I have created a asp.net web application and have used windows authentication, for testing purposes i want to use the application as a different user.
I thought running firefox as a different user would achieve this but doing this does not seem to work. The HttpContext.Current.User property is still logged in AD user.
Is there a setting or anything i need to change in firefox to fix this?
There is an very easy option for every program. Use RUNAS command. Open cmd and type:
runas /user:DOMAIN\USER "c:\Program Files (x86)\Mozilla Firefox\firefox.exe"
I think you can configure the "Integrated windows authentication" in fireFox in the about:config page.
Please take a look at the following link. This link is to activate the integrated authentication but maybe you can use it to do the revert operation.
Once FireFox ask you for username and password you will be able to enter a different from yours (logged one).
I don't know to much about firefox, but there is a setting under IE properties (which I think most other browsers derive security settings from). "Automatic login for intranet sites" - or something to that effect, needs to be turned off and it should then start to prompt you for login details.
Related
I have an aspx site that I'm working on for our company's intranet. I recently added some secure pages that require the user to be a member of particular groups in an Active Directory in order to view. We are using Windows Authentication for the site(I have windows authentication in the .config). Windows Authentication is enabled in the IIS, and Anonymous Authentication is disabled. I've also enabled NTLM Authentication in the projects properties.
As far as I can tell, the security stuff is working as expected. Only users with the proper credentials can access the secure pages (I'm securing them with the [Authenticate Roles = "bla"] check on the controller action).
The problem I'm having is not really a problem, but more of an annoyance. Whenever the user logs in to the site, they are prompted with a login dialog. I don't want this. I want the site to grab their credentials from the windows login and use that to determine their access rights. I was under the impression that Windows Authentication handled this on its own, but it appears I was wrong.
Basically, how can I get rid of the login prompt and have Windows Authentication handle all of that same functionality automatically?
Is there some server setting I might need to change? Could it be something in my code?
I want it to work with at least IE, Firefox, and Chrome, if that is at all possible.
***Update 7/23/2012
Thanks everyone for the suggestions, unfortunately I still haven't gotten this to work properly. Some things I've noticed that may help provide some more details
I'm fairly certain the intranet site is on our list of "trusted" sites (our network admin says it is).
I'm using NTLM authentication and NTLM authentication only. If I remove NTLM authentication and enable Negotiate: Kerberos authentication, I just get a 401 - Unauthorized error. I can fix this by disabling Kernel mode authentication, but then I still get the credentials prompt(which I don't want).
If I check "Enable Integrated Windows Authentication*" in IE > Internet Options > Advanced > Security, it will prompt me for credentials, but entering my credentials no longer works. It will ask me three times and then take me to the 401 error page.
IE9 asks me only for my password and pulls my username(good). Chrome and Firefox prompt me for username and password.
Look in Internet Explorer / Tools / Options / Advanced.
There is a checkbox "Enable Integrated Windows Authentication" under "Security".
Is this checked?
It's checked by default, and can be set by admins using a GPO:
http://www.windowsecurity.com/articles/configuring-advanced-ie-settings-using-group-policy.html
There is a setting within IE that allows this automatic pass through to happen. Your system administrator could create a group policy and push this to all users.
I've also been successful in configuring Firefox to function in the same matter but that would involve modifying individual users FF configurations.
This line should be in your web.config within the <system.web> element.
<authentication mode="Windows" />
Just thought I'd provide an update as to what actually solved the problem.
I tried all of the great suggestions you guys provided for internet explorer settings, but in the end, it turned out to be a server setting.
Flipping the order of Providers for the site to NTLM, Negotiate in that order solved the problem.
I use this simple line of code inside my HttpHandler:
Directory.CreateDirectory(#"\\srv-001\dev\folderToCreate\");
I receive an UnauthoridezAccessException telling me that the access to the path is denied.
From here, I create a little Dos application in C# doing the same thing and I was able to create the folder. So, I thought that it might be that IIS is running on a different user than myself. I went to IIS and changed the Application pool to a Custom user, myself. But, unfortunately, I got the same exception.
I have try to create a Share folder on my computer and I can create directory. Also, when debugging I can see that System.Threading.Thread.CurrentPrincipal.Identity have its AuthenticationType to "", IsAuthenticated to false and name to "".
So, with all those tests I can conclude that the HttpHandler that receive the file cannot create a directory because of some security access.
