I am working on an ASP.NET web application that will be used on an intranet and need to implement authentication using Active Directory domain accounts.
From what I understand there are 2 possible options:
- Integrated Windows Authentication
- Windows Digest Authentication
Can I use either of them? It is clear that Windows Digest Authentication supports authentication using Active Directory domain accounts. Integrated Windows Authentication definitely can use local Windows accounts but I am not sure about AD accounts.
I can now answer my own question because I completed my implementation for this: Integrated Windows Authentication can use an AD account in just the same way as a local Windows account.
Related
I'm working on an on-premise web application (front end hosted on IIS) that currently uses traditional form-based authentication. Our client wants the application to support "single sign on", which basically means he wants the users to automatically log in to the application. AFAIK there are two ways I can take to achieve the desired effect:
Most articles that I found suggest using some kind of Identity Provider system (like Active Directory Federated Services), which my application can communicate with over SAML/OIDC in order to obtain the user's claims.
On the other hand, I could set up IIS to use Integrated Windows Authentication and get user claims directly from Active Directory through Kerberos/NTLM. This approach seems easier.
Given that my application will not be used outside of the intranet, and it is hosted in environments using Microsoft products (Active Directory, Windows Server, users using Windows machines), is there any reason I should consider the first approach?
I have to develop an ASP.NET application and need to authenticate users using LDAP.
I don't have a Windows server installed. I wonder how I can test my code from my local laptop.
Any suggestions?
You can install Active Directory Lightweight Directory Services (AD LDS). It has almost the same features as an AD server. http://msdn.microsoft.com/en-us/library/bb897400.aspx
It's quite easy to install. You can download it for Windows 7, or it's already in Windows 8; you just have to turn the feature on from "Programs and Features".
Then you can manage the AD instance using a tool called ADSI Edit, and for ASP.NET authentication just use the ActiveDirectoryMembershipProvider.
I want to rely on Windows Identity Foundation for my web site and web services authentication. Is ACS available for Windows Server? Do I have to rely on Azure or can I run it in my hosting environment?
The functional equivalent of ACS on-premises is ADFS (Active Directory Federation Services). Look at V2. It is a component of the OS.
I say "equivalent" because it is an STS, but there's no parity between ACS and ADFS. Some things are the same, but not everything.
I'm relatively new to using IIS 7. I'm getting confused by the various options that IIS 7 provides.
What does setting authentication mode="Windows" in the web.config of my ASP.NET site do?
What does enabling Windows authentication in the Authentication module in IIS 7 do?
What is the difference between these two? Does one override the other? Does this change whether you run in integrated vs classic mode?
IIS7 leverages web.config files. There is tight integration between IIS7 and ASP.NET: any changes made in the web.config are reflected in the management console, and changes in the management console write changes into the web.config.
As far as Windows authentication goes, it uses the server's local Windows users as its user store. This is typically more useful for an intranet application that has tight security requirements and an existing Active Directory user base.
Most internet-facing applications should use Forms authentication or a custom authentication provider. Your user store can be in the web.config, but most applications would keep their user store in a database.
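The two settings asked about above, side by side in one web.config. This is an added example, not taken from any of the posts; the values are constructed for an intranet site that should reject anonymous requests.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed web.config for an intranet site; not from the thread. -->
<configuration>

  <!-- ASP.NET layer: tells ASP.NET to accept the Windows identity that
       IIS has already authenticated. On its own it does not make IIS
       challenge the client for credentials. -->
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" means anonymous users. Denying them makes an
           unauthenticated request fail with 401 instead of being served. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- IIS layer: the same switches that the Authentication feature in
       IIS Manager toggles. These decide which schemes IIS offers. -->
  <system.webServer>
    <security>
      <authentication>
        <!-- Weak setting for this scenario: leaving
             anonymousAuthentication enabled="true" lets requests reach
             the application with no user identity attached. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>

</configuration>
```

On a default IIS 7 install the two sections under system.webServer/security/authentication are locked at server level, so setting them in a site's web.config fails with a configuration error until they are unlocked; IIS Manager writes them to applicationHost.config instead.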
I've recently had my PC upgraded to Vista, which means it includes IIS7. The problem is that the ASP.NET website we're working on doesn't work anymore. I get an error because the application is trying to connect to the SQL Server with NT AUTHORITY/ANONYMOUS LOGON instead of my domain user, and anonymous isn't authorized. I've tried several things, but no solution yet:
- install and enable the 'IIS Metabase and IIS 6 configuration compatibility'
- enable Windows Authentication for this website
- created a different Application Pool with managed pipeline mode set to Classic
- enabled IIS6 WMI compatibility and IIS6 management console (getting desperate here)
In our web.config there's and in our machine.config there's . I've tried putting impersonate to false and entering my domain user and password in the machine.config (it used to be like this) but that didn't help either.
Are there things I'm missing? Has anyone else had a similar problem?
How does your application authenticate with SQL Server? Does it use SQL or Windows Auth? I hope you are trying to use Windows Auth. In that case, your IIS worker process should be running under that Windows user account. If not, it should at the least impersonate a Windows user account that has the necessary access rights to SQL Server. If you have impersonation enabled, and if you are using the right Windows user account, and if SQL Server authenticates using Windows auth, and if you are still unable to access SQL Server, you may be running into the classic double hop issue. In other words, you are authenticating to IIS once and then using the same credentials to authenticate to the SQL Server over the network (which is your second hop), and Windows does not allow that for security reasons.
I believe I have found a/the solution. At least it's working now. This is what I did:
The website is now running in a separate application pool with Managed Pipeline mode set to classic, Load userprofile set to False and Identity set to custom and using a domain user (and password) that has access to the database.
Under 'authorization' of the website itself, I have Anonymous set to enabled and ASP.NET impersonate set to disabled.
in the web.config of the site is also set.
Credit where it's due, this site helped me.
I'm sorry to say I can't look into the issue any further. Indeed, it probably is something with the way we connected to SQL Server (Win Auth) because we've changed it now. Now we connect with username and password in the connection string and it's solved.
So I can't really say if you provided the answer, msvcyc, but I did vote on your solution. Thanks for the time and trouble.
Well, I recommend you migrate to Integrated mode, if it is not too much trouble, to enjoy the innovation it brings. :)
http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx