ASP.NET auth using Windows Authentication for intranet - asp.net

I know this has been asked a lot, but I have not been able to find a working solution.
I'm trying to create an intranet website where I want to use Windows Authentication. But for some reason I can't get authentication to work.
I've searched far and wide on MSDN, Stack Overflow, blogs etc. and tried the proposed solutions - to no avail.
Here's what I'm using:
IIS 10.0.14393.0 (real IIS, not express)
Windows 10 (1607)
.NET Framework 4.6.1
ASP.NET MVC 5.2.3
In Visual Studio I created a new empty ASP.NET Web Application and put a checkmark in MVC. Then I added a very simple (Hello World) controller, model and view.
Finally I added the following (which many people claim to be the right solution) to web.config in the system.web section:
<authentication mode="Windows"/>
<authorization>
  <allow users="DOMAIN\USER"/>
  <deny users="*"/>
</authorization>
In IIS I created a new website, pointed it to the web application folder, and set up a host name which I added to "hosts" file.
Then I enabled the "Windows Authentication" feature under Authentication section.
In Internet Explorer (or Firefox or Chrome for that matter) I navigate to the website, using the route to the controller, and I'm then prompted for credentials. I enter credentials for the domain user, but I'm denied access.
Some people claim that "Anonymous Authentication" in IIS should also be enabled, but for me this doesn't help at all. Same problem.
Also, some people claim that it helps to go to "Providers" for "Windows Authentication" and reorder them to: NTLM, Negotiate. Doesn't change a thing for me.
Then I try to change authorization in web.config to just:
<allow users="*"/>
Doesn't help either.
It's like the auth-thing doesn't talk to AD at all.
Anyone know how to set this up correctly given the described scenario?
UPDATE (dec 8, 2016):
I found a pluralsight video (referenced from the asp.net/mvc website) by Scott Allen, where he explains the different authentication options for MVC5, and when it comes to doing an intranet site with Windows Authentication, it turns out it should be done pretty much like I've described in this question. Only thing is, when I try it out (I used the VS template for MVC and chose Windows Authentication), it only works in IISExpress - not in real IIS (even on same machine and both IISExpress and IIS setup to use Windows Authentication and not allow anonymous). So very frustrating.

You should not use the <authorization> tag in ASP.Net MVC. It is meant for ASP.Net Web Forms, which is based on paths, whereas ASP.Net MVC works with Controllers, Actions and Routes.
In ASP.Net MVC, there are a few ways to authenticate a user via AD. I personally like to use OWIN Middleware.
It has a few pieces, so I created a sample project on GitHub, AspNetMvcActiveDirectoryOwin. You can fork it and test it right away.
The following three are the main classes -
AccountController
ActiveDirectoryService
OwinAuthenticationService
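The controller-level counterpart of the <authorization> rules from the question, for a site that keeps Windows Authentication. This is an added example, not code from the linked GitHub project; the CONTOSO domain, the group and user names, and the controller are placeholders.

```csharp
using System.Web.Mvc;

// App_Start/FilterConfig.cs: deny by default. Every action requires an
// authenticated user unless it explicitly opts out with [AllowAnonymous].
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

// Hypothetical controller; all account and group names are placeholders.
public class ReportsController : Controller
{
    // Any authenticated domain user (enforced by the global filter).
    public ActionResult Index()
    {
        return Content("Hello " + User.Identity.Name);
    }

    // Members of one AD group only; checked through IPrincipal.IsInRole.
    [Authorize(Roles = @"CONTOSO\ReportAdmins")]
    public ActionResult Manage()
    {
        return Content("Admin area");
    }

    // One named account, the MVC equivalent of <allow users="DOMAIN\USER"/>
    // followed by <deny users="*"/>.
    [Authorize(Users = @"CONTOSO\jdoe")]
    public ActionResult Audit()
    {
        return Content("Audit log");
    }

    // Opt-out from the global filter. It is only reachable without
    // credentials if IIS Anonymous Authentication is enabled as well.
    [AllowAnonymous]
    public ActionResult Ping()
    {
        return Content("ok");
    }
}
```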

Related

How to enable Windows Authentication for Asp web app?

Windows Authentication seems super simple, but I am still having trouble. So I decided to create a brand new Asp web app project with the Windows Authentication template. Of course, this works. In the designer, <asp:LoginName runat="server" /> works, and in code-behind User.Identity.Name works.
The only setting I can find is in web.config: <authentication mode="Windows"/>.
Back to my own web app project, I verified that I have the same web.config setting. However, the asp.LoginName tag and the User.Identity property have a blank string, i.e., no user name. Also, when using <deny users="?"/> the page returns a 401.2 Access Denied response.
As I am testing both projects on the same dev machine, both in VS2015, the problem cannot be in settings of IIS Express or VS2015. Also using the same Firefox browser, although I also tried IE.
Is there a project setting in VS2015 that I overlooked?
Update:
I kind of solved this issue by copying all project source files to the brand new Asp web app project. In fact, I was in the process of converting a Web Site project to a Web Application project. I still do not know why I could not get Windows Authentication to work by configuration, but at least I can get going with further development.
However, I am still hoping for an answer . . . :-)
On your Web.config you must add:
<authentication mode="Windows" />
Your server must be a member of AD.
Check:
https://support.microsoft.com/en-us/help/323176/how-to-implement-windows-authentication-and-authorization-in-asp-net
You can write whatever you want in web.config, but if the desired mode of authentication is not enabled in [solution]/.vs/config/applicationhost.config , it will not work. Because the leading dot makes this a hidden path, this config is hard to find. No idea if this is a bug or a feature ...
See also my other question on another test case of this problem: https://stackoverflow.com/a/48806942/1845672

Mixing Forms and Windows Security in ASP.NET

I am having trouble using Mixed Forms Authentication and Windows Security.
I am not too familiar with IIS and security. I found this article today:
https://msdn.microsoft.com/en-us/library/ms972958.aspx#mixedsecurity_topic5
I first started by adding an authentication mode to my web.config file:
<authentication mode="Forms">
<forms loginUrl="~/Login"></forms>
</authentication>
The tutorial above says my loginURL should be WinLogin.aspx, I guess this is where my confusion starts.
As in the tutorial above it states the following:
Using the IIS Manager, right-click the WinLogin.aspx file, click Properties, and then go to the File Security tab to edit the authentication and access control for this single file. Then simply un-check Enable anonymous access and check Integrated Windows authentication.
I don’t see WinLogin.aspx in my IIS Manager.
My question is, do I need to create a site in my IIS Manager and create a WinLogin.aspx file in my project?
I am using MVC, so if I add my project to IIS, do I follow the same steps for WinLogin.aspx but for my Login Controller file? LoginController.cs ? I am very confused on this subject.
Thanks,
According to the tutorial, you'll need two files, WebLogin.aspx and WinLogin.aspx. WinLogin.aspx just exists to test the Integrated Windows Authentication, otherwise users would login via WebLogin.aspx. The tutorial for WinLogin.aspx should be in the source code for the article (linked to at the top of the article).
Instead of WebLogin.aspx, you can provide a route to your MVC login page.

Windows Authentication for ASP.NET MVC 4 - how it works, how to test it

I have never used Windows Authentication for ASP.NET MVC web applications before, but Forms Authentication. Recently, I have had an ASP.NET MVC 4 web application that requires a Windows Authentication implementation for users who are granted to log in my company web server. So, I have some questions regarding Windows Authentication. I am using Visual Studio 2012.
How does Windows Authentication work?
How do I implement Windows Authentication correctly in the web.config file?
How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?
For IIS 8.5 and MVC 4:
How does Windows Authentication work?
In this mode, User.Identity (as in HttpContext.Current.User.Identity) is populated by the underlying web server. This might be IIS Express in the link from @R Kumar demonstrated, or full blown IIS as in the video by @Thomas Benz.
Specifically, User.Identity is a WindowsIdentity object. E.g. the following cast will work:
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
How do I implement Windows Authentication correctly in the web.config file?
<system.web>
<authentication mode="Windows" />
...
How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?
First, change the ASP.NET authorization to exclude the current user. E.g.
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow users="yourdomain\someotheruser" />
    <deny users="*" />
  </authorization>
</system.web>
Second, enable Windows Authentication for your site using IIS Manager. It's under the 'Authentication' feature. And disable anonymous authentication.
Note that older explanations will suggest you make changes under element of your site's web.config. However, recent IIS implementations prevent this for security reasons.
Three, point your browser at the webpage. The browser should ask you to provide credentials, because the current user is not allowed access to the website. Provide the ones that are authorized for the site, and your MVC code should run.
Four, check the user identity. E.g.
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
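A more defensive form of the identity check in step four, as an added example (not code from the answer). The hard cast throws when the request carries no Windows identity, so this hypothetical WhoAmI controller uses `as` and reports the authentication type and group memberships; the controller and action names are assumptions, and it is meant for a test server only.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical diagnostic controller for a test server (added example).
[Authorize]
public class WhoAmIController : Controller
{
    public ActionResult Index()
    {
        // "as" instead of a hard cast: under Forms or OWIN cookie
        // authentication User.Identity is not a WindowsIdentity.
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || identity.IsAnonymous || !identity.IsAuthenticated)
        {
            return new HttpStatusCodeResult(401, "No Windows identity");
        }

        // Group SIDs from the access token, translated to DOMAIN\Group
        // names where the SID can still be resolved.
        var groups = (identity.Groups ?? new IdentityReferenceCollection())
            .Select(sid => TranslateSid(sid))
            .OrderBy(name => name)
            .ToArray();

        return Json(new
        {
            name = identity.Name,                             // DOMAIN\user
            authenticationType = identity.AuthenticationType, // e.g. Negotiate, NTLM or Kerberos
            impersonationLevel = identity.ImpersonationLevel.ToString(),
            groups
        }, JsonRequestBehavior.AllowGet);
    }

    private static string TranslateSid(IdentityReference sid)
    {
        try
        {
            return sid.Translate(typeof(NTAccount)).Value;
        }
        catch (IdentityNotMappedException)
        {
            return sid.Value; // orphaned SID: report it raw
        }
    }
}
```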
I have done this with ASP.NET MVC 1.0. That was a relatively long time ago. I remember the IIS settings being confusing. I just did some checking, and it does not look like things have changed much to ASP.NET MVC 4.0 as far as attributes on the controllers.
For your questions:
How does it work? The following references pretty much sum things up pretty well. Authenticating Users with Windows Authentication (C#) is NOT exactly right for ASP.NET MVC 4.0, but it has some background.
How to Create an Intranet Site Using ASP.NET MVC is for ASP.NET MVC 3.0.
I am too new to post more than two links, so you will have to search MSDN for "AuthorizeAttribute Class" for .NET Framework 4.
What settings for web.config? - I just remember changing one element, "authentication mode".
As far as testing, my Windows OS versions matched better, and my development machine was on the same Windows domain. But if I remember correctly, this just worked. YMMV, but one thing I do remember considering was implementing my own authorization. Maybe that is an avenue for your case, to roll your own, and then switch to Windows authentication in production. But I would suggest a couple of test iterations with a test server if you can set one up on the company domain.
I found out a helpful video that was very useful to me by showing step by step to implement and test Windows authentication for an ASP.NET MVC web site. So, I close this question.
Video from a very kind poster:
How to implement windows authentication in ASP.NET MVC 3 ( Model view controller) application?

Configure ASP.NET application to use two authentication methods?

I am new to ASP.NET development and moreover I am only extending an existing application which I did not create.
I have a working ASP.NET application which uses "Forms authentication" throughout all its pages. I have added a new webservice in a subfolder "webservices\Dummy.asmx". This webservice works fine but because it should be called by an external application which can't authenticate through a form, I need to enable "Integrated Windows Authentication (Basic Authentication or Digest Authentication)" ONLY for the subfolder "webservices".
I tried to configure it in IIS but it did not work.
So that I can set a different authentication method I have to create the folder "webservices" as an "Application". But if I do so then my function stops working with the error "Could not create type 'Dummy'."
Is it possible to have one web application and two authentication methods?
If yes, how is it configured in IIS?
Or what would be the better way if I need ONLY one page (webservice) to use a different authentication than the rest of my application?
Thank you in advance for any information.
Bye
PS: I use Windows 2008 Server and the app runs on .NET Framework 2.0
I tried to configure it in IIS but it did not work. So that I can set a different authentication method I have to create the folder "webservices" as an "Application". But if I do so then my function stops working with the error "Could not create type 'Dummy'."
This is the correct way. Can you explain the problem you are having here ? What is dummy ?
Mixing Forms and Windows Security in ASP.NET: http://msdn.microsoft.com/en-us/library/ms972958.aspx
Web services that live in a larger application often do not need to be protected. If that's acceptable in your scenario, you can use a standard web.config construct to allow anonymous access to the service while still protecting the rest of the application.
Add a location node to the main configuration node that defines the rules for just the web service:
<location path="webservices\Dummy.asmx">
  <system.web>
    <authorization>
      <!-- this overrides the parent app protection rules -->
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Web application to use window domain accounts for authentication

If you have a web application that will run inside a network, it makes sense for it to support windows authentication (active directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.
I guess there are 2 major points I have to tackle:
1. authentication
2. authorization
I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?
Basically, Windows handles everything: you never store usernames or passwords; AD and IIS do all the work for you.
Add this to your web.config:
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
To configure Windows authentication:
1. Start Internet Information Services (IIS).
2. Right-click your application's virtual directory, and then click Properties.
3. Click the Directory Security tab.
4. Under Anonymous access and authentication control, click Edit.
5. Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.
You can then deal with the business or authorization using web.config again. For example:
<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>
Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx
This problem is solved in detail by Mr. Scott Guthrie in
Link 1 and Link 2
I used windows security on some of my internal sites.
Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the sites files though the standard windows security model.
I'm not sure if this is the best practices, but it has always worked well for me.
