Windows authentication configuration questions - bonobo

I installed version 6.3.0 of the bonobo server on a Windows 2008 R2 box. I followed the instructions and all was well with the out-of-the-box settings.
Now, I wanted to enable Windows Authentication. The goal is that the developers don't have to enter a password when they access the remote repository.
I started with this article. Firstly, I am not sure about the sequence of making the changes. Should it be done before running it the first time? Or after? It's not clear. Anyway, I did it both ways, and in both cases it doesn't work.
Scenario 1: Left everything out-of-the-box, I added myself as a user. After I made the web.config change I was still presented with the login page, and when I typed the password, I was redirected back to the login page.
Scenario 2: I shut down IIS, I made all the changes, and before restarting IIS, I updated the web.config as per the windows authentication article. I also disabled Anonymous Access and enabled Windows Authentication. After I restarted IIS, when I tried to access it, I got:
The request filtering module is configured to deny a request where the query string is too long. I fixed this by adding: maxQueryString="32768" to the requestLimits tag.
Now I get ERR_TOO_MANY_REDIRECTS when I try to access the root page.
The documentation is not clear on how you have to configure this thing for windows authentication. It looks to me that you need to leave the out-of-the-box settings, define your users, make sure one of them is admin, then change the setting to windows authentication. As soon as you turn on the windows authentication the admin user can't be used. I assume the server is trying to find the current user in its own database.
One other thing: if you turn on Windows authentication in the web.config, do you need to enable Windows Authentication in the IIS Authentication settings for the app and turn anonymous access off? I would think so, but the documentation doesn't specify anything. What happens if I am logged in with an account on a different domain than the box with the bonobo server?
Is there someone that can clarify what has to be done exactly to get the windows authentication running?
Thanks

I hope you have been able to solve the problem in the meantime.
If not, change the "AuthenticationProvider" to "Windows" and "MembershipService" to "ActiveDirectory".
Check your Web.config to make sure the following is uncommented:
<appSettings>
...
<add key="AuthenticationProvider" value="Windows" />
<add key="MembershipService" value="ActiveDirectory" />
...
<add key="ActiveDirectoryDefaultDomain" value="<your.domain>" />
<add key="ActiveDirectoryBackendPath" value="~\App_Data\ADBackend" />
<add key="ActiveDirectoryMemberGroupName" value="Developer" />
<add key="ActiveDirectoryTeamMapping" value="Developers=Developer" />
<add key="ActiveDirectoryRoleMapping" value="Administrator=Developer" />
...
</appSettings>
...
<system.web>
...
<authentication mode="Windows" />
...
</system.web>

Related

Windows Authentication doesn't work with IIS Express 10

At work we were forced into a hardware refresh where we went from a Windows 7 box with VS 2013 and IIS Express 6 to a Windows 10 box with VS 2017 and IIS Express 10. The problem is that Windows Authentication refuses to work. I get a 401.2 - Unauthorized with the explanation of "Invalid Authentication Headers".
I've checked the web.config and the properties for the web project and they are correct. I've modified the applicationhost.config file in the .vs folder in the project to enable windows authentication. I even checked the permissions of the files to make sure authenticated users had the right permissions. None of this has worked.
This all worked fine in IIS Express 6. What did Microsoft change in IIS Express 10 that screws this all up?
Edit: have to manually type this stuff in, since I can't move code from the dev machine.
web.config:
<system.web>
<customErrors mode="Off"/>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
If you want any other sections of the web.config, ask me.
As for ApplicationHost.config, it is basically whatever VS2017 creates, since this is a fresh machine and there wasn't an existing one with the project. Changes I tried making:
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" userName="" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
One additional datapoint: The application runs on Firefox. I can log on fine to our test servers, running IIS 8.5, but can't access the application on IIS Express.
I've since created a new MVC application and just ran that. It runs fine in IE, but it won't authenticate users from Firefox and Edge.
Edit: Found out that Edge doesn't support Windows Authentication on localhost: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/4776775/
Still need to get it to work with Firefox.
Edit again: So, I think I know what is going on. I have two user accounts: the regular user account and an admin account with more privileges. What I did under Windows 7 was that while I logged into my regular account, I ran VS under my admin account. Then I could run my web application and log into the web site with my admin account. This doesn't seem to work anymore. The only way I could get my application to work is to run it all under my admin account. Otherwise, Windows authentication won't work. Security-wise, this is broken as hell and I'd like to find a better solution.
You only need to change some properties in your project, as mentioned in the link below:
enable windows authentication
I'm going to mark this one as answered and I'll follow up with a new question. The current solution is to run everything on our admin account to get windows authentication working. Not ideal.

