Unable to add CrmDeploymentService Web Reference due to Authentication Issue - c#

I am having an issue adding a Web Service Reference to the CRM Deployment Service at http:///MSCRMServices/2007/CrmDeploymentService.asmx
When I first attempt to connect it says Connecting to and prompts for credentials. After entering my credentials, it will continue prompting for credentials indefinitely.
When I attempt to navigate to the service in IE, I get prompted for credentials and after submitting them a few times, I get a 401 error.
When I attempt to navigate to the service in Firefox or Opera, the basic authentication dialog pops up and I enter credentials. The service description page correctly appears.
Is there something preventing IE/VS from submitting the credentials correctly? In each place, I am using the same domain/user credentials. I have tried it from IE on both a computer on the domain and a computer not on the domain and get the same results.

Not sure if this will help, but I vaguely remember something like this happening to us at work, and someone fixed it by disabling IPV6. Like I said my memory is hazy so I don't know if this is the exact problem that we were having too. I just remember that the solution was to disable IPV6 on the server.

Related

404 Error page for existing page due to windows authentication

My website is redirecting to 404 error page when the page actually does exist. My website is set up so that it uses windows authentication. If the user does not have access, he/she is redirected to a page that tells them they have no access. If the user does have access then it takes them to another page. My website is set up on a 2008 server with IIS 7. The default document is Default.aspx, windows authentication is enabled and the rest is disabled, my website was working before I put in the security. I have also tried this with Anonymous Authentication. I also put to allow all users for now until I get this to work. I added in tracing to see what it was doing since we cannot debug on the server, so then I see that it is not getting the users' ID. So I do not know what I am missing. I cannot figure out why since this works perfectly on my local machine but not on the local server. I have researched this and I cannot come across anything else I can do. Also, this works when I run it on my local machine and I am using VS 2013.
To get the User's ID, I have used the following code:
un = HttpContext.Current.Request.LogonUserIdentity.Name.ToUpper();
un = User.Identity.Name;
un = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
It crashes on the following line due to the user ID being 0.
I have searched YouTube videos that walk through setting up Windows Authentication and I even have it working on another application perfectly fine! This is frustrating and would really appreciate any help I can get. Please let me know if further details are needed.
The error I get is a 404 error
Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Detailed Error Information
Module IIS Web Core
Notification MapRequestHandler
Handler StaticFile
Error Code 0x80070002
Requested URL http://MyApp.com:80/Default.aspx
Physical Path D:\Sites\MyApp\Default
Logon Method Negotiate
Logon User XXX\bds

SQL Login Failed

I am making a website at work, the main website is linked to a backend SQL which I don't have access to. Up until yesterday everything was working fine for months. Then yesterday my system had some issues and we needed to perform a revert to a more stable point.
and now my website is throwing this error:
System.Data.SqlClient.SqlException
Exception: Login failed. The login is from an untrusted domain and cannot be used
with Windows authentication.
The main website works, but these are being thrown from the ASP controls we set up.
I read over a few posts on StackOverflow and MSDN but I personally do not have access to that side database to switch the settings or connection strings. My manager thinks it's something with my user-profile settings but I can't see anything wrong, especially since it was working just fine before.
Is there anything I can do on my end to get the connection back to what it was before?
The "untrusted domain" part of the error message has me curious. Are you using integrated authentication to the web server? Are you doing impersonation as well and using the user's credentials to connect to SQL? If so it could be a matter of needing to set up the SQL server to trust delegation from the web server. A system replacement on the SQL server without setting up the delegation again could explain this. In that case, your windows admin would need to set up the proper trust relationship for delegated credentials.

Logout of MVC4 application

I'm continuing someone else's development AND I don't know much about current practices for authentication in MVC applications.
The only things that are set about authentication are in the application's IIS configuration:
.NET Authorization Rules = Allow, All Users
Authentication:
Anonymous Authentication: Enabled
ASP .NET Impersonation: Disabled
Windows Authentication: Enabled
With this configuration, on the server, the browser asks me for a login/password. I enter my network login.
Then I can identify the user with Request.RequestContext.HttpContext.User.Identity...
On local computer where I login using the same login/password: no user is logged in the application (Request.RequestContext.HttpContext.User.Identity.Name == ""). If I disable Anonymous Authentication, the browser simply keeps re-asking for login/password infinitely.
My first problem is that I would like to be able to log out on server.
From scarce info I got here and there I have already tried:
FormsAuthentication.SignOut(); --> does nothing
WebMatrix.WebData.WebSecurity.Logout(); --> Exception, tries to access a database (I got this from one of the VS2012 templates but I didn't think it would apply to my context).
if(this.Request.RequestContext.HttpContext.Session != null)
this.Request.RequestContext.HttpContext.Session.Clear(); --> Session is null, so this does nothing.
So, how can I log out in order to relog as a different user ?
(I would also like to be able to identify the user on local computer, but I think that should be asked in another topic.)
Removed FormsAuth logout method as the question is for Windows Auth... doh!
Update:
To get the logged in user name try the IPrincipal Controller.User:
User.Identity.Name
Doh, my bad, you're using Windows Authentication...
In which case it's the browser that is caching the credentials not the server / IIS so clearing the session won't achieve anything.
Taken from here:
"The user credentials are being cached by the client browser, not by IIS. To
force the client user to enter credentials again, you would need to send an
appropriate 401 status message in response to the next client request.
However, doing this would run counter to very legitimate user expectations
of how Windows authentication is supposed to work, so you may want to
reconsider. When Windows user credentials have already been accepted by a
server (either via a login dialog or automatic submission under IE
configuration for the target site or zone), a 401 is only expected if a
requested resource cannot be accessed under the previously supplied
credentials. When you send a 401 after any credentials have been previously
accepted, the user should expect that they need to use different credentials
from their initial login. If you're expecting the same credentials, then
user confusion should be anticipated.
All in all, if you really want to force a new login, perhaps a different
authentication mode might be more appropriate."
For an IE only workaround see this SO post.
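Added example, not part of the original thread: one way to send the 401 described in the quote from an MVC controller, so that the browser stops replaying its cached Windows credentials and prompts again. The action name `SwitchUser`, the cookie name `SwitchUserFrom` and the redirect target are hypothetical, and it assumes Windows Authentication is enabled in IIS so the 401 leaves the server with its challenge headers.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class AccountController : Controller
{
    private const string Marker = "SwitchUserFrom"; // hypothetical cookie name

    // Hypothetical action: GET /Account/SwitchUser
    public ActionResult SwitchUser()
    {
        string current = User.Identity.Name ?? "";
        HttpCookie marker = Request.Cookies[Marker];

        if (marker == null)
        {
            // First hit: remember which identity asked to switch, then challenge.
            Response.Cookies.Add(new HttpCookie(Marker, Uri.EscapeDataString(current))
            {
                HttpOnly = true,
                Secure = Request.IsSecureConnection
            });
            return new HttpStatusCodeResult(401);
        }

        string previous = Uri.UnescapeDataString(marker.Value ?? "");
        if (string.Equals(previous, current, StringComparison.OrdinalIgnoreCase))
        {
            // The browser replayed the same identity: challenge again.
            return new HttpStatusCodeResult(401);
        }

        // A different identity authenticated: drop the marker and continue.
        Response.Cookies.Add(new HttpCookie(Marker, "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        return RedirectToAction("Index", "Home"); // hypothetical landing page
    }
}
```

Nothing is revoked on the server by this: the earlier account's credentials remain valid, and the marker cookie is client-controlled, so it only drives the re-prompt and must not be used for an access decision.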

Windows Authentication Doesn't automatically grab user credentials

I have an aspx site that I'm working on for our company's intranet. I recently added some secure pages that require the user to be a member of particular groups in an Active Directory in order to view. We are using Windows Authentication for the site (I have windows authentication in the .config). Windows Authentication is enabled in the IIS, and Anonymous Authentication is disabled. I've also enabled NTLM Authentication in the projects properties.
As far as I can tell, the security stuff is working as expected. Only users with the proper credentials can access the secure pages (I'm securing them with the [Authenticate Roles = "bla"] check on the controller action).
The problem I'm having is not really a problem, but more of an annoyance. Whenever the user logs in to the site, they are prompted with a login dialog. I don't want this. I want the site to grab their credentials from the windows login and use that to determine their access rights. I was under the impression that Windows Authentication handled this on its own, but it appears I was wrong.
Basically, how can I get rid of the login prompt and have Windows Authentication handle all of that same functionality automatically?
Is there some server setting I might need to change? Could it be something in my code?
I want it to work with at least IE, Firefox, and Chrome, if that is at all possible.
***Update 7/23/2012
Thanks everyone for the suggestions, unfortunately I still haven't gotten this to work properly. Some things I've noticed that may help provide some more details
I'm fairly certain the intranet site is on our list of "trusted" sites (our network admin says it is).
I'm using NTLM authentication and NTLM authentication only. If I remove NTLM authentication and enable Negotiate: Kerberos authentication, I just get a 401 - Unauthorized error. I can fix this by disabling Kernel mode authentication, but then I still get the credentials prompt (which I don't want).
If I check "Enable Integrated Windows Authentication*" in IE > Internet Options > Advanced > Security, it will prompt me for credentials, but entering my credentials no longer works. It will ask me three times and then take me to the 401 error page.
IE9 asks me only for my password and pulls my username (good). Chrome and Firefox prompt me for username and password.
Look in Internet Explorer / Tools / Options / Advanced.
There is a checkbox "Enable Integrated Windows Authentication" under "Security".
Is this checked?
It's checked by default, and can be set by admins using a GPO:
http://www.windowsecurity.com/articles/configuring-advanced-ie-settings-using-group-policy.html
There is a setting within IE that allows this automatic pass through to happen. Your system administrator could create a group policy and push this to all users.
I've also been successful in configuring Firefox to function in the same manner but that would involve modifying individual users' FF configurations.
This line should be in your web.config within the <system.web> element.
<authentication mode="Windows" />
Just thought I'd provide an update as to what actually solved the problem.
I tried all of the great suggestions you guys provided for internet explorer settings, but in the end, it turned out to be a server setting.
Flipping the order of Providers for the site to NTLM, Negotiate in that order solved the problem.
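Added example, not part of the original thread: after changing the provider order it helps to confirm which protocol a client actually used, because a `Negotiate` header can carry either Kerberos or NTLM. The sketch below classifies an `Authorization` header value captured from a request log or debugging proxy; the class and method names are hypothetical and the sample tokens are constructed.

```csharp
using System;
using System.Text;

// Added example: report what a client actually sent in its Authorization header.
static class AuthHeaderTriage
{
    static readonly byte[] NtlmSig = Encoding.ASCII.GetBytes("NTLMSSP\0");

    static int Find(byte[] hay, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= hay.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && hay[i + j] == needle[j]) j++;
            if (j == needle.Length) return i;
        }
        return -1;
    }

    public static string Classify(string authorization)
    {
        string[] parts = (authorization ?? "").Trim().Split(new[] { ' ' }, 2);
        if (parts.Length != 2) return "no credentials sent";
        string scheme = parts[0].ToUpperInvariant();
        if (scheme != "NTLM" && scheme != "NEGOTIATE") return "scheme " + parts[0];
        byte[] token;
        try { token = Convert.FromBase64String(parts[1].Trim()); }
        catch (FormatException) { return parts[0] + ": token is not valid base64"; }
        int at = Find(token, NtlmSig);
        if (at >= 0 && token.Length >= at + 12)   // signature, then 4-byte little-endian type
            return parts[0] + ": NTLM message type " + token[at + 8];
        if (token.Length > 0 && token[0] == 0x60) // GSS-API initial token with no NTLM inside
            return parts[0] + ": SPNEGO token without NTLM (typically Kerberos)";
        return parts[0] + ": unrecognised token";
    }

    static void Main()
    {
        // Constructed samples: an NTLM type 1 message, and a stub that only mimics
        // the leading bytes of a GSS-API token (not a real Kerberos ticket).
        byte[] ntlm1 = new byte[16];
        NtlmSig.CopyTo(ntlm1, 0);
        ntlm1[8] = 1;
        byte[] gssStub = { 0x60, 0x82, 0x01, 0x00, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
        Console.WriteLine(Classify("Negotiate " + Convert.ToBase64String(ntlm1)));
        Console.WriteLine(Classify("NTLM " + Convert.ToBase64String(ntlm1)));
        Console.WriteLine(Classify("Negotiate " + Convert.ToBase64String(gssStub)));
        Console.WriteLine(Classify(null));
    }
}
```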

Forcing a custom HTTP 401 unauthorized page in ASP.NET

I've written a web application for internal use at work (not for the wider internet) that makes use of Windows authentication - ASP.NET interrogating Windows for the current set of credentials. An authentication method called from the Page_PreInit of protected pages throws a 401 error if the username is not found in an AD group I've set up.
I implemented Earlz' CustomErrorsFixer from Throwing an HttpException always sends back HTTP 500 error? as I too was only getting 500s back. Now my custom error pages are working, which is great.
Developing locally in Visual Studio development server, I've found that if I do not have access, I just go straight to the 401 error page. However! When I publish the site to an IIS server, if the user doesn't have access they get a Windows username/password prompt (the ugly, small one in XP). This is actually quite handy because it gives people who are logged onto a different domain a chance to enter the correct credentials.
At this stage, when the password prompt comes up, if the user hits Cancel or Escape, they go to the custom 401 page, which tells them how to go about requesting access. IF however they try to enter a username and password, which defaults to the wrong domain and are therefore incorrect credentials, they are shown the default IIS 401 page, which I'm very keen to avoid. Third scenario - if they enter CORRECT credentials, they are asked 3 times, and then shown the custom error page.
So, users see the custom 401 page if they are "authenticated", and the standard IIS one if they are not.
However, I've been finding that most people when prompted with a username/password box just enter the username/password without domain - which ends up being incorrect and therefore sending them to the non-custom IIS 401 page. Does anyone know how I can solve this? It's extremely annoying, because people need to see the custom 401 page in order to see which group they need to request access to!
In case it matters, the browser we all use is IE8 on XP or IE9 on Windows 7. Please let me know if I should post any code up.
IIS7 intercepts the 401 along with a few other HTTP status codes by default.
Try this:
<configuration>
<system.webServer>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</configuration>
