Has anyone managed to achieve this?
Application should work like this:
App admin can add AD users
App admin can define users not from AD
If user is added from AD and trying to access to application from same AD - application should log him in automatically (single sign on).
If user is not from AD, or not added as application user - application login form is displayed
Just to mention, I managed to achieve this on IIS6. I have read several techniques so far with IIS 7 and 7.5 involved, but it seems none of them really works when deployed on production server.
So far I have 2 separate web applications. One web application is configured with forms authentication - this one is main. Other is configured as windows authentication.
So idea is, user tries to acces to main application, this one redirects him to the other application which tries to extract his domain username (NTLM), and redirects him back to main application. Main application tries to log him in as AD user, if this fails forms login is displayed. If AD user is added as application user (using separate admin module of application), he should be authenticated automatically, meaning no IIS login prompt should be displayed.
These two applications are running in same application pool. Also they are both in integrated pipeline mode.
This works if I set it up on my development win7 IIS, but when I deploy application on win 2008 server with IIS 7.5 - it's not working. I keep getting IIS login prompt. If I enter my credentials to IIS login prompt it will eventually log me into application.
Has anyone has similar issue and hopefully solved it?
Please update the question with the info you have provided.
As I understand, these two applications are in the same app pool and I believe you need to separate them into two app pools.
Progress update - this authentication works now as expected (I didn't have to split app pools). Problem was that on machine accessing application, app server hasto be registered as Local intranet. This is a must in order to IE sends credentials to server.
Related
I am trying to get the current windows user of the computer where my ASP.NET Core application is being accessed.
I have tried this on my solution.
System.Security.Principal.WindowsIdentity.GetCurrent().Name
On my machine, when running the application locally it works fine and it returns me my username but when i deploy the project, it returns me the name of the server.
Is what i am asking possible at all?
That's not how you do it. What you're doing returns the principal the application is running under. Locally, that's obviously you, because it's running under your account. However, on the server, it's the App Pool user. In either case, it's not the user accessing the application; it was only coincidental that locally, the user accessing the application and the account the application is running under were the same.
What you're looking for is Windows Authentication, which you need to specifically turn on (see: Configure Windows Authentication in ASP.NET Core). Then, you access the user as you would always access the user, regardless of authentication scheme: HttpContext.User.
I have viewed and tried dozens of "answers" on StackOverflow, but none work.
I have a pretty simple aspx page with C# code behind.
The web site is on a Windows 2008R2 server.
The web site looks like (actual names changed):
MyServer - set for Anonymous Authentication
Application Pools
ASP.NET v4.0 Classic - .Net 4.0, Classic pipeline, App Pool Identity
MySiteAppPool - .Net 2.0, Integrated, runs under a Domain-wide Service identity (call it "mycompany\domservice")
Sites
MyMainSite - Windows Authentication, uses "MySiteAppPool"
"AutoPrint" - my web app, Windows Authentication, uses "ASP.Net v4.0 Classic" app pool, ASP.NET Impersonation enabled
My "AutoPrint" web app has a start page "AutoPrint.aspx" and code behind ("AutoPrint.aspx.cs", plus several classes).
The server and main site are not alterable, as there are several other applications under this site.
The user currently invokes this app with :
http://MyServer/AutoPrint
Everything I have tried is returning the "mycompany\domservice" result:
Request.LogonUserIdentity.Name.ToString() - returns "mycompany\domservice"
System.Environment.UserName.ToString() - returns "domservice"
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() - returns "mycompany\domservice"
What am I missing here? Why is this so hard?
Further clarifications:
"mycompany\domservice" - the "domservice" account is just an ActiveDirectory account in the "mycompany" domain that has permissions to read/write directories needed by the site and other applications. When installing the Site and additional web apps, we use that account as the "connect as" user.
What I am trying to do is to get the ActiveDirectory name of the Windows user account of the person who opened their browser and accessed this app. If user "JJONES" logs into Windows and launches the app with "http://myserver/autoprint", I want to get either "JJONES" or "mycompany\JJONES" as the user name.
If you use anonymous authentication, then the browser does not send any credentials (user id/password) to the server. Therefore if you want the client user id on the server, you have to use non-anonymous authentication, e.g,. Windows or Forms. You can use non-anonymous authentication and then allow or deny access to your web site to specific users or groups of users, or all users.
