I have a very simple partial view in my header called AccountInfoPanel.
It only has one line:
Welcome: #HttpContext.Current.User.Identity.Name
And in my Web.Config I have
<authentication mode="Windows" />
But the identity name is always empty.
If I debug through VS 2012, and break on the index action, I see it is empty.
If I run it through IIS with Windows Authentication Enabled and Anonymous Authentication diabled, I get a challenge.
So I try to plug in My account or a test1 and test2 account.
It comes back and says:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I also tried setting Impersonation to true and get the same response from the challenge.
Does anyone know how to set this up?
And if all the setup has to done in IIS, how do you debug your code within Visual Studio?
One other question. My boss seems to think you don't even need a login box. IE would just know who you are. And you could "run as" in IE with a different account.
Check one of possible issues on my checklist
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
In short:
First, make sure that Anonymous Authentication is turned OFF for the site:
Second, enable integrated security in Interner Explorer (Options/Advanced and checkin the “Enable Integrated Windows Authentication” option).
Third, add your website to Local Intranet zone and select at least “Automatic logon only in Intranet Zone” option under Options/Security Settings/Local intranet/Custom level).
Fourth, make sure the user and application server are in the same domain.
To solve the problem, you have to enable the Windows Authentication feature. Follow the below steps:
-Click Start, and then click Control Panel. Open the Programs group.
-Under Programs and -Features, click Turn Windows Features on or off.
-Expand the item labeled Internet Information Services.
-Expand the item labeled World Wide Web Services. -Expand the item Security ->
Make sure to select Windows Authentication
Also you need to disable Anonymous Authentication from the IIS as follows: -Click on your application in IIS -Double click Authentication under IIS group -Click on Anonymous Authentication -Click on Disable on the right side under Actions. Hope this helps
Visual Studio installs IIS Express to serve web applications, so you have to configure it to use Windows Authentication.
Configuration file for IIS Express is usually here (more info: Where is the IIS Express configuration / metabase file found?):
%userprofile%\documents\iisexpress\config\applicationhost.config
Disable Anonymous authentication (enabled by default):
<anonymousAuthentication enabled="false" userName="" />
Enable Windows Authentication (disabled by default):
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
I know this is an old question, but since it's not answered maybe someone could use my tip. I've been struggling with such an issue for some time and finally, I've discovered that one needs to have URL Authorization installed in order to make it work.
Navigate to the windows features and install the following feature:
Web Server (IIS) -> Web Server -> Security -> URL Authorization
I've also restarted IIS just in case, but I'm not sure if it's needed.
Related
I installed version 6.3.0 of the bonobo server on a windows 2008 r2 box. I followed the instructions and all it was well with the out-of-the-box settings.
Now, I wanted to enable Windows Authentication. The goal is that the developers don't have to enter a password when they access the remote repository.
I started with this article. Firstly, I am not sure about the sequence of making the changes. Should it be done before running it the first time? Or after? It's not clear. Anyway, I did it both ways, and in both cases it doesn't work.
Scenario 1: Left everything out-of-the-box, I added myself as a user. After I made the web.config change I was still presented with the login page, and when I typed the password, I was redirected back to the login page.
Scenario 2: I shut down IIS, I made all the changes, and before restarting IIS, I updated the web.config as per the windows authentication article. I also disabled Anonymous Access and enabled Windows Authentication. After I restarted IIS, when I tried to access it, I got:
The request filtering module is configured to deny a request where the query string is too long. I fixed this by adding: maxQueryString="32768" to the requestLimits tag.
Now I get ERR_TOO_MANY_REDIRECTS when I try to access the root page.
The documentation is not clear on how you have to configure this thing for windows authentication. It looks to me that you need to leave the out-of-the-box settings, define your users, make sure one of them is admin, then change the setting to windows authentication. As soon as you turn on the windows authentication the admin user can't be used. I assume the server is trying to find the current user in its own database.
One other thing, if you turn on windows authentication in the web.config, do you need to enable the Windows Authentication in the IIS Authentication for the app and turn anonymous access off? I would think so, but the documentation doesn't specify anything. What happens if I am logged in with an account on different domain than the box with the bonobo server?
