I have discovered that apparently even though encrypted identities are supported in ASP.NET (via encrypting in the web.config), IIS 7 will not allow you to change the authentication settings in the IIS Manager. You get a message like this
A workaround for this is to temporarily comment out (using "<!-- -->") the identity section in the web.config and then IIS 7 Manager will allow you to view/modify authentication section. Then remember to uncomment the section in web.config.
I am having trouble using Mixed Forms Authentication and Windows Security.
I am not too familiar with IIS and security. I found this article today:
https://msdn.microsoft.com/en-us/library/ms972958.aspx#mixedsecurity_topic5
I first started by adding an authentication mode to my web.config file:
<authentication mode="Forms">
<forms loginUrl="~/Login"></forms>
</authentication>
the tutorial above says my loginURL should be WinLogin.aspx, I guess this is where my confusion starts.
As in the tutorial above it states the following:
Using the IIS Manager, right-click the WinLogin.aspx file, click Properties, and then go to the File Security tab to edit the authentication and access control for this single file. Then simply un-check Enable anonymous access and check Integrated Windows authentication.
I don’t see WinLogin.aspx in my IIS Manager.
My question is, do I need to create a site in my IIS Manager and create a WinLogin.aspx file in my project?
I am using MVC, so if I add my project to IIS, do I follow the same steps for WinLogin.aspx but for my Login Controller file? LoginController.cs ? I am very confused on this subject.
Thanks,
According to the tutorial, you'll need two files, WebLogin.aspx and WinLogin.aspx. WinLogin.aspx just exists to test the Integrated Windows Authentication, otherwise users would login via WebLogin.aspx. The tutorial for WinLogin.aspx should be in the source code for the article (linked to at the top of the article).
Instead of WebLogin.aspx, you can provide a route to your MVC login page.
I have a very simple partial view in my header called AccountInfoPanel.
It only has one line:
Welcome: @HttpContext.Current.User.Identity.Name
And in my Web.Config I have
<authentication mode="Windows" />
But the identity name is always empty.
If I debug through VS 2012, and break on the index action, I see it is empty.
If I run it through IIS with Windows Authentication enabled and Anonymous Authentication disabled, I get a challenge.
So I try to plug in My account or a test1 and test2 account.
It comes back and says:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I also tried setting Impersonation to true and get the same response from the challenge.
Does anyone know how to set this up?
And if all the setup has to be done in IIS, how do you debug your code within Visual Studio?
One other question. My boss seems to think you don't even need a login box. IE would just know who you are. And you could "run as" in IE with a different account.
Check one of the possible issues on my checklist:
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
In short:
First, make sure that Anonymous Authentication is turned OFF for the site:
Second, enable integrated security in Internet Explorer (Options/Advanced and check the “Enable Integrated Windows Authentication” option).
Third, add your website to the Local Intranet zone and select at least the “Automatic logon only in Intranet Zone” option (under Options/Security Settings/Local intranet/Custom level).
Fourth, make sure the user and application server are in the same domain.
To solve the problem, you have to enable the Windows Authentication feature. Follow the below steps:
-Click Start, and then click Control Panel. Open the Programs group.
-Under Programs and Features, click Turn Windows Features on or off.
-Expand the item labeled Internet Information Services.
-Expand the item labeled World Wide Web Services.
-Expand the item Security.
-Make sure to select Windows Authentication.
Also you need to disable Anonymous Authentication in IIS as follows:
-Click on your application in IIS.
-Double click Authentication under the IIS group.
-Click on Anonymous Authentication.
-Click on Disable on the right side under Actions.
Hope this helps
Visual Studio installs IIS Express to serve web applications, so you have to configure it to use Windows Authentication.
Configuration file for IIS Express is usually here (more info: Where is the IIS Express configuration / metabase file found?):
%userprofile%\documents\iisexpress\config\applicationhost.config
Disable Anonymous authentication (enabled by default):
<anonymousAuthentication enabled="false" userName="" />
Enable Windows Authentication (disabled by default):
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
I know this is an old question, but since it's not answered maybe someone could use my tip. I've been struggling with such an issue for some time and finally, I've discovered that one needs to have URL Authorization installed in order to make it work.
Navigate to the windows features and install the following feature:
Web Server (IIS) -> Web Server -> Security -> URL Authorization
I've also restarted IIS just in case, but I'm not sure if it's needed.
Is there something wrong with my IIS setup? I have a 64-bit IIS 7.0 installation. My site has a web.config, with authorization rules specified.
In IIS Manager, when I open the authorization rules, I had expected the rules from the web.config to be displayed and be editable, with any changes I make synced back to the web.config. This does not seem to be the case.
From what I can tell, the site obeys whatever rules are put into the authorization settings in IIS, but completely ignores any rules that are put into the web.config.
Is this correct? How is this supposed to work? Is there some way to force a sync?
It appears that IIS puts the rules into the system.webserver section of the web.config.
I don't have access to the IIS server, but I need to make the ASPSession cookies created by IIS HttpOnly. So my question is: how can I make the cookies HttpOnly by coding and not by any setting on IIS? Please help, it's urgent, and I have been looking for the solution but didn't get anything related to my problem. I know the server version is IIS 6. On my testing server I have used an ISAPI filter and it solved my problem, but for that I needed to access the IIS and add the ISAPI filter there, which I can't do on the live server.
If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:
<httpCookies httpOnlyCookies="true"/>
You can edit this programmatically: http://www.dotnetcurry.com/ShowArticle.aspx?ID=102
I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
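An added example, not code from any of the answers above: a small offline audit that reads the web.config settings the answers cover (authentication mode, identity impersonate, httpOnlyCookies) and the IIS Express applicationhost.config authentication section (anonymousAuthentication, windowsAuthentication and its providers), and reports the settings that produce the symptoms discussed in these threads. The two config fragments are constructed samples, not from a real deployment.

```python
import xml.etree.ElementTree as ET
# Constructed sample fragments (hypothetical, not a real deployment): a web.config
# system.web section and an IIS Express applicationhost.config authentication section.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <httpCookies httpOnlyCookies="false"/>
  </system.web>
</configuration>"""
APPHOST_CONFIG = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="" />
    <windowsAuthentication enabled="true">
      <providers><add value="NTLM" /></providers>
    </windowsAuthentication>
  </authentication></security></system.webServer>
</configuration>"""

def _attr(root, path, name):
    # Read one attribute; empty string when the element or attribute is absent.
    el = root.find(path)
    return el.get(name, "") if el is not None else ""

def audit_web_config(xml_text):
    """Findings for the system.web settings discussed in the answers above."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = _attr(root, "system.web/authentication", "mode")
    if mode != "Windows":
        findings.append(f"authentication mode is {mode or 'unset'}, not Windows")
    if _attr(root, "system.web/identity", "impersonate") == "true":
        findings.append("impersonation is on: page users need their own database rights")
    if _attr(root, "system.web/httpCookies", "httpOnlyCookies") != "true":
        findings.append("httpOnlyCookies is not true: session cookie is readable by script")
    return findings

def audit_apphost(xml_text):
    """Findings for the IIS (Express) authentication section."""
    root = ET.fromstring(xml_text)
    auth = "system.webServer/security/authentication/"
    findings = []
    if _attr(root, auth + "anonymousAuthentication", "enabled") != "false":
        findings.append("anonymousAuthentication still enabled: no 401 challenge is sent")
    if _attr(root, auth + "windowsAuthentication", "enabled") != "true":
        findings.append("windowsAuthentication is disabled")
    providers = [a.get("value") for a in root.findall(auth + "windowsAuthentication/providers/add")]
    if "Negotiate" not in providers:
        findings.append(f"providers {providers}: Negotiate missing, so Kerberos is never negotiated")
    return findings
```

Run `audit_web_config(open("web.config").read())` and `audit_apphost(open(path).read())` against your own files; an empty list means none of the issues from these threads is present.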
You don't want to use impersonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need UPDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.