ASP.NET MVC 3 Allow intranet site access based on AD group - asp.net

Is there a way to allow site wide access to my intranet site based on an AD group without having to use the [Authorize] attibute on every controller?
I am using Windows Authentication.

In webconfig use
<system.web>
<authentication mode="Windows">
</authentication>
<authorization>
<allow users="groupname"/>
<deny users="*"/>
</authorization>
</system.web>

You can add the AuthorizeAttribute to the global filters collection, as described here.
public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
filters.Add(new AuthorizeAttribute());
filters.Add(new HandleErrorAttribute());
}
It is usually not a good idea to use the Web.config authorization element for this since this restricts file-based access. But when you protect your entire site, using the Web.config file will work just as well.

IIS 7 & IIS 8
Open IIS Manager and navigate to your website.
In Features View, double-click Authentication.
On the Authentication page, select Windows authentication. If Windows authentication is not an option, you'll need to make sure Windows authentication is installed on the server.
To enable Windows authentication on Windows:
a) In Control Panel open "Programs and Features".
b) Select "Turn Windows features on or off".
c) Navigate to Internet Information Services > World Wide Web Services > Security and make sure the Windows authentication node is checked.
To enable Windows authentication on Windows Server:
a) In Server Manager, select Web Server (IIS) and click Add Role Services
b) Navigate to Web Server > Security and make sure the Windows authentication node is checked.
Finally
In the Actions pane, click Enable to use Windows authentication.
On the Authentication page, select Anonymous authentication.
In the Actions pane, click Disable to disable anonymous authentication.
IIS Express
Right click on the project in Visual Studio and select Use IIS Express.
Click on your project in the Solution Explorer to select the project.
If the Properties pane is not open, open it (F4).
In the Properties pane for your project:
a) Set "Anonymous Authentication" to "Disabled".
b) Set "Windows Authentication" to "Enabled".

Related

Setup windows authentication for ASP.NET using local workgroups?

I have requirement to build windows authentication for our web applications. We plan to created local work groups (on Windows 2008 Server) to manage users instead of Active Directory. Our reason, it takes months to create groups and move users via AD (and our client would prefer we go this route). Is it possible to setup windows authentication for an asp.net application and validate the user credentials against the local workgroups? Keep in mind we would try to match their login names to our local workgroups.
You can use AspNetWindowsTokenRoleProvider. This makes ASP.net use the Windows Local groups.
In your web config do something like this.
<authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
--> <authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
</authorization>
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider"/>
then in your aspx you can check if user exists in role. I placed this in my master page.
If Not Roles.IsUserInRole(Context.Current.User.identity.name, "Managers") Then
'label1.Text = "You are not authorized to view user roles."
Response.Redirect(Request.ApplicationPath & "\logout.html")
end if
You can read more from this Link from Microsoft http://msdn.microsoft.com/en-us/library/ff647401.aspx
under Using WindowsTokenRoleProvider

Windows authentication doesn't work when I run project from Visual Studio

Windows authentication works good when I host my ASP.NET MVC project on IIS. But if I run it from Visual Studio - it doesn't.
Here is my Web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
Am I missing something?
If you are hosting in IIS Express (which you probably should), make sure you have enabled Windows Authentication in the properties of your Web Application.
By the way if you create a new ASP.NET MVC 4 application in Visual Studio using the Intranet Application template you will be greeted with the following Readme on the screen. So go ahead, try it, read it and follow what's written there:
To use this template with Windows Azure authentication, refer to
http://go.microsoft.com/fwlink/?LinkID=267940.
Otherwise, to use this template with Windows authentication, refer to
the instructions below:
Hosting on IIS Express:
Click on your project in the Solution Explorer to select the project.
If the Properties pane is not open, open it (F4).
In the Properties pane for your project:
a) Set "Anonymous Authentication" to "Disabled".
b) Set "Windows Authentication" to
"Enabled".
Hosting on IIS 7 or later:
Open IIS Manager and navigate to your website.
In Features View, double-click Authentication.
On the Authentication page, select Windows authentication. If Windows authentication is not an option, you'll need to make sure
Windows authentication is installed on the server.
To enable Windows authentication on Windows:
a) In Control Panel open "Programs and Features".
b) Select "Turn Windows features on or off".
c) Navigate to Internet Information Services > World Wide Web Services > Security and make sure the Windows authentication node is checked.
To enable Windows authentication on Windows Server:
a) In Server Manager, select Web Server (IIS) and click Add Role Services.
b) Navigate to Web Server > Security and make sure the Windows authentication node is checked.
In the Actions pane, click Enable to use Windows authentication.
On the Authentication page, select Anonymous authentication.
In the Actions pane, click Disable to disable anonymous authentication.
I couldn't quite get the #Darin Dimitrov solution to work (mainly as I couldn't find the IIS Express setting described in Visual Studio!).
I found I had to edit the IIS Express application.config file:
in Visual Studio 2013 this is in %userprofile%\documents\iisexpress\config
in Visual Studio 2015 this is in the config folder in the hidden .vs folder in the solution (just add \.vs\config in Windows explorer to get there).
and amend:
<windowsAuthentication enabled="false">
to:
<windowsAuthentication enabled="true">
I know this is late to the game on this question but for Visual Studio 2019 it changed slightly. So if you find yourself sorting through this for that solution in debugger:
From : Microsoft Documentation
And taken from that page, which did work for me:
Existing project
The project's properties enable Windows Authentication and disable Anonymous Authentication:
Right-click the project in Solution Explorer and select Properties.
Select the Debug tab.
Clear the checkbox for Enable Anonymous Authentication.
Select the checkbox for Enable Windows Authentication.
Save and close the property page.

