I am in the deployment phase of two separate ASP.NET 4.5 web applications being put onto a server running ASP.NET 4.6. We use a mixture of Windows 7 and Windows 10. All computers are on the same domain and the server is running IIS 8.5. This intranet application is supposed to use Windows authentication to either send a user with invalid credentials to a web page with an error message or give the person access to the site. The problem is that some users are getting prompted to log in regardless of the security group that they belong to.
I have added the domain to the company-wide whitelist and set Internet Explorer to use automatic Windows authentication on intranet websites. We have tried moving the site to a non-shared folder. We finally tried converting both of the web applications to a web site project and the security worked just fine. However, we don't want to use web site projects anymore and find this to be a temporary solution.
I have made certain that authentication has been set to Windows.
When checking the IIS logs, I see the error codes 401 0 0 15 and 401 2 5 0. Maybe there is some other setting that we are overlooking when deploying? Any help would be greatly appreciated.
For your application to log in with your network's Active Directory, you need to configure Windows authentication twice: first in your application (Visual Studio) and second in IIS. You must also convert the folder into an application and use the correct framework version.
Visual Studio:
<system.web>
  <authentication mode="Windows" />
</system.web>
IIS:
Convert the folder to an application by right-clicking it and choosing "Convert to application". Then select the application, go to the "Authentication" tab, disable "Anonymous authentication" and enable "Windows authentication".
Greetings from Mexico.
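An added triage example for the log codes quoted in the question (not code from either poster): in IIS's default W3C field order the last four numbers on a line are sc-status, sc-substatus, sc-win32-status and time-taken, so "401 2 5 0" is a 401.2 with Win32 status 5. An unauthenticated first request answered with 401 is the normal start of the handshake, so the script separates clients that went on to authenticate from clients that only ever received 401s. The log lines, IP addresses and user name are constructed, and treating any named 2xx request as a completed handshake is a simplifying assumption.

```python
from collections import defaultdict

# IIS 401 substatus meanings as documented by Microsoft.
SUBSTATUS = {"1": "logon failed", "2": "logon failed due to server configuration",
             "3": "unauthorized due to ACL on resource",
             "4": "authorization failed by filter",
             "5": "authorization failed by ISAPI/CGI application"}

# Constructed sample in W3C extended format; not taken from the poster's server.
SAMPLE_LOG = r"""
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status time-taken
2016-03-01 09:00:00 GET /app/ - 10.0.0.5 401 2 5 0
2016-03-01 09:00:01 GET /app/ CORP\alice 10.0.0.5 200 0 0 31
2016-03-01 09:05:00 GET /app/ - 10.0.0.9 401 2 5 0
2016-03-01 09:05:02 GET /app/ - 10.0.0.9 401 0 0 15
2016-03-01 09:05:09 GET /app/ - 10.0.0.9 401 2 5 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage_401(text):
    """Per client IP: did any request authenticate, or did every attempt end in 401?"""
    clients = defaultdict(lambda: {"user": None, "failures": set()})
    for r in parse_w3c(text):
        c = clients[r["c-ip"]]
        if r["sc-status"] == "401":
            sub = r["sc-substatus"]
            c["failures"].add(f"401.{sub} ({SUBSTATUS.get(sub, 'no substatus detail')})")
        elif r["sc-status"].startswith("2") and r["cs-username"] != "-":
            c["user"] = r["cs-username"]   # a named user means the handshake finished
    return {ip: (f"authenticated as {c['user']}" if c["user"]
                 else "never authenticated: " + "; ".join(sorted(c["failures"])))
            for ip, c in clients.items() if c["failures"]}

if __name__ == "__main__":
    for ip, verdict in triage_401(SAMPLE_LOG).items():
        print(ip, verdict)
```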
I have not dealt with classic ASP for over 13 years (and IIS and ASP.NET for a while as well) and today I had to move a classic ASP website to a new server - Windows 2012 with IIS 8.5 from Windows Server 2003 with IIS6. I copied the website directory onto one of the drives (the same drive letter as it was on the old server) and went to IIS Manager and created an application for that directory.
Locally I can access the application via http://localhost/AppAlias/Default.asp and it renders in IE but when I access it remotely via http://ServerName/AppAlias/Default.asp, it does not render in IE, instead I get "Internet Explorer cannot display the webpage" error. When I open the same URL in Chrome, it renders just like it does when accessed locally.
I checked IIS settings on the server for ASP applications and under Basic Settings I clicked on Test Settings. Authentication uses Pass-through and it seemed fine but authorization had a warning mark on it. The message was "Cannot verify access to path E:\Pages\Test\AppAlias" and in details I found the following:
The server is configured to use pass-through authentication with a built-in account to access the
specified physical path. However, IIS Manager cannot verify whether the built-in account has access.
Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain,
and the application pool identity is NetworkService or LocalSystem, verify that \$
has Read access to the physical path. Then test these settings again.
I gave Network Service read access but am still having an issue. Can anyone help?
My "Hello World" C#.NET application works fine on my local Windows 7. Moving to our server I get a 401.2 error.
Here is what I have done (following advice in some forums):
Changed the Anonymous authentication user to the application pool user
Created a new application pool
Created a new Windows user with access to application folders
Set the authentication of the application pool to that user
Set the application pool for my application to that application pool
Please note that:
I receive the error both from within the server and outside
I receive this error from all the browsers I tested: Chrome, IE 9.0 and Firefox
An html file in the same folder is visible
What am I missing?
Thanks,
Asaf
You don't need to create a new windows user. I know you've said what steps you've done, but I'm going to highlight what I do each time I add a new site.
Set the Identity of the Application Pool to ApplicationPoolIdentity.
In the website, set Anonymous Authentication to Enabled. Click Edit on the right and set the Authentication Credentials to Application pool identity.
In the website, again, choose Basic Settings on the right. Click the Connect As.. button and make sure Application User is selected.
Give the appropriate access to the folder on your hard drive(s); i.e. Application Pool name = hello.com, the user is IIS AppPool\hello.com.
I think your issue is that you haven't given the folder permissions for the Application Pool User. I think you've incorrectly given them to an unnecessary Windows account.
HTH
Do you have the correct version of .NET installed on the server? You also need to register ASP.NET in IIS - c:\windows\Microsoft.NET\framework\v2.0.50727 (or v4.0....)
aspnet_regiis.exe -i
and afterwards restart IIS with iisreset on the command line
Goal
I am trying to deploy an MVC3 application that requires Windows Authentication (specifically Kerberos) as an Application within an older asp.net Anonymous Authentication Website.
Symptoms
In IIS 7.5 Express on my box it works perfect, obviously. When I deploy it to IIS 7.5 as its own site I get challenged for domain credentials, though none are accepted. When I deploy it as an application I get the custom error page back from the hosting site. To confirm - Kerbtray shows no ticket in either scenario.
Details
Both the Site and the new child Apps run on the same application pool, and the application pool runs as AppPoolIdentity. That built-in IIS app pool account (IIS AppPool\MyAppPoolName) has full Read/Execute permissions down both the Site's and the App's folder trees. No impersonation is used.
Question(s)
Is there anything special I need to do to get NTLM and Kerberos working on an App inside an anonymous auth Site?
If not, any advice on things/places to look would be great - the ApplicationHost.config and the app's web.config files look fine.
EDIT: For clarification, this is all on a corporate network that uses Kerberos extensively for other purposes. "Site" refers to an IIS Website and is distinguished from an "Application" that must be hosted within an IIS Site.
After working on this a bit more, I found the answer:
Nothing special is needed to host a Windows (Kerberos) authenticated IIS App within an Anonymous authenticated IIS Site on IIS 7.5 so long as:
a. Kernel Mode Authentication is On - No SPNs required.
b. The application uses the same App Pool Identity as the hosting parent. Different App Pools and their identities can be used, but this does require further NTFS permissions and is beyond the scope of this particular issue.
The issue with my error was something much more simple yet elusive... the parent Site had a custom set of error pages defined in <HttpErrors> including pages for 401 and 403.
This was the error page returned when the user requested a page from the nested Application because Kerberos sends a 401 first, to challenge the user for credentials and ask him/her to get and provide a Kerberos ticket... but because the parent Site returned a 200 response (the custom error page) the user never got a Kerberos ticket.
With these off, the user is now appropriately getting a Kerberos ticket and falls back to NTLM by default.
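The cause described in this answer can be checked from configuration before deployment. The following is an added example, not the poster's code: it merges a parent Site's and a child Application's `httpErrors` entries and reports any custom 401/403 page that a Windows-authenticated child would inherit. Both config fragments are constructed, and removing the entries in the child with `<remove>` is one possible variant (the poster simply turned the parent's pages off).

```python
import xml.etree.ElementTree as ET

# Constructed configs (assumptions): parent Site with custom error pages,
# child App with Windows authentication enabled.
PARENT = """<configuration><system.webServer>
  <httpErrors errorMode="Custom">
    <error statusCode="401" path="/errors/denied.htm" responseMode="ExecuteURL" />
    <error statusCode="403" path="/errors/denied.htm" responseMode="ExecuteURL" />
    <error statusCode="404" path="/errors/missing.htm" responseMode="ExecuteURL" />
  </httpErrors>
</system.webServer></configuration>"""
CHILD = """<configuration><system.webServer>
  <security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security>
</system.webServer></configuration>"""
# Same child, but dropping the inherited 401/403 entries.
CHILD_FIXED = CHILD.replace("<security>", '<httpErrors><remove statusCode="401" />'
                            '<remove statusCode="403" /></httpErrors><security>')

def effective_errors(*configs):
    """Apply <error>/<remove>/<clear> in order, parent first (collection inheritance)."""
    table = {}
    for xml in configs:
        node = ET.fromstring(xml).find("system.webServer/httpErrors")
        for el in (node if node is not None else []):
            key = (el.get("statusCode"), el.get("subStatusCode", "-1"))
            if el.tag == "clear":
                table.clear()
            elif el.tag == "remove":
                table.pop(key, None)
            elif el.tag == "error":
                table[key] = el.get("path")
    return table

def masked_challenges(parent, child):
    """Custom 401/403 pages that a Windows-auth child app would inherit."""
    auth = ET.fromstring(child).find(".//windowsAuthentication")
    if auth is None or auth.get("enabled") != "true":
        return []
    return sorted(f"{code} -> {path}"
                  for (code, _), path in effective_errors(parent, child).items()
                  if code in ("401", "403"))

if __name__ == "__main__":
    print(masked_challenges(PARENT, CHILD))        # inherited pages found
    print(masked_challenges(PARENT, CHILD_FIXED))  # nothing left to mask the 401
```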
I created a web application by going to IIS right-clicking on Default Web Site and selecting Add Application. Then I give the Alias name, select DefaultAppPool and point it to Physical path.
When I try to browse to http://localhost/mywebapp I get 'Access is denied' with following details:
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
Anonymous Authentication is enabled on the IIS Website.
The web application is ASP.NET MVC5 application.
The web application is running under its default identity: ApplicationPoolIdentity
Here are the settings for DefaultAppPool
Make sure your application is not on a network share or in the windows user (magic) directory. (It can be in the Visual Studio default magic user directory if you follow my instructions below)
If you're on Win7, create a new MVC 3 application, ^F5 to run. Then in solution explorer, right click the project and select properties. In the left pane, select the Web tab. The default is Cassini ( Use Visual Studio Development Server). Select the next radio, Use Local IIS Web server. Now ^F5 and it will launch your app from IIS. You can also find your application in IIS manager and in the right pane, select browse 80. Now that it's working, compare the differences in your two applications.
Your approach should also work. You might try creating a new MVC application and use your approach to test on IIS. The most common mistake is creating a vDir, not an application.
The error message is pretty good. To set ACLS on the application pool identity, follow the instructions under Securing Resources at http://learn.iis.net/page.aspx/624/application-pool-identities/
Also see Understanding Built-In User and Group Accounts in IIS 7
If the new MVC app should fail, repeat, but create a Web Forms app.
Make sure IUSR has permission to the directory that webapp is sitting in.
Also, if your application is accessing permissioned resources (File IO, MSMQ, etc.), you will have to change the Identity of the app pool or make sure IUSR has permission.
Make sure that the NETWORK SERVICE account (or whatever system account IIS is using) has permissions to the application folder.
To check the system account that's being used, go to the application pool settings, and the system account will be listed under the Identity tab:
EDIT
Make sure that the application is using the correct application pool. Also, if you haven't already specified a default document, that could be your problem. You can test this by including a page name in the URL, e.g. http://localhost/mywebapp/default.aspx
net 2.0/umbraco 4.0.3 website hosted in IIS6 with a couple of url rewrites using http://urlrewriting.net/ ..
We just moved the site to IIS 7/classic pool and the URL rewrites stopped working. Can anyone give a hint of what might be the issue, as we have been trying for some time without any luck?
Regards,
Anz
#mahesh Umbraco 4.0.3 only requires .NET 3.5 (read: .NET 2.0 with AJAX libraries, which are included in the distribution).
#Anz, best things to check for are:
Have you added the wildcard ISAPI handler to the site for Classic mode? For extensionless URLs to work, you must add a wildcard handler to the site, which then points to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll. This applies to IIS6 and IIS7 sites in Classic mode (IIS6 only has classic mode).
In Integrated mode, however, this isn't required... so you could try switching your application pool to Integrated mode and see if this works.
Check your application pool's identity. Sometimes the site won't load components properly because the identity of the application pool can't access them. In IIS7, you have a new principal called ApplicationPoolIdentity, which creates a new user just for that app-pool, in the format "IIS APPPOOL\". If your app-pool has its Identity property set to ApplicationPoolIdentity, you need to grant read/write/modify access on it by going to the folder, right-clicking and hitting Properties, switching to Security, click "Edit", click "Add...", type "IIS APPPOOL\" (without quotes, with all spaces), click OK. Set the "Modify" attribute against this user, click Apply, click Close.
HTH,
Benjamin
Alternatively:
I had upgraded the server from 32-bit Windows to 64-bit Windows.
Needed to check 'allow 32-bit applications' on the app pools.