Is there someone that can clarify what has to be done exactly to get the windows authentication running?
Thanks
I hope you could solve the problem meanwhile
if not, change the "AuthenticationProvider" to "Windows" and "MembershipService" to "ActiveDirectory".
Check your Web.config if the following is uncommented
<appSettings>
...
<add key="AuthenticationProvider" value="Windows" />
<add key="MembershipService" value="ActiveDirectory" />
...
<add key="ActiveDirectoryDefaultDomain" value="<your.domain>" />
<add key="ActiveDirectoryBackendPath" value="~\App_Data\ADBackend" />
<add key="ActiveDirectoryMemberGroupName" value="Developer" />
<add key="ActiveDirectoryTeamMapping" value="Developers=Developer" />
<add key="ActiveDirectoryRoleMapping" value="Administrator=Developer" />
...
</appSettings>
...
<system.web>
...
<authentication mode="Windows" />
...
</system.web>
My projects folder is on a network drive, and I'm running Windows 8.1. If I create a brand new web site in Visual Studio 2013 that consists entirely of a single static file, test.js, and launch it using the IIS Express 8.5 that came with visual studio, I am able to view the contents of that file in my browser.
But, if I then go into Web.Config and turn on Windows Authentication using the code below, that same path now becomes a 404.0 error.
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false"/>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
If, however, I follow this same procedure on a local path, it works just fine. It also works if I open the site in Visual Studio 2010 and run it with the ASP.NET Development Server.
Since it is Windows 8, which prevents other users (and by extension anything running as Administrator) from seeing my network drives, one possibility that occurred to me was that IIS might elevate itself when I turn on Windows Auth, but according to the task manager the IIS worker process is still running as me.
So far, I have tried:
Switching to a "Classic" app pool so that I can turn on on <identity impersonate="true"/>. (had no effect)
Changing the physicalPath of the <virtualDirectory/> to the UNC path of the share. (changes the error to 401.3, not authorized)
Giving Everyone full control of the folder on the file server. (had no effect)
Changing the default <processModel /> so the app pools run as me. (no effect)
One thing that has worked is giving "Everyone" access to the share itself, but for obvious security reasons I can't leave it like that. This also only solves the problem with physicalPath set to the UNC path (which Visual Studio likes to overwrite).
How can I get Windows Authentication to work on IIS Express without it trying to access my networked files as a different user?
Is your computer a member of a domain? Perhaps it's your browser set to autologin using windows credentials for all intranet sites. You can turn this off in Internet explorer and force it to prompt for the user id and password. In internet explorer go to tools, internet options, security, click Local Intranet, then click the Custom Level button at the bottom. Scroll all the way to the bottom of the settings list and change the Logon option from Automatic Logon to Prompt for user name and password. Then it should prompt for login the next time you go, and login using an account you know has access.
Windows authentication works good when I host my ASP.NET MVC project on IIS. But if I run it from Visual Studio - it doesn't.
Here is my Web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
Am I missing something?
If you are hosting in IIS Express (which you probably should), make sure you have enabled Windows Authentication in the properties of your Web Application.
By the way if you create a new ASP.NET MVC 4 application in Visual Studio using the Intranet Application template you will be greeted with the following Readme on the screen. So go ahead, try it, read it and follow what's written there:
To use this template with Windows Azure authentication, refer to
http://go.microsoft.com/fwlink/?LinkID=267940.
Otherwise, to use this template with Windows authentication, refer to
the instructions below:
Hosting on IIS Express:
Click on your project in the Solution Explorer to select the project.
If the Properties pane is not open, open it (F4).
In the Properties pane for your project:
a) Set "Anonymous Authentication" to "Disabled".
b) Set "Windows Authentication" to
"Enabled".
Hosting on IIS 7 or later:
Open IIS Manager and navigate to your website.
In Features View, double-click Authentication.
On the Authentication page, select Windows authentication. If Windows authentication is not an option, you'll need to make sure
Windows authentication is installed on the server.