Allow for backup AD login for windows authentication ASP.NET MVC app

I work for a company that uses Active Directory for all computers. Everyone also has an AD user account, but this does not mean that they use it all the time. Some users only use them for certain applications. For the most part, all general users just use a generic login out in the work areas.
I am new to MVC and I am trying to learn to do everything the proper way. I currently have an application that was written in Java that I need to convert to ASP.NET MVC. I want to make it so that users who are logged in under the shared username are required to log in using their own AD credentials to authenticate and impose as themselves from then on in the application.
From what I can make sense of on google, I will need to make a custom authentication method. If so, maybe someone can graciously point me in the right direction.
Any help is greatly appreciated. Thank you all.
Assuming you are on IIS7, a former IIS team member wrote a very useful blog on combining windows and forms authentication.
I have and am currently using this in a production intranet system, and the following are my comments on how to set it up.
Unlock the anonymousAuthentication and windowsAuthentication configuration sections before you can use them in web.config:
%windir%\system32\inetsrv\appcmd unlock config /section:anonymousAuthentication
%windir%\system32\inetsrv\appcmd unlock config /section:windowsAuthentication
Register the forms authentication wrapper configuration section in your web.config:
<section name="formsAuthenticationWrapper" type="Mvolo.Modules.FormsAuthConfigurationSection" />
Replace the built-in Forms Authentication module with the wrapper:
<remove name="FormsAuthentication" />
<add name="FormsAuthentication" type="Mvolo.Modules.FormsAuthModule" />
Set the required settings for the gateway page:
<security>
<!-- Enable IIS Windows authentication for the login page -->
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
That should do it.

User.Identity.Name with windows authentication

I have a very simple partial view in my header called AccountInfoPanel.
It only has one line:
Welcome: #HttpContext.Current.User.Identity.Name
And in my Web.Config I have
<authentication mode="Windows" />
But the identity name is always empty.
If I debug through VS 2012, and break on the index action, I see it is empty.
If I run it through IIS with Windows Authentication enabled and Anonymous Authentication disabled, I get a challenge.
So I try to plug in My account or a test1 and test2 account.
It comes back and says:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I also tried setting Impersonation to true and get the same response from the challenge.
Does anyone know how to set this up?
And if all the setup has to be done in IIS, how do you debug your code within Visual Studio?
One other question. My boss seems to think you don't even need a login box. IE would just know who you are. And you could "run as" in IE with a different account.
Check one of possible issues on my checklist
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
In short:
First, make sure that Anonymous Authentication is turned OFF for the site:
Second, enable integrated security in Internet Explorer (Options/Advanced and check the "Enable Integrated Windows Authentication" option).
Third, add your website to Local Intranet zone and select at least “Automatic logon only in Intranet Zone” option under Options/Security Settings/Local intranet/Custom level).
Fourth, make sure the user and application server are in the same domain.
To solve the problem, you have to enable the Windows Authentication feature. Follow the steps below:
- Click Start, and then click Control Panel. Open the Programs group.
- Under Programs and Features, click Turn Windows Features on or off.
- Expand the item labeled Internet Information Services.
- Expand the item labeled World Wide Web Services.
- Expand the item Security.
- Make sure to select Windows Authentication.
You also need to disable Anonymous Authentication in IIS, as follows:
- Click on your application in IIS.
- Double-click Authentication under the IIS group.
- Click on Anonymous Authentication.
- Click on Disable on the right side under Actions.
Hope this helps.
Visual Studio installs IIS Express to serve web applications, so you have to configure it to use Windows Authentication.
Configuration file for IIS Express is usually here (more info: Where is the IIS Express configuration / metabase file found?):
%userprofile%\documents\iisexpress\config\applicationhost.config
Disable Anonymous authentication (enabled by default):
<anonymousAuthentication enabled="false" userName="" />
Enable Windows Authentication (disabled by default):
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
I know this is an old question, but since it's not answered maybe someone could use my tip. I've been struggling with such an issue for some time and finally, I've discovered that one needs to have URL Authorization installed in order to make it work.
Navigate to the windows features and install the following feature:
Web Server (IIS) -> Web Server -> Security -> URL Authorization
I've also restarted IIS just in case, but I'm not sure if it's needed.

