I've written a web application for internal use at work (not for the wider internet) that makes use of Windows authentication - ASP.NET interrogating Windows for the current set of credentials. An authentication method called from the Page_PreInit of protected pages throws a 401 error if the username is not found in an AD group I've set up.
I implemented Earlz' CustomErrorsFixer from Throwing an HttpException always sends back HTTP 500 error? as I too was only getting 500s back. Now my custom error pages are working, which is great.
Developing locally in Visual Studio development server, I've found that if I do not have access, I just go straight to the 401 error page. However! When I publish the site to an IIS server, if the user doesn't have access they get a Windows username/password prompt (the ugly, small one in XP). This is actually quite handy because it gives people who are logged onto a different domain a chance to enter the correct credentials.
At this stage, when the password prompt comes up, if the user hits Cancel or Escape, they go to the custom 401 page, which tells them how to go about requesting access. IF however they try to enter a username and password, which defaults to the wrong domain and are therefore incorrect credentials, they are shown the default IIS 401 page, which I'm very keen to avoid. Third scenario - if they enter CORRECT credentials, they are asked 3 times, and then shown the custom error page.
So, users see the custom 401 page if they are "authenticated", and the standard IIS one if they are not.
However, I've been finding that most people when prompted with a username/password box just enter the username/password without domain - which ends up being incorrect and therefore sending them to the non-custom IIS 401 page. Does anyone know how I can solve this? It's extremely annoying, because people need to see the custom 401 page in order to see which group they need to request access to!
In case it matters, the browser we all use is IE8 on XP or IE9 on Windows 7. Please let me know if I should post any code up.
IIS7 intercepts the 401 along with a few other HTTP status codes by default.
Try this:
    <configuration>
      <system.webServer>
        <httpErrors existingResponse="PassThrough" />
      </system.webServer>
    </configuration>
I have a curious problem with a legacy ASP.NET web application using Windows Authentication. A particular page is crashing, and an inspection of the page and the site logs indicates the page is crashing because the request is not properly authenticated - no Windows identity is being requested by IIS or supplied by IE 11.
The page has a curious path; it took a few minutes to decode how it was originally assembled. The initial request is not for a specific page, but is merely a folder-only URL that is routed to Default.aspx. The handler checks the query string and redirects to specific pages accordingly.
The initial request to the site is authenticated, as evidenced by the IIS site logs. The page to which the request is redirected (Response.Redirect) does not authenticate. The absence of the Windows authentication challenge leaves the site with no automatic identity to the targeted page, leading to the page crash (code depending on the identity fails). The sequence goes this way:
Original URL: /sitename/folder/?parameter1=value&parameter2=value
IIS issues the authentication challenge, and the authenticated user is shown in the logs - eg, domain\user
The request is then handled by folder/Default.aspx (default page as defined in IIS)
Default.aspx.cs inspects the query string, and routes the request to (eg) OtherPage.aspx via Response.Redirect.
OtherPage.aspx is requested, and the request is logged - with no authentication, and no challenge
OtherPage.aspx.cs crashes (no user credential)
I am trying to theorize how or why ASP.NET is even permitting the unauthenticated file request. I have tried to reproduce the behavior in a test environment, and have been unable to do so. I have suspected that "Automatic logon in Intranet zone" might have been disabled, or that stored local credentials may be present but somehow causing a conflict, but neither of those scenarios panned out. The former did result in a failed authentication attempt and a proper 401 response from the server (the target page was not fired in a test environment).
Further research into this question has led to a solution if not a 100% dissection of the cause.
The users experiencing the problem were accessing the target site via a link in an email message. The link, for some unknown reason, inhibited the credential exchange between IE and IIS until the site URL was placed in the "Local Intranet" sites list of IE. This allowed the "Automatic logon in Intranet sites only" option to apply which, in turn, allowed the authentication to work.
The reason this is not a "100% dissection" is because these users were accessing the site previously, wherein authentication worked when the site was accessed conventionally. Exactly how the email message link inhibited the authentication exchange is not known. At the moment, I theorize that some security setting inhibits authentication when originating from an email link unless the specific site URL is explicitly qualified as a trusted or Intranet site.
Thanks for your consideration.
My website is redirecting to 404 error page when the page actually does exist. My website is set up so that it uses windows authentication. If the user does not have access, he/she is redirected to a page that tells them they have no access. If the user does have access then it takes them to another page. My website is set up on a 2008 server with IIS 7. The default document is Default.aspx, windows authentication is enabled and the rest is disabled, my website was working before I put in the security. I have also tried this with Anonymous Authentication. I also put to allow all users for now until I get this to work. I added in tracing to see what it was doing since we cannot debug on the server, so then I see that it is not getting the users' ID. So I do not know what I am missing. I cannot figure out why since this works perfectly on my local machine but not on the local server. I have researched this and I cannot come across anything else I can do. Also, this works when I run it on my local machine and I am using VS 2013.
To get the User's ID, I have used the following code:
un = HttpContext.Current.Request.LogonUserIdentity.Name.ToUpper();
un = User.Identity.Name;
un = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
It crashes on the following line due to the user ID being 0.
I have searched YouTube videos that walk through setting up Windows Authentication and I even have it working on another application perfectly fine! This is frustrating and would really appreciate any help I can get. Please let me know if further details are needed.
The error I get is a 404 error
Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Detailed Error Information
Module: IIS Web Core
Notification: MapRequestHandler
Handler: StaticFile
Error Code: 0x80070002
Requested URL: http://MyApp.com:80/Default.aspx
Physical Path: D:\Sites\MyApp\Default
Logon Method: Negotiate
Logon User: XXX\bds
I am working on ASP.Net MVC-4 application. I have to implement windows authentication.
I have set authentication mode as 'Windows' in web.config file as shown below.
    <system.web>
      <authentication mode="Windows" />
    </system.web>
In controller I try to get username as below.
string userName = User.Identity.Name;
but every time I am getting empty value.
Please let me know for any suggestions.
Thanks in advance.
Windows authentication is performed by IIS to establish our managed code User.Identity. Therefore, you need to enable Windows Authentication in your IIS, and in order to force the user to authenticate before being able to access our application, you need to disable Anonymous Authentication.
With the given information, it looks like you've configured your project correctly but haven't actually authenticated the user yet.
First some background. There is a simplified tutorial on asp.net where, in between the lines, the following statement is mentioned:
By default, the ASP.NET Development Web Server executes all pages in the context of the current Windows account (whatever account you used to log into Windows).
This means that when you run your project with F5, it executes everything under your currently logged in user account. However, it isn't yet authenticated for the application and therefore your User.Identity.* is not set yet.
In order to verify if this is the case, you should add the [Authorize] attribute on the first controller (or Action) that is called in your ASP.NET MVC project. Most likely you'll be confronted with an "HTTP Error 401.0 - Unauthorized" exception. In this case, you should enable your webserver to authenticate first. The above-mentioned tutorial will help you with this.
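The settings the two answers above describe, written out as one web.config fragment (an added example, not taken from the original posts). It assumes IIS 7 or later and that the two `system.webServer` authentication sections are unlocked for the site; they are locked at server level by default, in which case the same two values are set in IIS Manager or applicationHost.config instead.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET builds User.Identity from the Windows identity IIS hands it. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" means anonymous users: refuse them, so every managed request
           has to carry an authenticated identity. -->
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- If this is enabled="true", IIS serves the request anonymously
             unless something later returns a 401, so the browser is not
             challenged and User.Identity.Name stays empty even though
             Windows Authentication is also enabled. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```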
I'm continuing someone else's development AND I don't know much about current practices for authentication in MVC applications.
The only things that are set about authentication are in the application's IIS configuration:
.NET Authorization Rules = Allow, All Users
Authentication:
Anonymous Authentication: Enabled
ASP .NET Impersonation: Disabled
Windows Authentication: Enabled
With this configuration, on the server, the browser asks me for a login/password. I enter my network login.
Then I can identify the user with Request.RequestContext.HttpContext.User.Identity...
On local computer where I login using the same login/password: no user is logged in the application (Request.RequestContext.HttpContext.User.Identity.Name == ""). If I disable Anonymous Authentication, the browser simply keeps re-asking for login/password infinitely.
My first problem is that I would like to be able to log out on server.
From scarce info I got here and there I have already tried:
FormsAuthentication.SignOut(); --> does nothing
WebMatrix.WebData.WebSecurity.Logout(); --> Exception, tries to access a database (I got this from one of the VS2012 templates but I didn't think it would apply to my context).
if(this.Request.RequestContext.HttpContext.Session != null)
this.Request.RequestContext.HttpContext.Session.Clear(); --> Session is null, so this does nothing.
So, how can I log out in order to relog as a different user ?
(I would also like to be able to identify the user on local computer, but I think that should be asked in another topic.)
Removed FormsAuth logout method as the question is for Windows Auth... doh!
Update:
To get the logged in user name try the IPrincipal Controller.User:
User.Identity.Name
Doh, my bad, you're using Windows Authentication...
In which case it's the browser that is caching the credentials not the server / IIS so clearing the session won't achieve anything.
Taken from here:
"The user credentials are being cached by the client browser, not by IIS. To
force the client user to enter credentials again, you would need to send an
appropriate 401 status message in response to the next client request.
However, doing this would run counter to very legitimate user expectations
of how Windows authentication is supposed to work, so you may want to
reconsider. When Windows user credentials have already been accepted by a
server (either via a login dialog or automatic submission under IE
configuration for the target site or zone), a 401 is only expected if a
requested resource cannot be accessed under the previously supplied
credentials. When you send a 401 after any credentials have been previously
accepted, the user should expect that they need to use different credentials
from their initial login. If you're expecting the same credentials, then
user confusion should be anticipated.
All in all, if you really want to force a new login, perhaps a different
authentication mode might be more appropriate."
For an IE only workaround see this SO post.
I am having an issue adding a Web Service Reference to the CRM Deployment Service at http:///MSCRMServices/2007/CrmDeploymentService.asmx
When I first attempt to connect it says Connecting to and prompts for credentials. After entering my credentials, it will continue prompting for credentials indefinitely.
When I attempt to navigate to the service in IE, I get prompted for credentials and after submitting them a few times, I get a 401 error.
When I attempt to navigate to the service in Firefox or Opera, the basic authentication dialog pops up and I enter credentials. The service description page correctly appears.
Is there something preventing IE/VS from submitting the credentials correctly? In each place, I am using the same domain/user credentials. I have tried it from IE on both a computer on the domain and a computer not on the domain and get the same results.
Not sure if this will help, but I vaguely remember something like this happening to us at work, and someone fixed it by disabling IPV6. Like I said my memory is hazy so I don't know if this is the exact problem that we were having too. I just remember that the solution was to disable IPV6 on the server.