I have a web application that allows the users to access the pages if their Windows login name to the domain is in the web config's app settings.
For example:
Logged on username: SampleDomain\SampleUser
on Web.config:
<appSettings>
<add key=AuthorizedUsers value="SampleUser,SampleBooger" />
</appSettings>
<authentication mode="Windows"/>
*successful scenario: SampleUser should be able to browse the website.
I was able to do it successfully during development (locally on my machine), but when I deployed it to a server then I try to browse it from my local machine, the Windows login that it gets is NT AUTHORITY\NETWORK SERVICE so it redirects to my customized error page. I, SampleUser, am in the AuthorizedUsers. I should be able to browse it.
Please help me.
Thank you very much.
You need to use ASP.NET impersonation feature.
When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
Such behavior can be configured in web config using the following code:
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
More info: http://msdn.microsoft.com/en-us/library/xh507fc5%28v=vs.100%29.aspx
Related
I have requirement to build windows authentication for our web applications. We plan to created local work groups (on Windows 2008 Server) to manage users instead of Active Directory. Our reason, it takes months to create groups and move users via AD (and our client would prefer we go this route). Is it possible to setup windows authentication for an asp.net application and validate the user credentials against the local workgroups? Keep in mind we would try to match their login names to our local workgroups.
You can use AspNetWindowsTokenRoleProvider. This makes ASP.net use the Windows Local groups.
In your web config do something like this.
<authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
--> <authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
</authorization>
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider"/>
then in your aspx you can check if user exists in role. I placed this in my master page.
If Not Roles.IsUserInRole(Context.Current.User.identity.name, "Managers") Then
'label1.Text = "You are not authorized to view user roles."
Response.Redirect(Request.ApplicationPath & "\logout.html")
end if
You can read more from this Link from Microsoft http://msdn.microsoft.com/en-us/library/ff647401.aspx
under Using WindowsTokenRoleProvider
I am trying to setup an asp.net website in localhost. Fitst, I enabled IIS server and created website in
C:\inetpub\wwwroot folder and ran to ensure IIS is properly setup. In this case I used a existing website I created from visualstudio IDE. Everything was perfect. In this case I heavily used the following article.
http://forums.asp.net/t/1689133.aspx
Now the problem is I have a web site I downloaded from a remoteserver and I want to host it in localhost.
When I compare the site I downloaded and the working site, I noticed that some files are missing. Howevere, the site in remote sever is working properly.
I didnt see a bin folder and there is no much information on web.config file.
Here is the code in web.config file
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
When I try to do the same process I did for the previous website and tried the browser then I get following erro.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
Where is the error ? How to fix this issue? If you want more information let me know?
I would suggest you to first allow all users in WebConfig
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
EDIT : As Mentionned by David Thompson, this is highly insecure. Use this only to unblock your test sample code scenario. Never in Production, please.
This is an old question but the answer is seriously insecure, you should add and enable the authentication provider that you require rather than giving anyone authorization.
To add the provider:
https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication/providers/add
To enable the method:
Open the IIS Management Console on the web server
Expand the Sites folder
Double-Click the IIS - Authentication option
Under Authentication, select the Anonymous Authentication and click 'Disable' in the Actions pane on the right
For Windows Authentication: Select the Windows Authentication and click 'Enable' in the Actions pane on the right
For Basic Authentication: Select the Basic Authentication and click 'Enable' in the Actions pane on the right
What solved this for my was enabling 32-bit applications in the app pool's advanced settings.
Open IIS
Expand server and click Application Pools in the Connections pane
Select your application pool and click Advanced Settings...
Under General switch Enable 32-Bit Applications to True
I would like to get some help in my strange issues,
I have an ASP.Net 2.0 application with VB.NET Code behind,
I set up my application to enable only Win authentication
So in IIS all disabled except Windows auth,
In My Web.Config i have the following under system.web:
The Web.Config contains the following :
authentication mode="Windows"
authorization>
deny users="?"/>
/authorization>
identity impersonate="false"/>
Now some users when they enter to my ASP application they get prompted for user name and password , then they logged in successfully,
some users the application fails on Page.User.Identity.Name
and return Object Reference Error,
Im using VS2010 and ASP.NET 2.0 frameword 2.0 and IIS 7 under Win 2k8 R2 latest SP's installed.