ASP.NET Windows Authentication Not Working/Not Accepting Credentials

I've been trying to resolve this question for a couple weeks now via Google and reading SO, and not had much luck, so I thought I'd finally try asking myself.
I'm setting up a very, very simple ASP.NET site on our intranet to generate some information for internal users. I'm using Windows authentication, rather than anonymous access, because based on what user hits the site I will be generating different information.
Long story short, this works perfectly in testing on my local Windows 7 machine where I developed the application. However, from the Windows 2008 R2 server where I want it to reside, when I hit the site I get a pop-up asking for my credentials, and even if I enter them it asks me for them again and again. This happens regardless if I'm hitting the site remotely or locally. If I try using anonymous access I can reach the site both ways but as I cannot identify the user I cannot generate the information I would like to provide.
Notes:
In IIS, I have Windows Authentication and ASP.NET Impersonation enabled for the site. Everything else is disabled.
For the sake of figuring it out, I currently have the web.config set to allow all users and am not denying any.
The host/URL I'm using for it is toolName.organization.local
I was concerned that it was an issue of the 2008 R2 server admin user residing in a different domain than the remote user I was testing with, but again it does not work locally either.
In the AppHost file, I currently have windowsAuthentication enabled.
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
Admittedly, I typically use forms authentication on this server for all of our other internal sites so I'm a bit new to windows authentication and this issue. At this point I'm just not sure what to try or check next, so any advice would be helpful. Thanks.
I know this is a slightly old topic, but I had this exact same problem. Turns out I had the AppPool using Identity: ApplicationPoolIdentity instead of NetworkService. Once I switched that (under Advanced Settings in IIS7.5) I no longer got the server prompting for additional credentials and the pass-through worked perfectly.
Hope that helps!
First, you should realize that Windows passthrough authentication only works with Internet Explorer, and then only if the site is in the Trusted Sites or Intranet Sites security zone. Firefox, Chrome, etc. will always prompt for credentials.
Having said that, you have a couple of issues.
You should have an <authentication mode="Windows" /> element in your web.config
You should decide if you want the app to run in the context of the user, in which case you would also need an <identity impersonate="true"/> tag. If not it should be false (although this is the default).
You do not need to have any authorization rules in your web.config if the site itself is completely guarded by windows authentication.
Just in case it's helpful, the problem for me was that I had left my application pool in Classic mode, in order to try to use NTFS permissions. I never got that to work, but once I switched it back to Integrated mode, I could use <allow> and <deny> tags to configure specific users' access.

ASP.NET Authentication Issues on IIS7 - User.Identity.Name is empty for Windows authentication

We have an ASP.NET application on ASP.NET 4.0 using MVC 3 which uses Windows authentication.
When run from Visual Studio 2010 everything works as expected but when rolled out to IIS7 the Windows logged in user never gets populated (checking User.Identity.Name). No dialog prompt for user credentials comes up either.
The web.config setting:
<authentication mode="Windows" />
In IIS I can see that Windows authentication is enabled, as is Anonymous (disabling Anonymous results in a 403 Forbidden and no content being shown).
I've tried both enabling and disabling "Kernel-mode authentication" (useKernelMode="true"), but this doesn't seem to make any difference. Though I do remember that we had to disable this setting on another site on a different server to get the authentication to work properly (might point to a potential issue further down the stack?).
In case it's useful, from IIS's applicationHost.config:
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<digestAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<windowsAuthentication enabled="true" useKernelMode="false">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
</security>
Any ideas what the issue could be?
Thanks in advance for any suggestions.
Update 1
I managed to find another IIS7 server to test on and I found if I disabled Anonymous access everything worked as desired. However I still have issues on the original IIS7 server even when I disable Anonymous access as well (I'm keeping Anonymous disabled now). So there must be some issue further down the stack I guess. Any ideas? Something I need to fix as it's going to keep popping up and biting us I imagine.
Update 2
If I enable Digest Authentication on the problem IIS7 box then I am challenged with the login prompt dialog and everything works as expected if I provide suitable credentials. But being an internal web app with users already logged in to the domain we don't really want to challenge them this way. Credentials should be passed through transparently as it works on the second IIS7 box.
Update 3
Some progress... I've found that if the web app is in the root and not a sub site then directly editing the applicationHost.config file for IIS7 to give the following authentication settings allows the site to work as expected:
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
<digestAuthentication enabled="false" />
</authentication>
Using IIS7's UI to configure the authentication doesn't give quite the right results. Authentication items are either missing afterwards (as I guess IIS7 assumes they are being inherited) or they have the wrong settings (windowsAuthentication seems to need the providers configuration above present to work correctly).
Unfortunately, the web application in question is actually a sub application, as there's an internal version (using Windows authentication > www.site.com/internal) and an external version (using forms authentication > www.site.com/external). I still can't get the authentication to work as a sub application yet. I just get an "Error Code: 403 Forbidden".
In this case it was a Microsoft ISA Server issue. Seems the request was being routed internally through ISA for the Windows Authenticated site, once ISA was removed the problem disappeared.
I don't know a lot about ISA and how it routes requests but I assume it must have been stripping out some important information from the request because of some rule someone will have configured.
As a side note in case it helps diagnose similar setups: I was told by the network admin staff that internal traffic was not routed through ISA, but pinging the website internally showed that ISA was actually in play.
You mentioned that disabling anonymous access worked on another server, but on your main server you are experiencing 403 errors. Therefore, I would check the file-based permissions on the folder your site is running from. In the past I have needed to grant the Network Service account full control to the site folder and all subfolders, or I would experience 403 errors. Check the file permissions on the server that is working and see if there are differences with the server that is not working.
Also, if this is not the issue, I would recommend comparing all of the other IIS settings between the two servers, since you know it works on one and not the other. Find the difference.