I have to install a ASP.NET site in a intranet network.
I'm using a authentication mode=Forms".
In a my page i need to get the domain\user of the user connected.
I've followed this article:
http://support.microsoft.com/kb/306359
But it doesn't work.
My web.config has:
<identity impersonate="true"/>
<authentication mode="Forms" >
<forms name="login" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" timeout="30000" />
</authentication>
<authorization>
<deny users = "?" />
<!-- This denies access to the Anonymous user -->
<allow users ="*" />
<!-- This allows access to all users -->
</authorization>
I'm using IIS 6 and .net 4
In Authentication methods settings of iis i've checked
-Enable anonymous access
-Integrated windows authentication
How can i do?
thanks
If you have anonymous access enabled the web-site visitors will all be impersonating the IUSR_MachineName account (or whatever you have configured as the anonymous account).
You need to disable anonymous access so the site will force the user to authenticate with his/her credentials so they will be available in your ASP.NET page. Otherwise the server has no idea who the current user is.
Related
Currently having issues grabbing the domain user and also allowing anonymous users to access the page. As I have it set up in web.config currently, it makes anonymous users log in. I would just like to allow anyone but grab the domain user if it exists.
Web.config
<system.web>
<authentication mode="Windows" />
<authorization>
<!--<allow users="*" />-->
<deny users="?" />
</authorization>
<identity impersonate="true" />
</system.web>
Above is currently the only setup I can use to grab the domain user, however it asks anonymous users to log in still.
Trying two methods to grab the domain user:
string CurrentUser = System.Web.HttpContext.Current.User.Identity.Name.ToString();
string CurrentUser2 = System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
Am I going about this all wrong?
Edit: Following what #MethodMan said, I'm using the UserPrincipal.
UserPrincipal CurrentUser = UserPrincipal.Current;
ViewBag.CurrentUser = CurrentUser.DisplayName.ToString();
However, I'm getting the following error on IIS but not IIS Express:
Unable to cast object of type 'System.DirectoryServices.AccountManagement.GroupPrincipal' to type 'System.DirectoryServices.AccountManagement.UserPrincipal'.
Not sure what it means because I'm only using UserPrincipal.
I have a system in which it is necessary for users to pass through login section to access home page. I am able to do that using asp C# Ado and SQL. But the problem is security. Still users are able to access Home Page without entering credentials by simply changing the URL. When users will open the website the URL will be this:
www.domain.co/Login.aspx
If any user changes it to this:
www.domain.co/Home.aspx
Still they will be able to access it. I do not want it. Can anyone guide me how to achieve this functionality?
Hope that you know the use and advantages of session. You can make use of it.
What you want to do is:
Create a session variable(let it be user_id) set its value as the id of the current user if the user successfully logged into the site. Which means session["user_id"] having the user id if there is any logged user.
You can check for session["user_id"] in the load event of other pages, if it is null means throw him out( redirect to the login page).
Creating session:
session["user_id"] = "Id of the user"; // This will be the unique identifier
This will be added after checking his/her credentials and are valid.
Checking session in the Home page/ or any other page:
if(string.IsNullOrEmpty(session["user_id"]))
Response.Redirect("Login.Aspx");
If your are not using it already, you should see how to add Forms Authentication: https://support.microsoft.com/en-us/kb/301240
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
protection="All" path="/" timeout="30" />
</authentication>
Then you can deny access to anonymous users to all the site doing:
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
Or to specific pages:
<location path="Restricted.aspx">
<system.web>
<authorization>
<deny users ="?" />
</authorization>
</system.web>
</location>
I am using forms authentication in asp.net4. But the authorization is behaving very unusually.
Following is my web.config snippet-
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="2880" protection="All" path="/" />
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
When i try to open any web page i am redirected to Login page as expected. If close my browser i should be logged out, but thats not happening although i am setting persistentCookie=false as follow
FormsAuthentication.RedirectFromLoginPage(username, false);
Now after closing browser if a login again i am considered authenticated user, but if i clear cookie cache in my browser than i wont be considered authenticated user.
I am not setting cookie anywhere and i dont want persistent cookie, than why is this happening.
Please tell me if i am missing something.
Anobody know something related to this
I just found that this problem is only with Chrome 21.0, and not with Firefox 7.0 or Opera 11.4 (problem of authenticating even though session ends).
When you use authentication mode="Forms" your auth credentials stored in cookies by default. If you want to change this behaviour you can use cookieless="UseUri" attribute, than your credential will be stored in the URL. You can find more inforamtion forms Element for authentication.
timeout attribute specify how long cookies will be stored (in minutes) by default it is 30.
I built a web app a while back that is miss behaving out of the blue. Page.User.Identity.Name returns the machine name ie phil_toshiba/phil instead of the username i set when the user logs in through the log in form (should be an email address):
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(tb_email.Text, true);
I dont know why it has only just started doing it but it doesn't do it on the live site just the local project i need to work with to update some features. the live and local are in sync (code is exactly the same) only difference is the live site is compiled and using iis.
EDIT this is the authentication tag in my web.config file:
<authentication mode="Forms" >
<forms loginUrl="Default.aspx" name=".ASPXFORMSAUTH" defaultUrl="Sections.aspx">
</forms>
</authentication>
Check your web.config, it should be set to use Forms authentication not Windows:
<system.web>
<authentication mode="Forms"/>
</system.web>
I have 3 application that need single sign on. These are the web config sections I am using for authentication, authorization and the machine key settings. All the settings are the same in all 3 web applications. It works perfectly in Internet Explorer, but doesn't work at all in Firefox or Chrome. Is there anything else I need to do to get this work with Firefox and Chrome?
<authentication mode="Forms">
<forms loginUrl="~/login.aspx" timeout="2880" name="SSOCookie" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseCookies" enableCrossAppRedirects="true"/>
</authentication>
<authorization>
<deny users ="?"/>
<!--allow users ="*"/-->
</authorization>
<machineKey
validationKey="2C02F632ABC3B809F0662B06EED7E985345504D93BB2893C3C8106F48A273054D4C29EDD63F34CF3E19C76AA8FCF12C28AC127A9C5D6DEFC139800B302CADBDC"
decryptionKey="D7367948DC5AA193408CADB000E580A0FCCD71D8412D28E9AC76455FA85DB766"
validation="SHA1" decryption="AES"
/>
It appears you have to enable this in FireFox on each client
Open Firefox and navigate to about:config
Type “ntlm” in the filter field
double click on network.automatic-ntlm-auth.trusted-uris
enter a comma and space separated list of urls that you want NTLM to be enabled for
for more details check out http://sivel.net/2007/05/firefox-ntlm-sso/
it seems that Chrome does not support NTLM
http://www.google.com/support/chrome/bin/static.py?page=known_issues.cs
however, the user should be able to enter her credentials once and have them saved.