On our intranet pages, we're checking who the user is and displaying it on the site as a label. For all other users the logged in name is correct. For this user it shows as OURDOMAIN\ADMINISTRATOR.
I know HOW it happened. One day there was an issue with permissions and I launched the page from her PC. IE prompted for the user, and rejected her login. I tried using the domain admin, and it let us access the page, but now I can't get it back to her login. It's not browser specific, as I installed Chrome and get the same behavior.
The page connects to the database (using SQL Authentication), and then runs a stored procedure. After that, the following code is run:
string userid = HttpContext.Current.User.Identity.Name.ToString();
lbl_User.Text = userid;
How / Where do I reset this for her? Is XP or IIS that cached these credentials?
It is most likely stored in Managed Passwords:
Click Start > Run
Enter "control userpasswords2"
Click the Advanced tab
Click Manage Passwords
Select the wrong credentials
Click Remove
You may need to log-off and back on again for these setting to change.
This is definitely a problem with the client PC and not IIS. Windows stores credentials for later use and will automatically send these to the web server via the browser.
I found the solution: the page was in the "Intranet" zone. I opened IE, and went into internet options. I went to the Internet Options, went to security tab, selected Intranet, and then "Custom Level". Went down to user authentication and set it to "Prompt for user name and password". Closed the browser, reopened that page and then it prompted me. Changed the credentials accordingly.
Related
I am attempting to use Integrated Windows Authentication on IIS for an MVC web app. The original hope was that the user would be logged in automatically using the current Windows user credentials. I am running into the issue where the user is always prompted to enter user name and password. I have decided that we can live with this. However, I have also noticed that the user can enter any valid domain credentials...it's not limited to the currently logged in machine. But if this is the case, I need to provide a logout button, so the user can be switched if necessary.
Everything I can find on this issue, logging out in Windows Authentication, says you cannot do it because it pulls the credentials from the machine login. But it's obviously not doing that in my case, because I can enter any valid credentials and log in successfully. So a user could be logged onto the machine as user X, and then, when prompted, log into the web app as user Y. Am I to understand that, under Windows Authentication, there's no way to address this?
Are you sure you selected Windows Authentication While creating the Project? Confirm that and if yes, proceed to check your web.config that application authentication is set to windows.
I'm continuing someone else's development AND I don't know much about current practices for authentication in MVC applications.
The only things that are set about authentication are in the application's IIS configuration:
.NET Authrization Rules = Allow, All Users
Authentication:
Anonymous Authentication: Enabled
ASP .NET Impersonation: Disabled
Windows Authentication: Enabled
With this configuration, on the server, the browser asks me for a login/password. I enter my network login.
Then I can get identify the user with Request.RequestContext.HttpContext.User.Identity...
On local computer where I login using the same login/password: no user is logged in the application (Request.RequestContext.HttpContext.User.Identity.Name == ""). If I disable Anonymous Authentication, the browser simply keeps re-asking for loginpassword infinitely.
My first problem is that I would like to be able to log out on server.
From scarse info I got here and there I have already tried:
FormsAuthentication.SignOut(); --> does nothing
WebMatrix.WebData.WebSecurity.Logout(); --> Exception, tries to access a database (I got this from one of the VS2012 templates but I didn't think it would apply to my context).
if(this.Request.RequestContext.HttpContext.Session != null)
this.Request.RequestContext.HttpContext.Session.Clear(); --> Session is null, so this does nothing.
So, how can I log out in order to relog as a different user ?
(I would also like to be able to identify the user on local computer, but I think that should be asked in another topic.)
Removed FormsAuth logout method as the question is for Windows Auth... doh!
Update:
To get the logged in user name try the IPrincipal Controller.User:
User.Identity.Name
Doh my bad your using Windows Authentication...
In which case it's the browser that is caching the credentials not the server / IIS so clearing the session won't achieve anything.
Taken from here:
"The user credentials are being cached by the client browser, not by IIS. To
force the client user to enter credentials again, you would need to send an
appropriate 401 status message in response to the next client request.
However, doing this would run counter to very legitimate user expectations
of how Windows authentication is supposed to work, so you may want to
reconsider. When Windows user credentials have already been accepted by a
server (either via a login dialog or automatic submission under IE
configuration for the target site or zone), a 401 is only expected if a
requested resource cannot be accessed under the previously supplied
credentials. When you send a 401 after any credentials have been previously
accepted, the user should expect that they need to use different credentials
from their initial login. If you're expecting the same credentials, then
user confusion should be anticipated.
