I'm trying to set up Windows authentication in my web app, but I cannot make it work. The app run in my computer (Windows 7 x64), I am in a domain network, and the app is running on the real IIS, not the Cassini web server.
What I have done so far:
Enable basic authentication in IIS. (I have also tried to enable Windows Authentication)
Web.config <authentication mode="Windows"></authentication>
I have tried with and without <identity impersonate="true"/>
I have put the AuthorizeAttribute within my controllers.
I have tried also the <add key="autoFormsAuthentication"
value="false"/> fix for MVC3 Beta.
What I got:
I can open the page that has no AuthorizeAttribute, I put a breakpoint and this is what I get in different properties related with authentication:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
"IIS APPPOOL\\ASP.NET v4.0 DefaultAppPool"
Environment.UserDomainName
"IIS APPPOOL"
Environment.UserName
"ASP.NET v4.0 DefaultAppPool"
User.Identity.Name
""
Of course I cannot open any page with the [Authorize] attribute.
The only thing I want is get the Windows user name of the user that is accessing the web application. How should I do it?
It worked after reboot the computer. No idea what was wrong.
I had the same problem, it got resolved after I added the following tag in my <appSettings> in my root web.config.
<add key="enableSimpleMembership" value="false"/>
along with this
<add key="autoFormsAuthentication" value="false"/>
Related
I installed version 6.3.0 of the bonobo server on a windows 2008 r2 box. I followed the instructions and all it was well with the out-of-the-box settings.
Now, I wanted to enable Windows Authentication. The goal is that the developers don't have to enter a password when they access the remote repository.
I started with this article. Firstly, I am not sure about the sequence of making the changes. Should it be done before running it the first time? Or after? It's not clear. Anyway, I did it both ways, and in both cases it doesn't work.
Scenario 1: Left everything out-of-the-box, I added myself as a user. After I made the web.config change I was still presented with the login page, and when I typed the password, I was redirected back to the login page.
Scenario 2: I shut down IIS, I made all the changes, and before restarting IIS, I updated the web.config as per the windows authentication article. I also disabled Anonymous Access and enabled Windows Authentication. After I restarted IIS, when I tried to access it, I got:
The request filtering module is configured to deny a request where the query string is too long. I fixed this by adding: maxQueryString="32768" to the requestLimits tag.
Now I get ERR_TOO_MANY_REDIRECTS when I try to access the root page.
The documentation is not clear on how you have to configure this thing for windows authentication. It looks to me that you need to leave the out-of-the-box settings, define your users, make sure one of them is admin, then change the setting to windows authentication. As soon as you turn on the windows authentication the admin user can't be used. I assume the server is trying to find the current user in its own database.
One other thing, if you turn on windows authentication in the web.config, do you need to enable the Windows Authentication in the IIS Authentication for the app and turn anonymous access off? I would think so, but the documentation doesn't specify anything. What happens if I am logged in with an account on different domain than the box with the bonobo server?
Is there someone that can clarify what has to be done exactly to get the windows authentication running?
Thanks
I hope you could solve the problem meanwhile
if not, change the "AuthenticationProvider" to "Windows" and "MembershipService" to "ActiveDirectory".
Check your Web.config if the following is uncommented
<appSettings>
...
<add key="AuthenticationProvider" value="Windows" />
<add key="MembershipService" value="ActiveDirectory" />
...
<add key="ActiveDirectoryDefaultDomain" value="<your.domain>" />
<add key="ActiveDirectoryBackendPath" value="~\App_Data\ADBackend" />
<add key="ActiveDirectoryMemberGroupName" value="Developer" />
<add key="ActiveDirectoryTeamMapping" value="Developers=Developer" />
<add key="ActiveDirectoryRoleMapping" value="Administrator=Developer" />
...
</appSettings>
...
<system.web>
...
<authentication mode="Windows" />
...
</system.web>
I have installed an ASP.NET 4 Web Forms app on a remote Win2K8R2 virtual machine. I cannot remotely deploy anything to this box, so I shipped a VS2012 Web Deployment Package which I installed locally. I installed the IIS Recommended Configuration through WebPI 4.6.
I started out using the Default Application Pool (mine will be the only web app on IIS) in Integrated Pipeline mode with LocalSystem identity. This is the exact same configuration that I successfully have used for other web apps on a Win2K8 VM and a Win2K8 physical box.
I am using Forms/Anonymous Authentication. The Account directory Authorization is configured this way:
My application Authorization is configured like this:
UPDATE:
My application Authentication is configured like this:
My Membership Provider is configured like this:
<membership defaultProvider="ActsMembershipProvider">
<providers>
<clear />
<add connectionStringName= [myString]
name= [providerName]
type= [assemblyName].[providerName] />
</providers>
</membership>
My Forms Auth is configured like this:
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Account/Login.aspx" defaultUrl="~/" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
UPDATED: After searching SO, here's what I have tried:
Re-registering ASP.NET with IIS. (aspnet_regiis -ir)
With IUSR as Anonymous Authentication user, granted full web app directory rights to IUSR.
Switched App Pool identity to NetworkService and granted app directory rights to NETWORKSERVICE.
Switched Anonymous Authentication user from IUSR to my server username (xxxx/s_usr_acts, as shown in previous screenshots) and gave s_usr_acts full rights to web app directories.
aspnet_regiis at the app level.
I can reach my Login page, but I keep getting the 401.2 error when I try to log in. Anything else I can check or try?
Additional Info:
UPDATE: I have this same application successfully configured on a Rackspace Win2k8 production box and an in-house Win2k8 VM.
I am authenticating via the ASP.NET Membership Provider.
I am running EF5 against Oracle's Data Provider.
UPDATE2: When I ran my Web Deployment Package from root of the C: drive on our client's server, I encountered the 401.2. However, when I ran it from the Desktop, I no longer encountered the 401.2, and "progressed" to Oracle connection errors. I have this as an answer because my findings addressed the specific problem, although I don't consider this canonical in any way. I am still hoping for something closer to a canonical answer.
I had the same problem and I solved it when changing Anonymous Authentication Credentials at IIS Authentication panel. When I selected "Aplication pool Identity" the error dissapeared. I don't know why this is the solution. Although I don't know what is the origin of this mistake neither, because I only wanted to update my web application copying the files from the deploy folder except the web.config file.
Now, after putting out fire, i'll investigate why it happens. For the moment i think that can help somebody.
I am using HttpContext.Current.User.Identity.Name to get the user name when the web application is in use. During development I was using my local iis, with integrated windows authentication enabled and anonymous access enabled and disabled, and I was able to get the username.
Now, when I publish the web application, it comes back blank. The setup on the published server is the same, and I have tried using Page.User.Identity.Name, which also returned blank.
Does anyone know why this is and how to fix it?
You probably had Anonymous Authentication on as well as Windows Authentication. Turn off Anonymous off.
So,
<system.web>
<authentication mode="Windows" />
</system.web>
In IIS config for the app,
look in Authentication tab
Set **Anonymous Authentication** to **Disabled** and
Set **Windows Authentication** to **Enabled**
This should work and the Identity.UserName should now show up properly.
HttpContext.Current.Request.LogonUserIdentity.Name always work for me in VS 2012 environment and IIS 7
To solve the problem, you have to enable the Windows Authentication feature. Follow the below steps:
-Click Start, and then click Control Panel. Open the Programs group.
-Under Programs and -Features, click Turn Windows Features on or off.
-Expand the item labeled Internet Information Services.
-Expand the item labeled World Wide Web Services.
-Expand the item Security ->
Make sure to select Windows Authentication
Also you need to disable Anonymous Authentication from the IIS as follows:
-Click on your application in IIS
-Double click Authentication under IIS group
-Click on Anonymous Authentication
-Click on Disable on the right side under Actions.
Hope this helps
When working with WIF you should use Thread.CurrentPrincipal.Identity.Name instead of User.Identity.Name.
Read more here: http://msdn.microsoft.com/en-us/magazine/ff872350.aspx to learn more about Windows Identity Foundation
Similar question: User.Identity.Name is null after authenticate via WIF
set <authentication mode="Forms"> in web.config file & Your Problem Will solve.
Test your web-site by using below code
if (Page.User.Identity.Name != "" )
{
Label1.Text = "Hello";
}
else
{
Response.Redirect("login.aspx?url=Upload.aspx");
}
This will not solve the original post, but want to put this here anyways in case others stumble across this when searching for why user.identity is returning nothing...
In my case User.Identity started returning nothing after updating a users ad username (specifically the pre-windows 2000 username).
