I have an ASP.NET MVC3 application running fine with Forms authentication on IIS 10. I have tried to change it to Windows authentication, and I want to use LogonUserIdentity.Name to check the username against my own users table. On the first request it works fine and returns the name of the user logged on to the system, but on all other (ajax) requests it returns the IIS user.
What could be wrong? I've searched a lot and checked the following article (https://richhewlett.com/2011/02/15/getting-a-users-username-in-asp-net/), and I have Windows authentication enabled and impersonation disabled (not defined, really).
I'm currently experiencing an issue with some users of an ASP.NET 4.8 Web API application hosted on Windows Server 2012 and IIS. The following properties are not returning that user's correct user name, and instead returning the name of a service account used for this server:
HttpContext.Current.User.Identity.Name
HttpContext.Current.Request.LogonUserIdentity.Name
I have no idea how to begin troubleshooting this - myself and most other users do not experience this issue, but for a handful of users the above does not return the correct username, returning the username of a service account used to remotely connect to the server in question. Forcing a login via a browser private window does rectify the issue, and the application correctly returns the expected username for each of the above properties.
What could be a cause for Windows Authentication not returning the correct user name and what is the best way to troubleshoot an issue like this?
edit: I was able to resolve the issue, see my answer below
After some additional research and troubleshooting, I determined that the users experiencing the issue described above had the service account in question stored in the Windows Credential Manager:
Removing the service account in question allowed them to be authenticated with the Intranet site with their normal Windows domain\username. As @pcalkins suggested, at some point the affected users had used these credentials on their machine, and Chrome, Edge and IE were using that saved credential when authenticating with the Intranet site.
Please check the following steps:
Make sure that Windows authentication is enabled and Anonymous Authentication is disabled for the website.
Enable integrated security in Internet Explorer (Options/Advanced, checking the "Enable Integrated Windows Authentication" option).
Add your website to the Local Intranet zone and select at least the "Automatic logon only in Intranet Zone" option (under Options/Security Settings/Local intranet/Custom level).
Make sure the user and application server are in the same domain.
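For the "how do I troubleshoot this" part of the questions above, it helps to record, per request, every identity the server can see side by side, so the first page load can be compared with the ajax calls and an affected workstation with a healthy one. The module below is an added example, not code from any of the posts; the class name AuthTraceModule is hypothetical, and it assumes a trace listener is configured and the code is compiled with TRACE defined.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Added diagnostic (hypothetical name). Register it under <modules> (integrated
// pipeline) or <httpModules> (classic pipeline) in web.config while troubleshooting.
public class AuthTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    public void Dispose() { }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        IIdentity user = ctx.User != null ? ctx.User.Identity : null;
        WindowsIdentity logon = req.LogonUserIdentity;   // owned by the request, do not dispose

        // Log only the scheme (Negotiate, NTLM, Basic), never the credential blob.
        string authz = req.Headers["Authorization"];
        string scheme = string.IsNullOrEmpty(authz) ? "(none sent)" : authz.Split(' ')[0];
        bool ajax = req.Headers["X-Requested-With"] == "XMLHttpRequest";
        string userName = user != null ? user.Name : "";
        // Under Windows authentication these two names are expected to agree.
        bool mismatch = logon != null &&
            !string.Equals(userName, logon.Name, StringComparison.OrdinalIgnoreCase);

        // Identity the code is executing as: the impersonated user if impersonation
        // is on, otherwise the application pool account.
        string thread;
        using (WindowsIdentity current = WindowsIdentity.GetCurrent()) thread = current.Name;

        string line = string.Format(
            "{0:o} {1} {2} ajax={3} scheme={4} AUTH_TYPE={5} LOGON_USER={6} " +
            "User={7} authenticated={8} LogonUserIdentity={9} thread={10} mismatch={11}",
            DateTime.UtcNow, req.HttpMethod, req.Path, ajax, scheme,
            req.ServerVariables["AUTH_TYPE"], req.ServerVariables["LOGON_USER"],
            userName, user != null && user.IsAuthenticated,
            logon != null ? logon.Name : "(null)", thread, mismatch);

        // Strip line breaks so request-controlled values cannot forge log entries.
        Trace.WriteLine(line.Replace('\r', ' ').Replace('\n', ' '));
    }
}
```

An empty LOGON_USER together with "(none sent)" means the request was served anonymously and the browser was never challenged; a populated LOGON_USER naming an unexpected account means the browser did authenticate, but with different credentials than the interactive logon.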
I have a classic ASP Web application that's been running on a Windows Server 2003 server with IIS 6.0 for several years. I have to move it to a Windows Server 2008 server with IIS 7.0. I've got it working, but the ServerVariable LOGON_USER doesn’t get populated. This seems to be because I have enabled Anonymous Authentication and allowed Anonymous Authorization to the site. However, if I disable/deny either of those, then I get an Authentication or Authorization error when attempting to open it. I have to have the LOGON_USER variable for the program to work correctly, but no matter what combination of Authentication/Authorization I use, I get errored out if I don't allow anonymous login. Rather at a loss at this point as to what to try next. Any suggestions?
When you disable anonymous access, the site will become inaccessible for users that are not logged in.
You will need to add at least read-rights in Windows Explorer to the folder your web-application is running in.
If you do that, IIS will then prompt you for a username and password. You can use the credentials of the user you have assigned read rights to.
This will then authenticate you as that specific user, and allow you to run the site. This will also fill the LOGON_USER server variable with the username of the user you added.
Here's some more documentation on how to create a user for access using basic authentication in IIS:
http://technet.microsoft.com/nl-nl/library/cc772009%28v=ws.10%29.aspx
http://msdn.microsoft.com/en-us/library/aa292114%28v=vs.71%29.aspx
How do I create a user account for basic authentication?
Is it possible for the browser to know the currently logged in AD user without explicitly logging in? I want the code in the server to execute with the same permissions as the user in the browser. Is that possible or do I have to require the user to explicitly log on?
Context: ASP.NET, mostly IE 7, IIS 7.
Thanks.
If you...
use Integrated Windows Authentication in IIS
in web.config where relevant
and your users and IIS server are on the same domain
...then it is possible to pass credentials through the browser. IE (being Microsoft's creation) can do this without prompting; other browsers may still insist on users inputting their credentials at the start of a new session.
OK there are a couple parts to this question so I'll take them one at a time:
First, you would like to authenticate "without explicitly logging in". This is definitely possible with Internet Explorer using Windows Integrated authentication. Please see this article (Internet Explorer May Prompt You for a Password) for more details on requirements for your environment. You will want to enable this with ASP.NET Windows Authentication mode.
Second, you want server side code to run as the client's locally logged in user. This is called Identity Impersonation, and you should read this MSDN article to show how to configure it: Using IIS Authentication with ASP.NET Impersonation
Also See: MSDN Windows Authentication Provider
I have implemented a web service with Basic Authentication with .NET 4. To implement basic authentication I have implemented an HttpModule. When I call my web service via Internet Explorer, it prompts for a username and password, I enter a valid username/password and it works perfectly fine.
However, when I deploy my web service to the Dev environment and call my service in Internet Explorer, it gives me a user prompt; I enter a valid username/password, but it keeps prompting me for the username/password, and eventually after three tries I get the error message 401.2 - access is denied.
My Authentication settings are:
Anonymous Access Enabled
Basic Authentication Disabled
Windows Authentication Disabled
In my HttpModule, every time a user is authenticated, I log whether authentication was successful. I can see in the log file that authentication was successful all three times, but it still errors out. :(
By the way, if I run the web services in Integrated mode, it works fine. Unfortunately my requirement is to run the web services in Classic mode.
Environment Details:
OS: Windows Server 2008 R2,
IIS: 7.5 Classic mode
I have been stuck on this for the last 4 days. Please help!
Call me crazy, but wouldn't you have to have Basic Authentication Enabled to be authenticating anyone successfully?
I'm guessing that you have identity impersonation turned on and anonymous turned on which is causing your ASP.Net application to execute as the "IUSER_" account. The "IUSER_" account does not have access to a specific resource you are trying to access (could be API call, file, bla, bla).
If you do have identity impersonation turned off and you have anonymous turned on then your ASP.Net code should be running as the application pool account. Which means that account does not have access to a specific resource you are trying to access (bla, bla, bla).
Here is an old skool MSDN article that discusses IIS and ASP.Net security. Like I mentioned it is old, but the concepts still ring true.
I have a website with a large user base configured with asp.net 2.0 forms authentication. Before the user logs in via forms authentication is it possible to retrieve the windows login name/user account name on the machine they are using?
Many thanks
It certainly is possible--by adding another web application to your system. Here's roughly how I have done it:
Your primary web app uses Forms authentication. On the forms login page, any user that is determined to be on the local LAN (check IP address), redirect them to another app that uses Windows authentication. In this second app, you can determine the user (assuming the browser is configured to send credentials automatically to the zone in which your app resides), then set a cookie which your first app can read, and redirect the user back to the original app.
This does work.
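The cookie that the Windows-authenticated app hands back in the answer above is an identity assertion, so the Forms app should accept it only if it can verify who issued it and that it is still fresh. One way to do that with an HMAC and a short expiry, as an added example that is not the answerer's code; the class name HandoffToken, the token format and the shared-key arrangement are assumptions:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the answer. HandoffToken and its format are hypothetical.
public static class HandoffToken
{
    // Assumption: both apps load the same random 32-byte key from protected config.
    public static string Issue(byte[] key, string windowsUser, DateTime expiresUtc)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(windowsUser))
                         + "." + expiresUtc.Ticks;
        return payload + "." + Convert.ToBase64String(Mac(key, payload));
    }

    // Returns the user name, or null when the token is malformed, forged or expired.
    public static string Validate(byte[] key, string token, DateTime nowUtc)
    {
        string[] p = (token ?? "").Split('.');
        long expiry;
        if (p.Length != 3 || !long.TryParse(p[1], out expiry)) return null;
        try
        {
            // Verify the MAC before acting on any field of the payload.
            if (!FixedTimeEquals(Convert.FromBase64String(p[2]), Mac(key, p[0] + "." + p[1])))
                return null;
            if (nowUtc.Ticks > expiry) return null;
            return Encoding.UTF8.GetString(Convert.FromBase64String(p[0]));
        }
        catch (FormatException) { return null; }
    }

    private static byte[] Mac(byte[] key, string payload)
    {
        using (HMACSHA256 h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Comparison time does not depend on where the first differing byte is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The Windows-authenticated app would call Issue with Request.LogonUserIdentity.Name and an expiry a minute or so ahead, and the Forms app would call Validate before creating its own session. Setting the cookie with the HttpOnly and Secure flags keeps it out of script and off plain HTTP.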
This would only be possible if you were using Windows Authentication in your web application and then only if the user had logged in.
The kind of information you are after is not sent as part of the web request (quite rightly) and is therefore unknown to the web server.
Unfortunately no - if the user has not logged on, they are browsing anonymously, and are therefore unknown to the server. There is no way to identify them.
Once they're logged on, if you're using impersonation use WindowsIdentity.GetCurrent().Name. However, for forms authentication there's no direct way to ask the browser for their Windows credentials as they may not even be running Windows!
Not BEFORE no (not from the server).
Depending on the type of Auth you use, though, and the way the site is configured, you CAN get them to log in with their windows details.
See Mixing Forms and Windows Security in ASP.NET on Microsoft's MSDN.
The main difference from @TheObjectGuy's answer is that instead of using 2 websites, this does it all in a single website by configuring IIS to use Integrated Windows authentication just in a "single" page (WinLogin.aspx).