Thank you for all the helpful comments/suggestions.
The problem turned out to be a combination of factors. The App Pool I was using was using App Pool Identity (which has limited rights), so I had to use a specific account (the domain service account) in the "Connect as..." for the physical path credentials in order to access certain files.
Changing to use an App Pool that used an account with sufficient privileges (the domain service account) allowed me to leave the "Connect as..." using Pass-through authentication when converting to application.
Voila - I now get the user credentials using pretty much any of the proposed methods. After way too many hours of beating my head against the keyboard...
Have you looked at using HttpContext.User property ? This will give the current logged on user. After which point you may need to perform some nifty LDAP queries to get the username from AD.
See https://msdn.microsoft.com/en-us/library/system.web.httpcontext.user(v=vs.110).aspx
You may want to see the below link on how to search AD on the link "How can I search Active Directory by username using C#?"
Hope this helps you.
My team tries to setup an intranet portal powered by Umbraco which requires Windows Authentication for authenticating its users that are stored as (Umbraco) Members.
Currently we have done the following:
In the Authentication Feature of IIS, we enabled only Windows Authentication at the root of the web site (all other authentication options are disabled).
In Web Config, we changed the Authentication settings mode attribute from Forms to Windows.
The username of the Members is stored in the domain\username format.
That works fine as far it concerns authentication and authorization of members in the front end. But in the back office (that requires Forms Authentication), it does not work well with the above settings, as sometimes the browser displays the authentication popup window and requires for the back office user to enter his (domain) credentials or sometimes randomly terminates the back office user's session and logs user out.
Is there any suggested way for implementing Windows Authentication for Umbraco portals that does not raise such issues in the back office?
Any help will be greatly appreciated.
Is it possible to grab a users windows credentials (i.e. username) without having windows authentication enabled in IIS? With windows auth disabled the code below returns either NT AUTHORITY or IIS APPPOOL\ASP.NET v4.0 depending on if impersonation and anonymous authentication are enabled or not.
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
I am converting an asp.net web application that is using forms authentication to custom authentication. Basically if a user is connecting from outside the network I force a credential check whereas if they are connecting from within the network I would like to be able to just grab their windows username. The internal portion works when I turn on windows authentication but I get the popup login box when testing outside of the network. I either need to disable windows authentication for non local connections or figure out how to get the windows username with windows authentication disabled. Any suggestions? (The other alternative i thought of was splitting the application in two and having separate authentication modes for each but I'd like to avoid this).
-I have also tried:
System.Web.HttpContext.Current.User.Identity.ToString();
System.Threading.Thread.CurrentPrincipal.ToString();
something like this is actually (kind of) possible using Active Directory Federated Services. In the event of a windows user from inside the network they can be configured to use their account details. For external users, they can be redirected to a page that will require them to log in.
However. This is very heavy-duty and an extreme pain in the..neck to implement and is really only applicable to enterprise solutions that have the resourses to use this kind of solution. Otherwise, I'd say go with the 2 site approach.
Simple answer is no.
Best solution is to create 2 sites. One for internal users that user windows authentication, one for external user that user forms authentication but authenticate against AD. You can make users always go to external site by default and then redirect based on their IP. That is redirect intranet users to internal user.
I'm writing an web application (in C#) where I need to logon to a web page using different credentials to the user logged on locally to Windows. That page the executes a process on the web server but it executes as the user that has logged into the web page. The user logging into the web page is authenticated against Active Directory. I've used Windows Authenication and ASP.NET impersonation to launch processes on the web server, and I can create a site that uses forms authentication against AD, however I can't find a good article that explains how to run a process impersonating a user that have logged on using forms authentication from AD. Whenever I run anything it just give me an error because it's trying to run as 'NT AUTHORITY\IUSR'. Does anyone know of any good articles, or can you give me any code examples?
Thanks in advance,
Rich
take a look at ProecessStartInfo - you can setup security etc. (if your thread is already running impersonated then you can get some of the necessary info from System.Threading.Thread.CurrentThread /CurrentPrincipal) and then call Preocess.Start.