I am having an odd issue. I am using the newest MVC5 in Visual Studio 2013. I am trying to create a site that hosts an anonymous API as well as an Admin dashboard that requires intranet domain credentials through Windows Authentication. Everything works when running through IIS Express like I expect but not when hosted in real IIS.
When hosted in real IIS it gives me a logon box like I expect for the Admin portion but it doesn't take my logon and keeps prompting me. I know it is the right username and password for sure. Any idea why this is happening?
I have Windows Authentication installed in Windows Features and turned on in IIS for the site and all that.
Below is my setup:
[Authorize]
public class DashboardController : Controller

<add key="EnableSimpleMembership" value="false" />

<system.web>
  <authentication mode="Windows"/>
  <authorization>
    <allow users="?" />
  </authorization>
</system.web>

<location path="gsapi">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true"/>
        <windowsAuthentication enabled="true"/>
      </authentication>
    </security>
  </system.webServer>
</location>

<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer>
There is a security feature that tries to intercept reflection attacks on your server. These attacks are basically a "man in the middle" attack where the attacker performs a challenge-response protocol to the two participating systems that are attempting to authenticate.
When your server is using hostnames mapped to the loopback address, the security feature that is trying to protect you against these attacks is not able to tell legitimate requests from fraudulent ones. The symptom is that all challenge response attempts will fail.
Your choices are to specify host names in your registry or to disable the loopback check (not recommended).
The KB article that was linked in the comments gives specific instructions on what changes to make to work around this problem:
http://support.microsoft.com/kb/896861
-- EDIT 8/31/2022 --
The original MSKB URL has expired by now, but fortunately, it was archived before that happened:
https://web.archive.org/web/20140212102642/http://support.microsoft.com/kb/896861
It reads:
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
There are two methods to work around this issue, use one of the following methods, as appropriate for your situation.
Method 1: Specify host names (Preferred method if NTLM authentication is desired)
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
Set the DisableStrictNameChecking registry entry to 1.
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service.
Method 2: Disable the loopback check (less-recommended method)
The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.
To set the DisableLoopbackCheck registry key, follow these steps:
Set the DisableStrictNameChecking registry entry to 1.
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Quit Registry Editor, and then restart your computer.
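The registry steps of Method 1 above, done with PowerShell instead of regedit, as an added example that is not part of the KB article or of any answer here. The host names are placeholders, the script assumes an elevated PowerShell session on the IIS machine, and it also reports whether the less-recommended Method 2 switch (DisableLoopbackCheck) is already in effect, since that disables the protection for every name rather than just the listed ones.

```powershell
# Added example (not from the KB or the answers): Method 1, BackConnectionHostNames.
# Host names below are placeholders; run in an elevated PowerShell session.
param(
    [string[]]$HostNames = @('intranet.example.local', 'admin.example.local')  # placeholders
)

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Merge with any names already present so an earlier entry is not clobbered.
$existing = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged   = @($existing) + $HostNames | Where-Object { $_ } | Sort-Object -Unique

# REG_MULTI_SZ value, created if absent, otherwise overwritten in place (-Force).
New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null

# Method 2 turns the loopback check off globally; flag it if someone already set it.
$loop = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($loop -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set: the loopback protection is disabled for every host name.'
}

# The KB says to restart IISAdmin; on IIS 7+ that service only exists with the
# IIS 6 compatibility components, so fall back to iisreset when it is absent.
if (Get-Service -Name IISADMIN -ErrorAction SilentlyContinue) {
    Restart-Service -Name IISADMIN -ErrorAction Stop
} else {
    iisreset | Out-Null
}
"BackConnectionHostNames now: $($merged -join ', ')"
```

Only names that resolve to the local machine belong in the list; the value is consulted by MSV1_0 on the server side, so no client change is needed.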
Related
I installed version 6.3.0 of the Bonobo server on a Windows 2008 R2 box. I followed the instructions and all was well with the out-of-the-box settings.
Now, I wanted to enable Windows Authentication. The goal is that the developers don't have to enter a password when they access the remote repository.
I started with this article. Firstly, I am not sure about the sequence of making the changes. Should it be done before running it the first time? Or after? It's not clear. Anyway, I did it both ways, and in both cases it doesn't work.
Scenario 1: Left everything out-of-the-box, I added myself as a user. After I made the web.config change I was still presented with the login page, and when I typed the password, I was redirected back to the login page.
Scenario 2: I shut down IIS, I made all the changes, and before restarting IIS, I updated the web.config as per the windows authentication article. I also disabled Anonymous Access and enabled Windows Authentication. After I restarted IIS, when I tried to access it, I got:
The request filtering module is configured to deny a request where the query string is too long. I fixed this by adding: maxQueryString="32768" to the requestLimits tag.
Now I get ERR_TOO_MANY_REDIRECTS when I try to access the root page.
The documentation is not clear on how you have to configure this thing for windows authentication. It looks to me that you need to leave the out-of-the-box settings, define your users, make sure one of them is admin, then change the setting to windows authentication. As soon as you turn on the windows authentication the admin user can't be used. I assume the server is trying to find the current user in its own database.
One other thing, if you turn on windows authentication in the web.config, do you need to enable the Windows Authentication in the IIS Authentication for the app and turn anonymous access off? I would think so, but the documentation doesn't specify anything. What happens if I am logged in with an account on different domain than the box with the bonobo server?
Is there someone that can clarify what has to be done exactly to get the windows authentication running?
Thanks
I hope you have solved the problem in the meantime.
If not, change "AuthenticationProvider" to "Windows" and "MembershipService" to "ActiveDirectory".
Check your Web.config to see that the following is uncommented:
<appSettings>
  ...
  <add key="AuthenticationProvider" value="Windows" />
  <add key="MembershipService" value="ActiveDirectory" />
  ...
  <add key="ActiveDirectoryDefaultDomain" value="<your.domain>" />
  <add key="ActiveDirectoryBackendPath" value="~\App_Data\ADBackend" />
  <add key="ActiveDirectoryMemberGroupName" value="Developer" />
  <add key="ActiveDirectoryTeamMapping" value="Developers=Developer" />
  <add key="ActiveDirectoryRoleMapping" value="Administrator=Developer" />
  ...
</appSettings>
...
<system.web>
  ...
  <authentication mode="Windows" />
  ...
</system.web>
I am getting the below error when I try to run my website.
The website is hosted on Windows 2012 R2.
Config error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Error Code : 0x80070021
Config Source:
60: <httpErrors errorMode="Detailed" />
61: <handlers>
62: <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
Below is everything I have tried:
Installed .NET 3.5 using "Add roles and features" in IIS.
In the applicationHost file I have made the following changes:
Changed the overrideModeDefault of the sections handlers, modules, anonymousAuthentication, basicAuthentication, etc. from "Deny" to "Allow".
Have done "HTTP Activation" in .Net 3.5 as well as 4.5.
Below is the handler code from my web.config file:
<handlers>
  <remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
  <remove name="OPTIONSVerbHandler"/>
  <remove name="TRACEVerbHandler"/>
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0"/>
</handlers>
Installed all the features in features windows in this path:
Internet Information Service --> World Wide Web Services --> Application development features --> All but CGI have been enabled.
In Feature Delegation, ASP was Read Only earlier; I have changed it to Read/Write.
Unlocked handlers using the command prompt.
But I am still unable to get rid of the error.
My local instance is working perfectly fine. Also, I have a development server on which this website is working, only in my production server I am getting this error.
Please help me to find out what might be causing this problem.
Follow the below steps to unlock the handlers at the parent level:
1) In the Connections tree (in IIS), go to your server node and then to your website.
2) For the website, in the right window you will see Configuration Editor under Management.
3) Double click on Configuration Editor.
4) In the window that opens, at the top you will find a drop-down for sections. Choose "system.webServer/handlers" from the drop-down.
5) On the right side, there is another drop-down. Choose "ApplicationHost.Config".
6) In the rightmost pane, you will find "Unlock Section" under the "Section" heading. Click on that.
7) Once the handlers section in applicationHost is unlocked, your website should run fine.
Here's what worked for me; I had a similar problem on my new laptop, which had Windows 10.
Search for "Turn windows features on or off"
Check "Internet Information Services"
Check "World Wide Web Services"
Check "Application Development Features"
Enable all items under this
Try again; now it should work.
Most IIS sections are locked by default, but you can "unlock" them by setting the attribute overrideModeDefault from "Deny" to "Allow" for the relevant section group, by modifying the ApplicationHost.config file located in %windir%\system32\inetsrv\config in Administrator mode.
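The lock state that the Configuration Editor steps above change, and that the overrideModeDefault attribute just described controls, can be read and changed from PowerShell too. The script below is an added example, not code from any of the answers: it parses applicationHost.config, reports the overrideModeDefault of the section named in the 0x80070021 error (and any `<location overrideMode="Deny">` that also locks it), and unlocks it with appcmd, which is the same operation as "Unlock Section" in the editor. It assumes an elevated session and the default config path.

```powershell
# Added example, not from any of the answers above. Run elevated.
param(
    [string]$Section    = 'system.webServer/handlers',
    [string]$ConfigPath = "$env:windir\system32\inetsrv\config\applicationHost.config"
)

[xml]$cfg = Get-Content -Path $ConfigPath -Raw

# Walk <configSections>: every path segment but the last is a <sectionGroup>,
# the last one is the <section> element that carries overrideModeDefault.
$parts = $Section -split '/'
$node  = $cfg.configuration.configSections
if ($parts.Count -gt 1) {
    foreach ($group in $parts[0..($parts.Count - 2)]) {
        $node = $node.sectionGroup | Where-Object { $_.GetAttribute('name') -eq $group }
    }
}
$node = $node.section | Where-Object { $_.GetAttribute('name') -eq $parts[-1] }
if (-not $node) { throw "Section '$Section' not found in $ConfigPath" }

$mode = $node.GetAttribute('overrideModeDefault')
if (-not $mode) { $mode = 'Allow' }   # attribute absent means Allow
"$Section overrideModeDefault = $mode"

# A <location overrideMode="Deny"> containing the section locks it as well,
# even when the default is Allow, so list those too.
$cfg.configuration.location |
    Where-Object { $_.GetAttribute('overrideMode') -eq 'Deny' -and $_.InnerXml -match "<$($parts[-1])\b" } |
    ForEach-Object { "also locked for path '$($_.GetAttribute('path'))' by overrideMode=Deny" }

if ($mode -eq 'Deny') {
    # Keep a copy of the server-wide file before appcmd rewrites it.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
    & "$env:windir\system32\inetsrv\appcmd.exe" unlock config "/section:$Section"
}
```

Unlocking a section lets every web.config under the server override it, so unlock only the sections an application actually needs (here handlers) rather than whole section groups.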
I came across this thread and solved the issue with the steps below. My problem may be different. Hope this can help someone.
In Turn Windows features on or off, navigate to Server Roles and select at least the items mentioned below.
Cheers!
I had an applicationhost.config inside my project folder. It seems IIS Express uses this one, even though it displays a different file in my C:\Users folder:
.vs\config\applicationhost.config
When I tried these steps I kept getting an error:
Search for "Turn windows features on or off"
Check "Internet Information Services"
Check "World Wide Web Services"
Check "Application Development Features"
Enable all items under this
Then I looked at Event Viewer and saw this error: Unable to install counter strings because the SYSTEM\CurrentControlSet\Services\ASP.NET_64\Performance key could not be opened or accessed. The first DWORD in the Data section contains the Win32 error code.
To fix the issue I manually created the following entry in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ASP.NET_64\Performance
and followed these steps:
Search for "Turn windows features on or off"
Check "Internet Information Services"
Check "World Wide Web Services"
Check "Application Development Features"
Enable all items under this
I think the better way is to remove your configuration from your web.config. Publish your code on the server and do what you want directly from the IIS server interface.
Thanks to this method, if you successfully do what you want, you just have to get the web.config and compare the differences. After that you just have to post the solution in this post :-P.
Below is what worked for me:
In IIS, click on the root node "LAPTOP ____**".
From the options shown in the middle pane, click on Configuration Editor at the bottom.
In the top drop-down select "system.webServer/handlers".
In the right window, under Section, click Unlock Section.
Click on your project properties, go to the Web section, and under Servers change from IIS Express to Local IIS; it will create a virtual directory for you.
My projects folder is on a network drive, and I'm running Windows 8.1. If I create a brand new web site in Visual Studio 2013 that consists entirely of a single static file, test.js, and launch it using the IIS Express 8.5 that came with visual studio, I am able to view the contents of that file in my browser.
But, if I then go into Web.Config and turn on Windows Authentication using the code below, that same path now becomes a 404.0 error.
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="false"/>
      <windowsAuthentication enabled="true"/>
    </authentication>
  </security>
</system.webServer>
If, however, I follow this same procedure on a local path, it works just fine. It also works if I open the site in Visual Studio 2010 and run it with the ASP.NET Development Server.
Since it is Windows 8, which prevents other users (and by extension anything running as Administrator) from seeing my network drives, one possibility that occurred to me was that IIS might elevate itself when I turn on Windows Auth, but according to the task manager the IIS worker process is still running as me.
So far, I have tried:
Switching to a "Classic" app pool so that I can turn on <identity impersonate="true"/>. (had no effect)
Changing the physicalPath of the <virtualDirectory/> to the UNC path of the share. (changes the error to 401.3, not authorized)
Giving Everyone full control of the folder on the file server. (had no effect)
Changing the default <processModel /> so the app pools run as me. (no effect)
One thing that has worked is giving "Everyone" access to the share itself, but for obvious security reasons I can't leave it like that. This also only solves the problem with physicalPath set to the UNC path (which Visual Studio likes to overwrite).
How can I get Windows Authentication to work on IIS Express without it trying to access my networked files as a different user?
Is your computer a member of a domain? Perhaps it's your browser set to autologin using windows credentials for all intranet sites. You can turn this off in Internet explorer and force it to prompt for the user id and password. In internet explorer go to tools, internet options, security, click Local Intranet, then click the Custom Level button at the bottom. Scroll all the way to the bottom of the settings list and change the Logon option from Automatic Logon to Prompt for user name and password. Then it should prompt for login the next time you go, and login using an account you know has access.
We are creating an intranet site and want to use SSO. The problem is however, that Internet Explorer (11) keeps asking for credentials. By specifying the username and password we are able to access it. Then the intranet application can be used without a problem. When Internet Explorer is closed however it asks for credentials again. The problem occurs on the testing machine (running in a domain) and also on my laptop at home which I also use to develop on. I access the test server with Remote Desktop and then test the site on the same machine as it is running on, which is Windows 2012R2 running IIS 8.5.
On the test server the application (ASP.NET MVC with SignalR and WebAPI) is using a URL that will not be automatically recognized as an intranet site although it is in the same IP range. Therefore I have added the site explicitly to the intranet zone in the settings of IE.
When I then right click on the site and request the properties I can see it is in the intranet zone. This is for as far as I could find the solution in these situations but for us there is something else going on.
This is the system.web section of web.config:
<system.web>
  <compilation debug="true" targetFramework="4.5.1" />
  <httpRuntime targetFramework="4.5" />
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
In IIS I have tried enabling both Windows Authentication and Digest and also just one of those. The other authentication options are disabled, including Anonymous Authentication.
I also added the site to the trusted zone, which did not help. I also changed the zone settings (for intranet and trusted) to "Automatic logon with the current username and password", but that didn't help either (I don't understand the setting "Automatic logon only in Intranet zone" though, because it seems a zone-specific duplicate of the aforementioned setting, but ok). I also checked the advanced settings to be sure that Integrated Windows Security is enabled.
At the moment we're completely out of ideas.
Two more for your checklist:
Make sure you have disabled anonymous authentication.
Make sure the domain controller is accessible from both the client PC and the IIS server hosting the web app. Chances are the domain controller doesn't recognize the application server as coming from the same domain.
http://www.wiktorzychla.com/2012/06/iis-75-integrated-security-with-no.html
I have set Full Control for "Domain Users" in the Security tab (NTFS permissions) of my application folder. This resolved the problem in IE 11, but Chrome keeps asking for a user name and password.
I have a very simple partial view in my header called AccountInfoPanel.
It only has one line:
Welcome: #HttpContext.Current.User.Identity.Name
And in my Web.Config I have
<authentication mode="Windows" />
But the identity name is always empty.
If I debug through VS 2012, and break on the index action, I see it is empty.
If I run it through IIS with Windows Authentication enabled and Anonymous Authentication disabled, I get a challenge.
So I try to plug in My account or a test1 and test2 account.
It comes back and says:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I also tried setting Impersonation to true and get the same response from the challenge.
Does anyone know how to set this up?
And if all the setup has to be done in IIS, how do you debug your code within Visual Studio?
One other question. My boss seems to think you don't even need a login box. IE would just know who you are. And you could "run as" in IE with a different account.
Check one of the possible issues on my checklist:
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
In short:
First, make sure that Anonymous Authentication is turned OFF for the site:
Second, enable integrated security in Internet Explorer (Options/Advanced, checking the "Enable Integrated Windows Authentication" option).
Third, add your website to the Local Intranet zone and select at least the "Automatic logon only in Intranet Zone" option under Options/Security Settings/Local intranet/Custom level.
Fourth, make sure the user and application server are in the same domain.
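The server-side items of this checklist (and of the one two answers up) can be verified without clicking through the IIS manager. The script below is an added example, not code from either answer: it prints the effective anonymous and Windows authentication settings of one site via the WebAdministration module, warns about the combinations that produce the empty Identity.Name or the endless prompt, and checks that the server is domain-joined and can find a domain controller. The site name is a placeholder; it assumes an elevated PowerShell session on the IIS host.

```powershell
# Added example, not from either checklist above. Run elevated on the IIS host.
param([string]$SiteName = 'Default Web Site')   # placeholder

Import-Module WebAdministration
$site = "IIS:\Sites\$SiteName"
$auth = '/system.webServer/security/authentication'

# Effective values for this site (inherits from applicationHost.config when not overridden).
$anon = (Get-WebConfigurationProperty -PSPath $site -Filter "$auth/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication"   -Name enabled).Value
$providers = @(Get-WebConfiguration -PSPath $site -Filter "$auth/windowsAuthentication/providers/add" |
    ForEach-Object { $_.value })

"anonymousAuthentication : $anon"
"windowsAuthentication   : $win"
"providers               : $($providers -join ', ')"

# First point: with anonymous still on, IIS serves the page without ever sending
# a Negotiate/NTLM challenge, which is why User.Identity.Name comes back empty.
if ($anon)     { Write-Warning 'Anonymous Authentication is still enabled; no challenge will be sent.' }
if (-not $win) { Write-Warning 'Windows Authentication is disabled for this site.' }
if ($providers.Count -gt 0 -and $providers[0] -ne 'Negotiate') {
    Write-Warning 'Negotiate is not the first provider, so Kerberos is not tried before NTLM.'
}

# Fourth point: the application server must be domain-joined and able to reach a DC.
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    "domain                  : $($domain.Name) via $($domain.FindDomainController().Name)"
} catch {
    Write-Warning "No domain controller reachable from this server: $($_.Exception.Message)"
}
```

If the script reports a domain but the browser still prompts, the remaining items are client-side (zone membership and the automatic logon setting in IE), which this script cannot see.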
To solve the problem, you have to enable the Windows Authentication feature. Follow the steps below:
- Click Start, and then click Control Panel. Open the Programs group.
- Under Programs and Features, click Turn Windows Features on or off.
- Expand the item labeled Internet Information Services.
- Expand the item labeled World Wide Web Services.
- Expand the item Security.
- Make sure to select Windows Authentication.
Also you need to disable Anonymous Authentication in IIS as follows:
- Click on your application in IIS.
- Double click Authentication under the IIS group.
- Click on Anonymous Authentication.
- Click on Disable on the right side under Actions.
Hope this helps.
Visual Studio installs IIS Express to serve web applications, so you have to configure it to use Windows Authentication.
Configuration file for IIS Express is usually here (more info: Where is the IIS Express configuration / metabase file found?):
%userprofile%\documents\iisexpress\config\applicationhost.config
Disable Anonymous Authentication (enabled by default):
<anonymousAuthentication enabled="false" userName="" />
Enable Windows Authentication (disabled by default):
<windowsAuthentication enabled="true">
  <providers>
    <add value="Negotiate" />
    <add value="NTLM" />
  </providers>
</windowsAuthentication>
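The two edits above, applied to the IIS Express applicationhost.config for one site only, as an added example that is not the answer's own code. Scoping the change with a `<location path="SiteName">` element leaves the other IIS Express sites on the defaults, and the script backs the file up first. The site name and the file location are assumptions; the path is the default one the answer gives.

```powershell
# Added example (not from the answer): edits the IIS Express applicationhost.config
# for one site. Site name and config path are assumptions.
param(
    [string]$SiteName   = 'MyIntranetSite',   # placeholder
    [string]$ConfigPath = "$env:USERPROFILE\Documents\IISExpress\config\applicationhost.config"
)

[xml]$cfg = Get-Content -Path $ConfigPath -Raw
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a copy before editing

# Fail early if the site is unknown: a <location> for a path that matches nothing is silently ignored.
$site = $cfg.configuration.'system.applicationHost'.sites.site |
    Where-Object { $_.GetAttribute('name') -eq $SiteName }
if (-not $site) { throw "Site '$SiteName' not found in $ConfigPath" }

# Returns the child element $name of $parent, creating it if needed, with $attrs applied.
function Set-Child($parent, [string]$name, [hashtable]$attrs) {
    $el = $parent.SelectSingleNode($name)
    if (-not $el) { $el = $parent.AppendChild($cfg.CreateElement($name)) }
    foreach ($k in $attrs.Keys) { $el.SetAttribute($k, $attrs[$k]) }
    return $el
}

# Reuse an existing <location path="SiteName"> or append a new one.
$loc = $cfg.configuration.location | Where-Object { $_.GetAttribute('path') -eq $SiteName }
if (-not $loc) {
    $loc = $cfg.CreateElement('location')
    $loc.SetAttribute('path', $SiteName)
    $cfg.configuration.AppendChild($loc) | Out-Null
}

# system.webServer/security/authentication under that location.
$auth = $loc
foreach ($name in 'system.webServer', 'security', 'authentication') { $auth = Set-Child $auth $name @{} }

# The two settings from the answer: anonymous off, Windows on.
Set-Child $auth 'anonymousAuthentication' @{ enabled = 'false'; userName = '' } | Out-Null
$win = Set-Child $auth 'windowsAuthentication' @{ enabled = 'true' }

# Providers in the answer's order: Negotiate (Kerberos when possible) before NTLM.
$prov = Set-Child $win 'providers' @{}
$prov.RemoveAll()
foreach ($p in 'Negotiate', 'NTLM') {
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('value', $p)
    $prov.AppendChild($add) | Out-Null
}

$cfg.Save($ConfigPath)
"Updated $ConfigPath for site '$SiteName'"
```

Restart IIS Express after saving; it reads the file at start-up. If the project carries its own .vs\config\applicationhost.config (see the answer further up about that file), pass that path instead, since IIS Express will use it rather than the one under Documents.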
I know this is an old question, but since it's not answered maybe someone could use my tip. I've been struggling with such an issue for some time and finally, I've discovered that one needs to have URL Authorization installed in order to make it work.
Navigate to the windows features and install the following feature:
Web Server (IIS) -> Web Server -> Security -> URL Authorization
I've also restarted IIS just in case, but I'm not sure if it's needed.