I've set up a site using ASP.NET MVC 5 to use claims based security using our on premise ADFS server. The site performs the redirect to the ADFS server which asks for the users AD credentials to log in, and then redirects back to my site. At that point the user is authenticated and I have access to all the claims that ADFS is sending.
The issue is I don't my users to have to enter their credentials. I would assume their windows credentials could be sent to the server to make the sign in process seamless but I can't figure out how. I have attempted to set the authentication mode to windows but it has no effect.
Both the ADFS and my site are internal and the ADFS site appears in my Local Intranet Sites settings. I've tested with both IE9 & Chrome and they both have pop up a dialog box looking for credentials. I've spoken with the sysadmin and windows authentication is enabled for ADFS.
How can I authenticate with ADFS without my users being prompted for their credentials?
I encountered the same issue as well and finally figured out the cause. This may occur if the ADFS authentication page url is a non-intranet address.
To resolve the issue, change the wsfederation issuer address in application's web.config to one that would be treated by the browser as an intranet address.
Change the following
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz.abc.com/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
to
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
where xyz is the machine name where ADFS is installed.
Do not change the adfs trust urls though. Keep them as they are since they would be used for matching and establishing trust between your application and ADFS.
The browser treats "xyz.abc.com" as an internet address, and hence displays a login prompt while "xyz" is treated as an intranet address so it automatically forwards logged in user credentials to the application without the user having to specify credentials himself/herself.
After this change, any intranet user would be directly logged in to the application if the browser used is Internet Explorer with default security settings (i.e. "Automatic logon only in Intranet zone" under Security tab -> Internet -> Custom level) or Chrome (since it picks up the settings set for Internet Explorer).
To make the automatic login work in Firefox, the following additional steps would have to be performed:
1) Type about:config into the firefox address bar. You might be warned about editing this section, go ahead anyway.
2) Type "fqdn" in the search bar. You should now see 2 settings i.e. "network.automatic-ntlm-auth.allow-non-fqdn" and "network.negotiate-auth.allow-non-fqdn". Change the values of both to true.
Are these intranet or extranet users?
Only intranet users can log in seamlessly with WIA.
This works OOTB with IE with the correct settings but other browsers need to be explicitly configured.
What browsers are you using?
Also the ADFS config needs to allow integrated auth.
Related
I'm currently experiencing an issue with some users of an ASP.NET 4.8 Web API application hosted on Windows Server 2012 and IIS. The following properties are not returning that user's correct user name, and instead returning the name of a service account used for this server:
HttpContext.Current.User.Identity.Name
HttpContext.Current.Request.LogonUserIdentity.Name
I have no idea how to begin troubleshooting this - myself and most other users do not experience this issue, but for a handful of users the above does not return the correct username, returning the username of a service account used to remotely connect to the server in question. Forcing a login via a browser private window does rectify the issue, and the application correctly returns the expected username for each of the above properties.
What could be a cause for Windows Authentication not returning the correct user name and what is the best way to troubleshoot an issue like this?
edit: I was able to resolve the issue, see my answer below
After some additional research and troubleshooting, I determined that the users experiencing the issue described above had the service account in question stored in the Windows Credential Manager:
Removing the service account in question allowed them to be authenticated with the Intranet site with their normal Windows domain\username. As #pcalkins suggested, at some point the affected users had used these credentials on their machine, and Chrome, Edge, IE were using that saved credential when authenticating with the Intranet site.
Please check the following steps:
Make sure that windows authentication is enable and Anonymous Authentication is disable for the website.
Enable integrated security in Interner Explorer (Options/Advanced and checkin the "Enable Integrated Windows Authentication" option).
Add your website to Local Intranet zone and select at least "Automatic logon only in Intranet Zone" option under Options/Security Settings/Local intranet/Custom level).
Aake sure the user and application server are in the same domain.
My intranet site has Windows Authentication enabled.
For me and a few other users, it works great, authentication happens in IE 'behind the scenes'.
But for some other (less privileged?) users (same domain), they receive a log-in prompt.
The computer settings/local intranet settings are the same.
When authentication is disabled, the page loads fine for everyone.
So that makes me think it's not a file permission issue.
What reasons could some users get authenticated and some not?
I've a sub-application that I want to use windows authentication.
I want that login box pops up even in the domain when the person first reaches the page.
When I turn off Kernel-mode authentication, the login box pops up, but fails with error 401 Not Authorized after 3 login attempts.
If I turn this on, It doesn't even asks for the password,I believe this is due the computer is in the servers domain and the credentials are passed automatically.
Is there any possibility to show login form for all users, including domain users?
In the image below are my server configs.
Windows Authentication is normally handled by IIS. This is the way it works:
Client requests the page.
IIS returns a HTTP 401 response, with a header saying that it accepts Windows auth.
The client's browser automatically resends the request with the users credentials (as long as the site is trusted).
IIS verifies the user and passes the credentials to the application.
This is all designed to be seamless.
If you want the user to be prompted for credentials all the time, then either:
Make sure your site is not trusted (not in the Internet Options Trusted Sites or Intranet Sites). But you may not be able to do that.
Don't use Windows authentication. Uses Forms authentication and make a login page where the users can enter their credentials. But that means that you will have to verify the credentials against Windows or Active Directory yourself in your code.
If you use #2, then also make sure to use SSL on your site since passwords will be sent in plain text.
You can use Basic authentication. It will prompt the user for credentials and once entered, it will give you a seamless experience.
However, the disadvantage with basic auth is that it sends the password in plain text to the server. You can use SSL certificate to encrypt this information.
I am developing an intranet MVC3 application that will be used by both domain and non domain computers.
Everyone has a domain account so whenever a non domain computer is to open the website a windows credentials prompt input box is expected to appear.
If i understand correctly this will be standard browser behavior since they won't pass windows credentials to a website unless they are in the same domain.
The problem however is that whenever i debug on my localhost i am in the same domain as the server(since i am the server obviously). This results in me being "logged in" with my workgroup windows account in stead of my domain account.
What i'm looking for is a way to trigger the prompt box so i can use my domain account to login rather then to get useless access with my workgroup account.
You can use Forms authentication with the ActiveDirectoryMembershipProvider.
Take a look to this tutorial on MSDN: http://msdn.microsoft.com/en-us/library/ms998360.aspx and this post: http://support.microsoft.com/kb/326340/en-us (sorry it's VB code).
Addendum: if you want just to test another user credentials you can use impersonation, just set-up your web.config.
We have an issue for our intranet site that is running in our local network.
In a nutshell, we have integrated Active Directory authentication with our application and what to use IIS integrated authentication to allow users to sign on without entering any credentials.
Assume the AD domain is "domain.name", and the server our application is hosted on is "server-name". We are running in Windows 2008 and the Integrated Authentication role is set up in IIS.
We have managed to make this work for http:||server-name/, however when we enter http:||server-name.domain.name/, users are prompted for their credentials in the standard way and if they cancel, a "401 Unauthorised" message is displayed.
The issue is, that it seems to authenticate when the machine name is accessed, but browsers do not pass over credentials when the fully qualified address is accessed.
Has anyone seen this before? Is there any advice they can shed on the situation? I ask as a programmer who has little experience with network setup and Active Directory.
Thanks
Have a look in IE settings. Tools > Internet Options > Security > Local Intranet > Custom Level. Scroll down to the very last setting "Automatic login only in Intranet zone". By default IE will only automatically pass along windows authenticated credentials to a site it considers "intranet".