As the title states, I need a way to capture the username on my website so I can find it in the IIS logs. Now, I know how to pass the username in the header, but because the website uses anonymous authentication, it is not being captured in the log.
Is there a way to make this happen?
Since you are on an intranet, you can do this in IIS. Find your site, choose the IIS "Authentication" config icon, disable Anonymous and enable Windows Authentication.
The authentication will appear seamless to intranet users, as long as they are already authenticated to your domain. If not, it will require authentication (which helps confirm that they are who they say they are).
I have tried my best to search the web before asking this question. I've seen similar questions on stackoverflow, however, none has been answered satisfactorily for a long time now. This is one more attempt to get this recurring question answered.
The Problem
How to build an ASP.NET MVC 5 website which uses "Windows Auth" for Intranet users and "Forms Auth" for Internet users? We'd like to accomplish this using ASP.NET Identity. Moreover, we don't want to use Active Directory Groups for authorization. For Intranet users, we want to authenticate them using Active Directory and then fall back to ASP.NET Identity to manage their roles and other profile data.
It'll be nice if we don't ask the end user to choose auth method. The web app should log in intranet users seamlessly. They shouldn't even know that there is a login screen. Likewise, the internet users shouldn't be asked to enter their domain credentials. They should see form based login screen right away.
Is there any recommended way of solving this? Or could you comment if any of the following are proper solutions?
http://world.episerver.com/blogs/Dan-Matthews/Dates/2014/8/Mixing-Forms-and-Windows-Authentication/
https://github.com/MohammadYounes/MVC5-MixedAuth
http://mvolo.com/iis-70-twolevel-authentication-with-forms-authentication-and-windows-authentication/
FYI This is 2004 article, may not be helpful now:
https://msdn.microsoft.com/en-us/library/ms972958.aspx
IIS configuration
Enable Anonymous Authentication status in IIS for the whole site and Windows Authentication for some folder under root directory (for example, /WindowsLogin). In this folder place aspx file (for WebForms project) or create ApiController (for MVC project).
Site setup
On login page add button “Login with Windows/ActiveDirectory account” (in similar way as it is common practice to add buttons Login with Twitter, Facebook, Gmail, etc.). When user presses this button, they will be redirected to the page or controller in /WindowsLogin folder, which require Windows authentication. If site uses some Single Sign-On functionality, locate it in that page or controller, in other case just save Session for Windows users there. If user accessed that page or controller, they had been authenticated as Windows users already.
One of the possible ways could be creating two sites in IIS, but having the same target folder, where sources of site are located. First site is for internal users with enabled Windows Authentication mode and binding to 80 port, while second site is for external users with Anonymous mode enabled and binding to 8080 port, for example. Then, on firewall you will have to configure NAT, that all requests coming from within local network or VPN, will be redirected to local IIS server on port 80 and all requests coming from Internet, will be redirected to port 8080 of IIS server.
The term for this is Mixed-Mode Authentication. I have done this multiple times. You only need to tweak your main site. Here is how I have done it.
Keep your main MVC site as-is but run it as Anonymous vs. under Windows Auth.
Internal Site
Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your MVC Site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
Are you wanting to handle forms and AD authentication from one URL? I have used thinktecture (claims based auth) as the framework for WIF and marshaling various forms of authentication. However to handle if from one URL I had to handle some logic at login that associated the user to AD or Forms based. In a more recent project, this was handled at user management when we created the user account (it was associated to AD of Forms Auth). Then when the user logged in they would preface the AD domain name as part of the login. There are a number of ways to implement this, this was just one I have used. An example, instead of requiring the domain, just use the username, then check for AD or forms based flags on the username and then handle authentication accordingly
EDIT
Just an update in re-reading your question. Are the internet users and intranet users the same? If so you need to just go forms based auth across the board and manage the users in the product DB independent of AD. If they are the same then they could login prefacing the domain name to username. if you wanted to rely solely on AD.
I did a proof of concept of this some time ago, at my previous job, so the details are hazy and I don't have any code to refer to...
