I have a .NET 4 application that I am taking to IIS 7.5. In it, I have the following code:
HttpContext.Current.Request.ServerVariables["LOGON_USER"]
This code is in my global.asax file and is in my Application_BeginRequest method.
For my application, this is returning an empty string. That makes me think that I don't have my authentication setup. I go into the IIS admin manager, and I have Anonymous, Digest, and Forms Authentication disabled. I have ASP.NET Impersonation, Basic, and Windows Authentication enabled.
Any ideas regarding what I need to do to get the actual windows auth userid would be appreciated.
Wally
Take a look at this page http://msdn.microsoft.com/en-us/library/ms178473.aspx (somewhere in the middle)
It explains which events are executed when a request comes in. BeginRequest is one of the first events that are raised when a request comes in and this means that not every piece of information you might need is available yet. In your case try capturing the PostAuthenticateRequest and see if that works. Also, you might be interested in User.Identity.Name.
Related
I am playing with Asp.Net Web Api 2 creating a REST service with token authentication (under normal IIS 7.5, not express). Therefore, I've used the standard generated template that comes with Visual Studio 2015.
I understand the concept and the code too, did some testing wth Fiddler, getting the token, try to register etc. and I like the approach.
But there's 1 thing I don't understand and I miss that in about every article I've read about it:
what should be the IIS authentication setting(s) for the service?
By default, anonymous authentication is turned on and the other options
(forms, windows, basic) off.
If I understood correctly it shouldn't matter (because the OAuth Authorization Server and OWIN in the WebApi service should take over the complete authentication mechanism for the service, right?), or else all IIS authentication options should be turned off.
But I see that it does matter. Because if I want to execute a '/api/Register' POST method, it only works if I have anonymous authentication turned ON. If I turn it off, I get a 401.2 Unauthorized result.
But it seems so unlogic / unsafe to me to keep the anonymous authentication turned ON. I'd like to turn that off. Or do I have to have it turned on? And if so, why? Am I missing something?
I've also set the authentication method in my web.config to 'None':
(Only thing I changed in my web.config is the database connectionstring.)
I have a diagnostic web application hosted in IIS7 that has Windows Authentication enabled and Anonymous auth disabled. This application generated some kind of a report where it includes information about what kind of authentication was used to view the site. Every time I browse to this site I get a message that I connected using Anonymous authentication which for me is unbelievable. The report works fine (tested on other machine) and the fact is that I do not get a credentials popup. How is this possible and how can I fix this?
First, i'm not knocking your diagnostic application, but it may be worth looking at the IIS logs (or indeed switching them on for your site) to see what IIS thinks is going on. If you're not familiar with IIS logs, I'd suggest writing them in Microsoft format (at least while you're sorting this problem). One of the key fields you get is the user id. If you really are hitting the pages anonymously, this id will be the id you configured to field anonymous requests. Otherwise, it will normally be the calling user's id (at least in a simple scenario).
Second, how many sites are you running? Are you sure you're going in through the expected site? Or maybe you're hitting the default site instead?
Third, bear in mind that authentication can be set at the site level but anso at the page level. Are you sure one isn't overriding the other?
I have an ASP.NET MVC 3 application that is using windows authentication, configured in IIS 7.5. It prompts the user for their Windows Credentials when they first load the
page.
Now, I want to have the "session" timeout in XX minutes, so that the page
will again prompt them for their credentials if this timeout has elapsed.
I have tried setting the "Session.timeout = XX" in the page_load method of
the page I want to secure.
I notice that the "Session_End" method in Global.Asax does fire, but the
Authentication Ticket appears to "stay valid" even after the Session has
ended.
Is there a way to force the page to prompt again for Windows Credentials at
specified timeouts either by changing configurations in Web.Config or thru IIS?
Please let me know.
You don't have control over the allowed session duration when using Windows Authentication, as this is part of the authentication protocol (Kerberos). There are ways and workarounds, but none of them straightforward.
It seems that forcing a client-side document.execCommand("ClearAuthenticationCache"); might come closest to your needs.
As far as I know there is no easy way to achieve this. I've read on people trying to manually control when 401s are sent but from what I remember, I haven't found any reliable solution.
I created an ASP.NET application for an internal purpose, where the domain user accesses a simple web form, fills in the form and submits. The application impersonates the user and sends an email as the logged on domain user to our ticketing system where a ticket is generated from the user who filled out the form. Now, everything works when I test by logging onto the same server that IIS (7.5) is located and submit the form, but when I try to do the same from my desktop (opening browser and pointing to web server), it does not work. After investigating the issue, I discovered that this is likely a double-hop issue (which I confirmed when the exchange admin checked logs after a few failed attempts and found that site was trying to send email as NTAuthority/Anonymous.)
I've combed the web and found a lot of info on this issue, but all I can seem find are articles detailing the issue in relation to earlier versions of IIS (IIS 5 or 6.) I’m using 7.5 so I’m not certain of how the process for resolving this would differ. Could someone who has had this issue on IIS 7.5 post the basic step by step instructions for resolving double-hop as it relates to IIS 7.5 and sending impersonated email to an Exchange server? Something to the effect of, step one – do this, step 2 – do this, etc…
Another question that I have is the following: Many articles that I have read specify setting up a service account for delegation, and then create SPNs...However with IIS 7.5, I have the option of using application pool identities. Would application pool identities work with delegating impersonation, or would a service account be required to fix the issue?
Thanks all!
From your description, it sounds like your ASP.NET application is trying to determine the logged in user by their Windows network login credentials?
If so, all you should need to do is turn off "Enable Anonymous Access" in your IIS site and make sure that "Authenticated Access" has the "Integrated Windows Authentication" turned on. Then IIS should properly query the browser for their login info and the session should use the user's credentials. This assumes a few things about the client browser used and if something other than Internet Explorer is used, then you might also need to turn on one of the other authentication methods so that the other browsers will properly prompt the user for their network login credentials. Sorry I don't have a running IIS 7.5 server at the moment to give you the exact site properties and descriptions to look at. So if you cannot determine it from my description here, hopefully someone else might add on with that or I can try to follow up later if you need.
Here's what I want to do (which I've done before but I'm clearly doing something that is not obvious to me...):
ASP .NET 3.5 Intranet Application
Want to have Windows Authentication against AD setup on the website
When the user requests the page, fetch the user's username with the following code:
System.Web.HttpContext.Current.User.Identity.Name
I have IIS 7.5 and have setup the web application, disabled anonymous access and enabled Windows Authentication.
When the page is requested, the prompt for username / password is entered.
I entered the details but the prompt keeps coming up and eventually comes back with 401.
What on earth have I missed?
It seems to be a broblem with the Authorization (dond confuse with Authentication they completely diffrent), becuse the Authentication has been passed successfully after you've written the right user name and password, please try to set the appropriate privilegs to the user you try to login with, then try again. You can do that by set ting the right roles in the Authorization tab in the Security/Application tool of ASP.NET or by defining it manually by creating the right class... You'd better also chack the IIS policy if you deal with production code on IIS. If this is not working please post the Authentication code you've written.
Figured out what was wrong. Was nothing to do with Authorization at all but I stupidly had written code a few days back throwing a 401 error when a certain condition was not met. Removing that proved that the setup done worked perfectly :)