All in all, if you really want to force a new login, perhaps a different
authentication mode might be more appropriate."
For an IE only workaround see this SO post.
I have a C#.NET 4.0 application running under IIS 7 on Windows Server 2008 with IIS7 server. The application will run in the company intranet that automatically grabs the logged-in Windows username of the person viewing the page without being prompted to enter credentials when the page loads. Now i'm facing 2 problems:
1) Currently, the apps returns the production server name (eg: XYZ\sam) that the application located at. I want to get the current logged on username (eg: ABC\sam). It works fine at localhost but not at production server.
I've enabled <authentication mode="Windows" /> at web.config , enabled windows authentication and disabled anonymous authentication at IIS.
I've tried Page.User.Identity.Name, System.Web.HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, and others but still failed to get the right name. How to get the current windows logged on user?
2) When I want to access the application, it keeps prompting out a windows for username and password. If I ignore it, it will prompt out
401 - Unauthorized: Access is denied due to invalid credentials. You
do not have permission to view this directory or page using the
credentials that you supplied.
How i gona fix it?
For question 1, it cannot retrieve the logged in username because the server is domain server. It works after transfer from workgroup to domain.
For question 2, it works fine(no pop out credential) if I access with the server name (eg:servername/appsname). But it will ask for credential if I use ip (eg:xxx.xx.xx.x/appsname) and didn't setup the tools internet options. Factor still not known.
For your 2 problem, to log automatically, you have to set it on the browser, for my experience, i have done this in IE: https://superuser.com/questions/537416/how-to-make-internet-explorer-automatically-login-in-a-certain-domain
I'm trying to develop an intranet app/website that uses Windows authentication.
I'd like to test it with multiple users, for roles etc.
At the moment I'm only using my own domain account. Is there a way I could simulate different users for the site?
As a picture is worth a thousand words here it goes how to do it in IE based on 2GDev's comment copied here for clarity:
Go to Internet Options => Security => Local Intranet => Custom Level
and change the User Authentication to "Prompt for username and
password"
Click OK then Apply. Close the browser. Reopen it and point it to the website's URL you want to debug. You should happily see the login prompt where you can login with a different User account to simulate concurrency for example (this is what I'm doing right now here):
When you use Windows Authentication you can change your identity by running the browser as another user.
In windows, go to the browser exe (or a shortcut), right-click on the icon and select "Run as.." from the menu. This will prompt you to specify the username and password to run the account under.
Provided the identity you specify has access to the machine you are running on, the browser will then be running "as" identity specified. If you browse to a site using Windows Authentication, it will authenticate using the identity specified, instead of your own.
Use Impersonation...
From MSDN
Impersonation
An ASP.NET application can use impersonation to perform operations and
access resources with the security context of the authenticated client
or of a specific Windows account.
And in your web.config
<identity impersonate="true" username="TestUser" password="P#ssw0rd" />
How about to install and run the Virtual PC with some ready for download installed systems from MS ?
By running a virtual pc on your computer you can emulate connections to your pc and at the same time, its looks like a diferent computer, with diferent Ip.
In my case, there are db tables with users and their properties. In users table got login field (Domain/UserName). Also got custom Identity and Principal, which using this table to authenticate user in global.asax autherticate_request method.
To simulate different users in debug mode, there is special control rendered in master page (or layout page for mvc). It contain select box with all users, and apply button.
On server side after apply button click in session pushed emulated user login and sending refresh to response.
So in next authenticate event occured checking for emulated user login in session and if it exists then authenticate continues based on emulateded login.
Bad side: need sync service to always have actual user table based on current AD.
Below is the scenario for a virtual directory following are the setting in IIS
Enable Anonymous Access is DISABLED (check box is unchecked).
Integrated Windows Authentication is DISABLED (check box is unchecked)
Basic authentication is ENABLED (checkbox is selected)
In the web.config of the webapplication (for the same virtual directory above) the setting is as follows:
When I browse an aspx page of the above web application it asks for username and password.
User enters username and password (in the dialog which appears as a part of windows authentication).
I can get the username that user has entered if the login is successful.
Is there any way I can get the username(that user has entered) even if the login fails.
Regards,
test_win
I don't believe that failed authentication information is stored in IIS in a way that's exposed to ASP.NET. If you were doing forms based authentication you would be able to track the invalid username/password, but since IIS is handling the authentication, I don't think you can get that information from code.
The logon attempt would be stored in the IIS log files, which you could process later from a separate process. You would want to look for 401/403 errors where a username is supplied.