Wondering if you can help me here, been battering away at this for days now.
i have an IIS site with windows authentication installed, which is working exactly the way it should do. This particular IIS Server houses approx 6 other sites so i have create a new Site called Helpdeskv6, with Application Pool Helpdeskv6 set to .NET 4 integrated using ApplicationPoolIndentity. We are currently working on a 2008 R2 domain, no windows firewall etc.
So i have now created a A Record that gives it a nice little name for our intranet users, the A record is called helpdesk (FQDN: helpdesk.my.domain). The IIS site is setup with bindings on standard port 80 for both helpdesk and the FQDN. but yet when i try and browse to the A record address it constantly prompts me for username and password. When i enter my details they work but i dont want users to be prompted.
i have ASP.NET Impersonation and Windows Authentiation enabled - Providers are NTLM and Negotiate. ASP Impersonation is Auth User. NTLM Authentication is ticked in my ASP Project Web Property page.
i have tried just enabling and disabling so many different settings, i have used setsnp -S HTTP/helpdesk.my.domain webserver001 and i have used setsmp -S HTTP/helpdesk webserver001 as i have read alot that apparently needs these in but nothing seems to work.
i have never used ASP Auth with a A Record before so i am at a severe loss please help, hope i supplied enough information as i do not want to have users entere their windows authentication constantly it should be auto so i am just fearfull i am missing a trick here as when i browse via netbios name it works but this is not appropriate for our environment
Forgot to close this out,
The issue was becuase the site wasnt being registered as a Intranet site and Auth details where not being transported over.
Related
I'm currently experiencing an issue with some users of an ASP.NET 4.8 Web API application hosted on Windows Server 2012 and IIS. The following properties are not returning that user's correct user name, and instead returning the name of a service account used for this server:
HttpContext.Current.User.Identity.Name
HttpContext.Current.Request.LogonUserIdentity.Name
I have no idea how to begin troubleshooting this - myself and most other users do not experience this issue, but for a handful of users the above does not return the correct username, returning the username of a service account used to remotely connect to the server in question. Forcing a login via a browser private window does rectify the issue, and the application correctly returns the expected username for each of the above properties.
What could be a cause for Windows Authentication not returning the correct user name and what is the best way to troubleshoot an issue like this?
edit: I was able to resolve the issue, see my answer below
After some additional research and troubleshooting, I determined that the users experiencing the issue described above had the service account in question stored in the Windows Credential Manager:
Removing the service account in question allowed them to be authenticated with the Intranet site with their normal Windows domain\username. As #pcalkins suggested, at some point the affected users had used these credentials on their machine, and Chrome, Edge, IE were using that saved credential when authenticating with the Intranet site.
Please check the following steps:
Make sure that windows authentication is enable and Anonymous Authentication is disable for the website.
Enable integrated security in Interner Explorer (Options/Advanced and checkin the "Enable Integrated Windows Authentication" option).
Add your website to Local Intranet zone and select at least "Automatic logon only in Intranet Zone" option under Options/Security Settings/Local intranet/Custom level).
Aake sure the user and application server are in the same domain.
I created an ASP.NET application for an internal purpose, where the domain user accesses a simple web form, fills in the form and submits. The application impersonates the user and sends an email as the logged on domain user to our ticketing system where a ticket is generated from the user who filled out the form. Now, everything works when I test by logging onto the same server that IIS (7.5) is located and submit the form, but when I try to do the same from my desktop (opening browser and pointing to web server), it does not work. After investigating the issue, I discovered that this is likely a double-hop issue (which I confirmed when the exchange admin checked logs after a few failed attempts and found that site was trying to send email as NTAuthority/Anonymous.)
I've combed the web and found a lot of info on this issue, but all I can seem find are articles detailing the issue in relation to earlier versions of IIS (IIS 5 or 6.) I’m using 7.5 so I’m not certain of how the process for resolving this would differ. Could someone who has had this issue on IIS 7.5 post the basic step by step instructions for resolving double-hop as it relates to IIS 7.5 and sending impersonated email to an Exchange server? Something to the effect of, step one – do this, step 2 – do this, etc…
Another question that I have is the following: Many articles that I have read specify setting up a service account for delegation, and then create SPNs...However with IIS 7.5, I have the option of using application pool identities. Would application pool identities work with delegating impersonation, or would a service account be required to fix the issue?
Thanks all!
From your description, it sounds like your ASP.NET application is trying to determine the logged in user by their Windows network login credentials?
