WindowsIdentity always returns IIS user - asp.net

I have an asp.net web application, on which I try to implement Windows authentication.
The application is hosted on IIS, and runs under Administrator account.
In the application, I am trying to get the name of the current windows logged-in user, e.g. Catalin Gavan.
Whatever I try, I always get the administrator user, the one which runs the ApplicationPool.
Here is what I tried:
Request.LogonUserIdentity; // "NT AUTHORITY\\IUSR"
WindowsIdentity.GetCurrent(); // "ADIDEVNET\\administrator"
WindowsIdentity.GetAnonymous();
WindowsIdentity.GetCurrent(true); // null
WindowsIdentity.GetCurrent(false); // "ADIDEVNET\\administrator"
How can I get the current logged-in windows user, from code behind?

Turn on Windows Authentication and that should fix it. Secondly, when you set the identity to administrator in the Advanced Settings, it will always log in as the administrator. Remove the identity from there, as well. A user will "impersonate" the admin account when that is set.
Try these web.config settings.
<system.web>
...
<authentication mode="Windows" />
<authorization>
<deny users="?" /> <!-- may want to remove this if you want to allow anonymous -->
</authorization>
<identity impersonate="false" />
</system.web>

In ASP.NET Web Forms, you should access Page.User, and in ASP.NET MVC or Web API, you should call Controller.User or ApiController.User accordingly. This user identity comes from the request and is set as the thread identity.
WindowsIdentity.GetCurrent returns the process identity, which is obviously the application pool identity you set.
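To compare the request identity with the process identity on a given server, the handler below prints them side by side. It is an added example, not code from the posts above; the class name WhoAmIHandler and its registration as an .ashx handler are assumptions.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical diagnostic handler (the name is an assumption). Register it as
// an .ashx handler for testing and remove it again afterwards.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // Identity of the caller as established by IIS/ASP.NET authentication.
        // This is the identity to base authorization decisions on.
        IIdentity requestUser = context.User != null ? context.User.Identity : null;

        // Fail closed: an anonymous request carries no user name, so refuse it
        // instead of falling back to whatever account the process runs as.
        if (requestUser == null || !requestUser.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.Write("Anonymous request: no Windows user was authenticated.");
            return;
        }

        var sb = new StringBuilder();
        sb.AppendLine("context.User.Identity.Name:   " + requestUser.Name);
        sb.AppendLine("Authentication type:          " + requestUser.AuthenticationType);

        // Windows token that IIS attached to this request.
        sb.AppendLine("Request.LogonUserIdentity:    " + context.Request.LogonUserIdentity.Name);

        // Identity the code executes as: the application pool account,
        // or the impersonated account when impersonation is switched on.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("WindowsIdentity.GetCurrent(): " + current.Name);
        }

        // GetCurrent(true) returns a token only while the thread is impersonating.
        using (WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true))
        {
            sb.AppendLine("Thread is impersonating:      " + (threadToken != null));
        }

        context.Response.Write(sb.ToString());
    }
}
```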

Related

Windows Authentication on ASP.net application

I have a strange issue with asp.net using Windows Authentication. Here is the scenario: I have an ASP.net application using Windows Authentication (NTLM). All my users in Active Directory have access to the web application when they want. The issue is that sometimes some users can't access the system anymore, where they used to have access before. When they put their username#domain and the password in the pop-up login in the browser, the pop-up keeps popping up as if they had put in a wrong username or password. We tried to log in to other services like email and laptop using the same username and password and it works fine, but not with the web application! Any idea how or where to start my investigation? Log files? Something similar? Here is my IIS authentication setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
After many days of investigating the issue, it turned out that the issue was because of an expired password.

How to get windows login username in asp.net with single sign on

I want to get windows login username in asp.net with single sign on
I use Global.asax Session_Start
I tried WindowsIdentity.GetCurrent();
It is working locally but it is not working in IIS. Locally it is DomainName//UserName, but in IIS it is IISAPPPOOL\AppName.
In IIS Authentication => Anonymous Authentication is enabled, ASP.NET Impersonation is disabled, Forms Authentication is disabled. Also, when I change them the application is not working.
My web config is like this
<authentication mode="Windows">
</authentication>
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" />
Thread.CurrentPrincipal.Identity.Name; is null
HttpContext.Current.Request.LogonUserIdentity.Name; is IIS IISAPPPOOL\AppName
Context.User.Identity.Name; is null
System.Security.Principal.WindowsPrincipal p = System.Threading.Thread.CurrentPrincipal as System.Security.Principal.WindowsPrincipal; is null
HttpContext.Current.User.Identity.Name; is null
How can I solve this?
Just disable anonymous authentication and enable windows authentication.
Windows authentication may not be installed. If so, it will not work in any way. Go to server roles on Windows Server or windows features on Windows 7 / 8: complete manual.
I solved it :)
just Configuring IE Trusted Sites with Group Policy Preferences Registry
http://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
thanks

When using Windows Authentication I can't disable impersonation

I have the application pool of a web application set to run as a user called WebUser.
I have the following sections in my web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="false" />
I have created a file called a.txt and given only WebUser permissions on it. If I navigate to this file then I get a 401 error. However if I give my own user account access to this file then I can access it.
So it seems that the application is impersonating my identity. How can I make it run as the application pool user instead?
EDIT: Also - if I enable impersonation and make it impersonate WebUser then I still get a 401 error.
Thanks,
Joe
Ok I solved this by going to the site's advanced settings and changing the Physical Path Credential Logon Type to Interactive. I also had to set Physical Path Credentials to Specific User and enter WebUser's credentials, this stopped it from impersonating the authenticated user when accessing files.
Joe

Setup windows authentication for ASP.NET using local workgroups?

I have a requirement to build Windows authentication for our web applications. We plan to create local work groups (on Windows 2008 Server) to manage users instead of Active Directory. Our reason: it takes months to create groups and move users via AD (and our client would prefer we go this route). Is it possible to set up Windows authentication for an asp.net application and validate the user credentials against the local workgroups? Keep in mind we would try to match their login names to our local workgroups.
You can use AspNetWindowsTokenRoleProvider. This makes ASP.net use the Windows Local groups.
In your web config do something like this.
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
</authorization>
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider"/>
then in your aspx you can check if user exists in role. I placed this in my master page.
' Redirect users who are not members of the "Managers" group.
If Not Roles.IsUserInRole(HttpContext.Current.User.Identity.Name, "Managers") Then
'label1.Text = "You are not authorized to view user roles."
Response.Redirect(Request.ApplicationPath & "\logout.html")
End If
You can read more from this Link from Microsoft http://msdn.microsoft.com/en-us/library/ff647401.aspx
under Using WindowsTokenRoleProvider

ASP.NET active directory authentication User.IsInRole

I developed an ASP.NET Intranet application. Now I was asked to add authentication for the application - it should be based on Active Directory. The user should not fill in any login or password.
From within ASP.NET C# code I should be able to check something like this:
if (User.IsInRole("MyApplicationReaders"))
{
doSomething();
}
else if (User.IsInRole("MyApplicationAdmins"))
{
doSomethingElse();
}
MyApplicationReaders and MyApplicationAdmins are names of Active Directory groups.
Can you please point me to some easy step-by-step tutorial how to achieve this? I failed to find any :-(
Try to search harder.
You have to add to configuration file authentication method:
<authentication mode="Windows" />
And also add authorization rules:
<authorization>
<allow users="DomainName\Bob, DomainName\Mary" />
<allow roles="BUILTIN\Administrators, DomainName\Manager" />
<deny users="*" />
</authorization>
See this page for help.
PS: After you add windows authentication to your app you will be able to check User.IsInRole for authenticated users. But in some browsers your users will be prompted to enter their windows credentials.
You can set IIS to authenticate users automatically, but typically you implement your own authorization scheme. In the past, I have used a database to map my AD accounts to application roles/permissions.
In order to use the IsInRole(), you have to populate the User Principal object. The easiest place to do that is in the Global.asax event BeginRequest. Also take a look at creating a Custom Role Provider.
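The group check from the question can be written so that it denies by default and tests the most privileged group first. This is an added example, not code from the posts above; AccessLevel, AccessPolicy and the constructed principals in Main are assumptions used so the check can run outside IIS.

```csharp
using System;
using System.Security.Principal;

public enum AccessLevel { None, Reader, Admin }

public static class AccessPolicy
{
    // Group names from the question. The web.config example above writes
    // role names domain-qualified (DomainName\Manager).
    public const string AdminGroup = "MyApplicationAdmins";
    public const string ReaderGroup = "MyApplicationReaders";

    public static AccessLevel Resolve(IPrincipal user)
    {
        // Deny by default: a missing or anonymous principal gets nothing.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return AccessLevel.None;

        // Test the most privileged group first; a user who is in both groups
        // would otherwise stop at the reader branch.
        if (user.IsInRole(AdminGroup)) return AccessLevel.Admin;
        if (user.IsInRole(ReaderGroup)) return AccessLevel.Reader;
        return AccessLevel.None;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principals stand in for Page.User / Controller.User.
        var both = new GenericPrincipal(
            new GenericIdentity("DomainName\\Mary", "Negotiate"),
            new[] { AccessPolicy.ReaderGroup, AccessPolicy.AdminGroup });
        var reader = new GenericPrincipal(
            new GenericIdentity("DomainName\\Bob", "Negotiate"),
            new[] { AccessPolicy.ReaderGroup });
        // An empty name makes GenericIdentity report IsAuthenticated == false.
        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Console.WriteLine("both groups: " + AccessPolicy.Resolve(both));
        Console.WriteLine("reader only: " + AccessPolicy.Resolve(reader));
        Console.WriteLine("anonymous:   " + AccessPolicy.Resolve(anonymous));
    }
}
```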
