Setup windows authentication for ASP.NET using local workgroups? - asp.net

I have a requirement to build Windows authentication for our web applications. We plan to create local workgroups (on Windows 2008 Server) to manage users instead of Active Directory. Our reason: it takes months to create groups and move users via AD (and our client would prefer we go this route). Is it possible to set up Windows authentication for an ASP.NET application and validate the user credentials against the local workgroups? Keep in mind we would try to match their login names to our local workgroups.

You can use AspNetWindowsTokenRoleProvider. This makes ASP.NET use the Windows local groups.
In your web.config do something like this:
<!--
  The <authentication> section enables configuration
  of the security authentication mode used by
  ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
</authorization>
<roleManager enabled="true"
    defaultProvider="AspNetWindowsTokenRoleProvider"/>
Then in your aspx you can check if the user exists in a role. I placed this in my master page.
If Not Roles.IsUserInRole(HttpContext.Current.User.Identity.Name, "Managers") Then
    'label1.Text = "You are not authorized to view user roles."
    Response.Redirect(Request.ApplicationPath & "/logout.html")
End If
You can read more in this link from Microsoft: http://msdn.microsoft.com/en-us/library/ff647401.aspx, under "Using WindowsTokenRoleProvider".
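As an added example (not code from the answer above), here is a C# HTTP module that enforces local-group membership under Windows authentication. It assumes a hypothetical local group named Managers on the web server; the group names, the module and its class name are constructed for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical HTTP module: under Windows authentication it lets a request
// through only when the caller is an authenticated Windows user who belongs
// to one of the required local groups.
public class LocalGroupGateModule : IHttpModule
{
    // Constructed group names. A local group is resolved as MACHINE\Group and
    // a built-in group as BUILTIN\Group; an unqualified "Managers" would not match.
    private static readonly string[] RequiredGroups =
    {
        Environment.MachineName + @"\Managers",
        @"BUILTIN\Administrators"
    };

    public void Init(HttpApplication app)
    {
        // Runs after ASP.NET has built the WindowsPrincipal for the request.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    // Deny by default: anything that is not an authenticated WindowsPrincipal
    // (anonymous request, forms identity, null) is rejected.
    public static bool IsAllowed(IPrincipal principal)
    {
        var winPrincipal = principal as WindowsPrincipal;
        if (winPrincipal == null || !winPrincipal.Identity.IsAuthenticated)
            return false;
        foreach (string group in RequiredGroups)
        {
            // IsInRole checks the group SIDs in the logon token, so nested
            // group membership is honoured as well.
            if (winPrincipal.IsInRole(group))
                return true;
        }
        return false;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (IsAllowed(app.Context.User))
            return;
        app.Context.Response.StatusCode = 403;
        app.CompleteRequest(); // skip the page handler without throwing
    }
}
```

Register the module in web.config under <system.webServer><modules> (integrated pipeline) with <add name="LocalGroupGate" type="LocalGroupGateModule"/>; it still needs <authentication mode="Windows"/> and <deny users="?"/> so that Context.User is a WindowsPrincipal rather than an anonymous identity.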

Related

WindowsIdentity always returns IIS user

I have an ASP.NET web application, on which I try to implement Windows authentication.
The application is hosted on IIS, and runs under the Administrator account.
In the application, I am trying to get the name of the current Windows logged-in user, e.g. Catalin Gavan.
Whatever I try, I always get the administrator user, the one which runs the ApplicationPool.
Here is what I tried:
Request.LogonUserIdentity; // "NT AUTHORITY\\IUSR"
WindowsIdentity.GetCurrent(); // "ADIDEVNET\\administrator"
WindowsIdentity.GetAnonymous();
WindowsIdentity.GetCurrent(true); // null
WindowsIdentity.GetCurrent(false); // "ADIDEVNET\\administrator"
How can I get the current logged-in Windows user, from code behind?
Turn on Windows Authentication and that should fix it. Secondly, when you set the identity to administrator in the Advanced Settings, it will always log in as the administrator. Remove the identity from there, as well. A user will "impersonate" the admin account when that is set.
Try these web.config settings.
<system.web>
...
<authentication mode="Windows" />
<authorization>
<deny users="?" /> <!-- may want to remove this if you want to allow anonymous -->
</authorization>
<identity impersonate="false" />
</system.web>
In ASP.NET Web Forms, you should access Page.User, and in ASP.NET MVC or Web API, you should call Controller.User or ApiController.User accordingly. This user identity comes from the request and is set as the thread identity.
WindowsIdentity.GetCurrent returns the process identity, which is obviously the application pool identity you set.

Debugging an ASP.NET site with Windows Authentication using different users

I'm working on an ASP.NET MVC intranet site that uses Windows authentication. My web.config is set up with:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
Access to some parts of the site is also restricted using roles.
My main account is given the site administrator role, meaning that I have access to everything. This is fine for normal testing, but there are certain parts of the site that have more complex restrictions (e.g. user has role administrator or (user has role X and user is assigned to a group Y in the database)).
I've tried running the site through Visual Studio, then opening another web browser as a different user, and when I access the site it pops up a Windows authentication box but it won't accept any other logins - only when I enter my main account will it allow access. Roles don't have any effect on this; even when I add my second account as a site administrator it's denied access using this method.
If you think this is a duplicate of "Testing intranet site that uses Windows authentication" you didn't read the previous paragraph.
What am I doing wrong here? Is there some other method to test using multiple users?
Create a Virtual PC and attach it to your network, then log in as various users and test your site on there. I had the same issue and this did the trick.
Virtual PC download here - https://www.microsoft.com/en-us/download/details.aspx?id=3702
I eventually stumbled on the answer to this. The second user account that you want to test with needs to be given permissions to read the directories where the Visual Studio project is stored. Once that's done, running another browser instance with a different account works fine.

Windows authentication inconsistencies with "LOGON_USER" server variable

Another developer and I are both working on the same ASP.NET web app. The application uses Forms authentication, but the IIS virtual directory is configured with both "anonymous access" and "integrated Windows authentication". This mirrors the production site which authenticates as required.
A potentially key difference between our two setups is that he is on Windows 7 and IIS 7, whereas I'm on Windows XP and IIS 5 (for my sins).
Initially when we both run the app, the variable... HttpContext.Current.User.Identity.IsAuthenticated ...is false. This I'd expect because we're configured with Forms authentication. The app then redirects to a WindowsAuth.aspx page. That page checks the Request.ServerVariables["LOGON_USER"] server variable and, if this isn't null or empty, uses it to automatically sign in.
The issue is, on my PC Request.ServerVariables["LOGON_USER"] is always empty. To me this is correct since we have anonymous access enabled. But on my colleague's PC, and in production, the variable holds the user's username. I cannot understand why this is. Is there a difference between IIS 5 and 7 in this regard? Otherwise, can you explain this? Obviously I want my setup to reflect other environments but upgrading to Windows 7 is a last resort at this point.
https://support.microsoft.com/en-us/kb/306359
To populate the LOGON_USER variable when you use any authentication mode other than None, you can deny access to the Anonymous user in the <authorization> section of the Web.config file. To deny access to the Anonymous user in the <authorization> section, follow these steps:
1. Change the authentication mode in the Web.config file to anything other than None. For example, the following entry in the Web.config file sets the authentication mode to Forms-based authentication:
<authentication mode="Forms" />
2. To deny access to the Anonymous user in the Web.config file, use the following syntax:
<authorization>
    <deny users="?" /> <!-- This denies access to the Anonymous user -->
    <allow users="*" /> <!-- This allows access to all users -->
</authorization>
If you are using Windows authentication, you can also use the following steps to resolve this problem:
1. Change the authentication mode in the Web.config file to Windows as follows:
<authentication mode="Windows" />
2. In the Internet Services Manager, right-click the .aspx file or the Web Project folder, and then click Properties.
3. If you clicked Properties for the Web Project folder, click the Directory Security tab. If you clicked Properties for the .aspx file, click the File Security tab.
4. Under Anonymous Access and authentication control, click Edit.
5. In the Authentication methods dialog box, clear the Anonymous Access check box, and then select either the Basic, the Digest or the Integrated (NT Challenge/Response) check box.
6. Click OK to close both dialog boxes.
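As an added example that is not part of the thread, here is one way to write in C# the hand-off that the question's WindowsAuth.aspx page performs. It assumes the page sits in a Forms-authenticated app as described, that IIS sets AUTH_TYPE to the scheme it used (Negotiate, NTLM or Basic), and that both LOGON_USER and AUTH_TYPE stay empty for anonymous requests; the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical code-behind helper for the WindowsAuth.aspx hand-off page.
// It issues a Forms ticket only when IIS itself authenticated the caller,
// so an empty LOGON_USER (anonymous access in effect) never signs anyone in.
public static class WindowsHandoff
{
    // Returns DOMAIN\user when IIS authenticated the request, otherwise null.
    public static string AuthenticatedLogonUser(HttpRequest request)
    {
        string logonUser = request.ServerVariables["LOGON_USER"];
        string authType = request.ServerVariables["AUTH_TYPE"];
        if (string.IsNullOrEmpty(logonUser) || string.IsNullOrEmpty(authType))
            return null; // anonymous request: IIS verified nothing

        switch (authType.ToUpperInvariant())
        {
            case "NEGOTIATE":
            case "NTLM":
                return logonUser;
            case "BASIC":
                // Basic sends the password with every request; only accept it over TLS.
                return request.IsSecureConnection ? logonUser : null;
            default:
                return null;
        }
    }

    // Called from Page_Load of WindowsAuth.aspx (assumed); falls back to the
    // normal Forms login page when there is no IIS-authenticated user.
    public static void SignInOrRedirect(HttpContext context)
    {
        string user = AuthenticatedLogonUser(context.Request);
        if (user == null)
        {
            context.Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }
        // Session-scoped ticket: no persistent cookie for an automatic sign-in.
        FormsAuthentication.SetAuthCookie(user, false);
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false), true);
    }
}
```

The hand-off page itself must stay reachable to users without a Forms ticket (a <location> element for it with <allow users="*"/>), and IIS must have anonymous access disabled on that page so LOGON_USER is populated, as the KB steps above describe.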

ASP.NET Active Directory Role Provider via web.config

I would like to ask if anybody could provide an example of web.config for the following situation:
I have a web (ASP.NET) with forms authentication (login controls), which I would like to have connected to our corporate Active Directory. In AD, we have defined users as well as groups. Authentication for the users (allow users...) works like a charm; however, when I want to add role authentication (allow roles...) it doesn't work. I've tried to enable the role manager but don't know exactly how to set up the provider to communicate with the AD.
Furthermore, I would like to have all the settings only in web.config, not to do group authentication in the code (I know it's possible but I would prefer a config-only solution).
Although I went through several tutorials on the web, most of the role authentication was oriented on using a local SQL server or Windows authorization, but not AD.
The idea is to write a custom role provider which reads groups from the AD and exposes as user roles:
http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html
If that site is on your intranet then you don't need to use login controls or the roles provider. AD is already a provider out of the box. Your web.config file needs to have
<authentication mode="Windows"/>
<authorization>
    <!--<allow roles="AD_GROUP" />-->
    <!--<allow users="USERS"/>-->
    <deny users="?"/> <!-- Important if you want to force authentication-->
</authorization>
then somewhere in your code you can check to see if the user is in a role like this:
HttpContext.Current.User.IsInRole("AD_GROUP_NAME")

Web application to use window domain accounts for authentication

If you have a web application that will run inside a network, it makes sense for it to support windows authentication (active directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.
I guess there are 2 major points I have to tackle:
1. authentication
2. authorization
I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?
Basically Windows handles everything; you never store usernames or passwords. AD and IIS do all the work for you.
Add this to your web.config:
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
To configure Windows authentication:
1. Start Internet Information Services (IIS).
2. Right-click your application's virtual directory, and then click Properties.
3. Click the Directory Security tab.
4. Under Anonymous access and authentication control, click Edit.
5. Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.
You can then deal with the business of authorization using web.config again, for example:
<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>
Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx
This problem is solved in detail by Mr. Scott Guthrie in
Link 1 and Link 2
I used windows security on some of my internal sites.
Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the sites files though the standard windows security model.
I'm not sure if this is the best practices, but it has always worked well for me.