How can I grand access to my HttpHandler to be able to create a directory (and files) to a network folder?
actually, i thought of one other thing to check. not only is there the app pool identity, but there is also an identity associated with anonymous authentication. if you are on iis 7/7.5, you should be able to see the authentication icon for the web application and doubleclick that. selecting anonymous authentication and then clicking edit will reveal a dialog that gives you the option of specifying a user or the app pool user. i bet if you choose app pool user, that will fix it.
if you are on iis 6, i don't recall as clearly, but i'll give it a shot. don't have iis 6 in front of me to verify, but i remember there being an anonymous access button you can click that would bring up a dialog where you could specify the user. don't think you had the option there of using the app pool identity and had to specify the account explicitly.
I'm trying to develop an intranet app/website that uses Windows authentication.
I'd like to test it with multiple users, for roles etc.
At the moment I'm only using my own domain account. Is there a way I could simulate different users for the site?
As a picture is worth a thousand words here it goes how to do it in IE based on 2GDev's comment copied here for clarity:
Go to Internet Options => Security => Local Intranet => Custom Level
and change the User Authentication to "Prompt for username and
password"
Click OK then Apply. Close the browser. Reopen it and point it to the website's URL you want to debug. You should happily see the login prompt where you can login with a different User account to simulate concurrency for example (this is what I'm doing right now here):
When you use Windows Authentication you can change your identity by running the browser as another user.
In windows, go to the browser exe (or a shortcut), right-click on the icon and select "Run as.." from the menu. This will prompt you to specify the username and password to run the account under.
Provided the identity you specify has access to the machine you are running on, the browser will then be running "as" identity specified. If you browse to a site using Windows Authentication, it will authenticate using the identity specified, instead of your own.
Use Impersonation...
From MSDN
Impersonation
An ASP.NET application can use impersonation to perform operations and
access resources with the security context of the authenticated client
or of a specific Windows account.
And in your web.config
<identity impersonate="true" username="TestUser" password="P#ssw0rd" />
How about to install and run the Virtual PC with some ready for download installed systems from MS ?
By running a virtual pc on your computer you can emulate connections to your pc and at the same time, its looks like a diferent computer, with diferent Ip.
In my case, there are db tables with users and their properties. In users table got login field (Domain/UserName). Also got custom Identity and Principal, which using this table to authenticate user in global.asax autherticate_request method.
To simulate different users in debug mode, there is special control rendered in master page (or layout page for mvc). It contain select box with all users, and apply button.
On server side after apply button click in session pushed emulated user login and sending refresh to response.
So in next authenticate event occured checking for emulated user login in session and if it exists then authenticate continues based on emulateded login.
Bad side: need sync service to always have actual user table based on current AD.
The test is running on a windows network that requires proxy (squid) authentication to access external websites, say www.google.com for sake of example.
Some background things to note
These sites cannot be added to the
proxy white list.
Same WatiN test passes in IE
I have tried tweaking about:config
ntlm settings to allow automatic
passing of saved credentials
www.google.com has been
added to Local Intranet sites
WatiN cannot use LogonDialogHandler
to deal with this, like IE can
The title of the dialog is Authentication Required and reads The proxy myproxy:8080 is requesting a user name and password. The site says "", with a text field for User Name: and Password:
Has anyone got any ideas of how to get around this?
I'm hoping there is something FireFox specific that will allow me to automatically pass through the credentials. An idea I might try is starting the browser with network credentials.
Maybe one of the settings here will help:
https://developer.mozilla.org/En/Integrated_Authentication
EDIT:
This will be fixed in Firefox 4:
https://bugzilla.mozilla.org/show_bug.cgi?id=521467
Here are some references that might offer other solutions to get around the logon dialog.
In this post they solved it using WindowsAutomation:
WatiN LogonDialogHandlers not working correctly in Windows 7
This solution passes the credentials in the url:
how to impersonate a windows domain user for automated web testing?
And this solution uses impersonation:
Watin Windows Authentication
You could also use FiddlerCore to manipulate the response to the server:
How to simulate http request using WatiN with specific HTTP referrer and query string?
HTH,
Jeroen
I have a C#/.NET website on my local machine that I use to test.
Everytime I run the website in Internet Explorer 7, I have to empty the browser history or it will stay logged on as the previous person.
How do I make it so it lets me log in without having to empty the history every single time I want to test?
Your login information is stored in the session and that sets a cookie in IE7. So you don't have to clear the whole history - just a session cookie for the site.
Alternatively you could implement 'logout' functionality in your app.
Since the issue exists only in your development environment, a workaround would be to use a browser that implements a 'private' mode such as Google Chrome's incognito mode or Microsoft Internet Explorer 8's InPrivate mode
These browsers, when operating in these 'private' modes do not keep the cookies and temporary internet files after you close the window which should solve your issue.
However, it should be kept in mind that these browsers might not be fully compatible with the website you are developing.
Moreover, you should provide more information regarding the implementation of your website's authentication and your website in general if a more permanent solution is to be reached.