Windows authentication inconsistencies with "LOGON_USER" server variable

Another developer and I are both working on the same ASP.NET web app. The application uses Forms authentication, but the IIS virtual directory is configured with both "anonymous access" and "integrated Windows authentication". This mirrors the production site which authenticates as required.
A potentially key difference between our two setups is that he is on Windows 7 and IIS 7, whereas I'm on Windows XP and IIS 5 (for my sins).
Initially when we both run the app, the variable... HttpContext.Current.User.Identity.IsAuthenticated ...is false. This I'd expect because we're configured with Forms authentication. The app then redirects to a WindowsAuth.aspx page. That page checks the Request.ServerVariables["LOGON_USER"] server variable and, if this isn't null or empty, uses it to automatically sign in.
The issue is, on my PC Request.ServerVariables["LOGON_USER"] is always empty. To me this is correct since we have anonymous access enabled. But on my colleague's PC, and in production, the variable holds the user's username. I cannot understand why this is. Is there a difference between IIS 5 and 7 in this regard? Otherwise, can you explain this? Obviously I want my setup to reflect other environments but upgrading to Windows 7 is a last resort at this point.
https://support.microsoft.com/en-us/kb/306359
To populate the LOGON_USER variable when you use any authentication mode other than None, you can deny access to the Anonymous user in the section of the Web.config file. To deny access to the Anonymous user in the section, follow these steps:
Change the authentication mode in the Web.config file to anything other than None. For example, the following entry in the Web.config file sets the authentication mode to Forms-based authentication:
<authentication mode="Forms" />
To deny access to the Anonymous user in the Web.config file, use the following syntax:
<authorization>
<deny users = "?" /> <!-- This denies access to the Anonymous user -->
<allow users ="*" /> <!-- This allows access to all users -->
</authorization>
If you are using Windows authentication, you can also use the following steps to resolve this problem:
Change the authentication mode in the Web.config file to Windows as follows:
<authentication mode="Windows" />
In the Internet Services Manager, right-click the .aspx file or the Web Project folder, and then click Properties.
If you clicked Properties for the Web Project folder, click the Directory Security tab. If you clicked Properties for the .aspx file, click the File Security tab.
Under Anonymous Access and authentication control, click Edit.
In the Authentication methods dialog box, clear the Anonymous Access check box, and then select either the Basic, the Digest or the Integrated (NT Challenge/Response) check box.
Click OK to close both dialog boxes.

Windows authentication for intranet site pages

I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use imporsonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.

IIS ignores authorization in web.config

I have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.
Why will it not work in IIS? And how to solve it?
<system.web>
<identity impersonate="true" />
<authentication mode="Windows" />
<authorization>
<deny users="*"/>
</authorization>
</system.web>
Without seeing the web.config it sounds like you haven't configured IIS. When you use Windows authentication what ASP.NET is expecting is for the web server to do the authentication - so you must configure it to do so, simply putting it in web.config is not enough.
For IIS6:
In IIS Manager, double-click the
local computer; right-click the Web
Sites folder, an individual Web site
folder, a virtual directory, or a
file; and then click Properties.
Click the Directory Security or File
Security tab, and then, in the
Authentication and access control
section, click Edit.
In the Authenticated access section,
select the Windows Integrated
Authentication check box.
Click OK twice.
For IIS7:
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
In Features View, double-click Authentication.
On the Authentication page, select Windows Authentication.
In the Actions pane, click Enable to use Windows authentication.

Resources