We are creating an intranet site and want to use SSO. The problem is however, that Internet Explorer (11) keeps asking for credentials. By specifying the username and password we are able to access it. Then the intranet application can be used without a problem. When Internet Explorer is closed however it asks for credentials again. The problem occurs on the testing machine (running in a domain) and also on my laptop at home which I also use to develop on. I access the test server with Remote Desktop and then test the site on the same machine as it is running on, which is Windows 2012R2 running IIS 8.5.
On the test server the application (ASP.NET MVC with SignalR and WebAPI) is using a URL that will not be automatically recognized as an intranet site although it is in the same IP range. Therefore I have added the site explicitely to the intranet zone in the settings of IE.
When I then right click on the site and request the properties I can see it is in the intranet zone. This is for as far as I could find the solution in these situations but for us there is something else going on.
This is the system.web section of web.config:
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
In IIS I have tried enabling both Windows Authentication and Digest and also just one of those. The other authentication options are disabled, including Anonymous Authentication.
I also added the site to the trusted zone which did not help. Also changed the zone settings (for intranet and trusted) to do "Automatic logon on with the current username and password" but that didn't help either (I don't understand the setting Automatic logon only in Intranet zone though, because it seems a zone specific duplicate setting of the afore mentioned setting but ok). I also checked the advanced settings to be sure that Integrated Windows Security is enabled.
At the moment we're completely out of ideas.
Two more to your checklist:
make sure you have disabled anonymous authentication
make sure the domain controller is accessible from both the client PC and the IIS hosting the web app. Chances are the domain controller doesn't recognize the application server as coming from the same domain.
http://www.wiktorzychla.com/2012/06/iis-75-integrated-security-with-no.html
I have set the Full control to "Domain Users" in the Security Tab (NTFS permissions) of my Application Folder. Which resolved the problem in IE 11 but chrome is continuously asking for User name and password.
Related
I'm working on a ASP.NET MVC intranet site that uses windows authentication. My web.config is set up with:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
Access to some parts of the site is also restricted using roles.
My main account is given the site administrator role, meaning that I have access to everything. This is fine for normal testing, but there are certain parts of the site that have more complex restrictions (e.g. user has role administrator or (user has role X and user is assigned to a group Y in the database)).
I've tried running site through Visual Studio, then opening another web browser as a different user, and when I access the site it pops up a windows authentication box but it won't accept any other logins - only when I enter my main account will it allow access. Roles don't have any affect on this, even when I add my second account as a site administrator it's denied access using this method.
^^If you think this is a duplicate of Testing intranet site that uses Windows authentication you didn't read the previous paragraph.^^
What am I doing wrong here? Is there some other method to test using multiple users?
Create a Virtual PC and attach it to your network, then log in as various users and test your site on there. I had the same issue and this did the trick.
Virtual PC download here - https://www.microsoft.com/en-us/download/details.aspx?id=3702
I eventually stumbled on the answer to this. The second user account that you want to test with needs to be given permissions to read the directories where the Visual Studio project is stored. Once that's done, running another browser instance with a different account works fine.
I've been trying to resolve this question for a couple weeks now via Google and reading SO, and not had much luck, so I thought I'd finally try asking myself.
I'm setting up a very, very simple ASP.NET site on our intranet to generate some information for internal users. I'm using Windows authentication, rather than anonymous access, because based on what user hits the site I will be generating different information.
Long story short, this works perfectly in testing on my local Windows 7 machine where I developed the application. However, from the Windows 2008 R2 server where I want it to reside, when I hit the site I get a pop-up asking for my credentials, and even if I enter them it asks me for them again and again. This happens regardless if I'm hitting the site remotely or locally. If I try using anonymous access I can reach the site both ways but as I cannot identify the user I cannot generate the information I would like to provide.
Notes:
In IIS, I have Windows Authentication and ASP.NET Impersonation
enabled for the site. Everything else is disabled.
For the sake of figuring it out, I currently have the web.config set to allow all users and am not denying any.
The host/URL I'm using for it is toolName.organization.local
I was concerned that it was an issue of the 2008 R2 server admin user residing in a different domain then my remote user that I was testing with but again it does not work locally either.
In the AppHost file, I currently have windowsAuthentication enabled.
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
Admittedly, I typically use forms authentication on this server for all of our other internal sites so I'm a bit new to windows authentication and this issue. At this point I'm just not sure what to try or check next, so any advice would be helpful. Thanks.
