Issue with my VB.NET web application authentication - asp.net

I have a windows forms based web application written on VB.NET and currently being used by a large number of users.
I currently am facing an issue where the application is being authenticated with another user account instead of authenticating with the current user using the application.
I am using User.Identity.Name for user authentication and have only Windows Authentication enabled.
Other Details
The application is hosted in IIS on a Windows 7 server machine from where it is accessible to everyone.
Strange thing is that the issue occurs only for 2 users and works fine for everyone else. Also it occurs only when using the hosted application (production URL).
Also there is no default scenario set such as in case a user is not found, then a default user has to be filled in.
Observations
On debugging the application using the actual code on their local machines, their respective user ids are fetched as expected.
Issue occurs in
Chrome regular mode
Chrome incognito mode
Firefox regular mode
Issue doesn't occur in
Firefox private mode
So I do not have a clue how to proceed here and what might be the root cause for the issue. Can anyone provide me some ideas to find the root cause of the issue and also a way to resolve it?
What I have tried:
I have made sure both Anonymous and Form Based modes of authentication are disabled.
Identity Impersonation is set to False.
I have also made sure there are no credentials set for the website in Credentials Manager.
I have also tried clearing browsing data including cache and other cookies.

Make sure you are not setting the authentication method etc. in your code-behind; you'll want to set that in your web.config. Make sure one is not overwriting the other (set in 2 places). Also, to get the user name you could also grab it from server variables; see what this returns:
string user = Request.ServerVariables["LOGON_USER"].ToString();

Related

Select permission denied

I am hoping this will be a simple question. I am using IIS 7.5 / Visual Web Dev 2010 Express.
I know why this error appears :) it's a security/user issue. The problem is, I don't know what account/permissions this intranet is using that's causing the issue.
I use a simple authentication method that detects the user ID. If they're on that list, they are allowed to look at the page. This is done through:
[allow users] and [deny users]
(Brackets substituted for arrows.)
Authentication mode is set to Windows.
There is another intranet site that users can access - I have read and write permissions on that database that this web site uses. That intranet site works for me, but this gives me a security error.
I'm thinking that by using this authentication method, that it switches to a system profile which tries to access it and gets denied. Is there a generic system profile you guys know of that would cause such an error? Is that even a right assumption or is it a security setting that's related to my username?
Thanks in advance...
Well, maybe this could be helpful for someone in the future who is also facing the same problem. I am not sure where to find this, but apparently I had left out or there was not a tag called identity impersonate. By just having the authentication mode set to Windows, I thought it would take care of everything.
I am assuming that if you use Windows authentication, a system account will try and access the SQL database. Because that system account (whatever it may be, there is one defined somewhere but I forgot the name of it) does not have access, that permission error gets thrown.
What will make the web page use the user permission is with this tag:
[identity impersonate="true"/]
Substitute brackets with arrows.

Obscure IIS7 ISAPI Filter problem

I am currently trying to migrate a legacy ASP application from Windows Server 2000 and IIS5 on to Windows Server 2008 and IIS7. The authentication for this application uses an ISAPI filter. Both the application and the ISAPI filter work in the new environment except for one problem. The application in question is set up to be the root application (as in you access it by going to http://hostname/application.asp). If I access it by the stated URL, it asks for my authentication details, the ISAPI filter gets passed the correct login details and then does its thing. Then I added a default document to IIS7 to point to application.asp. Now if I access the application by going to http://hostname, the ISAPI filter gets passed the wrong login details. The ISAPI filter implements this method:
DWORD CMyISAPIFilter::OnAuthentication(CHttpFilterContext* pCtxt, PHTTP_FILTER_AUTHENT pAuthent)
In it, the pAuthent object gets passed in by IIS when it calls the ISAPI filter and has the pszUser property which normally holds the value entered in the authentication dialog. In my case (when accessing the website by using the default document entry), the pszUser property holds the value of the Windows account that is running the application pool instead. Just to make things clear, the ISAPI filter gets passed the correct value if I type in the application.asp part.
I'm quite stumped at this problem and have no clue as to how to solve it. To make matters worse I can't really rebuild/modify the ISAPI filter and am quite the beginner when it comes to IIS administration.
I have also found that authentication works if IIS does not have the Default Document feature installed. Without this feature the default document does not work (naturally) but authentication does. It's only after I add the Default Document feature that authentication breaks.
Thanks for your help!
Sounds like the web site is configured to use integrated security on the root level. Make sure you remove the checkmark from the Integrated Windows Authentication checkbox in the Directory Security-Tab.
The Node "Web Sites" can be configured as well. So make sure you don't miss that one ;-)
EDIT: Damn, I can't upload a picture. Would make it easier for you to find the setting.

asp.net web application fails to recognize user identity

We have a web application and it uses System.Web.UI.Page.User.Identity to determine who the current user is. We are experiencing an intermittent problem, where a user is not recognized (their identity is blank or empty). Anonymous authentication is disabled so I don't see how they can fully access the web application without it recognizing who they are. This happens like once a month for half a day, and then it fixes itself. So it's really hard to diagnose but I would really like to track down the issue. Any suggestions? Thank you!
Make sure you have anonymous authentication turned off & windows authentication enabled for the application in IIS.
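An added example, not part of the original answers: the intermittent blank identity described in this question, and the wrong-account logins in the first question, can both be checked against the IIS W3C request log, which records the authenticated name for each request in cs-username. The sketch assumes the site logs the cs-username, c-ip and sc-status fields; the log lines, account names and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from the original page).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-05-06 09:00:01 GET /Default.aspx CORP\\alice 10.0.0.11 200
2024-05-06 09:00:05 GET /Default.aspx CORP\\bob 10.0.0.12 200
2024-05-06 09:01:10 GET /Default.aspx CORP\\svc_report 10.0.0.13 200
2024-05-06 09:02:30 GET /Default.aspx CORP\\carol 10.0.0.13 200
2024-05-06 09:03:00 GET /Report.aspx - 10.0.0.14 200
2024-05-06 09:03:02 GET /Report.aspx - 10.0.0.15 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def audit(text):
    """Return (clients seen under several accounts, anonymous requests that succeeded)."""
    users_by_ip = defaultdict(set)
    anonymous_ok = []
    for row in parse_w3c(text):
        user, status = row["cs-username"], int(row["sc-status"])
        if user == "-":
            # A 401 with no user is the normal NTLM/Negotiate challenge; a
            # success with no user means the request was served unauthenticated.
            if status < 400:
                anonymous_ok.append((row["c-ip"], row["cs-uri-stem"]))
        else:
            users_by_ip[row["c-ip"]].add(user.lower())
    multi = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
    return multi, anonymous_ok

if __name__ == "__main__":
    multi, anonymous_ok = audit(SAMPLE_LOG)
    for ip, users in multi.items():
        print(f"{ip} authenticated as several accounts: {', '.join(users)}")
    for ip, uri in anonymous_ok:
        print(f"{ip} got {uri} with no authenticated user")
```

Several accounts from one address is expected for shared workstations or terminal servers, so treat that list as a starting point for comparing against the affected users' machines.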

Use windows authentication with ASP.Net AJAX

I'm working on my first application using ASP.Net with web services and I'm having an authentication issue. At least I think that's the issue.
When I run the application locally in debug mode it works fine. It even works when I run it out of debug mode (through IIS) in IE 7. But when I have a coworker run it (from my IIS) on their box, it doesn't work. When querying active directory to look up users it gives this error:
Sys.Net.WebServiceFailedException: The server method 'GetCurrentUser' failed with the following error: System.Runtime.InteropServices.COMException - An operations error has occurred.
What do I need to do to get this working remotely?
Ensure IE is correctly identifying the zone as the Intranet so it will automatically send the username for it. If it's not, you'll need to manually add the URL to the Intranet Zone in the IE settings.
That should resolve it, and depending on your config you may need to add to your web.config
What is your web.config for the webservice?
What is the authentication setting for the website in IIS? Unless it is set to Integrated Windows authentication it is not likely a permissions issue. If you want to rule out authentication, change the authentication method to Anonymous access and have your coworker try again.
Also, if you specify a user for impersonation in your web.config and you use a different user name in your active directory connection string it can cause an error but it is unclear if that is causing your issue.

Checklist for IIS 6/ASP.NET Windows Authentication?

I've been having trouble getting my ASP.NET application to automatically log users into the Intranet site I'm building. No matter the googling or the experimentation I applied, there is always a login box displayed by IE7.
I've got Windows authentication mode set in the Web.config, disabled anonymous access and configured the correct default domain in IIS, but it's still asking the user to log in and, more annoyingly, the user is required to provide the domain too (DOMAIN\auser), which is causing problems with non-technical visitors. Thank Zeus for password remembering functionality.
I'm not the network administrator so it's possible that something about Active Directory is set up incorrectly, or it could just be me missing something very simple. Please note that I don't want to impersonate the user, I just need to know that the IPrincipal.Name property matches that of a valid record in my user database, hence authenticating the user to my application.
To this end, it would be very useful to have a checklist of all configuration requirements for AD, ASP.NET and IIS to work together in this manner as a reference for debugging and hopefully reducing some user friction.
It sounds like you've covered all the server-side bases--maybe it's a client issue? I assume your users have integrated authentication enabled in IE7? (Tools -> Internet Options -> Advanced -> Security). This is enabled by default.
Also, is your site correctly recognized by IE7 as being in the Local Intranet zone? The IE7 default is to allow automatic logon only in that zone, so users would be prompted if IE thinks your site is on the internet. I believe using a hostname with a dot in it causes IE to place the site into the Internet zone.
Open Active Directory Users and Computers MMC snap in
Expand computers section from TreeView (left side)
Check if the computer is registered in your domain.
Also, you have to login with a domain account on that computer, otherwise that authentication box will be shown.
In IIS, enable anonymous access and allow the web.config to handle user authentication.
