The test is running on a Windows network that requires proxy (Squid) authentication to access external websites, say www.google.com for the sake of example.
Some background things to note:
These sites cannot be added to the proxy white list.
Same WatiN test passes in IE
I have tried tweaking about:config ntlm settings to allow automatic passing of saved credentials
www.google.com has been added to Local Intranet sites
WatiN cannot use LogonDialogHandler to deal with this, like IE can
The title of the dialog is Authentication Required and reads The proxy myproxy:8080 is requesting a user name and password. The site says "", with a text field for User Name: and Password:
Has anyone got any ideas of how to get around this?
I'm hoping there is something Firefox specific that will allow me to automatically pass through the credentials. An idea I might try is starting the browser with network credentials.
Maybe one of the settings here will help:
https://developer.mozilla.org/En/Integrated_Authentication
EDIT:
This will be fixed in Firefox 4:
https://bugzilla.mozilla.org/show_bug.cgi?id=521467
Here are some references that might offer other solutions to get around the logon dialog.
In this post they solved it using WindowsAutomation:
WatiN LogonDialogHandlers not working correctly in Windows 7
This solution passes the credentials in the url:
how to impersonate a windows domain user for automated web testing?
And this solution uses impersonation:
Watin Windows Authentication
You could also use FiddlerCore to manipulate the response to the server:
How to simulate http request using WatiN with specific HTTP referrer and query string?
HTH,
Jeroen
Related
I am building a Blazor Server app using .NET 6.0.11 and deploying using Http.Sys. The server and clients are all on the same Windows domain. I'd like to authorize users based on their domain login, instead of building a username/password database and infrastructure specific to this app.
The code in Program.cs to enable Windows Authentication, based on code from the official documentation:
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
    builder.WebHost.UseHttpSys(options =>
    {
        options.Authentication.Schemes =
            AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
        options.Authentication.AllowAnonymous = false;
    });
}
// ...
app.UseAuthentication();
app.UseAuthorization();
I view the authentication state using the first code sample from ASP.NET Core Blazor authentication and authorization.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
Note: I had to run a netsh http add urlacl url=.... one time only; the command was suggested by an exception message generated on first run after changing the launch URL.
Entering my domain login username and password is accepted, and the previous code sample does show my username successfully. I also noticed the following behaviour:
setting AllowAnonymous = true; means it will not prompt at all for the username/password; the page just proceeds with the user not authenticated.
If the username/password is not entered correctly (for a user on the domain) then HTTP error 401 is generated instantly; it never tries to execute the Blazor default error page, for example.
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
I am presuming the above behaviour will be the same for other domain users on different machines accessing this server, although I have not tested that yet.
My questions:
is it possible to skip the username/password popup, and just get the domain user that is already logged in on the client machine and doing the access?
(If not) would deploying to IIS instead of Http.Sys change anything?
There seem to be Blazor-based solutions discussed on this SO thread, but I can't see how to use them because the popup always appears as soon as any page is attempted, before any page is rendered; and if login fails, HTTP 401 error is generated with none of the Blazor pages being executed.
Footnote: I was using HTTP.sys instead of Kestrel due to documentation indicating that Kestrel did not support Windows Authentication; however it is working using Kestrel for me now, along with the information from the Accepted answer -- not sure what the story is there.
This is a client-side issue.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
That's because the browser recognizes localhost as a (somewhat trustworthy) server within your intranet, but considers mycomputername.our.domain to be a (potentially hostile) Internet service. For security reasons, Chrome and Edge only use your Windows credentials with servers within your own intranet by default.
To determine which group a URL belongs to, Chrome, Internet Explorer and Edge use Windows's own "Intranet zone" settings. To add your URL,
search for "Internet options" in the Windows Start Menu, then
navigate to Security/Local intranet/Sites/Advanced.
If you want to test with a non-Chromium-based browser, here's how to configure Firefox. Firefox manages its own list of URLs where Windows authentication is allowed:
How to configure Firefox for NTLM SSO (Single-Sign-On)?
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
If the client and the server agree to use Kerberos, sure: The client communicates with the domain controller to authenticate and to get a service ticket and then uses that ticket to access your service.
If they don't agree, they will use NTLM. In this case, authentication happens between the client and your server. However, NTLM won't send your password in plain text either, but rather uses it as part of a challenge-response mechanism.
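An added example, not part of the answer above: one way to check from captured headers whether a Negotiate exchange used Kerberos or fell back to NTLM is to decode the token in the Authorization / WWW-Authenticate header. The function name and the sample tokens below are constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"                      # signature that opens every NTLM message
NTLM_MESSAGES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify(header_value):
    """Return (scheme, mechanism, detail) for an Authorization or
    WWW-Authenticate header value using the Negotiate or NTLM scheme."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not integrated auth", None
    if not token.strip():
        return scheme, "offer", None          # bare scheme in the server's first 401/407
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return scheme, "malformed", None
    at = raw.find(NTLMSSP)                    # 0 = raw NTLM, >0 = wrapped in SPNEGO
    if at >= 0 and len(raw) >= at + 12:
        (msg_type,) = struct.unpack_from("<I", raw, at + 8)
        detail = {"message": NTLM_MESSAGES.get(msg_type, "UNKNOWN")}
        if msg_type == 2 and len(raw) >= at + 32:
            # The 8-byte server challenge the client's response is computed over
            detail["server_challenge"] = raw[at + 24:at + 32].hex()
        return scheme, "NTLM", detail
    if raw[:1] in (b"\x60", b"\xa1"):         # GSS-API initial token / SPNEGO response
        return scheme, "SPNEGO without NTLM (typically Kerberos)", None
    return scheme, "unknown", None


def b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample tokens (message headers only, not captured traffic).
NTLM_TYPE1 = b64(NTLMSSP + struct.pack("<II", 1, 0x00088207) + bytes(16))
NTLM_TYPE2 = b64(NTLMSSP + struct.pack("<I", 2) + bytes(8)
                 + struct.pack("<I", 0x00088205) + bytes.fromhex("0123456789abcdef"))
GSS_TOKEN = b64(b"\x60\x82\x01\x00" + bytes(32))

if __name__ == "__main__":
    for value in ("Negotiate", "Negotiate " + NTLM_TYPE1, "NTLM " + NTLM_TYPE2,
                  "Negotiate " + GSS_TOKEN, "Negotiate not*base64"):
        print(value[:32], "->", classify(value))
```

In browser developer tools or a proxy log, a token beginning `TlRMTVNT` is NTLM; in neither case does the header carry the password itself.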
is it possible to skip the username/password popup, and just get the domain user that is already logged in on the client machine and doing the access?
IMHO, this is not possible with "windows authentication", because the popup dialog that you see is a special browser feature to enable the windows authentication. This one was created in order to support internal applications with domain authentication. I don't know of any way to access that browser behavior.
(If not) would deploying to IIS instead of Http.Sys change anything?
Haven't done a deployment with Http.Sys, but according to the documentation it says that Http.Sys supports windows authentication. The deployment would be different since for Http.Sys you need to write the configuration in code, unlike the IIS.
I am writing a (WiX Burn) installer that needs to get licence information from our ASP.NET server. We are using the System.Net.WebClient to make this request.
Some of our customers are using authenticating proxies, which return 407 responses to our installer.
I initially tried passing on the default credentials as per this post. However, on my machine and with the test proxy that I've set up, I'm getting the same issue as in this post where my default credentials simply aren't being picked up for some reason.
In any case, I imagine there will be cases where the proxy credentials are different from the default Windows credentials and the user will need to supply their proxy credentials manually.
I've seen a number of different options in Windows for this:
Use the CredUIPromptForCredentials dialog, which Visual Studio seems to use.
Use the more modern version CredUIPromptForWindowsCredentials dialog.
Use the InternetErrorDlg dialog
Forget about using the Windows dialogs and just deal with it in the installer UI.
What is the best way of doing this? Does it matter?
BONUS POINTS for helping with the issue of my default Windows credentials not being picked up by the WebClient!
I have created an ASP.NET web application and have used Windows authentication; for testing purposes I want to use the application as a different user.
I thought running Firefox as a different user would achieve this but doing this does not seem to work. The HttpContext.Current.User property is still the logged-in AD user.
Is there a setting or anything I need to change in Firefox to fix this?
There is a very easy option for every program. Use the RUNAS command. Open cmd and type:
runas /user:DOMAIN\USER "c:\Program Files (x86)\Mozilla Firefox\firefox.exe"
I think you can configure the "Integrated windows authentication" in Firefox in the about:config page.
Please take a look at the following link. This link is to activate the integrated authentication but maybe you can use it to do the reverse operation.
Once Firefox asks you for username and password you will be able to enter a different one from yours (the logged-in one).
I don't know too much about Firefox, but there is a setting under IE properties (which I think most other browsers derive security settings from). "Automatic login for intranet sites" - or something to that effect, needs to be turned off and it should then start to prompt you for login details.
I have an aspx site that I'm working on for our company's intranet. I recently added some secure pages that require the user to be a member of particular groups in an Active Directory in order to view. We are using Windows Authentication for the site (I have windows authentication in the .config). Windows Authentication is enabled in the IIS, and Anonymous Authentication is disabled. I've also enabled NTLM Authentication in the project's properties.
As far as I can tell, the security stuff is working as expected. Only users with the proper credentials can access the secure pages (I'm securing them with the [Authenticate Roles = "bla"] check on the controller action).
The problem I'm having is not really a problem, but more of an annoyance. Whenever the user logs in to the site, they are prompted with a login dialog. I don't want this. I want the site to grab their credentials from the windows login and use that to determine their access rights. I was under the impression that Windows Authentication handled this on its own, but it appears I was wrong.
Basically, how can I get rid of the login prompt and have Windows Authentication handle all of that same functionality automatically?
Is there some server setting I might need to change? Could it be something in my code?
I want it to work with at least IE, Firefox, and Chrome, if that is at all possible.
***Update 7/23/2012
Thanks everyone for the suggestions, unfortunately I still haven't gotten this to work properly. Some things I've noticed that may help provide some more details:
I'm fairly certain the intranet site is on our list of "trusted" sites (our network admin says it is).
I'm using NTLM authentication and NTLM authentication only. If I remove NTLM authentication and enable Negotiate: Kerberos authentication, I just get a 401 - Unauthorized error. I can fix this by disabling Kernel mode authentication, but then I still get the credentials prompt (which I don't want).
If I check "Enable Integrated Windows Authentication*" in IE > Internet Options > Advanced > Security, it will prompt me for credentials, but entering my credentials no longer works. It will ask me three times and then take me to the 401 error page.
IE9 asks me only for my password and pulls my username (good). Chrome and Firefox prompt me for username and password.
Look in Internet Explorer / Tools / Options / Advanced.
There is a checkbox "Enable Integrated Windows Authentication" under "Security".
Is this checked?
It's checked by default, and can be set by admins using a GPO:
http://www.windowsecurity.com/articles/configuring-advanced-ie-settings-using-group-policy.html
There is a setting within IE that allows this automatic pass through to happen. Your system administrator could create a group policy and push this to all users.
I've also been successful in configuring Firefox to function in the same manner but that would involve modifying individual users' FF configurations.
This line should be in your web.config within the <system.web> element.
<authentication mode="Windows" />
Just thought I'd provide an update as to what actually solved the problem.
I tried all of the great suggestions you guys provided for internet explorer settings, but in the end, it turned out to be a server setting.
Flipping the order of Providers for the site to NTLM, Negotiate in that order solved the problem.
So I play an online game that's web based and I'd like to automate certain things with it using C#. Problem is that I can't simply use WebClient.DownloadData() because I need to be logged in to actually receive the source. The other alternative was to use the built-in web browser control but that doesn't give me access to source code. Any suggestions?
I don't think NetworkCredentials will work in all cases. This only works with "Basic" or "Negotiate" authentication.
I've done this before with an internal website for some load testing, but sounds like you are trying to "game" the game. For that reason I won't go into details but the login to the site is probably being done in the form of an HTTP POST when you hit the login button.
You'd have to trap the POST request and replicate it in your code and make sure that your implementation maintains the session state as well, because if the game site is written well at all it will make sure that the current session has logged in before doing anything game related.
You can set the login credentials on the webclient using its Credentials property before calling DownloadData:
WebClient client = new WebClient();
client.Credentials = new NetworkCredential("username", "password");
EDIT: As mjmarsh points out, this will only work for sites that use a challenge-response method of authentication as part of a single request (I'm so used to dealing with this at work, I hadn't considered the other types!). If the site uses forms authentication (or indeed any other form of authentication), this method will not work as the authentication is not part of a single request - multiple requests are needed that you will need to handle yourself.
Network credentials will not work as mjmarsh has already pointed out.
While web scraping we come across a lot of pages where login is needed. One of the approaches I use is to install Fiddler and monitor the POST and GET packets while manually logging in to the site. This allows you to find out how the browser emulates the login. Then you need to recreate the same process in code.
For example, most web servers use cookies to assume the session is authenticated. So you can use the credentials to post UserName and Password on the web site and record the Cookie. This cookie can then be used to access any further details on the web site.
Please check the following link to find out more about Advanced Web Scraping:
http://krishnan.co.in/blog/post/Web-Scraping-Yahoo-Mail.aspx
In this blog, you will find how to authenticate into Yahoo account and then read the page after authentication.