authentication was enabled, and anonymous mode was disabled.
I did the below steps:
1. Removed authorize tag from the specific controller and added
[AllowAnonymous] tag.
2. Enabled anonymous authentication in the IIS server. Go to
server->authentication-> Anonymous-> click Enable in the right pane.
3. I had to add the particular path, to exclude it from regular
windows authentication by writing the below code in web.config file.
<location path="User/MyCustomPage"/>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
But Still, I was getting prompt for windows credentials on accessing the above URL. The reason I found that was:
The View that MyCustomPage was returning, was consuming another resource.
So, I have to add that path too in the web.config.
<location path="Bundle/Content/css"/>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
I am having an ASP.NET website running under Windows Authentication.The issue I am facing is that I can't get pass from login screen while submitting my credentials:
I have the following settings in IE:
"Enable Integrated Windows Authentication" checkbox is checked.
"Automatic logon with current username and password" radio button is selected.
IIS authentication is set to "Windows Authentication":
My web.config is having:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
The provider for that authentication is set to "NTLM"
AppPoolIdentity is set to "NetworkService"
I have even given "Full rights" to "Everyone" role to my website.
I have confirmed the user with which I am trying to login exists in Windows Active directory:
In order to debug the cause I attached the process to source and I noticed that I was able to reach Application_BeginRequest but the breakpoints I added in PreRequestHandlerExecute handler could not reach, may be thrown out in between to login modal again.
Can you help me locating the cause of windows login modal not accepting my credentials?
Don't use the Internet Zone. Add an entry to the Intranet zone for your web site.
Here's my scenario:
I have an intranet application. I want to let the network users automatically get logged into the application using the Windows Authentication features. If the user isn't into my network, I'll pop up to them a login screen.
So, I changed the authentication mode into web.config file to Windows. Then I'm using the HttpContext.User.Identity object in order to get the logged user into the network. So I ran the app into my localhost and it works great.
When I publish the application into the server, when I try to automatic log in, the Identity object is always empty.
So, I've tried the following steps:
Deny anonymous users. <deny users="?"/>, which not allows any anonymous users to enter in the application, but I got a problem here: when the user isn't into our network, the server pops up that default authentication window from Window Servers, not my personal login screen.
Let anonymous users in. If I get rid with that <deny users="?"/>, any user can access the page, but it ALWAYS goes to the login screen, even if I'm into my local network.
So, what I need is: when the user is into the local network, go straight without login. If they aren't, pop up a login screen to them.
Can someone help me to figure out what's going on?
Thank you all!
Do the following,
<identity impersonate="true" />
<authentication mode="None" />
<authorization>
<deny users="?" />
</authorization>
Hope it helps.
I have an asp.net site, and I need to use both Windows Auth and Anonymous Auth together.
I need Windows auth as I need to get the username of the logged on user, but also the site runs a web-service which must be accessed anonymously.
If I turn on Windows Auth I can get the user and this works fine, but the site calling the web-service returns a 401 error. If I add in Anonymous access too the site using the web-service works fine, but I can no longer get the username of the logged in user.
How can I get the best of both - i.e. get the user name, but not kill my web service.
You can add the following to disable access to specific locations within your directory tree
<location path="path.to.web.service">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
while keeping the main site under control of the Windows authentication.
See : http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx