Setup Windows Authentication in ASP .NET 3.5 - asp.net

Here's what I want to do (which I've done before but I'm clearly doing something that is not obvious to me...):
ASP .NET 3.5 Intranet Application
Want to have Windows Authentication against AD setup on the website
When the user requests the page, fetch the user's username with the following code:
System.Web.HttpContext.Current.User.Identity.Name
I have IIS 7.5 and have setup the web application, disabled anonymous access and enabled Windows Authentication.
When the page is requested, the prompt for username / password is entered.
I entered the details but the prompt keeps coming up and eventually comes back with 401.
What on earth have I missed?

It seems to be a problem with the Authorization (don't confuse it with Authentication, they are completely different), because the Authentication has been passed successfully after you've written the right user name and password. Please try to set the appropriate privileges for the user you try to log in with, then try again. You can do that by setting the right roles in the Authorization tab in the Security/Application tool of ASP.NET or by defining it manually by creating the right class... You'd better also check the IIS policy if you deal with production code on IIS. If this is not working please post the Authentication code you've written.

Figured out what was wrong. Was nothing to do with Authorization at all but I stupidly had written code a few days back throwing a 401 error when a certain condition was not met. Removing that proved that the setup done worked perfectly :)
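
The resolution above, as an added example (not the poster's code): with Windows Authentication enabled, the browser treats a 401 as a request for new credentials, so a 401 raised by application code on an already authenticated request produces the repeating prompt described in the question. The sketch assumes the failed condition was an access check; `AccessCheckModule` and the group name `CONTOSO\IntranetUsers` are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added illustration; AccessCheckModule and RequiredGroup are hypothetical names.
public class AccessCheckModule : IHttpModule
{
    // Placeholder AD group; replace with the group that gates the application.
    private const string RequiredGroup = @"CONTOSO\IntranetUsers";

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after IIS/ASP.NET has established Context.User.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        IPrincipal user = ctx.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // No identity: 401 is correct, it asks the client to authenticate.
            Deny(ctx, 401);
        }
        else if (!user.IsInRole(RequiredGroup))
        {
            // Identity is known but not permitted: answer 403.
            // A 401 here would re-challenge valid credentials until the browser gives up.
            Deny(ctx, 403);
        }
    }

    private static void Deny(HttpContext ctx, int status)
    {
        ctx.Response.StatusCode = status;
        ctx.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

On IIS 7.5 in integrated pipeline mode the module has to be registered under `<system.webServer><modules>` in web.config before it runs.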

Related

Get windows identity before authentication ASP.net

Dear stackoverflow community,
Is there any way to retrieve windows username/identity even before authentication?
To make you all understand the situation, I am currently migrating an old ASP.net application. Previous code works no problem but due to recent code migration, old code won't work anymore. I want this application to be a single sign-on instead of the user needing to key in their username and password WHILE using Forms authentication method.
It involves:
Index.aspx
HomePage.aspx
Login.aspx
Global.asax
The application flow:
1. Enter global.asax and check whether isAuthenticated is true or false, if false, enter Index.aspx, if true, extract all the user accessright into .isInroles
2. If not authenticated, get the windows username, check the user exist in the application, and FormsAuthentication.RedirectFromLoginPage(username, False/True) and it will redirect to global.asax and redirect to Homepage. (This is where single sign-on should be. And if there's no identity it will return to Login.aspx page.)
3. User provide username and password and authenticate like normal. (This one works)
The thing is, when you are using Forms Authentication, the identity will return blank until the user provides one. For example HttpContext.Current.User.Identity.Name and a few others. Is there any way to get the windows identity before authentication?
If I change the web.config to windows authentication, it works perfectly fine but it requires me to change the whole structure of the system because the way the system gives access rights is very outdated, using cookies .IsInRoles, and my team won't agree because it is a time-consuming process. Sorry I can't post the code snippet due to data confidentiality...
Any logical/pseudocode advice would be great.
The answer to this question: I restructured the whole program's authentication to use Windows authentication, and removed the current global.asax and replaced it with a new one, since the previous global.asax was corrupted such that if I comment out the whole code in the global.asax it enters. That solves my problem.

Issue Getting windows client display name in an .asmx service script in (VB) ASP.NET

I'm very new to ASP.NET and I've been struggling trying to get the username of the client sending requests to a web service script on the server side.
After searching online I found two properties that supposedly give the server page access to the client username:
User.Identity.Name
and then I got another piece of code from an ex-senior colleague who left before figuring this problem out; his function used UserPrincipal.Current.DisplayName
and for both of these I'm getting a blank string.
I've searched for what my problem could be and I suspect it's because I don't authenticate the user on the server side somehow.
I just accessed those two properties/variables directly (UserPrincipal.Current.DisplayName and User.Identity.Name).
Can anyone help shed some light on this issue please? I haven't a clue what I'm doing wrong / not doing.
Your suspicions are correct; you have to explicitly authenticate the user via a built-in .NET mechanism such as Forms Authentication or Windows Authentication for User.Identity to be populated by the framework.
You didn't specify where the requests are coming from (web, windows app, windows service, etc), but this article provides a nice overview of getting Forms Authentication set up with asmx.

ASP.NET app double-hop issue when sending email to exchange

I created an ASP.NET application for an internal purpose, where the domain user accesses a simple web form, fills in the form and submits. The application impersonates the user and sends an email as the logged on domain user to our ticketing system where a ticket is generated from the user who filled out the form. Now, everything works when I test by logging onto the same server that IIS (7.5) is located and submit the form, but when I try to do the same from my desktop (opening browser and pointing to web server), it does not work. After investigating the issue, I discovered that this is likely a double-hop issue (which I confirmed when the exchange admin checked logs after a few failed attempts and found that site was trying to send email as NTAuthority/Anonymous.)
I've combed the web and found a lot of info on this issue, but all I can seem to find are articles detailing the issue in relation to earlier versions of IIS (IIS 5 or 6). I'm using 7.5 so I'm not certain of how the process for resolving this would differ. Could someone who has had this issue on IIS 7.5 post the basic step by step instructions for resolving double-hop as it relates to IIS 7.5 and sending impersonated email to an Exchange server? Something to the effect of, step one – do this, step 2 – do this, etc…
Another question that I have is the following: Many articles that I have read specify setting up a service account for delegation, and then create SPNs...However with IIS 7.5, I have the option of using application pool identities. Would application pool identities work with delegating impersonation, or would a service account be required to fix the issue?
Thanks all!
From your description, it sounds like your ASP.NET application is trying to determine the logged in user by their Windows network login credentials?
If so, all you should need to do is turn off "Enable Anonymous Access" in your IIS site and make sure that "Authenticated Access" has the "Integrated Windows Authentication" turned on. Then IIS should properly query the browser for their login info and the session should use the user's credentials. This assumes a few things about the client browser used and if something other than Internet Explorer is used, then you might also need to turn on one of the other authentication methods so that the other browsers will properly prompt the user for their network login credentials. Sorry I don't have a running IIS 7.5 server at the moment to give you the exact site properties and descriptions to look at. So if you cannot determine it from my description here, hopefully someone else might add on with that or I can try to follow up later if you need.

Getting the Logon_User in IIS 7.5

I have a .NET 4 application that I am taking to IIS 7.5. In it, I have the following code:
HttpContext.Current.Request.ServerVariables["LOGON_USER"]
This code is in my global.asax file and is in my Application_BeginRequest method.
For my application, this is returning an empty string. That makes me think that I don't have my authentication setup. I go into the IIS admin manager, and I have Anonymous, Digest, and Forms Authentication disabled. I have ASP.NET Impersonation, Basic, and Windows Authentication enabled.
Any ideas regarding what I need to do to get the actual windows auth userid would be appreciated.
Wally
Take a look at this page http://msdn.microsoft.com/en-us/library/ms178473.aspx (somewhere in the middle)
It explains which events are executed when a request comes in. BeginRequest is one of the first events that are raised when a request comes in and this means that not every piece of information you might need is available yet. In your case try capturing the PostAuthenticateRequest and see if that works. Also, you might be interested in User.Identity.Name.
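
The answer's suggestion as an added example (not code from the post): read the identity in PostAuthenticateRequest rather than BeginRequest. The `Context.Items` key is a hypothetical name, and the Basic check is included because the question has Basic enabled alongside Windows Authentication.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Added illustration of Global.asax.cs; the Context.Items key is a hypothetical name.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Too early: authentication has not run, so LOGON_USER is still empty
        // (the behaviour reported in the question). Make no access decisions here.
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Anonymous request: there is no Windows identity to read.
            return;
        }

        string name = user.Identity.Name;                  // e.g. DOMAIN\user
        string scheme = user.Identity.AuthenticationType;  // e.g. Negotiate, NTLM, Basic
        string logonUser = Request.ServerVariables["LOGON_USER"];

        // Basic sends the password base64-encoded, so flag it when not on TLS.
        if (string.Equals(scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            && !Request.IsSecureConnection)
        {
            Trace.TraceWarning("Basic auth over plain HTTP for {0}", name);
        }

        // Keep the resolved name for later pipeline stages and pages.
        Context.Items["AuthenticatedUser"] = name;
        Trace.TraceInformation("user={0} logon_user={1} scheme={2}",
            name, logonUser, scheme);
    }
}
```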

Using Windows Integrated Auth & Anonymous after jakarta redirect on IIS7

I have an application we bought that I need to integrate, and it uses jakarta connection to get to the application from IIS.
So, the basic operation is:
1. user goes to the url
2. Gets redirected to the application
3. SSO is enabled, so redirected back to IIS for fetching of domain credentials
4. Back to application
5. If username is blank show login page, else let user in.
This is a simplification of all the steps, but the basic idea is here.
My difficulty is that I need both Windows Integrated Auth and anonymous on, as some users won't have credentials, and need to be prompted for a username/password.
I have looked at: IIS Windows Authentication before Anonymous already, but the user doesn't get to click on a link to decide. The application goes back to IIS looking for login.aspx and from there I want to either get their domain credentials or pass back to the application empty strings to signify that there are no credentials.
It seems this isn't going to be possible though as if anonymous is on it doesn't make the 401 request so the credentials aren't passed.
If I can't get this to work with just using an ASP.NET page, could it be done using an ISAPI filter, or a module?
UPDATE:
I found a possible solution, but I need to figure out how to get it to work, as my login page is on the JBoss server.
http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx
Keep the Authentication in the IIS as the Anonymous.
When loading the home page, check the ACTIVE DIRECTORY for the current logged in USERNAME; if it exists, provide the extra functionality to the current user, or else provide fewer options.
Refer --> Active Directory Checking
