Has anyone ever experienced the following situation in .NET with forms authentication?
User logs into the system.
User is allowed into the "default" page inside of the directory controlled by forms authentication.
User attempts to click on another link also inside of the directory controlled by forms authentication.
Application redirects them to the login page again as if they hadn't already logged in.
It's an ASP.NET 3.5 website application, running IIS7, hosted in a server farm with just 2 servers. Authentication is managed by cookies on the user's system and server affinity is turned on... so "technically" they should arrive at one of the two servers and stay there.
Thanks for any help/insight.
If it's a server farm you're load balanced (I assume), so you have no idea which server you're going to end up on. When working in a farm with forms authentication you need to ensure that the encrypt/decrypt keys are the same, or the cookie created on server A cannot be read by server B. Here's an example of a machine key that can be added to the web.config to ensure cookies can be read in the farm:
<machineKey decryption="AES" decryptionKey="3B9E54DB3BB7DC57FF7CFBD8570B7AA21CD71BF63C6A9B48,IsolateApps" validationKey="3A74D6A6BA4C0771232C24FEFF997337F8B9542C255F5EA8EF214918A320362528EDA984A5AA8D0C24FDF50A062718932293496572248668C30DC3FAE2BDA183,IsolateApps" />
We have a main web page being hosted on IIS7. From a cursory glance, it looks like ARR could be used to send the user to a web app hosted on JBoss 6.
On the IIS7 server, we have Basic and Windows Authentication enabled. Whenever a user wants access to our main page, they have to provide their AD login. My question is this: if the user clicks the link that sends them to the JBoss web app, will the session information from the login in IIS7 be passed along, when using ARR?
Basically I want a single sign-on, to avoid the user having to enter their AD information twice. The web app on JBoss is LDAP/AD aware, so I would like to be able to grab the username from the session, look up in AD what their roles are, and use those for permissions. However, I'm not sure if moving from IIS7 to JBoss will persist this information.
Thanks for any help you can provide!
In the default website I have 2 ASP.NET web applications, App1 and App2. Both have the same login control; when a user logs in, the username and password are validated against the users table in a SQL database. The logged-in user's information is stored in 3 session variables.
After login, App1 redirects to profile.aspx and App2 redirects to dashboard.aspx.
profile.aspx has a link to App2 and dashboard.aspx has a link to App1. If the user clicks on the link he should already be logged in for that application.
If the user logs out from any one application he should get logged out from both applications.
How do I put the above SSO feature in my App1 and App2?
I suggest you take a look at Windows Identity Foundation.
Are the applications going to be in the same domain? If they are, then all you need to do is set the forms authentication of App 2 to App 1 or the other way around, and make sure you have the same machine key specified for both applications. This article gives more explanation on how to implement SSO in a sub-domain:
http://www.codeproject.com/Articles/27576/Single-Sign-on-in-ASP-NET-and-Other-Platforms
I am assuming forms authentication is used in your application. Forms authentication generates an authentication ticket to validate subsequent user requests and uses the "machine key" to sign the authentication ticket. Having the same machine key for all applications will resolve the issue. However, there are different scenarios to be considered depending on the scope of the applications which need to be integrated:
1. Configured as virtual directories inside the same domain
2. Configured as sub-domains
3. Two completely different sites
1 and 2 can be resolved by specifying the same machine key in web.config.
3 requires a custom solution such as passing encrypted parameters via the query string.
More information on machine key can be found here.
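An added example (not the page's own code and not ASP.NET's implementation) that models the farm scenario from the two machine-key answers above: it keeps only the HMAC-over-ticket part of forms authentication, which is what the validationKey governs, and shows a cookie issued by one node being rejected by a node with a different auto-generated key and accepted when both nodes share one explicit machineKey. The real ASP.NET ticket format and its encryption under decryptionKey are not reproduced; the key sizes and the helper names are this example's assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

def generate_machine_key():
    """Constructed keys: 64 bytes for validation (same length as the answer's
    example) and 32 bytes for AES-256 decryption; values are random, not the page's."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}

def machine_key_element(keys):
    """Render the <machineKey> line to paste into every node's web.config."""
    return ('<machineKey validation="HMACSHA256" decryption="AES" '
            f'validationKey="{keys["validationKey"]}" '
            f'decryptionKey="{keys["decryptionKey"]}" />')

def issue_ticket(validation_key_hex, username, now=None, lifetime_s=1800):
    """Server side: serialise the ticket and append an HMAC under validationKey."""
    now = time.time() if now is None else now
    payload = json.dumps({"name": username, "exp": int(now) + lifetime_s},
                         sort_keys=True).encode()
    mac = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()

def validate_ticket(validation_key_hex, cookie, now=None):
    """Return the username if the cookie verifies under this node's key, else
    None (the case in which ASP.NET redirects the user to the login page)."""
    raw = base64.b64decode(cookie)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # wrong key or tampered ticket
        return None
    data = json.loads(payload)
    now = time.time() if now is None else now
    return data["name"] if data["exp"] >= now else None

def farm_demo():
    """Two nodes with auto-generated keys versus two nodes sharing one key."""
    node_a, node_b = generate_machine_key(), generate_machine_key()
    cookie = issue_ticket(node_a["validationKey"], "alice")
    rejected = validate_ticket(node_b["validationKey"], cookie)   # None
    shared = generate_machine_key()   # same element on both nodes
    cookie = issue_ticket(shared["validationKey"], "alice")
    accepted = validate_ticket(shared["validationKey"], cookie)   # "alice"
    return rejected, accepted
```

The default machineKey setting, AutoGenerate,IsolateApps, is what gives each farm node its own key, so the sticky-session workaround only hides the mismatch until affinity fails.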
Short version:
For IIS 7.5 web applications with Windows Authentication, does the end user need to have Read file access?
Long version:
I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:
When connecting e.g. to http://appserver/MyApp I'm prompted for windows credentials but after entering them I'm repeatedly prompted. After several re-entering credentials I'm shown a 401 error page saying "401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity but even when entering the username & password it's still denying access.
Giving Read & Execute permissions to the end users of the app solves this problem, but I don't think this should be necessary at all.
In the Windows Application Event Log there's a message "File authorization failed for the request" along with Thread account name: NT AUTHORITY\NETWORK SERVICE and User: [the correct workstation user's domain account]. This suggests that the file access is being performed with the user's identity, not the AppPool identity of Network Service. Sure enough, if I grant the end user Read & Execute permission (I didn't try Read only) to the application's directory then everything works correctly: when the user browses to the site they're authenticated automatically, not prompted, and the web site correctly recognizes their identity! Therefore my workaround solution is to give Read & Execute permission to Everybody on the application directory... but this is not an ideal solution.
This seems very strange. I've never needed to do this before in IIS 7.5, so far as I recall, and definitely never needed to in IIS 6 or IIS 7. Is this a new IIS 7.5 thing? The documentation says that impersonation is turned off by default. I added an element to the web.config to be sure, removed file permissions other than Network Service, but the problem remained.
Any thoughts? Is it normal for Windows Authenticated sites on IIS 7.5 for end users to need file permissions on the web server files?
Some relevant details:
Network Service has Full Control file permissions to the app folder.
When connecting from the server itself I was prompted for credentials but after entering them I'm authenticated and the application works correctly, including displaying my Windows login and connecting and retrieving data from the db. I later determined that it was prompting for credentials because http://localhost was in the trusted sites and therefore not recognised as the Intranet Zone and thus not passing identity through. I also determined that it was working as this user identity because it's an admin user who has file permissions.
The web server is running Windows Server 2008 R2 / IIS 7.5. It didn't have IIS on it until I installed it. I installed the default features as well as Windows Authentication, ASP.NET, and possibly a couple of other items. A separate WCF app I installed that uses IIS, anonymous authentication & .NET 2.0 is working fine on that web server.
The app install process is a manual copy of files, creation of IIS App Pools & web apps, updating connection strings, etc.
I checked the IE security settings. It was recognizing the server as in the Intranet zone and had the option 'Automatic logon only in Intranet zone' selected. Also on Advanced Settings the 'Enable Integrated Windows Authentication' option was checked.
After installing IIS I ran aspnet_regiis -i for .NET 2.0 and aspnet_regiis -iru for .NET 4.0.
Anonymous authentication is disabled for my app and Windows Authentication enabled.
The app is running on ASP.NET v4 but there's another app I installed experiencing the same issue running ASP.NET v2.
The app is running with Identity = Network Service and in 32-bit mode.
Database connection string includes Trusted Connection=True and database permissions are granted to the web server account [domain]\[server]$ e.g. DGM\MyServer$.
In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. I tried reordering so NTLM is first.
In the Windows Security Event Log there were a series of Microsoft Windows security auditing events: Logon and Logoff. They indicated that the Logon was successful and was displaying the User Id of the workstation user. These are from when I'm connecting from another workstation and receive a 401 Unauthorized after several attempts.
I see someone has had this problem reported here but with no solution. Originally I posted in the ASP and then the IIS forums with no answers so far.
Update:
This msdn article says
When Windows authentication is enabled but impersonation is disabled, ASP.NET performs file access checks in the file authorization module using the credentials that are sent from the browser (my emphasis). Impersonation does not need to be enabled, because the FileAuthorizationModule module ensures that the requesting user is allowed read access or write access to the resource, depending on the request verb (for example, GET or POST) before executing the request. This behavior applies to any requests that enter managed code. In earlier versions of ASP.NET, accessing files based on URIs such as "Default.aspx" triggered the access check. In ASP.NET MVC applications, where access to resources is typically performed using extensionless URLs, this check typically does not apply, because there is not a physical file to check. In that case, the FileAuthorizationModule class falls back to checking access-control lists (ACLs) for the folder.
This does suggest that the end user needs permissions to the files (in the case of .aspx) or the folder (for MVC) ... although still this seems slightly tucked away and non-definitive. This article about App Pools says they're used as the identity for securing resources, which contradicts the idea of needing to grant privileges to end users. Unless the rules are different for App Pools and NETWORK SERVICE, which could be the case but would be surprising.
Are authenticated users allowed to the app folder?
We were also fighting with this issue, and started setting up security groups so we could give our users file level permissions. Then one of our server admins stumbled across a couple of new properties that allow the app to authenticate to the file system under set credentials, and resolved the need for the users to have access. Here is what he came up with…
There are two IIS settings that control this:
Physical Path Credentials
Physical Path Credentials Logon Type
By default, Physical Path Credentials is set to Application User (Pass-through authentication). This means that IIS doesn't do any impersonation when handling Windows Authentication requests. This can, however, be set to a specific user (though not, unfortunately, the application pool identity, which would be ideal). Physical Path Credentials Logon Type is set by default to Clear-Text. For my testing I set this to Interactive (though this may not be the correct value). Possible values are Clear-Text, Batch, Interactive, and Network.
To set this up I did the following:
Created a local account (IIS-AccessUser)
Granted IIS-AccessUser read and execute access to the /home directory of the site.
Added IIS-AccessUser to IIS_IUSRS group (necessary for accessing .NET temporary files)
Set IIS-AccessUser as the Physical Path Credentials
Set Physical Path Credentials Logon Type to Interactive
Doing the above allowed me to log in to the application directly, without having to allow Authenticated Users, or me having to be a member of any of the groups in the /home folder. It also still preserved .NET Authorization roles, so I still could not access parts of the site that I was not allowed to.
The short answer is NO. You are not required to grant file access permissions when using Windows Authentication in IIS 7.0 and IIS 7.5.
We were only able to discover this because our server admin smelled the security and management issues that arise from taking the route of granting file level access to users and groups.
For anyone dealing with this issue or if you are setting up a new IIS7/IIS7.5 server and/or moving from IIS 6, here is an article that gives you all of the Windows Authentication options and configurations that need to be modified to avoid granting file level access to individuals or groups.
Please read the two comments at the end of the post for some valid critiques of the methods used in this article.
http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk
In addition to the information in the article, please be aware that IIS 7.5 is not using the web configuration tags for system.web (at least not in my MVC 4 application).
It is looking in the system.webserver tags for authorization configuration (where you will need to list the windows domain\groups a user needs to be in to access your application).
-- DSB
I need clarification on how to apply domain login in my ASP.NET application.
So I have the following architecture: three machines: on one the ASP.NET application is running, another one is the database server, and from the last machine I am accessing the application.
My application should work like this: I access the application from the last machine; it takes my domain name, checks if it exists in the user table, and it should authenticate me.
But it works only when the application is running on one machine and I am accessing the application from the same one. It is connected with the fact that impersonation in the web.config file gives me access only to local resources.
I found some articles on MSDN but they are too complex to apply and understand:
Explained: Windows Authentication in ASP.NET 2.0
How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
How To: Create a Service Account for an ASP.NET 2.0 Application
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
From these articles I know that the solution should use Kerberos, delegation and impersonation. But I have no idea how to apply it.
What do I have to do to implement domain login in my application? Do you have a nice tutorial on how to do it? Do I have to modify only my application code, or the configuration of the server (second machine) as well?
Update 1
I logged some information:
On my machine:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Returns: [myDomainName][myUserName]
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType
Returns: Kerberos
On three machines architecture:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Returns: [IIS APPPOOL][ApplicationName]
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType
Returns: Negotiate
You need to set up ASP.NET to use Windows Authentication and impersonation (it sounds like you've done this). Then, you need to set up the web server for Kerberos delegation and make sure you have the proper SPNs configured for IIS and the application server.
It's working in the 2 machine case because there's no delegation involved there. It's the second authentication hop that requires kerberos.
My production environment involves a pair of IIS 6 web servers, one running legacy .NET 1.1 applications and the other running .NET 2.0 applications. We cannot install .NET 2.0 alongside 1.1 on the same machine because it is a tightly-regulated 'Validated System' and would present a bureaucratic nightmare to revalidate.
Websites on both servers use Basic Authentication against Active Directory user accounts.
Is it possible for a web application on the 1.1 server to securely redirect a user to a page served on the 2.0 server, without requiring users to re-authenticate?
No, because you're not using cookies for authentication in that scenario, so ScaleOvenStove's link won't help.
Basic authentication sends the login information in the HTTP headers with every request, but it's the browser that does this, when it sees a new server, new password request.
(Or indeed as suggested change the authentication on both systems to support single signon)
In order to achieve this you could implement a single sign-on solution.
This solution would have one server be your master authentication server. This server would be responsible for authentication and creating a cookie for the user. When you redirect to the other server (on the same domain) check to see if the authentication cookie exists that was created by the authentication server, and if it exists, and has valid data, auto login the user. Make sure that you set the domain on the forms authentication ticket and cookie, and then both servers which exist on the same domain will be able to access this cookie.
I would google single sign on asp.net. There's a number of ways to achieve it, but it's definitely achievable.
Yes, check out here:
http://weblogs.asp.net/scottgu/archive/2005/12/10/432851.aspx