Windows Authentication Prompt - only some users - asp.net

My intranet site has Windows Authentication enabled.
For me and a few other users, it works great: authentication happens in IE 'behind the scenes'.
But some other (less privileged?) users on the same domain receive a log-in prompt.
The computer settings/local intranet settings are the same.
When authentication is disabled, the page loads fine for everyone.
So that makes me think it's not a file permission issue.
What reasons could there be for some users getting authenticated and some not?

Related

ASP.Net User Authentication IE - Cached credentials

I have an ASP.NET web application that's running on our intranet; it is using Active Directory for authentication. We recently migrated away from an old domain to a new domain. Some users are getting a "This Page Cannot Be Displayed" error when connecting to the application.
The errors seem to persist on IE 11, but it works in Chrome or Firefox. I suspect that IE is caching user credentials and trying to log users on using their stored credentials and passwords.
We have tried clearing cache and cookies with mixed results; the server has also been restarted, but the problems persist.
Any thoughts on how to address this and force IE to use the users' actual credentials and not cached credentials?
Not to add confusion, but I have had some success with some users connecting using the IIS web server IP address rather than the qualified name, e.g. 10.x.x.x/appname.aspx instead of MyServerName/appname.aspx.
Thanks
I suspect that those users with the problem have allowed IE to save their password. That is not in a cookie.
Have a look in Credential Manager on their workstations. Depending on the OS, it would be: Control Panel\User Accounts\Credential Manager
Click "Web Credentials" and if there is a Web Password stored for your application, you will see the URL listed. Just delete it.
This would also explain why the IP works, because the cached credential is tied to the URL.

Login to ADFS without prompting for credentials

I've set up a site using ASP.NET MVC 5 to use claims-based security with our on-premise ADFS server. The site performs the redirect to the ADFS server, which asks for the user's AD credentials to log in, and then redirects back to my site. At that point the user is authenticated and I have access to all the claims that ADFS is sending.
The issue is I don't want my users to have to enter their credentials. I would assume their Windows credentials could be sent to the server to make the sign-in process seamless, but I can't figure out how. I have attempted to set the authentication mode to Windows, but it has no effect.
Both the ADFS and my site are internal, and the ADFS site appears in my Local Intranet Sites settings. I've tested with both IE9 & Chrome and they both pop up a dialog box asking for credentials. I've spoken with the sysadmin and Windows authentication is enabled for ADFS.
How can I authenticate with ADFS without my users being prompted for their credentials?
I encountered the same issue as well and finally figured out the cause. This may occur if the ADFS authentication page URL is a non-intranet address.
To resolve the issue, change the wsFederation issuer address in the application's web.config to one that would be treated by the browser as an intranet address.
Change the following
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz.abc.com/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
to
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
where xyz is the machine name where ADFS is installed.
Do not change the ADFS trust URLs though. Keep them as they are, since they would be used for matching and establishing trust between your application and ADFS.
The browser treats "xyz.abc.com" as an internet address, and hence displays a login prompt while "xyz" is treated as an intranet address so it automatically forwards logged in user credentials to the application without the user having to specify credentials himself/herself.
After this change, any intranet user would be directly logged in to the application if the browser used is Internet Explorer with default security settings (i.e. "Automatic logon only in Intranet zone" under Security tab -> Internet -> Custom level) or Chrome (since it picks up the settings set for Internet Explorer).
To make the automatic login work in Firefox, the following additional steps would have to be performed:
1) Type about:config into the Firefox address bar. You might be warned about editing this section; go ahead anyway.
2) Type "fqdn" in the search bar. You should now see 2 settings i.e. "network.automatic-ntlm-auth.allow-non-fqdn" and "network.negotiate-auth.allow-non-fqdn". Change the values of both to true.
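An added example (Python, not code from any of the posts) that models the browser-side zone rule this answer and the IE settings answer further down depend on, and applies the issuer change above to a constructed web.config fragment. Only IE's default rules are modelled (explicit site lists, then "dotless host name => Local intranet"; proxy-bypass handling is omitted), and `intranet_sites` stands in for an explicit Local intranet site list.

```python
# Added example (not from the original posts): IE zone decision with default rules
# (explicit site lists, then "dotless host => Local intranet"; proxy bypass omitted),
# plus the web.config change from the answer: shorten the issuer host, keep realm.
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

def ie_zone(url, intranet_sites=frozenset(), trusted_sites=frozenset()):
    """Approximate the Internet Explorer security zone for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    if host in trusted_sites:
        return "Trusted sites"
    if host in intranet_sites:          # e.g. a Site-to-Zone assignment via GPO
        return "Local intranet"
    try:
        ipaddress.ip_address(host)      # IP literals default to the Internet zone
        return "Internet"
    except ValueError:
        pass
    # "Include all local (intranet) sites not listed in other zones" puts any
    # single-label (dotless) host name into Local intranet; FQDNs go to Internet.
    return "Local intranet" if "." not in host else "Internet"

def logs_on_automatically(url, **zone_lists):
    """Default 'Automatic logon only in Intranet zone': credentials are sent
    without a prompt only for URLs that land in the Local intranet zone."""
    return ie_zone(url, **zone_lists) == "Local intranet"

# Constructed web.config fragment matching the wsFederation line in the answer.
WEB_CONFIG = """<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" issuer="https://xyz.abc.com/adfs/ls/"
                    realm="http://myapps/MVCpluADFS" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>"""

def shorten_issuer_host(config_xml):
    """Rewrite only the issuer's host to its single-label name; return the new
    config text plus (issuer, realm) so a caller can confirm realm is unchanged."""
    root = ET.fromstring(config_xml)
    ws = root.find(".//wsFederation")
    parts = urlsplit(ws.get("issuer"))
    short_host = parts.hostname.split(".")[0]
    ws.set("issuer", urlunsplit((parts.scheme, short_host, parts.path, parts.query, parts.fragment)))
    return ET.tostring(root, encoding="unicode"), ws.get("issuer"), ws.get("realm")
```

Passing the FQDN in `intranet_sites` shows the alternative the other answers describe: adding the site to the Local intranet zone makes the unchanged issuer log on automatically without touching web.config.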
Are these intranet or extranet users?
Only intranet users can log in seamlessly with WIA.
This works OOTB with IE with the correct settings but other browsers need to be explicitly configured.
What browsers are you using?
Also the ADFS config needs to allow integrated auth.

iis7.5 windows authentication prompt shows on remote clients

I am building an Intranet system currently and the client has insisted on automatic login.
I have set up the system to authenticate the currently logged in (to windows) domain user in IIS 7.5 via Windows Authentication.
The system then uses the user's username to pull details from AD via LDAP.
This works perfectly locally; however, if a remote client (let's say a spare PC I have as a test-bed) that is on the same domain and logged in as a spare test user opens it, it will ask for login details via the standard prompt.
Once the user has done this, the system works fine, pulls details from AD, etc., but will ask again for login details the next time.
So the question is: why is this happening, and how can I stop the prompt?
Is it something to do with the IIS user?
I have authentication mode="Windows" in web.config, and I do NOT have Impersonate enabled.
Most probably all you have to do is to add the site to the local intranet zone in IE.
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html

Disable integrated windows security while browsing on localhost

I am developing an intranet MVC3 application that will be used by both domain and non-domain computers.
Everyone has a domain account, so whenever a non-domain computer opens the website a Windows credentials prompt is expected to appear.
If I understand correctly, this will be standard browser behavior, since browsers won't pass Windows credentials to a website unless they are in the same domain.
The problem, however, is that whenever I debug on my localhost I am in the same domain as the server (since I am the server, obviously). This results in me being "logged in" with my workgroup Windows account instead of my domain account.
What I'm looking for is a way to trigger the prompt box so I can use my domain account to log in rather than get useless access with my workgroup account.
You can use Forms authentication with the ActiveDirectoryMembershipProvider.
Take a look at this tutorial on MSDN: http://msdn.microsoft.com/en-us/library/ms998360.aspx and this post: http://support.microsoft.com/kb/326340/en-us (sorry, it's VB code).
Addendum: if you just want to test another user's credentials, you can use impersonation; just set up your web.config.

AD / IIS Single sign-on issue with fully qualified domain name

We have an issue for our intranet site that is running in our local network.
In a nutshell, we have integrated Active Directory authentication with our application and want to use IIS integrated authentication to allow users to sign on without entering any credentials.
Assume the AD domain is "domain.name", and the server our application is hosted on is "server-name". We are running on Windows 2008 and the Integrated Authentication role is set up in IIS.
We have managed to make this work for http://server-name/; however, when we enter http://server-name.domain.name/, users are prompted for their credentials in the standard way and if they cancel, a "401 Unauthorised" message is displayed.
The issue is that it seems to authenticate when the machine name is accessed, but browsers do not pass over credentials when the fully qualified address is accessed.
Has anyone seen this before? Is there any advice they can offer on the situation? I ask as a programmer who has little experience with network setup and Active Directory.
Thanks
Have a look in IE settings. Tools > Internet Options > Security > Local Intranet > Custom Level. Scroll down to the very last setting, "Automatic login only in Intranet zone". By default IE will only automatically pass along Windows-authenticated credentials to a site it considers "intranet".