I have encountered with a very peculiar for me thing. I started developing a Web site in Visual Studio 2010 and finished in 2012. It is VB.NET, framework 4.0. Throughout the Web site I use Request.ServerVariables("LOGON_USER"). Everything works as it should.
I recently started developing another Web site using 2012 from the beginning. What happens is Request.ServerVariables("LOGON_USER") does not return any value! It is simply empty! However, if I open this same application with Visual Studio 2010, it works!
Can anyone explain what is going on here and how do I fix it in VS2012? Thank you!
This problem occurs because the authentication-related variables in the ServerVariables collection are not populated if you use Anonymous Access security to access the .aspx page. This problem can also occur if you give the Anonymous user access in the section of the Web.config file.
To populate the LOGON_USER variable when you use any authentication mode other than None, you can deny access to the Anonymous user in the section of the web.config.
Just change the authentication mode in the Web.config file to anything other than None. For example, the following entry in the Web.config file sets the authentication mode to Forms-based authentication:
<authentication mode="Forms" />
<!-- To deny access to the Anonymous user in the Web.config file, use the following syntax: --!>
<authorization>
<deny users = "?" /> <!-- This denies access to the Anonymous/unregistered user -->
<allow users ="*" /> <!-- This allows access to all registered users -->
</authorization>
I'm not sure why this is different between VS 2010 & 2012, but this has happened to me before, and I used the above steps to remedy it. So as I said, just check your web.config file!
Hope this answers your question!
Related
We created a Web Site in our IIS that points to a folder with several simple HTML pages. The application pool is set to asp.net v4.0.
Only certain users can view these html pages, but everyone that logs on to the company's intranet can view them. I want to implement authorization rules, but the icon to add them is not displayed in IIS manager, even though Management Services is installed according to this MSDN link.
Is it possible to add these authorization rules without doing it through the IIS Manager? I know it wan be done by adding several keys to web.config, but what happens if web.config doesn't exist? This website doesn't have anything related to asp.net.
The server is running Windows Server 2008 and IIS 7.
Wanted to add that I created a web.config for this particular folder that is supposed to block everyone, but nothing changed:
<configuration>
<system.web>
<authorization>
<deny users="*"/> // deny everyone else
</authorization>
</system.web>
</configuration>
I have a simple ASP.Net page with VB code running on WIN7 Enterprise VM with IIS 7.5 on which I need to get the visitors domain username on load and store it in a string variable.
The page is hosted internally on our domain and IIS is setup to authenticate anonymously.
I am getting the username with the following code: Environment.Username but of course it always says that the logged on user is IUSR
I installed the Windows Authentication component for IIS but don't know how to get it to work properly. I only started with ASP and IIS last month so I am very new to this. I only want this to apply to a specific folder so I selected it and enabled Windows Authentication, set it NTLM, and disabled Anonymous + ASP Impersenation. That didnt work. I think I tried every combination possible and all I am getting is either error 500, 404 because it tries to redirect to some login page which doesnt exist and sometimes I would get a username/password prompt but even then it wont accept anything
I dont want to prompt users, I just want to pass their existing logon info and open the page. Can someone please tell me how to set this up. I spent all day looking at hundreds of forums and sites and could not get it to work.
I also added the following to the web.config file:
<Identify impersonate="true" />
Thanks
Make sure you specify authorized users in web.config:
<authentication mode="Windows" />
<authorization>
<allow roles="mydomain\someADgroup"/>
<allow users="mydomain\somuser"/>
<allow users="*" /> <!-- if you want it open to anybody, as long as they are authenticated-- on the domain!>
</authorization>
I am using HttpContext.Current.User.Identity.Name to get the user name when the web application is in use. During development I was using my local iis, with integrated windows authentication enabled and anonymous access enabled and disabled, and I was able to get the username.
Now, when I publish the web application, it comes back blank. The setup on the published server is the same, and I have tried using Page.User.Identity.Name, which also returned blank.
Does anyone know why this is and how to fix it?
You probably had Anonymous Authentication on as well as Windows Authentication. Turn off Anonymous off.
So,
<system.web>
<authentication mode="Windows" />
</system.web>
In IIS config for the app,
look in Authentication tab
Set **Anonymous Authentication** to **Disabled** and
Set **Windows Authentication** to **Enabled**
This should work and the Identity.UserName should now show up properly.
HttpContext.Current.Request.LogonUserIdentity.Name always work for me in VS 2012 environment and IIS 7
To solve the problem, you have to enable the Windows Authentication feature. Follow the below steps:
-Click Start, and then click Control Panel. Open the Programs group.
-Under Programs and -Features, click Turn Windows Features on or off.
-Expand the item labeled Internet Information Services.
-Expand the item labeled World Wide Web Services.
-Expand the item Security ->
Make sure to select Windows Authentication
Also you need to disable Anonymous Authentication from the IIS as follows:
-Click on your application in IIS
-Double click Authentication under IIS group
-Click on Anonymous Authentication
-Click on Disable on the right side under Actions.
Hope this helps
When working with WIF you should use Thread.CurrentPrincipal.Identity.Name instead of User.Identity.Name.
Read more here: http://msdn.microsoft.com/en-us/magazine/ff872350.aspx to learn more about Windows Identity Foundation
Similar question: User.Identity.Name is null after authenticate via WIF
set <authentication mode="Forms"> in web.config file & Your Problem Will solve.
