Windows authentication inconsistencies with "LOGON_USER" server variable - asp.net

Another developer and I are both working on the same ASP.NET web app. The application uses Forms authentication, but the IIS virtual directory is configured with both "anonymous access" and "integrated Windows authentication". This mirrors the production site which authenticates as required.
A potentially key difference between our two setups is that he is on Windows 7 and IIS 7, whereas I'm on Windows XP and IIS 5 (for my sins).
Initially when we both run the app, the variable... HttpContext.Current.User.Identity.IsAuthenticated ...is false. This I'd expect because we're configured with Forms authentication. The app then redirects to a WindowsAuth.aspx page. That page checks the Request.ServerVariables["LOGON_USER"] server variable and, if this isn't null or empty, uses it to automatically sign in.
The issue is, on my PC Request.ServerVariables["LOGON_USER"] is always empty. To me this is correct since we have anonymous access enabled. But on my colleague's PC, and in production, the variable holds the user's username. I cannot understand why this is. Is there a difference between IIS 5 and 7 in this regard? Otherwise, can you explain this? Obviously I want my setup to reflect other environments but upgrading to Windows 7 is a last resort at this point.

https://support.microsoft.com/en-us/kb/306359
To populate the LOGON_USER variable when you use any authentication mode other than None, you can deny access to the Anonymous user in the <authorization> section of the Web.config file. To deny access to the Anonymous user in the <authorization> section, follow these steps:
Change the authentication mode in the Web.config file to anything other than None. For example, the following entry in the Web.config file sets the authentication mode to Forms-based authentication:
<authentication mode="Forms" />
To deny access to the Anonymous user in the Web.config file, use the following syntax:
<authorization>
<deny users = "?" /> <!-- This denies access to the Anonymous user -->
<allow users ="*" /> <!-- This allows access to all users -->
</authorization>
If you are using Windows authentication, you can also use the following steps to resolve this problem:
Change the authentication mode in the Web.config file to Windows as follows:
<authentication mode="Windows" />
In the Internet Services Manager, right-click the .aspx file or the Web Project folder, and then click Properties.
If you clicked Properties for the Web Project folder, click the Directory Security tab. If you clicked Properties for the .aspx file, click the File Security tab.
Under Anonymous Access and authentication control, click Edit.
In the Authentication methods dialog box, clear the Anonymous Access check box, and then select either the Basic, the Digest or the Integrated (NT Challenge/Response) check box.
Click OK to close both dialog boxes.

Related

Debugging an ASP.NET site with Windows Authentication using different users

I'm working on an ASP.NET MVC intranet site that uses Windows authentication. My web.config is set up with:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
Access to some parts of the site is also restricted using roles.
My main account is given the site administrator role, meaning that I have access to everything. This is fine for normal testing, but there are certain parts of the site that have more complex restrictions (e.g. user has role administrator or (user has role X and user is assigned to a group Y in the database)).
I've tried running the site through Visual Studio, then opening another web browser as a different user, and when I access the site it pops up a Windows authentication box but it won't accept any other logins - only when I enter my main account will it allow access. Roles don't have any effect on this, even when I add my second account as a site administrator it's denied access using this method.
If you think this is a duplicate of Testing intranet site that uses Windows authentication you didn't read the previous paragraph.
What am I doing wrong here? Is there some other method to test using multiple users?
Create a Virtual PC and attach it to your network, then log in as various users and test your site on there. I had the same issue and this did the trick.
Virtual PC download here - https://www.microsoft.com/en-us/download/details.aspx?id=3702
I eventually stumbled on the answer to this. The second user account that you want to test with needs to be given permissions to read the directories where the Visual Studio project is stored. Once that's done, running another browser instance with a different account works fine.

Setup windows authentication for ASP.NET using local workgroups?

I have a requirement to build Windows authentication for our web applications. We plan to create local work groups (on Windows 2008 Server) to manage users instead of Active Directory. Our reason: it takes months to create groups and move users via AD (and our client would prefer we go this route). Is it possible to set up Windows authentication for an ASP.NET application and validate the user credentials against the local workgroups? Keep in mind we would try to match their login names to our local workgroups.
You can use AspNetWindowsTokenRoleProvider. This makes ASP.net use the Windows Local groups.
In your web config do something like this.
<!--
  The <authentication> section enables configuration
  of the security authentication mode used by
  ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
</authorization>
<roleManager enabled="true"
  defaultProvider="AspNetWindowsTokenRoleProvider"/>
Then in your aspx you can check if the user exists in a role. I placed this in my master page.
' Redirect anyone who is not in the local "Managers" group
If Not Roles.IsUserInRole(HttpContext.Current.User.Identity.Name, "Managers") Then
    'label1.Text = "You are not authorized to view user roles."
    Response.Redirect(Request.ApplicationPath & "/logout.html")
End If
You can read more from this Link from Microsoft http://msdn.microsoft.com/en-us/library/ff647401.aspx
under Using WindowsTokenRoleProvider

Windows authentication for intranet site pages

I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use impersonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UPDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.

IIS 6 Windows Authentication Issue

The issue is I can't view the page using Windows Authentication.
These are my steps.
I created a website in my server Windows Server 2003 IIS 6 with .Net Framework 2.
Then Inside the root folder, I created a folder. Let's call it "FolderA".
In "FolderA", I created a page. Let's call it "fileA.aspx".
The website is running fine. As I turn on the Anonymous Access.
But for "fileA.aspx", I need to turn on Windows Authentication coz I don't want everyone to go in and view that page.
So, I select "FolderA", go to Properties,
So, I turn off the Anonymous Access and make sure Windows Authentication is turned on.
Then I browse from my PC. It prompted me with the Login Dialog Box.
I key in my credentials I used to log in for the server and I can access the page.
That is working fine.
However, when I view it from the server itself, it prompted me with the Login Dialog Box.
But when I key in my credentials, it is saying "Access Denied".
I even tried using Administrator credentials.
It is still access denied.
Is there any setting to set or anything to change in web.config?
http://support.microsoft.com/kb/896861
Review event logs on the server to see if you happen to hit this.
Did you allow authenticated users and deny not authenticated users?
<authorization>
<!-- Rules are evaluated top-down and the first match wins, so deny anonymous first -->
<deny users="?"/>
<allow users="*"/>
</authorization>
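ASP.NET URL authorization walks the <allow>/<deny> rules top-down and applies the first one that matches, with the machine-level default <allow users="*"/> coming after the application's own rules, so whether anonymous requests are refused (and LOGON_USER gets populated) depends on rule order. The following Python audit is an added example, not code from any of the posts; the sample configs, function names and the CORP\alice account are constructed for illustration, and it models only the users attribute (no roles, verbs or <location> elements).

```python
import xml.etree.ElementTree as ET

# The machine-level default rule is evaluated after the application's own rules.
INHERITED_DEFAULT = [("allow", "*")]

def load_rules(web_config_xml):
    """Return [(action, users), ...] from <system.web><authorization>, in document order."""
    root = ET.fromstring(web_config_xml)
    section = root.find("./system.web/authorization")
    rules = []
    if section is not None:
        for el in section:
            if el.tag in ("allow", "deny") and el.get("users"):
                rules.append((el.tag, el.get("users")))
    return rules

def matches(pattern, user):
    """user is None for an anonymous request, otherwise the account name."""
    for item in (p.strip() for p in pattern.split(",")):
        if item == "*":                       # everyone, anonymous included
            return True
        if item == "?" and user is None:      # anonymous only
            return True
        if user is not None and item.lower() == user.lower():
            return True
    return False

def is_allowed(rules, user):
    """First matching rule wins, top to bottom."""
    for action, pattern in rules + INHERITED_DEFAULT:
        if matches(pattern, user):
            return action == "allow"
    return False

def audit(web_config_xml):
    """Report whether anonymous and authenticated requests get through."""
    rules = load_rules(web_config_xml)
    return {"anonymous": is_allowed(rules, None),
            "authenticated": is_allowed(rules, r"CORP\alice")}  # constructed account

# Constructed sample configs: same two rules, opposite order.
DENY_FIRST = """<configuration><system.web><authorization>
  <deny users="?" /><allow users="*" />
</authorization></system.web></configuration>"""
ALLOW_FIRST = """<configuration><system.web><authorization>
  <allow users="*" /><deny users="?" />
</authorization></system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name, audit(cfg))
```

With the allow rule first, the deny rule is never reached and anonymous requests are let through, which is the condition under which LOGON_USER stays empty.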

anonymous access disabled but

My web app (asp VB 2005) uses Windows authentication. If the user isn't part of a specific AD security group they don't get to edit the data; instead I redirect the user to a read-only page.
The program works fine in the IDE.
I published the web app to my laptop and Disabled anonymous access. When I ran the program I got redirected to the read-only page. I added a write event to the application event log to see what was going on, and found that the WindowsPrincipal.Identity.Name contained my laptop's ID, not my user name.
I reassert: anonymous access is disabled in IIS and the web.config file has Windows Authentication.
Can anyone suggest what else to check? Or can you explain what's going on?
You probably need to set <identity impersonate="true" /> in your web.config:
<configuration>
  <system.web>
    <!-- Run request code under the identity that IIS authenticated -->
    <identity impersonate="true" />
  </system.web>
</configuration>
See http://msdn.microsoft.com/en-us/library/72wdk8cc.aspx for more details.
