open intranet URL XP prompts for credentials NTLM compatibility - c#

We have an intranet site on our network which uses NTLM to perform single sign-on that works without issues. I wrote a C# application which spawns an IE window with the site URL. Because the application also installs other applications from a protected folder and the users on the domain have restricted rights, it is run with a local administrative account.
I have tried:
System.Diagnostics.Process.Start("IExplore.exe", "http://MyIntranetSite/");
// and
System.Diagnostics.Process.Start("http://MyIntranetSite/");
This works without any sort of issue on Windows 7, however on Windows XP it is prompting for user credentials for NTLM authentication.
Could someone point me in the right direction of how to get around this issue?

The most likely reason would be IE settings. NTLM SSO only works, on the client side, when IE chooses to use SSPI and handshakes with the server. IE parses the URL and uses its security settings to decide whether to do SSO or prompt for creds. http://support.microsoft.com/kb/258063

Related

Windows Authentication for Blazor Server app - login popup

I am building a Blazor Server app using .NET 6.0.11 and deploying using Http.Sys. The server and clients are all on the same Windows domain. I'd like to authorize users based on their domain login, instead of building a username/password database and infrastructure specific to this app.
The code in Program.cs to enable Windows Authentication, based on code from the official documentation:
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
    builder.WebHost.UseHttpSys(options =>
    {
        options.Authentication.Schemes =
            AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
        options.Authentication.AllowAnonymous = false;
    });
}
// ...
app.UseAuthentication();
app.UseAuthorization();
I view the authentication state using the first code sample from ASP.NET Core Blazor authentication and authorization.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
Note: I had to run a netsh http add urlacl url=.... one time only; the command was suggested by an exception message generated on first run after changing the launch URL.
Entering my domain login username and password is accepted, and the previous code sample does show my username successfully. I also noticed the following behaviour:
setting AllowAnonymous = true; means it will not prompt at all for the username/password; the page just proceeds with the user not authenticated.
If the username/password is not entered correctly (for a user on the domain) then HTTP error 401 is generated instantly, it never tries to execute the Blazor default error page for example.
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
I am presuming the above behaviour will be the same for other domain uses on different machines accessing this server, although have not tested that yet.
My questions:
is it possible to skip the username/password popup, and just get the domain user that is already logged in on the client machine and doing the access?
(If not) would deploying to IIS instead of Http.Sys change anything?
There seem to be Blazor-based solutions discussed on this SO thread, but I can't see how to use them because the popup always appears as soon as any page is attempted, before any page is rendered; and if login fails, HTTP 401 error is generated with none of the Blazor pages being executed.
Footnote: I was using HTTP.sys instead of Kestrel due to documentation indicating that Kestrel did not support Windows Authentication; however it is working using Kestrel for me now, along with the information from the Accepted answer -- not sure what the story is there.
This is a client-side issue.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
That's because the browser recognizes localhost as a (somewhat trustworthy) server within your intranet, but considers mycomputername.our.domain to be a (potentially hostile) Internet service. For security reasons, Chrome and Edge only use your Windows credentials with servers within your own intranet by default.
To determine which group a URL belongs to, Chrome, Internet Explorer and Edge use Windows' own "Intranet zone" settings. To add your URL,
search for "Internet options" in the Windows Start Menu, then
navigate to Security/Local intranet/Sites/Advanced.
If you want to test with a non-Chromium based browser, here's how to configure Firefox. Firefox manages its own list of URLs where Windows authentication is allowed:
How to configure Firefox for NTLM SSO (Single-Sign-On)?
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
If the client and the server agree to use Kerberos, sure: The client communicates with the domain controller to authenticate and to get a service ticket and then uses that ticket to access your service.
If they don't agree, they will use NTLM. In this case, authentication happens between the client and your server. However, NTLM won't send your password in plain text either, but rather uses it as part of a challenge-response mechanism.
is it possible to skip the username/password popup, and just get the domain user that is already logged in on the client machine and doing the access?
IMHO, this is not possible with "windows authentication", because the popup dialog that you see is a special browser feature to enable the windows authentication. This one was created in order to support internal applications with domain authentication. I don't know of any way to access that browser behavior.
(If not) would deploying to IIS instead of Http.Sys change anything?
Haven't done a deployment with Http.Sys, but according to the documentation Http.Sys supports windows authentication. The deployment would be different since for Http.Sys you need to write the configuration in code, unlike IIS.
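The zone assignment the first answer describes can also be checked and set without the Internet Options dialog. This is an added example, not part of the original answers; it writes the per-user ZoneMap registry key for one host and assumes placeholder names `mycomputername` and `our.domain`:

```powershell
# Added example (not from the original answers): put one intranet host into the
# Windows "Local intranet" zone so IE/Edge/Chrome attempt silent Negotiate/NTLM
# SSO instead of prompting. Both names below are placeholders.
$Domain     = 'our.domain'       # placeholder: AD DNS suffix of the server
$ServerHost = 'mycomputername'   # placeholder: host label of the server

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
# Structure is ZoneMap\Domains\<suffix>\<host>, with one DWORD per URL scheme.
$Key = Join-Path (Join-Path $ZoneMap $Domain) $ServerHost

function Get-UrlZone {
    # Returns the zone number stored for a scheme, or $null if the host is not mapped.
    param([string]$Path, [string]$Scheme)
    $item = Get-ItemProperty -Path $Path -Name $Scheme -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Scheme
}

# 1. Report the current state before changing anything.
foreach ($scheme in 'http', 'https') {
    $zone = Get-UrlZone -Path $Key -Scheme $scheme
    if ($null -eq $zone) {
        "${scheme}://$ServerHost.$Domain : not mapped (browser falls back to its own heuristics)"
    } else {
        "${scheme}://$ServerHost.$Domain : zone $zone"
    }
}

# 2. Map http and https for this host to zone 1.
#    Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
New-Item -Path $Key -Force | Out-Null
foreach ($scheme in 'http', 'https') {
    New-ItemProperty -Path $Key -Name $scheme -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Re-read to confirm the mapping took effect (new browser windows pick it up).
foreach ($scheme in 'http', 'https') {
    "${scheme}://$ServerHost.$Domain : zone $(Get-UrlZone -Path $Key -Scheme $scheme)"
}
```

Where a "Site to Zone Assignment List" group policy is enforced, the per-user key is ignored and the host has to be added to that list centrally instead.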

Umbraco and Windows Authentication

My team is trying to set up an intranet portal powered by Umbraco which requires Windows Authentication for authenticating its users, who are stored as (Umbraco) Members.
Currently we have done the following:
In the Authentication Feature of IIS, we enabled only Windows Authentication at the root of the web site (all other authentication options are disabled).
In Web Config, we changed the Authentication settings mode attribute from Forms to Windows.
The username of the Members is stored in the domain\username format.
That works fine as far as it concerns authentication and authorization of members in the front end. But in the back office (which requires Forms Authentication), it does not work well with the above settings: sometimes the browser displays the authentication popup window and requires the back office user to enter his (domain) credentials, and sometimes it randomly terminates the back office user's session and logs the user out.
Is there any suggested way for implementing Windows Authentication for Umbraco portals that does not raise such issues in the back office?
Any help will be greatly appreciated.

MVC4 cannot get logged in on development computer

In a .NET MVC4 application, access to controllers is restricted by the Authorize attribute.
// A single user is matched with Users; a domain group is a role, so it goes in Roles.
[Authorize(Users = @"network-domain\-some-user-")]
[Authorize(Roles = @"network-domain\-some-group")]
When publish on the server it seems to work fine.
On my development computer on the same network, I cannot get identified as a user. In IIS, if Windows Authentication is enabled and Anonymous Authentication is disabled for the application, the browser keeps asking for login password again and again.
No user can access it, even authorized users.
(Tried with FireFox and Internet Explorer.)
Maybe this is more an identification/browser problem.
How can I get identified as a user on my development computer?
I had the same issue on my localhost. The problem is with hosts file. Some sort of security issue with hosts file vs windows auth. Access your site via localhost:port and win auth should work locally.
See my exactly the same question here: https://stackoverflow.com/a/20723552/809357

Get Windows user credentials with windows authorization disabled in IIS

Is it possible to grab a user's Windows credentials (i.e. username) without having Windows authentication enabled in IIS? With Windows auth disabled the code below returns either NT AUTHORITY or IIS APPPOOL\ASP.NET v4.0 depending on whether impersonation and anonymous authentication are enabled or not.
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
I am converting an asp.net web application that is using forms authentication to custom authentication. Basically, if a user is connecting from outside the network I force a credential check, whereas if they are connecting from within the network I would like to be able to just grab their Windows username. The internal portion works when I turn on Windows authentication, but I get the popup login box when testing outside of the network. I either need to disable Windows authentication for non-local connections or figure out how to get the Windows username with Windows authentication disabled. Any suggestions? (The other alternative I thought of was splitting the application in two and having separate authentication modes for each, but I'd like to avoid this.)
I have also tried:
System.Web.HttpContext.Current.User.Identity.ToString();
System.Threading.Thread.CurrentPrincipal.ToString();
Something like this is actually (kind of) possible using Active Directory Federation Services. In the event of a Windows user from inside the network, they can be configured to use their account details. For external users, they can be redirected to a page that will require them to log in.
However, this is very heavy-duty and an extreme pain in the neck to implement, and is really only applicable to enterprise solutions that have the resources to use this kind of solution. Otherwise, I'd say go with the 2 site approach.
Simple answer is no.
Best solution is to create 2 sites: one for internal users that uses Windows authentication, one for external users that uses forms authentication but authenticates against AD. You can make users always go to the external site by default and then redirect based on their IP, that is, redirect intranet users to the internal site.

Windows Authentication Doesn't automatically grab user credentials

I have an aspx site that I'm working on for our company's intranet. I recently added some secure pages that require the user to be a member of particular groups in Active Directory in order to view them. We are using Windows Authentication for the site (I have Windows authentication in the .config). Windows Authentication is enabled in IIS, and Anonymous Authentication is disabled. I've also enabled NTLM Authentication in the project's properties.
As far as I can tell, the security stuff is working as expected. Only users with the proper credentials can access the secure pages (I'm securing them with the [Authorize(Roles = "bla")] check on the controller action).
The problem I'm having is not really a problem, but more of an annoyance. Whenever the user logs in to the site, they are prompted with a login dialog. I don't want this. I want the site to grab their credentials from the windows login and use that to determine their access rights. I was under the impression that Windows Authentication handled this on its own, but it appears I was wrong.
Basically, how can I get rid of the login prompt and have Windows Authentication handle all of that same functionality automatically?
Is there some server setting I might need to change? Could it be something in my code?
I want it to work with at least IE, Firefox, and Chrome, if that is at all possible.
Update 7/23/2012
Thanks everyone for the suggestions, unfortunately I still haven't gotten this to work properly. Some things I've noticed that may help provide some more details
I'm fairly certain the intranet site is on our list of "trusted" sites (our network admin says it is).
I'm using NTLM authentication and NTLM authentication only. If I remove NTLM authentication and enable Negotiate: Kerberos authentication, I just get a 401 - Unauthorized error. I can fix this by disabling Kernel mode authentication, but then I still get the credentials prompt (which I don't want).
If I check "Enable Integrated Windows Authentication" in IE > Internet Options > Advanced > Security, it will prompt me for credentials, but entering my credentials no longer works. It will ask me three times and then take me to the 401 error page.
IE9 asks me only for my password and pulls my username (good). Chrome and Firefox prompt me for username and password.
Look in Internet Explorer / Tools / Options / Advanced.
There is a checkbox "Enable Integrated Windows Authentication" under "Security".
Is this checked?
It's checked by default, and can be set by admins using a GPO:
http://www.windowsecurity.com/articles/configuring-advanced-ie-settings-using-group-policy.html
There is a setting within IE that allows this automatic pass through to happen. Your system administrator could create a group policy and push this to all users.
I've also been successful in configuring Firefox to function in the same manner, but that would involve modifying individual users' FF configurations.
This line should be in your web.config within the <system.web> element.
<authentication mode="Windows" />
Just thought I'd provide an update as to what actually solved the problem.
I tried all of the great suggestions you guys provided for internet explorer settings, but in the end, it turned out to be a server setting.
Flipping the order of Providers for the site to NTLM, Negotiate in that order solved the problem.
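The provider order described in that update, expressed as a web.config fragment. This is an added illustration, not the asker's own configuration; the section placement follows the IIS schema, and the site path is left to the reader:

```xml
<!-- Added example (not the asker's web.config): Windows Authentication with
     NTLM listed before Negotiate, matching the update above. IIS offers the
     providers to the browser in this order, so NTLM is tried first and the
     Kerberos path (which needs a correct SPN for the host and app pool
     identity) is only used if the client chooses Negotiate. The
     windowsAuthentication section is locked at server level by default and
     must be unlocked before a site-level override like this is honoured. -->
<configuration>
  <system.web>
    <!-- Same line as the earlier answer; keeps ASP.NET's principal in sync with IIS. -->
    <authentication mode="Windows" />
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" useKernelMode="true">
          <providers>
            <clear />
            <add value="NTLM" />
            <add value="Negotiate" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Putting NTLM first works around a broken Kerberos setup rather than fixing it; the usual cause of the 401 seen with Negotiate is a missing or duplicate HTTP/hostname SPN for the account the app pool runs as.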
