I have configured my ASP.NET website to use Windows auth (and disabled anon auth), and set up some authorization rules. The website is deployed on the Intranet and all users have a Windows identity.
When a user navigates to the website, the typical "Windows Security" window pops up, asking the user for his identity. I want to disable this, since the user is already logged in with a domain account. The browser should submit the current identity and IIS can use this to auth.
Any ideas?
Note: I am using IE and the Enable Integrated Windows Authentication option is checked.
In which browser is this happening? Internet Explorer has an option that explicitly defines whether the browser tries to authenticate users automatically.
You can find it in Tools - Internet Options - Advanced - Enable Integrated Windows Authentication.
Where I've seen this symptom happening before, I've had to add the URL the website is on explicitly into the Local Intranet zone in IE.
I have an ASP.NET WebForms application running on our intranet (same Active Directory).
I want to auto authenticate.
So I'm using in my C# code:
HttpContext.Current.Request.LogonUserIdentity.Name
to get the user name and do some stuff.
In my web.config I'm not specifying any authentication mode.
In IIS 10.0 in default website and also in virtual directory I've
The problem is that from my development PC it works well, but from any other PCs of my organization, Windows keeps asking for user and password.
What can it be?
Thanks
As far as I know, the reason you get automatic authentication for your web application is the IE security setting.
If your customer doesn't enable this setting, the IE browser will not automatically send the username and password to the server to log the user in. So your customer will need to type in the username and password.
To solve this issue, you should suggest that the client side enable the security setting for automatic login.
For more details about how to enable automatic login, you can refer to the steps below:
1. Open IE and find Internet Options.
2. Modify the user authentication
I'm building an Intranet application based on Ext JS and webservices. Users are authorized using Integrated Windows Authentication, which works fine in IE.
Because my application is in JavaScript, it is loaded in Firefox, but then when I request some data from server I get 'access denied' in Firebug, because all webservices are checking user rights.
Can I request the user to enter his username and password (like login to FTP or a simple login page) in all browsers that don't support Integrated Windows Authentication?
I know there are plugins for Firefox, but I would like a secure solution that doesn't require plugins.
Windows Authentication is performed via NTLM. If a browser doesn't automatically supply the credentials then a username/password dialog should be shown in all browsers which would prompt the user to enter their credentials. This should happen automatically.
If you can edit the config settings in Firefox then you can make the credentials be submitted automatically by adding the domain to network.automatic-ntlm-auth.trusted-uris in about:config.
Wiki article about windows authentication
Configuration:
Windows Server 2008 R2/IIS 7.5
ASP.NET web application using Windows Integrated Authentication. Application pool identity is set to NetworkService. Targeting .NET Framework 2.0. Managed Pipeline mode = Classic.
Full permissions granted to the Temporary ASP.NET Files folder for the Users group and the Internet Guest Account
Logged into server as a test user account (let's call it testuser) which is a member of the Administrators group
User Account Control is on
Internet Enhanced Security is off
Internet Explorer is using all the default security settings and all Compatibility View settings are off
Now I do the following:
iisreset.exe
clear Temporary ASP.NET Files folder
open Internet Explorer
browse to the local ASP.NET web site => success
close Internet Explorer
iisreset.exe
open Internet Explorer
browse to the local ASP.NET web site => FAIL
So far, I have found a few things I can do to keep the site working after an iisreset.exe (each of these work individually, i.e. they do not have to be combined):
Turn off User Account Control
Log in as the Administrator
Run Internet Explorer "As Administrator..." (instead of defaulting to the testuser account)
Use Google Chrome or Mozilla Firefox instead of Internet Explorer(?!?) Those two browsers do not have to be run using the Administrator account but work perfectly well running under the user account and with User Account Control turned on.
Browse the site using an Internet Explorer instance running on an external machine
This problem does not exist on Windows Server 2003. It would appear to be related to User Account Control somehow.
It makes no difference if the user is a member of the Administrators group or not.
Using Process Monitor, it would appear that the access denied problem happens when NetworkService (w3wp.exe) is impersonating the user, but given all the permissions granted to the Temporary ASP.NET Files folder, this still does not make much sense.
The question is:
Why does this only occur with the local Internet Explorer browser, running as a non-administrator user? I would like to use the local Internet Explorer browser for testing, but having to clear the Temporary ASP.NET Files folder after an iisreset is annoying.
What makes Internet Explorer different from Chrome or Firefox (which both work) in this scenario? I could understand if this was something that affected all local browsers, but this is not the case.
I could understand if my web application was doing something special when detecting that Internet Explorer is being used as the client browser, but I do not believe that to be the case and we are talking about an assembly binding failure here - I am not trying to access some arbitrary folder.
EDIT:
The tests above were done using Internet Explorer 8. I have since tried Internet Explorer 9 on the same machine, but with the same results.
If I enable ASP.NET Impersonation for the web site, the problem goes away - but I still would like to know why it does not work for a local Internet Explorer when ASP.NET Impersonation is disabled.
EDIT 2:
What I failed to mention the first time around is that logging in is a two-step process: When accessing the application (let's call it "MyWebApp"), you are redirected to a MyWebApp/Login directory where you will be prompted for your Windows credentials before granted access to the login page residing in that Login directory.
This always works.
After entering your application credentials (in case the code in the login page does not recognize your Windows credentials), you are redirected to a page in the root folder.
The Authentication settings for MyWebApp and MyWebApp/Login are as follows:
                           MyWebApp   MyWebApp/Login
                           --------   --------------
Anonymous Authentication   Enabled    Disabled
ASP.NET Impersonation      Disabled   Enabled
Basic Authentication       Disabled   Disabled
Digest Authentication      Disabled   Disabled
Forms Authentication       Enabled    Enabled
Windows Authentication     Enabled    Enabled
In both cases, I am getting the "Challenge-based and login redirect-based authentication cannot be used simultaneously" warning.
These settings date back to before I got involved with the project, but that is besides the point. Right now I am only interested in what it takes to get it right - preferably a set of settings that will work for IIS 6.0 and 7.x alike.
Setting ASP.NET Impersonation = Disabled for "MyWebApp/Login" appears to be another way of making my problem go away, but clearly there is more to be done here.
The issue is almost certainly related to Internet Explorer using Windows authentication rather than Basic Authentication (what you'd likely get with FF or Chrome). The combination of Windows authentication and ASP.NET impersonation. If you enable NTLM authentication in Firefox, you will likely see the same behavior there. Likewise, disabling Windows authentication (forcing IE to use basic) or disabling impersonation will likely cause IE to behave like Firefox.
I cannot imagine that browsers have anything to do with it, but if you experienced differences, it must be true.
For ASP.NET to be able to compile an ASPX file, 2 things are important (as we found out today):
Write access to the ASP.NET Temporary files dir (where the compiled DLL is written)
Write access to the Windows TEMP (where csc.exe writes intermediate files like *.obj)
Which user should have access there? Depends. In our case the Application Pool user. In your case maybe the impersonated user. Or the IUSR. To me, that part is still obscure.
I just uploaded a project to my hosting; it is an ASP.NET MVC project with authentication.
As soon as I enter the website, Internet Explorer prompts a credential window. If I cancel, the website works correctly. The website also works correctly locally using the Visual Studio server.
More information:
"Allow Anonymous Access" is checked and "Basic Authentication" too, but the prompt is shown with Basic authentication checked or not.
Also I uploaded a very basic MVC application with authentication and the prompt is not showing, so it doesn't seem to be an IIS configuration problem.
Also the prompt is showing in both Internet Explorer and Firefox, but not in Chrome.
Do you have any clues?
Thanks!
It sounds like you have set the authentication mode to Windows? Can you check the Web.config file? If your intent is to use Forms authentication, you should change it accordingly.
Most likely is that you need to allow anonymous access in the IIS configuration manager. Even if your web.config specifies Forms Authentication (or Authentication is set to "None") if IIS is set to disallow anonymous access, then users will be prompted by IIS before the ASP.Net authentication mechanism kicks in.
Edit
I see this behavior if the "Allow Anonymous Access" is checked and the "Windows Authentication" is also checked.
This is all under the "Directory Security" task in the properties for your web site in the IIS manager.
See info below about IIS:
IIS Authentication
Anonymous
Anonymous authentication gives users access to the public areas of your Web site without prompting them for a user name or password....
Basic (uncheck this)
IIS implements Basic authentication, which is part of the HTTP 1.0 specification, using Windows user accounts. When using Basic authentication, the browser prompts the user for a user name and password. This information is then transmitted across HTTP where it is encoded using Base64 encoding. Although most Web servers, proxy servers, and Web browsers support Basic authentication, it is inherently insecure. Because it is easy to decode Base64 encoded data, Basic authentication is essentially sending the password as plain text.
http://msdn.microsoft.com/en-us/library/aa292114%28VS.71%29.aspx
For this to work only anonymous access should be checked in IIS. Otherwise the browser will try to authenticate if possible.
If you are serving "static content" with your site, the default webroot from which the application is configured under needs these settings as well. (Usually "Anonymous" as only-checked-box).
I've been having trouble getting my ASP.NET application to automatically log users into the Intranet site I'm building. No matter the googling or the experimentation I applied, there is always a login box displayed by IE7.
I've got Windows authentication mode set in the Web.config, disabled anonymous access and configured the correct default domain in IIS, but it's still asking the user to log in and, more annoyingly, the user is required to provide the domain too (DOMAIN\auser), which is causing problems with non-technical visitors. Thank Zeus for password remembering functionality.
I'm not the network administrator so it's possible that something about Active Directory is set up incorrectly, or it could just be me missing something very simple. Please note that I don't want to impersonate the user, I just need to know that the IPrincipal.Name property matches that of a valid record in my user database, hence authenticating the user to my application.
To this end, it would be very useful to have a checklist of all configuration requirements for AD, ASP.NET and IIS to work together in this manner as a reference for debugging and hopefully reducing some user friction.
It sounds like you've covered all the server-side bases--maybe it's a client issue? I assume your users have integrated authentication enabled in IE7? (Tools -> Internet Options -> Advanced -> Security). This is enabled by default.
Also, is your site correctly recognized by IE7 as being in the Local Intranet zone? The IE7 default is to allow automatic logon only in that zone, so users would be prompted if IE thinks your site is on the internet. I believe using a hostname with a dot in it causes IE to place the site into the Internet zone.
Open Active Directory Users and Computers MMC snap in
Expand computers section from TreeView (left side)
Check if the computer is registered in your domain.
Also, you have to login with a domain account on that computer, otherwise that authentication box will be shown.
In IIS, enable anonymous access and allow the web.config to handle user authentication.
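The client-side conditions the answers on this page keep returning to (the server must offer Negotiate or NTLM, IE only logs on automatically in the Local Intranet zone, and Basic sends an easily decoded password) can be checked from a site's 401 response. The sketch below is an added example, not code from any of the posts; the host names, the `diagnose` helper and the zone rule (listed sites or dotless names) are assumptions used to model IE's default behaviour.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Schemes the browser can answer silently with the logged-on Windows identity.
INTEGRATED = {"negotiate", "ntlm"}

def offered_schemes(www_authenticate):
    """Scheme name (lower-cased) of each WWW-Authenticate header value.
    Assumes one challenge per header value, which is how IIS sends them."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()]

def in_intranet_zone(host, intranet_sites=()):
    """Approximation of IE's default zone mapping (an assumption of this example):
    sites listed explicitly in the Local Intranet zone, or dotless host names."""
    host = host.lower().rstrip(".")
    if any(fnmatch(host, pattern.lower()) for pattern in intranet_sites):
        return True
    # FQDNs and IP addresses contain dots and fall into the Internet zone.
    return bool(host) and "." not in host

def diagnose(url, www_authenticate, intranet_sites=()):
    """Predict what an IE user sees for a 401 response to `url`."""
    parts = urlsplit(url)
    schemes = offered_schemes(www_authenticate)
    if not schemes:
        return ["no-challenge"]
    findings = []
    integrated = any(s in INTEGRATED for s in schemes)
    if integrated and in_intranet_zone(parts.hostname or "", intranet_sites):
        findings.append("silent-sso")
    else:
        findings.append("credential-prompt")
        if integrated:
            findings.append("host-not-in-intranet-zone")
    # Basic only Base64-encodes the password, so without TLS it is readable.
    if "basic" in schemes and parts.scheme != "https":
        findings.append("basic-over-http-cleartext")
    return findings

if __name__ == "__main__":
    # Constructed sample responses (URL, WWW-Authenticate values, zone list).
    samples = [
        ("http://intranet/app", ["Negotiate", "NTLM"], []),
        ("http://intranet.corp.example/app", ["Negotiate", "NTLM"], []),
        ("http://intranet.corp.example/app", ["NTLM"], ["*.corp.example"]),
        ("http://intranet/app", ['Basic realm="intranet"'], []),
    ]
    for url, headers, sites in samples:
        print(url, headers, "->", diagnose(url, headers, sites))
```

The header values can be taken from the browser's network trace or any HTTP client that shows the 401 response.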