The LSA cache on IIS was the issue. Even after restarting the IIS server while troubleshooting the issue persisted. It was not until adding the registry setting outlined here the the issue was fixed:
https://support.microsoft.com/en-us/help/946358/the-lsalookupsids-function-may-return-the-old-user-name-instead-of-the
For a blank return, my solution ended up being the web.config. I'm using Visual Studio 2010, and the default web.config did not work. I replaced it with a nearly empty web.config and then success! Perhaps the default vs2010 web.config called too many references or configured the IIS incorrectly for the use of User.Identity.Name. My system is Windows7.
Default asp.net web site web.config from vs2010 was about 100-115 lines long. As you can see below the nearly empty web.config is about 20 lines long.
the web.config that i used:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="Doman Name\Group Name" users="" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<add accessType="Allow" users="" roles="Doman Name\Group Name" />
</authorization>
</security>
</system.webServer>
</configuration>
In IIS: click on your Site.
In Home Page: Authentication.
In Action menu: Open Feature.
Disable Anonymous Authentication.
Restart Site.
steps 1,2,3
step 4
I have a web application that allows the users to access the pages if their Windows login name to the domain is in the web config's app settings.
For example:
Logged on username: SampleDomain\SampleUser
on Web.config:
<appSettings>
<add key=AuthorizedUsers value="SampleUser,SampleBooger" />
</appSettings>
<authentication mode="Windows"/>
*successful scenario: SampleUser should be able to browse the website.
I was able to do it successfully during development (locally on my machine), but when I deployed it to a server then I try to browse it from my local machine, the Windows login that it gets is NT AUTHORITY\NETWORK SERVICE so it redirects to my customized error page. I, SampleUser, am in the AuthorizedUsers. I should be able to browse it.
Please help me.
Thank you very much.
You need to use ASP.NET impersonation feature.
When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
Such behavior can be configured in web config using the following code:
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
More info: http://msdn.microsoft.com/en-us/library/xh507fc5%28v=vs.100%29.aspx
I'm trying to enable passthrough or impersonation authentication inside an ASP.NET website that uses the TFS2010 API.
I've got this working correctly with Cassini, however with IIS 7.5 (Windows 7) something is going wrong.
I found this blog post on the subject, and tried the following:
private static void Test()
{
TfsTeamProjectCollection baseUserTpcConnection =
new TfsTeamProjectCollection(new Uri(Settings.TfsServer));
// Fails as 'baseUserTpcConnection' isn't authenticated
IIdentityManagementService ims =
baseUserTpcConnection.GetService<IIdentityManagementService>();
// Read out the identity of the user we want to impersonate
TeamFoundationIdentity identity = ims.ReadIdentity(
IdentitySearchFactor.AccountName,
HttpContext.Current.User.Identity.Name,
MembershipQuery.None,
ReadIdentityOptions.None);
TfsTeamProjectCollection impersonatedTpcConnection = new
TfsTeamProjectCollection(new Uri(Settings.TfsServer),
identity.Descriptor);
}
When I use Cassini nothing is needed besides
collection = new TfsTeamProjectCollection(new Uri(server));
I have enabled the web.config settings (and have the Windows Auth module installed):
<authentication mode="Windows"/>
<identity impersonate="true" />
Is there something obvious that I've missed out?
Solution 1
This is the delegation method. As Paul points out it's a single setting in your active directory:
Find the IIS server in the computers node of the "Active Directory users and Computers" console.
Click on the delegation tab, and select the second option:
Create a 'Cache' directory in your IIS root folder
Add the following to your web.config:
<appSettings>
<add key="WorkItemTrackingCacheRoot" value="C:\path-to-web-root\Cache\"/>
</appSettings>
Make sure your web.config contains:
<system.web>
<identity impersonate="true" />
</system.web>
Turn on Windows authentication and impersatonation and disable everything else in IIS authentication:
Solution 2
Another solution to avoid the steps above is to simply run your application under the TFS:8080 site, as a new application. The hop issue is then removed as you are running in the same context as the web service that your app is calling.
Create a new app pool, use network identity.
Make sure your application has anonymous authentication turned off
Make sure it has windows authentication turned on.
Add <identity impersonate="true" /> to the web config.
I wonder if you're hitting the old Double-Hop issue here?