I know this is a slightly old topic, but I had this exact same problem. Turns out I had the AppPool using Identity: ApplicationPoolIdentity instead of NetworkService. Once I switched that (under Advanced Settings in IIS7.5) I no longer got the server prompting for additional credentials and the pass-through worked perfectly.
Hope that helps!
First, you should realize that Windows passthrough authentication only works with Internet Explorer, and then only if the site is in the trusted sites, or intranet sites security group. Firefox, Chrome, etc.. will always prompt for credentials.
Having said that, you have a couple of issues.
You should have an <authentication mode="Windows" /> element in your web.config
You should decide if you want the app to run in the context of the user, in which case you would also need an <identity impersonate="true"/> tag. If not it should be false (although this is the default).
You do not need to have any authorization rules in your web.config if the site itself is completely guarded by windows authentication.
Just in case it's helpful, the problem for me was that I had left my application pool in Classic mode, in order to try to use NTFS permissions. I never got that to work, but once I switched it back to Integrated mode, I could use <allow> and <deny> tags to configure specific users' access.
I have setup an ASP.NET MVC3 website using Windows Authentication and am getting a 401.1. The error code is 0x8009030e on the 401 page. Users should be able to access the site using their domain credentials.
I don't get the error if I logon to the machine and hit the website via localhost (http://localhost/mysite). However, even logged onto the server, if I hit the website through the server name (ie http://machinename.com/mysite) I still get the error.
The website uses it's own .net 4.0 app pool and using integrated mode. The site is configured for Windows Authentication only in the config.
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
...and in IIS. I don't have extended properties configured, and have enabled kernel-mode authentication (both are the default). I've tried toggling "IIS Manager Permissions" without any luck.
Any ideas?
I had to do two things to get this working properly:
Make the app pool use "Classic" instead of "Integrated" mode. After making, the change I was getting a 403.x error.
I solved the 403.x error by granting (Read/Execute) NTFS permissions to the "Domain Users" group.
I have asp.net application which is running great but I installed same application on new server when I run my application browser shows “You are not authorized to view this Page”. When I add my application link in trusted site it work properly without any error message.
I am scared why my application behaves differently for that particular server.
Please suggest possible solution to avoid above mentioned problem.
The most obvious thing that springs to mind is that you are on a network with a domain account. The site you are accessing, for one reason or another, is not being picked up as local intranet and so, by default, your browser is not forwarding your domain credentials to the remote site.
Once you add it to the trusted sites, it will.
Can you have a look at the bottom right of your browser (assuming IE here) and tell me what "zone" it says (local intranet, internet, etc) when accessing the remote server. If it doesn't say "Local Intranet" it may be the cause.
Are you accessing this server by IP address? This will always fail to resolve as "Local Intranet".
Thanks very much for your reply. When we try to access application by using IP Address
a logon dialog box is presented to enter credentials and browser's status bar shows "Local Intranet" zone.
In our web.config file we have given form authentication as follows
<authentication mode="Forms">
<forms name="OurApplication" loginUrl="login.aspx"/>
</authentication>
<authorization>
<allow users="*"/>
<!-- Allow all users -->
</authorization>
In the IIS authentication section under directory security tab following setting is applied.
Enable Anonymous Access is true
Integrated Windows Authentication is true.
With the above settings same application is working fine on DR and UAT Servers but not on the production server.
Please tell me the way to avoid the logon dialog box.
Best Regards,
Neil
If you have a web application that will run inside a network, it makes sense for it to support windows authentication (active directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.
I guess there are 2 major points I have to tackle:
1. authentication
2. authorization
I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?
Basically windows handles everything, you never store usernames or passwords, AD and IIS do all the work for you
add this to your web.config
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
To configure Windows authentication
Start Internet Information Services
(IIS).
Right-click your
application's virtual directory, and
then click Properties.
Click the
Directory Security tab.
Under
Anonymous access and authentication
control, click Edit.
Make sure the
Anonymous access check box is not
selected and that Integrated Windows
authentication is the only selected
check box.
You can then deal with the business or authorization using web.config again. for example
<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>
Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx
This problem is solved in detail by Mr. Scott Guthrie in
Link 1 and Link 2
I used windows security on some of my internal sites.
Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the sites files though the standard windows security model.
I'm not sure if this is the best practices, but it has always worked well for me.