When using Windows Authentication I can't disable impersonation - asp.net

I have the application pool of a web application set to run as a user called WebUser.
I have the following sections in my web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="false" />
I have created a file called a.txt and given only WebUser permissions on it. If I navigate to this file then I get a 401 error. However if I give my own user account access to this file then I can access it.
So it seems that the application is impersonating my identity. How can I make it run as the application pool user instead?
EDIT: Also - if I enable impersonation and make it impersonate WebUser then I still get a 401 error.
Thanks,
Joe

Ok I solved this by going to the site's advanced settings and changing the Physical Path Credential Logon Type to Interactive. I also had to set Physical Path Credentials to Specific User and enter WebUser's credentials, this stopped it from impersonating the authenticated user when accessing files.
Joe

Related

Windows Authentication on ASP.net application

I have a strange issue with aps.net which using windows Authentication, here is the scenario, I have APS.net application using the Windows Authentication, NTLM ... all my users on the Active Directory have access to the web application when they want, the issue that sometimes some users can't access to the system anymore, where they used to have access before, when they put their username#domain and the password in the pop-up login in the browser, the pop-up keep popping up like they have put a wrong username or password, we tried to log in to other services like email, laptop, using the same user name and password and it works fine, but not with the web application! any idea how or where to start my investigation? logs file? something similar? here is my IIS authentication setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
After many days of investigating the issue, it turned out that the issue is because of expired password.

WindowsIdentity always returns IIS user

I have an asp.net web application, on which i try to implement Windows authentication.
The application is hosted on IIS, and runs under Administrator account.
In the application, i am trying to get the name of the current windows logged-in user, ex Catalin Gavan.
Whatever i try, i always get the administrator user, the one which runs the ApplicationPool.
Here is what i tried:
Request.LogonUserIdentity); // "NT AUTHORITY\\IUSR"
WindowsIdentity.GetCurrent(); // "ADIDEVNET\\administrator"
WindowsIdentity.GetAnonymous();
WindowsIdentity.GetCurrent(true); // null
WindowsIdentity.GetCurrent(false); // "ADIDEVNET\\administrator"
How can i get the current logged-in windows user, from code behind?
Turn on Windows Authentication and that should fix it. Secondly, when you set the identity to administrator in the Advanced Settings, it will always log in as the administrator. Remove the identity from there, as well. A user will "impersonate" the admin account when that is set.
Try these web.config settings.
<system.web>
...
<authentication mode="Windows" />
<authorization>
<deny users="?" /> <!-- may want to remove this if you want to allow anonymous -->
</authorization>
<identity impersonate="false" />
</system.web>
In ASP.NET Web Forms, you should access Page.User, and in ASP.NET MVC or Web API, you should call Controller.User or ApiController.User accordingly. This user identity comes from the request and is set as the thread identity.
WindowsIdentity.GetCurrent returns the process identity, which is obviously the application pool identity you set.

Why Authorization element in web.config doesn't work with OWIN?

I have created web form application that uses OWIN and Azure AD for authentication as described here or here
I host this application in IIS under Default Web Site so i can access it as http://localhost
Then i added following configuration so that anonymous user cant access resources, except the starting page, ie. default.aspx
<authorization>
<deny users="?" />
</authorization>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Everything is working fine at this point, and user gets authenticated on Azure site and redirected to my application. I see HttpContext.Current.User.Identity.IsAuthenticated is true
then in IIS i created new application (not virtual directory) under Default Web Site, and point it to the physical location which has images. I name the child application "images"
Now AFTER authentication, when i try to access http://localhost/images/image1.jpg i get error
Error message 401.2.:
Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
Why the authentication is not propagated to child application?
The application is pool is running under windows account which is adminsitartor on that machine. I am using Windows 10 and IIS version 10.0.10586.0 nad VS 2013 Update 5

Developing public site using vs 2010, authentication should be?

I'm developing a public web site in vs2010,
can I keep the authentication as windows authentication and just enable anon access
or should I leave it with the default forms authentication.
The site will NOT require any type of logging in mechanism...so really I dont see a point in forms authentication, but most users will not have windows authentication either.
So I am confused, in my asp.net web.config file what authentication do I use for a public website?
I also asked this question which is kind of related: developing site in vs2010 but changed to local IIS and prompts
But I am not having any luck with this :(. The site when using local IIS keeps prompting for a user name and password (See the stackoverflow question I posted above), ive checked the app pools, the security, and the permissions and it still prompts me for a user name and password. It prompts me about 10 times and if I keep cancelling out of it the page comes up but the images are not displayed nor is the CSS rendered. So it looks like it prompts for each image on the site, but all folders inherit from the parent and I've added Network, Network service, ASPNET user, the default app pool user...I dont know what else to do.
So two issues:
1) What do I specify in my web config for a public site
2) How do I get rid of this prompting!
Thanks
You don't need to specify specify any authentication. Just deploy it as is, with the Web.Config out of the box.
<authentication mode="None" />
Go here for more reading.
Because it is prompting you with a login dialog, try using an authorization element in your web.config file with any authentication you like. Use "*" to allow access to all users by default. Refer to this article for more detail.
<authorization>
<allow users="*" />
</authorization>
Your web.config file has two sections that control requests for login. These are
<authentication> ... </authentication>
and
<authorisation> --- </authorization>
Authorization controls who can access what, and Authentication determines how the credentials of a particular user are established to see if they have the correct authorization to access your site.
An example of their usage might be
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="login.aspx" timeout="40320" cookieless="UseCookies" slidingExpiration="true" />
</authentication>
which allows access to all users to the root of my applications and their credentials are determined using forms authentication.
Other parts of your site are allowed to have alternate authorization requirements through the use of a location tag in your web.config
However, neither section is required if no part of your site requires this functionality. However, you should be aware that there other places that this might be determined. There is a file called machine.config that determines the settings for the machine. Your web.config has priority over the machine.config, but if the authorization and authentication settings are made in the machine.config and not in you web.config then the machine.config wins.
Hope that helps. If you can post your web.config that might help us to point you in the right direction.

Add authentication to subfolders without creating a web application

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.
Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).
Is there any way to secure the new section of the site while at the same time utilize the already existing resources?
In your web.config file in the root of your site, if you add:
<location path="relativePathToDir">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This is working for me using FormsAuthentication, the user gets redirected to the default login page if not authenticated
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Remove the application, then add this to the top-level web.config:
<configuration>
<system.web>
<!-- applies application wide -->
</system.web>
<location path="securedirectory" allowOverride="false">
<system.web>
<!-- applies only to the path specified -->
</system.web>
</location>
</configuration>
MSDN Reference

Resources