I had to relocate to another office due to weather-related issues. In our old office, when we started an IIS application using Windows authentication the application would pull your Windows info and immediately sign in using your credentials. At our new location I have the same app and same settings, or so I thought, and when a user starts the application a Windows username/pass box opens. The correct information is stored there and the user can just hit enter and move on, but I was wondering why it doesn't just auto-log in like at my other location? Does something need to be set in web.config?
The cached credentials on Windows will impact this. If the IP changes or machine name changes, you can easily fix it by going into Credential Manager in the control panel and deleting the old ones, then when you tell it to save credentials next time, it takes you right in.
https://security.stackexchange.com/questions/15574/how-do-i-clear-cached-credentials-from-my-windows-profile
Related
I have a windows forms based web application written on VB.NET and currently being used by a large number of users.
I am currently facing an issue where the application is being authenticated with another user account instead of authenticating with the current user using the application.
I am using User.Identity.Name for user authentication and have only Windows Authentication enabled.
Other Details
The application is hosted in IIS on a windows 7 server machine from where it is accessible to everyone.
Strange thing is that the issue occurs only for 2 users and works fine for everyone else. Also it occurs only when using the hosted application (production url).
Also there is no default scenario set such as in case a user is not found, then a default user has to be filled in.
Observations
On debugging the application using the actual code on their local machines, their respective user ids are fetched as expected.
Issue occurs in
Chrome regular mode
Chrome incognito mode
Firefox regular mode
Issue doesn't occur in
Firefox private mode
So I do not have a clue how to proceed here and what might be the root cause for the issue. Can anyone provide me some ideas to find the root cause of the issue and also a way to resolve it?
What I have tried:
I have made sure both Anonymous and Form Based modes of authentication are disabled.
Identity Impersonation is set to False.
I have also made sure there are no credentials set for the website in Credentials Manager.
I have also tried clearing browsing data including cache and other cookies.
Make sure you are not setting the authentication method etc. in your code behind; you'll want to set that in your web.config. Make sure one is not overwriting the other (set in 2 places). Also, to get the user name you could grab it from server variables; see what this returns:
string user = Request.ServerVariables["LOGON_USER"].ToString();
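An added diagnostic (not part of the original answer or the asker's application) that puts the `LOGON_USER` value suggested above next to `User.Identity.Name`, the IIS authentication type and the worker-process identity, so the two affected users' output can be compared with a working user's. The class name `WhoAmI` and its registration as an HTTP handler are assumptions.

```csharp
// Added example: troubleshooting handler for Windows-authenticated IIS apps.
// "WhoAmI" is a hypothetical name; remove the handler once the issue is found.
using System.Security.Principal;
using System.Text;
using System.Web;

public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest req = context.Request;
        IIdentity user = context.User != null ? context.User.Identity : null;
        StringBuilder sb = new StringBuilder();

        // What ASP.NET hands to the application (the value behind User.Identity.Name).
        sb.AppendLine("User.Identity.Name     : " + (user != null ? user.Name : "(none)"));
        sb.AppendLine("AuthenticationType     : " + (user != null ? user.AuthenticationType : "(none)"));
        sb.AppendLine("IsAuthenticated        : " + (user != null && user.IsAuthenticated));

        // What IIS recorded for this request. An empty LOGON_USER means the
        // request was served anonymously, whatever the application expects.
        foreach (string key in new[] { "AUTH_TYPE", "LOGON_USER", "AUTH_USER", "REMOTE_USER" })
        {
            sb.AppendLine(key.PadRight(23) + ": " + (req.ServerVariables[key] ?? "(null)"));
        }

        // Account the worker process runs as: the application pool identity
        // when impersonation is off, the caller when it is on.
        sb.AppendLine("Process identity       : " + WindowsIdentity.GetCurrent().Name);

        // Keep browsers and proxies from replaying one user's answer to another.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.ContentType = "text/plain";
        context.Response.Write(sb.ToString());
    }
}
```

If the name shown here differs from the account the user is logged on to Windows with, the browser is sending different credentials; if it matches but the application shows another user, the mismatch is inside the application.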
This question: IIS application pool access to remote directory on network asks how to allow IIS to have the ability to access a file on a network drive. The answer is to set up a user with the appropriate rights and set the application pool identity to that user. We've done that and when we restart the app pool we get a 503 error on our web app.
It appears that the app isn't actually starting.
Here are more details which may help you analyze the problem:
This is Windows Server 2008 R2, IIS 7
Our username is abc123\_svc_OSAT (Domain name isn't actually abc123 but I need to obscure it rather than risk publishing internal company information)
As abc123\_svc_OSAT I can map a drive to \\FPIAPPS01\Logs which is a directory on a network server so we know that this user has network access.
In IIS we click on our app pool, select Advanced Settings, select Identity, select the .. button, select "Custom Account" and set it to the user abc123\_svc_OSAT and use the proper password. We then stop and start that application pool.
When looking at the app in a browser we get a 503 error. Checking the logs at C:\inetpub\logs\LogFiles\W3SVC1 we don't see any error. However, the application appears not to have actually started.
Does abc123_svc_OSAT need a specific permission which we may be missing?
Is there any other place with a log file which we should look to get a better idea of what is causing the problem?
Thank you.
Does abc123_svc_OSAT have access to the directory that hosts your ASPX files? The log files you are looking at are only for logging access to your website. You will want to check the event viewer to see the actual IIS error.
We ended up making the user an administrator and that worked. That's probably too broad for sufficient security rights. We'll keep looking. But it does show that the issue was somehow related to user roles rather than a password issue.
Details:
ASP.NET webforms
.NET 4.0
Windows Authentication
IIS 6
Windows Server 2003 SP2
Only one user is having an issue connecting to this one virtual directory. He says he sees this login form in IE, Chrome, and Firefox. He uses his Windows credentials and is unable to login. He is able to access other websites hosted in other virtual directories on the same domain. No others are experiencing this issue. He says he was able to access the site just fine a few weeks ago. What could be causing this dialog box to appear for just this user for just this site no matter what browser he's using?
Since it's all of the user's web browsers, this points to something with the user's permissions on the server for that particular website.
If it worked before as the user states, perhaps you can ask your server admins if anything was changed regarding user permissions on the server a few weeks ago.
Another path to go down would be to see if the user (or desktop admins) has installed any software on his/her machine that would disallow or alter Windows authentication in the browser for this site. This is far more unlikely than a simple user permissions issue on the server since he/she can still access other protected websites with Windows authentication, but it might be worth asking about if you've run out of options.
Yet another unlikely possibility would be a rule change on the user's network's firewall that would somehow disallow this user's IP address and Windows authentication to this website. Again, super unlikely, but I wanted to cover the bases here.
I have a web application on a public facing web site that requires a username and password to log into. Users log in from locations in many different countries and depending on their login location different settings are applied.
Certain users have asked for integration from this web application to another running on the same machine as they are using. They require an XML file to be saved down to a specific folder whenever a transaction occurs on the web application. They don't want the user to have to click any button or have a save dialog appear.
Obviously this is not possible using normal browser functionality for security reasons. What I want to know is this: is it possible to write some application or service that runs on those users' computers that could somehow take the transaction information from the browser and generate the file? I can modify the web application to know when it needs to do this so there can be work on both ends.
One way of doing this that I was thinking of was to have a web service running locally on all PCs where this is required, and the application will call this service when required (e.g. a localhost url that would be set up on all required PCs). Has anybody any other suggestions?
I’m not an expert on programming but I don’t think that would be possible. It would create a security risk and if it were possible then anyone could have it download a virus to your computer.
This application is using windows integrated authentication in IIS. No anonymous login.
It's also using an application pool defined to log on with a domain user.
If I try to browse any page, it pops up the username and password dialog box and even though I entered a valid user (including the domain administrator) it doesn't log on into the app. I keep getting the username/password dialog. If I log on locally (in the IIS box), it works OK.
Also, if I change the application pool to use Network Services, it works OK.
The domain user is already a member of the local IIS_WPG group in the IIS box.
Am I missing something here?
If you use a domain account for the Application Pool you have to run a series of scripts on the domain controller. So, apparently it's not recommended to use a domain account, rather a local server account. Microsoft has this issue documented on a case:
http://support.microsoft.com/default.aspx/kb/871179
I suspect the NTFS file permissions on the .aspx files don't allow the users you are logging in as the needed access to read/execute them. What are the file permissions on the files you are trying to view? What do your authorization and authentication elements in web.config look like?
This sounds like it's related to the privileges assigned to the domain user, i.e. whether they, or indeed the server, are permitted to impersonate the user that is logging in. Or, something regarding "Trusted for delegation" in the server's settings in AD. Either way, you'll probably get a better response on serverfault =)
Try entering the same user of the appPool as the anonymous user (Web Site Security tab)
I had the same user/pwd Popup problem in Svr 2003.
I solved it by CHECKING ANONYMOUS ACCESS in directory security of DEFAULT WEB SITE.
It prompts you if you want to also affect your sites; you click OK.
That did it.