IIS Configuration:
Anonymous Authentication Enabled
ASP.NET Impersonation Enabled
Windows Authentication Enabled
*the rest is disabled
Web.Config:
<add name="ADConn" connectionString="LDAP://192.168.0.21" />
.
.
.
<authentication mode="Windows" />
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
<identity impersonate="true"/>
<membership defaultProvider="ADMembership">
<providers>
<add name="ADMembership"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConn"
connectionUsername="dominic"
attributeMapUsername="sAMAccountName"
connectionPassword="p#ssw0rd" />
</providers>
</membership>
And in my web application:
[Authorize]
public class HomeController : Controller
{
I'm trying to convert my application from Form to Windows Authentication. With this configuration, the page prompts me with login dialog. When I use my AD account, I can't login, but when I use my local account, I can visit the page. Why? How would I tell my application to use a specific AD? Is my configuration correct?
Important notes:
My IIS and AD are on different machines and they are not on the same domain.
My IIS and client is on the same machine.
My application works with Form Authentication using AD.
IIS version: 6.1
MVC version: 4
AD OS: Windows 2008
Client and IIS OS: Windows 7
Here is what I think is happening
When you try to open the application, the browser will send your current AD credentials (if IE is configured to do this automatically)
Since you are using asp.net impersonation, If the AD account doesn't have access to the application folder it will try to use the anonymous user account instead which also doesn't have access.
You might need to add security access to application folder for the anonymous user defined in IIS otherwise remove the anonymous access from IIS
you can check the following link for the setting permission guidelines
Guidelines for Resolving IIS Permissions Problems
Related
I have a web application that allows the users to access the pages if their Windows login name to the domain is in the web config's app settings.
For example:
Logged on username: SampleDomain\SampleUser
on Web.config:
<appSettings>
<add key=AuthorizedUsers value="SampleUser,SampleBooger" />
</appSettings>
<authentication mode="Windows"/>
*successful scenario: SampleUser should be able to browse the website.
I was able to do it successfully during development (locally on my machine), but when I deployed it to a server then I try to browse it from my local machine, the Windows login that it gets is NT AUTHORITY\NETWORK SERVICE so it redirects to my customized error page. I, SampleUser, am in the AuthorizedUsers. I should be able to browse it.
Please help me.
Thank you very much.
You need to use ASP.NET impersonation feature.
When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
Such behavior can be configured in web config using the following code:
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
More info: http://msdn.microsoft.com/en-us/library/xh507fc5%28v=vs.100%29.aspx
I have an ASP.NET MVC 3 application running on both my local dev box (Win7) and staging server (W2k8r2). The application operates fine in both environments until ASP.NET Windows authorization security is enabled.
After securing the web-app, it continues operates correctly on the staging server but generates 401.2 access denied's on my local dev box. The only significant difference I can see is on local dev box, I'm using Cassini via Visual Studio whereas the server is IIS7.5.
Windows authorization + impersonation is being used. What could cause Cassini to generate these 401.2 access denied?
Web.config is:
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
<!-- replication of system.webServer security settings for cassini which doesn't process them... -->
<authorization>
<allow roles=".\Test Application - Users" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="Test Application - Users" />
</authorization>
</security>
FYI Relevant users are in the 'Test Application - Users' Windows security group on each system.
Solution
The underlying issue on the dev box turned out to be that:
Cassini doesn't support identity impersonation and
Whilst the user had been added to relevant NT groups, they had not logged off/on and thus the group SID's associated with their Windows token had not been refreshed
If impersonation had been supported by Cassini I doubt this would have been an issue because a new token would have been established within the impersonation context. Thanks to #x0n for pointing in the right direction.
i'm not entirely sure, but I don't think cassini can impersonate (iis express can, however.)
In solution explorer pane select the Web Project and hit F4. (not right click+properties, thats different) - this will show property pane
In properties Pane then set:
Windows Authentication: Enable
Anonymous Authentication: Disabled
Run your project, Happy Days!