If so, all you should need to do is turn off "Enable Anonymous Access" in your IIS site and make sure that "Authenticated Access" has the "Integrated Windows Authentication" turned on. Then IIS should properly query the browser for their login info and the session should use the user's credentials. This assumes a few things about the client browser used and if something other than Internet Explorer is used, then you might also need to turn on one of the other authentication methods so that the other browsers will properly prompt the user for their network login credentials. Sorry I don't have a running IIS 7.5 server at the moment to give you the exact site properties and descriptions to look at. So if you cannot determine it from my description here, hopefully someone else might add on with that or I can try to follow up later if you need.
I am developing an intranet MVC3 application that will be used by both domain and non domain computers.
Everyone has a domain account so whenever a non domain computer is to open the website a windows credentials prompt input box is expected to appear.
If i understand correctly this will be standard browser behavior since they won't pass windows credentials to a website unless they are in the same domain.
The problem however is that whenever i debug on my localhost i am in the same domain as the server(since i am the server obviously). This results in me being "logged in" with my workgroup windows account in stead of my domain account.
What i'm looking for is a way to trigger the prompt box so i can use my domain account to login rather then to get useless access with my workgroup account.
You can use Forms authentication with the ActiveDirectoryMembershipProvider.
Take a look to this tutorial on MSDN: http://msdn.microsoft.com/en-us/library/ms998360.aspx and this post: http://support.microsoft.com/kb/326340/en-us (sorry it's VB code).
Addendum: if you want just to test another user credentials you can use impersonation, just set-up your web.config.
I'm having trouble configuring my ASP.NET web.config and my IIS web site to get the setup I want. Here's what I want at the end of the day:
The application connects to SQL Server using a particular NT ID
The NT ID used to connect to SQL Server is not in the web.config. Or at least its password isn't.
I can use HttpContext.Current.User.Identity.Name (or some other means) to get the NT ID of the real user that is connecting to the application.
If I setup an ASP.NET 3.5 in Visual Studio 2008, this basically is all working locally. But when I deploy to IIS, I can get the first two bullets successfully, but I can't get the third bullet. Identity.Name is null. The way I have it deployed right now is impersonation is set to true in the web.config, and IIS has anonymous access enabled with the anonymous user set to the NT ID I want to connect to the SQL Server.
The connection string I'm using to connect to SQL Server looks like this:
Server=[My Server];Database=[My DB];Trusted_Connection=Yes;
I have tried setting authorization to which was suggested in other posts, but that just makes Internet Explorer pop up a login box.
This is a Windows Server 2003 box running IIS 6.0.
This may very well be a stupid question, and/or duplicate question. But I've done a lot of searching and trial and error and I can't seem to get the magic settings.
By default, the machine\ASPNET account or the NETWORK_SERVICE account, depending on the version of IIS you are using (I'm not sure if IIS 7 is using NETWORK_SERVICE but 6 did). If you want a different account, the impersonation is applied on the configuration file (both user name and password) to run the account as. Now you can encrypt this part of the config section using the aspnet_regiis utility. But you have to supply an account. I don't think you can get away without this that I know of... unless maybe it can be done through IIS.
HTH.
This is called the Double-Hop Problem and prohibits the forwarding of user's credentials to third parties. This occurs when they browse from one machine, against a site on another (first hop), and forwarding the credentials to a third machine (second hop).
The problem will not appear if you host IIS and SQL Server on the same machine.
There's alot more technical details published on this at How to use the System.DirectoryServices namespace in ASP.NET, which explains the double-hop issue, and primary and secondary tokens.
We have an issue for our intranet site that is running in our local network.
In a nutshell, we have integrated Active Directory authentication with our application and what to use IIS integrated authentication to allow users to sign on without entering any credentials.
Assume the AD domain is "domain.name", and the server our application is hosted on is "server-name". We are running in Windows 2008 and the Integrated Authentication role is set up in IIS.
We have managed to make this work for http:||server-name/, however when we enter http:||server-name.domain.name/, users are prompted for their credentials in the standard way and if they cancel, a "401 Unauthorised" message is displayed.
The issue is, that it seems to authenticate when the machine name is accessed, but browsers do not pass over credentials when the fully qualified address is accessed.
Has anyone seen this before? Is there any advice they can shed on the situation? I ask as a programmer who has little experience with network setup and Active Directory.
Thanks
Have a look in IE settings. Tools > Internet Options > Security > Local Intranet > Custom Level. Scroll down to the very last setting "Automatic login only in Intranet zone". By default IE will only automatically pass along windows authenticated credentials to a site it considers "intranet".