To enable Windows authentication on Windows:
a) In Control Panel open "Programs and Features".
b) Select "Turn Windows features on or off".
c) Navigate to Internet Information Services > World Wide Web Services > Security and make sure the Windows authentication node is checked.
To enable Windows authentication on Windows Server:
a) In Server Manager, select Web Server (IIS) and click Add Role Services.
b) Navigate to Web Server > Security and make sure the Windows authentication node is checked.
In the Actions pane, click Enable to use Windows authentication.
On the Authentication page, select Anonymous authentication.
In the Actions pane, click Disable to disable anonymous authentication.
I couldn't quite get the #Darin Dimitrov solution to work (mainly as I couldn't find the IIS Express setting described in Visual Studio!).
I found I had to edit the IIS Express application.config file:
in Visual Studio 2013 this is in %userprofile%\documents\iisexpress\config
in Visual Studio 2015 this is in the config folder in the hidden .vs folder in the solution (just add \.vs\config in Windows explorer to get there).
and amend:
<windowsAuthentication enabled="false">
to:
<windowsAuthentication enabled="true">
I know this is late to the game on this question but for Visual Studio 2019 it changed slightly. So if you find yourself sorting through this for that solution in debugger:
From : Microsoft Documentation
And taken from that page, which did work for me:
Existing project
The project's properties enable Windows Authentication and disable Anonymous Authentication:
Right-click the project in Solution Explorer and select Properties.
Select the Debug tab.
Clear the checkbox for Enable Anonymous Authentication.
Select the checkbox for Enable Windows Authentication.
Save and close the property page.
I've been trying to resolve this question for a couple weeks now via Google and reading SO, and not had much luck, so I thought I'd finally try asking myself.
I'm setting up a very, very simple ASP.NET site on our intranet to generate some information for internal users. I'm using Windows authentication, rather than anonymous access, because based on what user hits the site I will be generating different information.
Long story short, this works perfectly in testing on my local Windows 7 machine where I developed the application. However, from the Windows 2008 R2 server where I want it to reside, when I hit the site I get a pop-up asking for my credentials, and even if I enter them it asks me for them again and again. This happens regardless if I'm hitting the site remotely or locally. If I try using anonymous access I can reach the site both ways but as I cannot identify the user I cannot generate the information I would like to provide.
Notes:
In IIS, I have Windows Authentication and ASP.NET Impersonation
enabled for the site. Everything else is disabled.
For the sake of figuring it out, I currently have the web.config set to allow all users and am not denying any.
The host/URL I'm using for it is toolName.organization.local
I was concerned that it was an issue of the 2008 R2 server admin user residing in a different domain then my remote user that I was testing with but again it does not work locally either.
In the AppHost file, I currently have windowsAuthentication enabled.
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
Admittedly, I typically use forms authentication on this server for all of our other internal sites so I'm a bit new to windows authentication and this issue. At this point I'm just not sure what to try or check next, so any advice would be helpful. Thanks.
I know this is a slightly old topic, but I had this exact same problem. Turns out I had the AppPool using Identity: ApplicationPoolIdentity instead of NetworkService. Once I switched that (under Advanced Settings in IIS7.5) I no longer got the server prompting for additional credentials and the pass-through worked perfectly.
Hope that helps!
First, you should realize that Windows passthrough authentication only works with Internet Explorer, and then only if the site is in the trusted sites, or intranet sites security group. Firefox, Chrome, etc.. will always prompt for credentials.
Having said that, you have a couple of issues.
You should have an <authentication mode="Windows" /> element in your web.config
You should decide if you want the app to run in the context of the user, in which case you would also need an <identity impersonate="true"/> tag. If not it should be false (although this is the default).
You do not need to have any authorization rules in your web.config if the site itself is completely guarded by windows authentication.
Just in case it's helpful, the problem for me was that I had left my application pool in Classic mode, in order to try to use NTFS permissions. I never got that to work, but once I switched it back to Integrated mode, I could use <allow> and <deny> tags to configure specific users' access.
I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use imporsonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.