The requirements were:
Single URL for internal (LAN) and external (internet) access
Two types of users, people on the domain and external (non-AD) users
Windows authentication for domain users both internally and externally
The ability to enter domain logon details when using iPads (no windows auth)
The core idea in the solution I came up with was that we used Active Directory Group Policy to add a custom string to http request header user agent, the content doesn't matter, in fact we used a long random string of characters.
https://technet.microsoft.com/en-us/library/cc770379.aspx
Then the landing page for the site checks for this, and if found redirects to a virtual directory, with windows auth, that checked their AD account, populated the ASP.NET authentication token and then redirected them to their home page.
If the custom header isn't there then it just displayed the normal login form.
The only other thing was to add an AD email/password check to the normal login form so that if a domain user accessed the site from a non-windows device (iPad) then they could use their normal login details.
Why not put your website code on the server, robocopy it to two separate websites and just handle the changes in authentication by configuring the web.config. (one would be setup with anonymous and one with windows authentication.)
It's not as snazzy as other methods but it's relatively painless. There are two sites but the content (except for the web.config) are identical.
I am developing an intranet MVC3 application that will be used by both domain and non domain computers.
Everyone has a domain account so whenever a non domain computer is to open the website a windows credentials prompt input box is expected to appear.
If i understand correctly this will be standard browser behavior since they won't pass windows credentials to a website unless they are in the same domain.
The problem however is that whenever i debug on my localhost i am in the same domain as the server(since i am the server obviously). This results in me being "logged in" with my workgroup windows account in stead of my domain account.
What i'm looking for is a way to trigger the prompt box so i can use my domain account to login rather then to get useless access with my workgroup account.
You can use Forms authentication with the ActiveDirectoryMembershipProvider.
Take a look to this tutorial on MSDN: http://msdn.microsoft.com/en-us/library/ms998360.aspx and this post: http://support.microsoft.com/kb/326340/en-us (sorry it's VB code).
Addendum: if you want just to test another user credentials you can use impersonation, just set-up your web.config.
We have been running an ASP application in local intranet using IIS7 and now have requirement to get Client computer name and logged user name, so that we can show his home page according to his setting. I did search on internet but did not find any solution yet. I also tried using LOGON_USER server variables but it works fine when I run using localhost but not when use IP Address (Return blank value). I also enabled window authentication and disabled anonymous but I prompt for user name and password even I did not set user name and password.
You will not be able to determine the computername directly. You will need to perform a reverse DNS lookup on the client's IP. Check out the link below from ASP101 to accomplishing this in ASP classic.
As far as the username, you will need to enable authentication in IIS otherwise all incoming requests will be anonymous. If you are running in a trusted environment, setup IIS for "Integrated Windows Authentication". This will allow the client's current user information to be used to authenticate to your website without a userid/password prompt. Note that integrated authentication is not part of the default IIS7 install.
Good luck.
ASP based Reverse DNS Lookup
http://www.asp101.com/articles/jason/reversedns/default.asp
Integrated Windows Authentication in IIS6 and IIS7
http://blogs.iis.net/nitashav/archive/2010/03/12/iis6-0-ui-vs-iis7-x-ui-series-integrated-windows-authentication.aspx
You can also achieve this by using WMI, however the remote computer and logged on user must be part of a domain that you have the administration credentials for. You will also need to use reverse DNS to find out the computer name, which #jking89 has given a great reference to above. Take a look at the WMI Win32_ComputerSystem class, here http://msdn.microsoft.com/en-us/library/aa394102(VS.85).aspx. Hope this helps as an alternate solution.
We have an issue for our intranet site that is running in our local network.
In a nutshell, we have integrated Active Directory authentication with our application and what to use IIS integrated authentication to allow users to sign on without entering any credentials.
Assume the AD domain is "domain.name", and the server our application is hosted on is "server-name". We are running in Windows 2008 and the Integrated Authentication role is set up in IIS.
We have managed to make this work for http:||server-name/, however when we enter http:||server-name.domain.name/, users are prompted for their credentials in the standard way and if they cancel, a "401 Unauthorised" message is displayed.
The issue is, that it seems to authenticate when the machine name is accessed, but browsers do not pass over credentials when the fully qualified address is accessed.
Has anyone seen this before? Is there any advice they can shed on the situation? I ask as a programmer who has little experience with network setup and Active Directory.
Thanks
Have a look in IE settings. Tools > Internet Options > Security > Local Intranet > Custom Level. Scroll down to the very last setting "Automatic login only in Intranet zone". By default IE will only automatically pass along windows authenticated credentials to a site it considers "intranet".