I would like my asp .net web application to only allow users belonging to DomainName\Domain Users to access the site. Right now I have "Anonymous access" disabled and "Windows Integrated Security" enabled on IIS. I also have the following code in my web config:
<authentication mode="Windows" />
<authorization>
<allow roles="DomainName\Domain Users" />
<deny users="*" />
</authorization>
When I attempt to access the website it prompts me for the username and password to connect to webserver.example.com. I am a member of the domain users group but it does not allow me access. What am I doing wrong either in the syntax or in my IIS settings?
Is Anonymous Authentication Disabled in IIS ? Only Integrated Windows Auth should be enabled on the web application.
EDIT from comments:
I see you have Anonymous disabled. Try adding <identity impersonate="true" /> within <system.web> and see if your behavior changes.
I'm trying to retrieve the windows login username for the current user in my asp.net website project.
my web.config file has the following items
<identity impersonate="true"/>
<authentication mode="Forms">
<forms name="app" path="/path" loginUrl="/path/login.aspx" protection="All" timeout="100" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
My understanding is that with this configuration I should be able to retrieve Domain\username from WindowsIdentity.GetCurrent().Name. However, this property returns NT AUTHORITY\IUSR which is the user for anonymous access. If I am not mistaken, I am denying anonymous access to the site in my authorization section. What am I missing?
Also of note:
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name also returns NT AUTHORITY\IUSR and Request.ServerVariables["LOGON_USER"] returns an empty string, which goes against the information found in this KB article http://support.microsoft.com/kb/306359
I am using .net 4.0 and a windows 7 development environment.
Some resources that led me to this point:
http://msdn.microsoft.com/en-us/library/ff647076.aspx
http://support.microsoft.com/kb/306158
http://forums.asp.net/t/1121780.aspx/1?Getting+a+users+DOMAIN+username+from+a+web+application
Thanks for your time.
Edit
It should be noted that I am locked into forms authentication (windows authentication is not an option), as this is a multi tennant site, and the majority of users will not be using this single sign on feature.
If you're using forms authentication then impersonation is meaningless - it only works with Windows authentication. The same applies for Request.ServerVariables["LOGON_USER"].
The reason you're seeing IUSR_ is because that's the Windows account the web site is running as, instead you should use Page.CurrentUser (WebForms) or the User property (MVC Controllers), with no casting. This will return the Forms Auth username.
I'm currently working on a page within one of my company's internet sites that is in response to some production issues we have. The page will be published with the rest of the web site to our DMZ, however I'd like to set-up some quick authentication so only users on our domain (assuming they access the site internally) can access the page. I'd like to use Windows authentication to do so.
Is there a quick way to accomplish this?
If I understand the question correctly, you want to enable security just on one page in your application - not the entire app.
Under IIS, you can manage the security settings on a page by page basis. In the IIS manager, pick the page, and change the security settings so that anonymous is off, and only Windows auth is accepted. You should get prompted for a login when you visit that page.
From Scott Gu's blog
To enable Windows Authentication
within an ASP.NET Application, you
should make sure that you have
“Integrated Windows Authentication”
(formerly called NTLM authentication)
enabled within IIS for the application
you are building. You should then
add a web.config file to the root
directory of your ASP.NET application
that contains an
section which sets the mode to
“Windows”.
You should also then add an
section to the same
web.config file that denies access to
“anonymous” users visiting the site.
This will force ASP.NET to always
authenticate the incoming browser user
using Windows Authentication – and
ensure that from within code on the
server you can always access the
username and Windows group membership
of the incoming user.
The below web.config file demonstrates
how to configure both steps described
above:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
EDIT:
You can apply the auth settings to just a path in this way:
<location path="mypath.axd">
<system.web>
<authorization>
<allow roles="MyRole, AnotherRole" />
<deny users="*" />
<deny users="?" />
</authorization>
</system.web>
</location>
You can simply use Windows Authentication settings in IIS. Just turn off Anonymous Access in IIS and set your NTFS permissions on the Web folder to the users whom you want to have access to the site. Your IIS admin should be able to handle this quite easily.