Test your web-site by using below code
if (Page.User.Identity.Name != "" )
{
Label1.Text = "Hello";
}
else
{
Response.Redirect("login.aspx?url=Upload.aspx");
}
This will not solve the original post, but want to put this here anyways in case others stumble across this when searching for why user.identity is returning nothing...
In my case User.Identity started returning nothing after updating a users ad username (specifically the pre-windows 2000 username).
The LSA cache on IIS was the issue. Even after restarting the IIS server while troubleshooting the issue persisted. It was not until adding the registry setting outlined here the the issue was fixed:
https://support.microsoft.com/en-us/help/946358/the-lsalookupsids-function-may-return-the-old-user-name-instead-of-the
For a blank return, my solution ended up being the web.config. I'm using Visual Studio 2010, and the default web.config did not work. I replaced it with a nearly empty web.config and then success! Perhaps the default vs2010 web.config called too many references or configured the IIS incorrectly for the use of User.Identity.Name. My system is Windows7.
Default asp.net web site web.config from vs2010 was about 100-115 lines long. As you can see below the nearly empty web.config is about 20 lines long.
the web.config that i used:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="Doman Name\Group Name" users="" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<add accessType="Allow" users="" roles="Doman Name\Group Name" />
</authorization>
</security>
</system.webServer>
</configuration>
In IIS: click on your Site.
In Home Page: Authentication.
In Action menu: Open Feature.
Disable Anonymous Authentication.
Restart Site.
steps 1,2,3
step 4
I'm developing a public web site in vs2010,
can I keep the authentication as windows authentication and just enable anon access
or should I leave it with the default forms authentication.
The site will NOT require any type of logging in mechanism...so really I dont see a point in forms authentication, but most users will not have windows authentication either.
So I am confused, in my asp.net web.config file what authentication do I use for a public website?
I also asked this question which is kind of related: developing site in vs2010 but changed to local IIS and prompts
But I am not having any luck with this :(. The site when using local IIS keeps prompting for a user name and password (See the stackoverflow question I posted above), ive checked the app pools, the security, and the permissions and it still prompts me for a user name and password. It prompts me about 10 times and if I keep cancelling out of it the page comes up but the images are not displayed nor is the CSS rendered. So it looks like it prompts for each image on the site, but all folders inherit from the parent and I've added Network, Network service, ASPNET user, the default app pool user...I dont know what else to do.
So two issues:
1) What do I specify in my web config for a public site
2) How do I get rid of this prompting!
Thanks
You don't need to specify specify any authentication. Just deploy it as is, with the Web.Config out of the box.
<authentication mode="None" />
Go here for more reading.
Because it is prompting you with a login dialog, try using an authorization element in your web.config file with any authentication you like. Use "*" to allow access to all users by default. Refer to this article for more detail.
<authorization>
<allow users="*" />
</authorization>
Your web.config file has two sections that control requests for login. These are
<authentication> ... </authentication>
and
<authorisation> --- </authorization>
Authorization controls who can access what, and Authentication determines how the credentials of a particular user are established to see if they have the correct authorization to access your site.
An example of their usage might be
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="login.aspx" timeout="40320" cookieless="UseCookies" slidingExpiration="true" />
</authentication>
which allows access to all users to the root of my applications and their credentials are determined using forms authentication.
Other parts of your site are allowed to have alternate authorization requirements through the use of a location tag in your web.config
However, neither section is required if no part of your site requires this functionality. However, you should be aware that there other places that this might be determined. There is a file called machine.config that determines the settings for the machine. Your web.config has priority over the machine.config, but if the authorization and authentication settings are made in the machine.config and not in you web.config then the machine.config wins.
Hope that helps. If you can post your web.config that might help us to point you in the right direction.
I'm working on a website built with pure HTML and CSS, and I need a way to restrict access to pages located within particular directories within the site. The solution I came up with was, of course, ASP.NET Forms Authorization. I created the default Visual Studio log in form and set up the users, roles, and access restrictions with Visual Studio's wizard. The problem is, I can't log in to the website with the credentials that I have set.
I'm using IIS 7.
I'd guess (since I don't have IIS7 handy ATM) that you'd need to turn off Anonomyous Auth, and enable Forms Auth in the IIS7 sections.
At what point did you insert your login/password? Did you have a look at the tables that where created? Althought your password must be encrypted, maybe it's worth just checking if your user was actually created.
At what point did you insert your login/password? Did you have a look at the tables that where created? Althought your password must be encrypted, maybe it's worth just checking if your user was actually created.
Forms Authentication does not require any form of user database.
Steve, can you please paste in your forms authentication web.config section, also any relevant code to the ASP.NET Login control you were using.
There is not enough information to troubleshoot here yet :)
The web.config section is pretty useless as far as I can tell:
<authentication mode="Forms" />
I looked in IIS 7, and in the Authentication section it says: Anonymous Authentication = Enabled, ASP.NET Impersonation = Disabled, Basic Authentication = Disabled, Forms Authentication = Disabled.
Also, I have made no changes to the code other than dragging a Login object onto the designer and changing the page it points at to index.html.
Currently, the log in fails by displaying the log in failed text.
EDIT: Earlier when I would try to navigate directly to a page that is restricted, I would receive a blue page saying that I had insufficient permissions. Now I can see the pages that are restricted without logging in even though I have anon access denied.
Steve,
I don't think the issue is with your IIS settings. Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
Try this in your web.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="~/login.aspx" defaultUrl="~/">
<credentials passwordFormat="Clear">
<user name="YourUsername" password="superSecret" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<system.web>
</configuration>
There are better ways to implement forms authentication than hardcoding a username and password into your web.config, but this should work for getting you started.