All users are Domain users.
Thank you,
Can you access the username by HttpContext.Current.User.Identity.Name? You can also check if authentication was successful, and what method of auth was used.
Windows authentication uses kerberos by default in iis I believe, which may not work for a lot of reasons (I think there are problems in Firefox for example ), when this fails, it is falling back to ntlm. Try removing the negotiate authentication provider and use just ntlm. If this works, you will have the fun of diagnosing kerberos problems :-)
Trogvara,
Thank you for your posting ,
I'm new to the site and tried to formatted but it did what we see now,
the Web config setting is :
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<authorization/>
<identity impersonate="false"/>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
Hope that clears the setting in Web.config
Thank you,
I'm trying to enable passthrough or impersonation authentication inside an ASP.NET website that uses the TFS2010 API.
I've got this working correctly with Cassini, however with IIS 7.5 (Windows 7) something is going wrong.
I found this blog post on the subject, and tried the following:
private static void Test()
{
TfsTeamProjectCollection baseUserTpcConnection =
new TfsTeamProjectCollection(new Uri(Settings.TfsServer));
// Fails as 'baseUserTpcConnection' isn't authenticated
IIdentityManagementService ims =
baseUserTpcConnection.GetService<IIdentityManagementService>();
// Read out the identity of the user we want to impersonate
TeamFoundationIdentity identity = ims.ReadIdentity(
IdentitySearchFactor.AccountName,
HttpContext.Current.User.Identity.Name,
MembershipQuery.None,
ReadIdentityOptions.None);
TfsTeamProjectCollection impersonatedTpcConnection = new
TfsTeamProjectCollection(new Uri(Settings.TfsServer),
identity.Descriptor);
}
When I use Cassini nothing is needed besides
collection = new TfsTeamProjectCollection(new Uri(server));
I have enabled the web.config settings (and have the Windows Auth module installed):
<authentication mode="Windows"/>
<identity impersonate="true" />
Is there something obvious that I've missed out?
Solution 1
This is the delegation method. As Paul points out it's a single setting in your active directory:
Find the IIS server in the computers node of the "Active Directory users and Computers" console.
Click on the delegation tab, and select the second option:
Create a 'Cache' directory in your IIS root folder
Add the following to your web.config:
<appSettings>
<add key="WorkItemTrackingCacheRoot" value="C:\path-to-web-root\Cache\"/>
</appSettings>
Make sure your web.config contains:
<system.web>
<identity impersonate="true" />
</system.web>
Turn on Windows authentication and impersatonation and disable everything else in IIS authentication:
Solution 2
Another solution to avoid the steps above is to simply run your application under the TFS:8080 site, as a new application. The hop issue is then removed as you are running in the same context as the web service that your app is calling.
Create a new app pool, use network identity.
Make sure your application has anonymous authentication turned off
Make sure it has windows authentication turned on.
Add <identity impersonate="true" /> to the web config.
I wonder if you're hitting the old Double-Hop issue here?
I hope this is not to paradoxal, but I don't know how this should be done...
I have a VS2008 ASP.NET MVC Project with the following Web.Config entry:
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
This makes the visitor logon automatically with their DOMAIN\username login which they used to logon to Windows. (Right?)
This works with my development server (http://localhost:xxxx), but not with my IIS server (http://localhost). Probably because the development server is 'started' by my local user (which has ActiveDirectory read-rights on the domain) and because IIS is 'started' by the IUSR_WORKSTATION user which does not. (Right?)
If all of the above is true, how can I impersonate the IIS user (for instance to my own username) to solely authenticate the current user with the Windows login name? (like the example below)?
Or should the IUSR_WORKSTATION user be granted ActiveDirectory? read-rights (not preferred as I will be switching servers / IUSR_ users a lot)
<identity impersonate="true" userName="DOMAIN\myuser" password="mypass"/>
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
<identity impersonate="false"/>
Windows authentication is poorly named (IMO). It's not using Windows as the authentication, but rather it delegates the authentication process to IIS. So you need to configure IIS's authentication, which then flows down to ASP.NET
How you do this depends on your version of IIS, in IIS7 expand out the tree and click your web site, then click Authentication and enable Windows Authentication