I've been trying to resolve this question for a couple weeks now via Google and reading SO, and not had much luck, so I thought I'd finally try asking myself.
I'm setting up a very, very simple ASP.NET site on our intranet to generate some information for internal users. I'm using Windows authentication, rather than anonymous access, because based on what user hits the site I will be generating different information.
Long story short, this works perfectly in testing on my local Windows 7 machine where I developed the application. However, from the Windows 2008 R2 server where I want it to reside, when I hit the site I get a pop-up asking for my credentials, and even if I enter them it asks me for them again and again. This happens regardless if I'm hitting the site remotely or locally. If I try using anonymous access I can reach the site both ways but as I cannot identify the user I cannot generate the information I would like to provide.
Notes:
In IIS, I have Windows Authentication and ASP.NET Impersonation enabled for the site. Everything else is disabled.
For the sake of figuring it out, I currently have the web.config set to allow all users and am not denying any.
The host/URL I'm using for it is toolName.organization.local
I was concerned that it was an issue of the 2008 R2 server admin user residing in a different domain than my remote user that I was testing with, but again it does not work locally either.
In the AppHost file, I currently have windowsAuthentication enabled.
<windowsAuthentication enabled="true">
  <providers>
    <add value="Negotiate" />
    <add value="NTLM" />
  </providers>
</windowsAuthentication>
Admittedly, I typically use forms authentication on this server for all of our other internal sites so I'm a bit new to windows authentication and this issue. At this point I'm just not sure what to try or check next, so any advice would be helpful. Thanks.
I know this is a slightly old topic, but I had this exact same problem. Turns out I had the AppPool using Identity: ApplicationPoolIdentity instead of NetworkService. Once I switched that (under Advanced Settings in IIS7.5) I no longer got the server prompting for additional credentials and the pass-through worked perfectly.
Hope that helps!
First, you should realize that Windows passthrough authentication only works with Internet Explorer, and then only if the site is in the trusted sites or intranet sites security group. Firefox, Chrome, etc. will always prompt for credentials.
Having said that, you have a couple of issues.
You should have an <authentication mode="Windows" /> element in your web.config
You should decide if you want the app to run in the context of the user, in which case you would also need an <identity impersonate="true"/> tag. If not it should be false (although this is the default).
You do not need to have any authorization rules in your web.config if the site itself is completely guarded by windows authentication.
Just in case it's helpful, the problem for me was that I had left my application pool in Classic mode, in order to try to use NTFS permissions. I never got that to work, but once I switched it back to Integrated mode, I could use <allow> and <deny> tags to configure specific users' access.
Related
We are creating an intranet site and want to use SSO. The problem is however, that Internet Explorer (11) keeps asking for credentials. By specifying the username and password we are able to access it. Then the intranet application can be used without a problem. When Internet Explorer is closed however it asks for credentials again. The problem occurs on the testing machine (running in a domain) and also on my laptop at home which I also use to develop on. I access the test server with Remote Desktop and then test the site on the same machine as it is running on, which is Windows 2012R2 running IIS 8.5.
On the test server the application (ASP.NET MVC with SignalR and WebAPI) is using a URL that will not be automatically recognized as an intranet site although it is in the same IP range. Therefore I have added the site explicitly to the intranet zone in the settings of IE.
When I then right click on the site and request the properties I can see it is in the intranet zone. This is for as far as I could find the solution in these situations but for us there is something else going on.
This is the system.web section of web.config:
<system.web>
  <compilation debug="true" targetFramework="4.5.1" />
  <httpRuntime targetFramework="4.5" />
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
In IIS I have tried enabling both Windows Authentication and Digest and also just one of those. The other authentication options are disabled, including Anonymous Authentication.
I also added the site to the trusted zone, which did not help. I also changed the zone settings (for intranet and trusted) to do "Automatic logon on with the current username and password" but that didn't help either (I don't understand the setting Automatic logon only in Intranet zone though, because it seems a zone-specific duplicate of the aforementioned setting, but ok). I also checked the advanced settings to be sure that Integrated Windows Security is enabled.
At the moment we're completely out of ideas.
Two more to your checklist:
make sure you have disabled anonymous authentication
make sure the domain controller is accessible from both the client PC and the IIS hosting the web app. Chances are the domain controller doesn't recognize the application server as coming from the same domain.
http://www.wiktorzychla.com/2012/06/iis-75-integrated-security-with-no.html
I have set Full control for "Domain Users" in the Security tab (NTFS permissions) of my application folder, which resolved the problem in IE 11, but Chrome is continuously asking for user name and password.
I have a very simple partial view in my header called AccountInfoPanel.
It only has one line:
Welcome: @HttpContext.Current.User.Identity.Name
And in my Web.Config I have
<authentication mode="Windows" />
But the identity name is always empty.
If I debug through VS 2012, and break on the index action, I see it is empty.
If I run it through IIS with Windows Authentication enabled and Anonymous Authentication disabled, I get a challenge.
So I try to plug in My account or a test1 and test2 account.
It comes back and says:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I also tried setting Impersonation to true and get the same response from the challenge.
Does anyone know how to set this up?
And if all the setup has to be done in IIS, how do you debug your code within Visual Studio?
One other question. My boss seems to think you don't even need a login box. IE would just know who you are. And you could "run as" in IE with a different account.
Check one of possible issues on my checklist
http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html
In short:
First, make sure that Anonymous Authentication is turned OFF for the site.
Second, enable integrated security in Internet Explorer (Options/Advanced and check the “Enable Integrated Windows Authentication” option).
Third, add your website to Local Intranet zone and select at least the “Automatic logon only in Intranet Zone” option (under Options/Security Settings/Local intranet/Custom level).
Fourth, make sure the user and application server are in the same domain.
To solve the problem, you have to enable the Windows Authentication feature. Follow the below steps:
-Click Start, and then click Control Panel. Open the Programs group.
-Under Programs and Features, click Turn Windows Features on or off.
-Expand the item labeled Internet Information Services.
-Expand the item labeled World Wide Web Services.
-Expand the item Security -> Make sure to select Windows Authentication
Also you need to disable Anonymous Authentication from the IIS as follows:
-Click on your application in IIS
-Double click Authentication under IIS group
-Click on Anonymous Authentication
-Click on Disable on the right side under Actions.
Hope this helps
Visual Studio installs IIS Express to serve web applications, so you have to configure it to use Windows Authentication.
Configuration file for IIS Express is usually here (more info: Where is the IIS Express configuration / metabase file found?):
%userprofile%\documents\iisexpress\config\applicationhost.config
Disable Anonymous authentication (enabled by default):
<anonymousAuthentication enabled="false" userName="" />
Enable Windows Authentication (disabled by default):
<windowsAuthentication enabled="true">
  <providers>
    <add value="Negotiate" />
    <add value="NTLM" />
  </providers>
</windowsAuthentication>
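Added example (not part of the answer above and not IIS tooling): a Python check that reads an applicationhost.config and reports every level at which anonymous authentication is still on or Windows authentication is off, using the defaults that answer names. The sample XML and the site path IntranetTool are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the section with the defaults the answer mentions
# (anonymous on, Windows off) plus a per-site <location> override.
SAMPLE = """<configuration>
 <system.webServer><security><authentication>
  <anonymousAuthentication enabled="true" userName="" />
  <windowsAuthentication enabled="false">
   <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication>
 </authentication></security></system.webServer>
 <location path="IntranetTool">
  <system.webServer><security><authentication>
   <anonymousAuthentication enabled="false" userName="" />
   <windowsAuthentication enabled="true">
    <providers><add value="Negotiate" /><add value="NTLM" /></providers>
   </windowsAuthentication>
  </authentication></security></system.webServer>
 </location>
</configuration>"""

def _on(element, default):
    return element.get("enabled", default).strip().lower() == "true"

def audit_authentication(config_xml):
    """Return (scope, finding) pairs for each explicit <authentication> section."""
    root = ET.fromstring(config_xml)
    scopes = [("(server default)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    findings = []
    for scope, node in scopes:
        auth = node.find("system.webServer/security/authentication")
        if auth is None:
            continue  # nothing set at this level, settings are inherited
        anon = auth.find("anonymousAuthentication")
        win = auth.find("windowsAuthentication")
        # Missing 'enabled' attributes fall back to the defaults named above.
        if anon is not None and _on(anon, "true"):
            findings.append((scope, "anonymous authentication enabled"))
        if win is not None:
            if not _on(win, "false"):
                findings.append((scope, "Windows authentication disabled"))
            elif not win.findall("providers/add"):
                findings.append((scope, "no Windows authentication providers"))
    return findings
```

Running it over the real file means passing the text of %userprofile%\documents\iisexpress\config\applicationhost.config to audit_authentication.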
I know this is an old question, but since it's not answered maybe someone could use my tip. I've been struggling with such an issue for some time and finally, I've discovered that one needs to have URL Authorization installed in order to make it work.
Navigate to the windows features and install the following feature:
Web Server (IIS) -> Web Server -> Security -> URL Authorization
I've also restarted IIS just in case, but I'm not sure if it's needed.
I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
  <authentication mode="Windows"/>
  <identity impersonate="true"/>
</system.web>
Source
You don't want to use impersonate as suggested by kd7, because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UPDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.
This is a follow on to a previous post about being unable to impersonate a currently logged in Windows user. There were many good suggestions, but the previous thread was getting messy, so I am resetting with this post. Hopefully with the current state documented below it will be obvious what the issue is. This is a well worn path, so I have to believe all I am missing is a little configuration step.
PROBLEM: I need to have ASP.NET impersonate the currently logged in user. When I run under IIS 7.5, it doesn't work. IIS Express works fine, but I believe that is because the debugging session is running under my user id.
I am using Environment.UserName to determine who this user is. There was a suggestion that this property always returns the logged in user name, but from my testing it returns the impersonated user from IIS.
For example, if my web.config has…
<identity impersonate="true" />
When I run under IIS 7.5 with that setting, Environment.UserName returns IUSR. I believe this is the IIS anonymous user account.
If I change web.config to…
<identity impersonate="true" userName="domain\jlivermore" password="mypassword" />
… then Environment.UserName returns jlivermore. However, I need it to return jlivermore without me explicitly setting it in web.config.
Here are my IIS settings…
.NET Authorization Rules
Authentication
One question, if I disable Anonymous Authentication, then I am prompted to login to the site. I thought if you were logged in with an Active Directory account on a domain then this challenge wouldn't appear? Even if I enter my username/password into this prompt, I still don't get the impersonation to work.
Basic Settings
I'm not sure if you've found an answer, but if anyone is having problems with it you will need the following in your web.config file
<authentication mode="Windows"/>
<identity impersonate="true"/>
And in IIS you will need ASP.NET Impersonation enabled as well as Windows Authentication enabled; the others should be disabled. And in Windows Authentication, go to Advanced Settings and UNCHECK the Enable Kernel-mode authentication. That should do it. Your site should now be set for Local Intranet apps and using any of the following will work:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
HttpContext.Current.User.Identity.Name
System.Threading.Thread.CurrentPrincipal.Identity.Name
But using Environment.UserName will only return the server name. Hopefully this helps anyone struggling with this.
I had a similar problem as you describe. The basic crux of the matter is that there is a difference between impersonation and delegation. My simple understanding of this is that impersonation will work when the client and server are on the same machine. If however, the client is on a different machine, you need delegation.
MSDN Reference
What is the difference between impersonation and delegation?
Impersonation flows the original caller's identity to back-end resources on the same computer.
Delegation flows the original caller's identity to back-end resources on computers other than the computer running the service.
Related SO questions
Impersonation in ASP.NET MVC
Starting a console application from asp.net using authenticated user credentials
Have you tried using HttpContext.Current.User.Identity.Name?
If you have a web application that will run inside a network, it makes sense for it to support windows authentication (active directory?).
Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?
I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.
I guess there are 2 major points I have to tackle:
1. authentication
2. authorization
I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?
Basically Windows handles everything; you never store usernames or passwords. AD and IIS do all the work for you.
Add this to your web.config:
<system.web>
  ...
  <authentication mode="Windows"/>
  ...
</system.web>
To configure Windows authentication:
1. Start Internet Information Services (IIS).
2. Right-click your application's virtual directory, and then click Properties.
3. Click the Directory Security tab.
4. Under Anonymous access and authentication control, click Edit.
5. Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.
You can then deal with the business or authorization using web.config again. For example:
<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>
Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx
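Added example (not from the answer above and not Microsoft's code): a small Python model of how ASP.NET URL authorization walks rules like the ones in that answer, where the first matching rule wins and the root configuration's allow users="*" comes last. It shows that the two rules as posted still admit authenticated users outside the group until a final deny users="*" is added; the rule copies and the user names in the usage are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed copies of rule sets in the style shown on this page.
AS_POSTED = r"""<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>"""
GROUP_ONLY = AS_POSTED.replace("</authorization>",
                               '  <deny users="*" />\n</authorization>')

# ASP.NET's root configuration ends every rule list with <allow users="*"/>.
INHERITED = [("allow", "users", ["*"])]

def parse_rules(xml_text):
    """Turn <allow>/<deny> elements into (action, attribute, names) tuples."""
    rules = []
    for el in ET.fromstring(xml_text):
        for attr in ("users", "roles"):
            if el.get(attr):
                names = [n.strip().lower() for n in el.get(attr).split(",")]
                rules.append((el.tag, attr, names))
    return rules

def is_allowed(xml_text, user, roles=()):
    """First matching rule wins; user=None models an anonymous request."""
    name = user.lower() if user else None
    held = {r.lower() for r in roles}
    for action, attr, names in parse_rules(xml_text) + INHERITED:
        if attr == "users":
            # "*" matches everyone, "?" matches only anonymous requests.
            hit = ("*" in names or (name is None and "?" in names)
                   or name in names)
        else:
            hit = bool(held & set(names))
        if hit:
            return action == "allow"
    return False
```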
This problem is solved in detail by Mr. Scott Guthrie in
Link 1 and Link 2
I used windows security on some of my internal sites.
Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the site's files through the standard Windows security model.
I'm not sure if this is the best practices, but it has always worked well for me.