I have a classic asp application that uses windows authentication.
We are now migrating this classic asp to MVC3. This will also be utilizing windows authentication.
When I access the mvc3 app (windows authentication) via direct link (http://mvcsite.domain.com), I am asked for windows authentication and then I can navigate the site without any problem.
When I create an application (NetSite) under classic asp virtual dir and try to get to it, I get 403 forbidden error. I have double checked authentication on NetSite application and windows authentication is enabled. So my link then becomes like http://classicasp.domain.com/NetSite. "NetSite" and mvc3 virtual dir both use the same app pool and working dir.
On 403 error I am getting following:
Logon Method Anonymous
Logon User Anonymous
I have set another mvc2 speciality application just like this some time back and that worked just fine. Why am I having access problems now, am I missing something?
Thanks.
Under the authentication for the NetSite, is the option for Anonymous turned off?
Sometimes if anon isn't turned off on the subsite, the client will try with anonymous first, leading to a 403 error, and it will stop there.
However, if anonymous is turned off, usually the client will still try with anon first, get a 401 error (which is expected), and then re-send with windows credentials.
Related
Goal
I am trying to deploy an MVC3 application that requires Windows Authentication (specifically Kerberos) as an Application within an older asp.net Anonymous Authentication Website.
Symptoms
In IIS 7.5 Express on my box it works perfect, obviously. When I deploy it to IIS 7.5 as its own site I get challenged for domain credentials, though none are accepted. When I deploy it as an application I get the custom error page back from the hosting site. To confirm - Kerbtray shows no ticket in either scenario.
Details
Both the Site and the new child Apps run on the same application pool, and the application pool runs as AppPoolIdentity. That built-in IIS app pool account (IIS AppPool\MyAppPoolName) has full Read/Execute permissions down both the Site's and the App's folder trees. No impersonation is used.
Question(s)
Is there anything special I need to do to get NTLM and Kerberos working on an App inside an anonymous auth Site?
If not, any advice on things/places to look would be great - the ApplicationHost.config and the app's web.config files look fine.
EDIT: For clarification, this is all on a corporate network that uses Kerberos extensively for other purposes. "Site" refers to an IIS Website and is distinguished from an "Application" that must be hosted within an IIS Site.
After working on this a bit more, I found the answer:
Nothing special is needed to host a Windows (Kerberos) authenticated IIS App within an Anonymous authenticated IIS Site on IIS 7.5 so long as:
a. Kernel Mode Authentication is On - No SPNs required.
b. The application uses the same App Pool Identity as the hosting parent. Different App Pools and their identities can be used, but this does require further NTFS permissions and is beyond the scope of this particular issue.
The issue with my error was something much more simple yet elusive... the parent Site had a custom set of error pages defined in <HttpErrors> including pages for 401 and 403.
This was the error page returned when the user requested a page from the nested Application because Kerberos sends a 401 first, to challenge the user for credentials and ask him/her to get and provide a Kerberos ticket... but because the parent Site returned a 200 response (the custom error page) the user never got a Kerberos ticket.
With these off, the user is now appropriately getting a Kerberos ticket and falls back to NTLM as by default.
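An added example (not part of the original answer) that checks for the condition described above: custom 401/403 pages defined on the parent Site and inherited by the nested Application. It models only the `<error>`/`<remove>`/`<clear>` entries of `<httpErrors>` in the web.config files passed to it; the sample configs, page paths and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (paths and page names are hypothetical).
PARENT_SITE = """<configuration><system.webServer>
  <httpErrors errorMode="Custom">
    <remove statusCode="401" />
    <error statusCode="401" path="/Errors/Denied.aspx" responseMode="ExecuteURL" />
    <remove statusCode="403" />
    <error statusCode="403" path="/Errors/Denied.aspx" responseMode="ExecuteURL" />
    <remove statusCode="404" />
    <error statusCode="404" path="/Errors/NotFound.aspx" responseMode="ExecuteURL" />
  </httpErrors>
</system.webServer></configuration>"""

CHILD_APP_INHERITING = "<configuration><system.webServer /></configuration>"

CHILD_APP_OVERRIDING = """<configuration><system.webServer>
  <httpErrors>
    <remove statusCode="401" />
    <remove statusCode="403" />
  </httpErrors>
</system.webServer></configuration>"""

AUTH_CODES = {"401", "403"}


def merge_http_errors(inherited, config_xml):
    """Apply one web.config's <httpErrors> collection on top of inherited entries."""
    section = ET.fromstring(config_xml).find("system.webServer/httpErrors")
    effective = dict(inherited)
    if section is None:
        return effective  # nothing declared at this level: everything is inherited
    for el in section:
        key = (el.get("statusCode"), el.get("subStatusCode", "-1"))
        if el.tag == "clear":
            effective.clear()
        elif el.tag == "remove":
            effective.pop(key, None)
        elif el.tag == "error":
            effective[key] = (el.get("path"), el.get("responseMode", "File"))
    return effective


def custom_auth_pages(*config_chain):
    """Custom 401/403 pages in effect at the last config of a parent-to-child chain."""
    effective = {}
    for config_xml in config_chain:
        effective = merge_http_errors(effective, config_xml)
    return {k: v for k, v in effective.items() if k[0] in AUTH_CODES}
```

Pass the Site's web.config first and the Application's second; an empty result means no custom page defined at those levels replaces IIS's own 401/403 response for the Application.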
This is bugging me, but think I traced the problem down to working on a Forms Authentication App and now I have switched back to trying to use Windows Authentication, but for some reason just wants to keep using Forms Authentication.
Have just the usual in the web.config, even tried Signing Out of Forms Authentication, but still insists on working in Forms Authentication.
So the up-shot is I get when trying System.Web.HttpContext.Current.User.Identity.Name is a nice Empty string and user is not Authenticated.
How do I get my Windows Authentication back ?
cheers
Michael
Check that the web application folder is configured to use Windows authentication in IIS, also check the content files, they should inherit the parent permissions. Also re-check the authentication mode in your web.config file, make sure it's set to Windows.
I have an ASP.NET MVC 3 application, which runs on an IIS 7.5. Everything works great if I access the application locally from the Windows Server, but if I try to access it from a remote client the browser throws an error.
The HTML loads fine when I try to access the site remotely, but when it makes AJAX calls it fails with this msg:
POST 403 (Forbidden: header 'Content-Type' value denied)
I have tried:
- using jQuery jsonp
- Granting webfolder access to "Everyone" in Folder security and sharing
Do you have any other suggestions for a solution?
Check if the file global.asax exists.
I had the same problem because I forgot to upload this file.
Does your web server have ASP.NET 4 installed? You may need to run this command:
%windir%\Microsoft.NET\Framework64\v4.0.30128\aspnet_regiis.exe -ir
Edit: OK, so this wasn't the problem... Security is the next thing to check: This article might help you... http://learn.iis.net/page.aspx/624/application-pool-identities/
Generally when I've seen stuff like this, IIS is running your site under its limited user instead of the application pool user.
To check this configuration you need to access IIS Manager, expand the computer name, expand sites, expand the web site that contains your application, select your application in the tree view.
Under the IIS settings region, select Authentication (double click it, or click open feature)
Select Anonymous Authentication, click edit... from actions on the right. In the dialog that opens check the setting for Anonymous user identity: it should be set to application pool identity.
Original Answer by Mmerrell at Getting 404.0 error for ASP.NET MVC 3 app on IIS 7.0 / Windows Server 2008
You actually just reminded me that I needed to fix this issue in an
environment here. If your situation is the same as mine then it's a
simple fix.
Just add the following to your web config:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
My host is having issues getting my MVC3 app to work on their server, so I thought I'd check it out myself. Until now I've been too busy developing under the built in server to worry about IIS, but today I tried my first deployment to the host with no joy. Then I tried one to my local IIS, with no joy. Then I tried telling VS to use IIS for debugging, to maybe resolve some local issues, with no joy.
What steps and configuration are required to use local IIS 7.5 to debug an MVC3 application?
EDIT: Going through a browser, after clearing up a permission problem for my Windows user on Temp ASP.NET Files, I now get an HTTP Error 403 (Forbidden), but the occasional basic auth login dialogue. Here I have tried a Forms auth user, my normal Windows user, and my Windows admin user, all to no avail.
When I try and debug under VS, I get a 500, internal error.
THE PLOT THICKENS: When I enable directory browsing on the site, I get a proper directory listing for the site root url. This suggests the MVC3 routing is not working, but why not?
If you're getting a directory listing that means there's not a default file set (for IIS6). It usually means the request wasn't routed to IIS to deal with. Things are slightly different with IIS7 & its integrated pipeline.
Simon
I'm new to IIS 7.5 and I am trying to get a site working with Windows Authentication. It's an ASP.NET 4.0 application which is set up as an application under the default website and it is running the ASP.NET 4 app pool. The application is set up with Anonymous Authentication disabled and Windows Authentication enabled.
The site is not authenticating properly - I can see an error in the event log (this is a Null Reference error to do with some code that uses Context.User) and the detail says IsAuthenticated=False and the User is blank.
I have set Authentication Mode = Windows under <system.web> in my Web.config and have tried various other config settings without success.
I've tried using the ASP.NET classic app pool but get an error
Handler "ExtensionlessUrl-ISAPI-4.0_64bit" has a bad module
"IsapiModule" in its module list
I'd prefer to get it working using the ASP.NET 4 app pool if possible. Can anyone advise what I need to do?
Sorry, I forgot to post the answer when I found it. In actual fact there was nothing wrong with the authentication configuration, it was to do with my referencing Context.User too early in Global.asax.
In the new integrated mode the authentication works differently to classic mode and in the Application_AuthenticateRequest event in Global.asax the authentication hasn't happened yet so Context.User is null hence the exception I got and the fact that the log shows IsAuthenticated as false. I moved the line of code that calls Context.User into Application_PostAuthenticateRequest and it's working now.
Take a look at IIS Express Windows Authentication
Only difference is, IIS 7.5 applicationhost.config file is located at %systemroot%\System32\inetsrv\config\applicationHost.config