Confused about Windows authentication.
I tried in the below way.
1) I have created 2 pages Home.aspx and Admin.aspx
2) Created Virtual directory and placed my application in the IIS.
3) Antonymous access is false and Integrated windows security is true.
4) In the web.config file haven given this code.
<authentication mode="Windows"/>
<authorization>
----------------------
</authorization>
5) Created new user under Computer management.
trying with various roles section in tag.
But what ever I am entering as a roles it is not asking the credentials.
seems some where near to roles section in tag is making problem.
please help me out what was the tag need to add for windows authentication.
Thanks in advance for your help.
You must also make sure your URL does not contain dots!
See my answer on: WIndows Authentication not working
Related
I know this has been asked a lot, but I have not been able to find a working solution.
I'm trying to create an intranet website where I want to use Windows Authentication. But for some reason I can't get authentication to work.
I've searched far and wide on MSDN, Stack Overflow, blogs etc. and tried the proposed solutions - to no avail.
Here's what I'm using:
IIS 10.0.14393.0 (real IIS, not express)
Windows 10 (1607)
.NET Framework 4.6.1
ASP.NET MVC 5.2.3
In Visual Studio I created a new empty ASP.NET Web Application and put a checkmark in MVC. Then I added a very simple (Hello World) controller, model and view.
Finally I added the following (which many people claim to be the right solution) to web.config in the system.web section:
<authentication mode="Windows"/>
<authorization>
<allow users="DOMAIN\USER"/>
<deny users="*"/>
</authorization>
In IIS I created a new website, pointed it to the web application folder, and set up a host name which I added to "hosts" file.
Then I enabled the "Windows Authentication" feature under Authentication section.
In Internet Explorer (or Firefox or Chrome for that matter) I navigate to the website, using the route to the controller, and I'm then prompted for credentials. I enter credentials for the domain user, but I'm denied access.
Some people claim that "Anonymous Authentication" in IIS should also be enabled, but for me this doesn't help at all. Same problem.
Also, some people claim that it helps to go to "Providers" for "Windows Authentication" and reorder them to: NTLM, Negotiate. Doesn't change a thing for me.
Then I try to change authorization in web.config to just:
<allow users="*"/>
Doesn't help either.
It's like the auth-thing doesn't talk to AD at all.
Anyone know how to set this up correctly given the described scenario?
UPDATE (dec 8, 2016):
I found a pluralsight video (referenced from the asp.net/mvc website) by Scott Allen, where he explains the different authentication options for MVC5, and when it comes to doing an intranet site with Windows Authentication, it turns out it should be done pretty much like I've described in this question. Only thing is, when I try it out (I used the VS template for MVC and chose Windows Authentication), it only works in IISExpress - not in real IIS (even on same machine and both IISExpress and IIS setup to use Windows Authentication and not allow anonymous). So very frustrating.
You should not use <authorization> tag in ASP.Net MVC. It is meant for ASP.Net Web Form which is based on paths, whereas ASP.Net MVC works with Controllers, Actions and Routes.
In ASP.Net MVC, there are few ways to authenticate user via AD. I personally like to use use OWIN Middleware.
It has few pieces, so I created a sample project in GitHub AspNetMvcActiveDirectoryOwin. You can fork it, and test it right away.
The following three are the main classes -
AccountController
ActiveDirectoryService
OwinAuthenticationService
I'm working on a ASP.NET MVC intranet site that uses windows authentication. My web.config is set up with:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
Access to some parts of the site is also restricted using roles.
My main account is given the site administrator role, meaning that I have access to everything. This is fine for normal testing, but there are certain parts of the site that have more complex restrictions (e.g. user has role administrator or (user has role X and user is assigned to a group Y in the database)).
I've tried running site through Visual Studio, then opening another web browser as a different user, and when I access the site it pops up a windows authentication box but it won't accept any other logins - only when I enter my main account will it allow access. Roles don't have any affect on this, even when I add my second account as a site administrator it's denied access using this method.
^^If you think this is a duplicate of Testing intranet site that uses Windows authentication you didn't read the previous paragraph.^^
What am I doing wrong here? Is there some other method to test using multiple users?
Create a Virtual PC and attach it to your network, then log in as various users and test your site on there. I had the same issue and this did the trick.
Virtual PC download here - https://www.microsoft.com/en-us/download/details.aspx?id=3702
I eventually stumbled on the answer to this. The second user account that you want to test with needs to be given permissions to read the directories where the Visual Studio project is stored. Once that's done, running another browser instance with a different account works fine.
Firstly I just want to say I'm not an ASP developer, I'm PHP through n through...
So my problem is this, all of a sudden a client site has started prompting for users to be logged in when viewing pages in a sub directory, when I download the web.config file I can see the authentication mode set to "Windows" this would appear to be an issue but it was working up until now, so I set it to None and uploaded the file (there isn't a web.config in the sub directory, just the site root) and it continues to prompt me for the login.
Is there something I need to do to "refresh" the server or something? I've looked through the hosting control panel and can't find anything about anonymous access or restarting the server, its on a shared hosting account and the control panel is pretty below average
Any help is greatly appreciated!! I'm in a panic and the hosting company don't have ASP support on hand
Thanks,
Mark
In the folder that you want anonymous access, just use the web.config authorization section to allow anonymous users:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
The * essentially means Everyone so it just saying that for the current directory, everyone is allowed access- you only need this in the web.config...nothing more.
If you are still receiving prompts after this, then the folder itself must have permissions at the operating centre level (NTFS permissions) which do not allow Anonymous access...Although you say the ASP support isn't at hand, I presume you can raise help tickets with them to enable this access?
Edit
I should add that this setting of authorization is different to setting an Authentication scheme (Windows Authentication, Forms Authentication etc). For example, you might have Forms Authentication for your website but specifically want anonymous access to a folder (like this case) so setting your authentication option isn't actually relevant.
When I submit a form to other page in my ASP.NET site, it asks for windows authentication. How do I remove this?
There are two ways to set up windows authentication. One is in IIS and one is in web.config. So basically you need to check that there is no <authentication mode="windows"> tag in your main web.config or in a web.config in the specific folder where the aspx page in question is located. Furthermore you also need to go to the IIS manager (inetmgr) and make sure that windows authentication is not enabled in the folder in question.
If you have a web application that will run inside a network, it makes sense for it to support windows authentication (active directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.
I guess there are 2 major points I have to tackle:
1. authentication
2. authorization
I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?
Basically windows handles everything, you never store usernames or passwords, AD and IIS do all the work for you
add this to your web.config
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
To configure Windows authentication
Start Internet Information Services
(IIS).
Right-click your
application's virtual directory, and
then click Properties.
Click the
Directory Security tab.
Under
Anonymous access and authentication
control, click Edit.
Make sure the
Anonymous access check box is not
selected and that Integrated Windows
authentication is the only selected
check box.
You can then deal with the business or authorization using web.config again. for example
<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>
Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx
This problem is solved in detail by Mr. Scott Guthrie in
Link 1 and Link 2
I used windows security on some of my internal sites.
Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the sites files though the standard windows security model.
I'm not sure if this is the best practices, but it has always worked well for me.