I have set up an ASP.NET MVC3 website using Windows Authentication and am getting a 401.1. The error code is 0x8009030e on the 401 page. Users should be able to access the site using their domain credentials.
I don't get the error if I log on to the machine and hit the website via localhost (http://localhost/mysite). However, even logged onto the server, if I hit the website through the server name (i.e. http://machinename.com/mysite) I still get the error.
The website uses its own .NET 4.0 app pool and uses integrated mode. The site is configured for Windows Authentication only in the config.
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
...and in IIS. I don't have extended properties configured, and have enabled kernel-mode authentication (both are the default). I've tried toggling "IIS Manager Permissions" without any luck.
Any ideas?
I had to do two things to get this working properly:
Make the app pool use "Classic" instead of "Integrated" mode. After making the change, I was getting a 403.x error.
I solved the 403.x error by granting (Read/Execute) NTFS permissions to the "Domain Users" group.
Related
I am running an ASP.NET (VB) 4.6.1 Web Forms application. I am using Windows Authentication ( <authentication mode="Windows" /> ).
The scenario is to allow any authenticated Windows user to the landing page. Any user in the “Check Admins” active directory security group should get access to any of the pages in the Admin sub-folder.
The root web.config has:
<authorization>
<deny users="?" />
</authorization>
The Admin web.config has:
<authorization>
<allow roles="domain\Check Admins" />
<deny users="*" />
</authorization>
On the landing page, I enumerate through all the roles the user has with:
test &= "<br/><h3>You have the following roles:</h3>"
For Each r In Roles.GetRolesForUser()
test &= r & "<br/>"
Next
I’ve gone through several settings and web.config changes (most outlined below). I can get it to work as expected on my dev PC but cannot get it to work when deployed to the test server running Windows 2008 R2 and IIS 7.5. I can get the site to come up sometimes, but only if I go to http://localhost. It doesn’t come up when I use the fully qualified name: http:// test.mysite.net
Here are the changes & settings I’ve tried:
When running without impersonation:
Dev Machine:
User.Identity.Name: domain\me
Principal.WindowsIdentity.GetCurrent.Name: domain\me
Landingpage: Runs
Admin page: Runs
Enumerated roles: All for me except admin roles
All works as expected.
When deployed to the server with IIS Settings
IIS 7.5 Server (http://localhost):
User.Identity.Name: domain\me
Principal.WindowsIdentity.GetCurrent.Name: IIS APPPOOL\Test.mysite.net
Landing page: Runs
Admin page: Runs
Enumerated roles: Shows roles (presumably) for IIS APPPOOL\Test.mysite.net
IIS 7.5 Server (FQDN: http:// Test.mysite.net):
Never-ending security challenge
Changing IIS Settings on the server
Both server sites return
HTTP Error 500.24 - Internal Server Error
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
Adding <identity impersonate="true"/> on dev machine:
HTTP Error 500.24 - Internal Server Error
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
Most likely causes:
• system.web/identity#impersonate is set to true.
Adding
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
with the impersonate above gives:
Dev Machine: (Same as first run)
User.Identity.Name: domain\me
Principal.WindowsIdentity.GetCurrent.Name: domain\me
Landing page: Runs
Admin page: Runs
Enumerated roles: All for me except admin roles
IIS 7.5 Server (localhost):
User.Identity.Name: domain\me
Principal.WindowsIdentity.GetCurrent.Name: domain\me
Landing page: Runs
Admin page: Never-ending security challenge
Enumerated roles: Shows roles (presumably) for IIS APPPOOL\Test.mysite.net
IIS 7.5 Server (FQDN: http:// Test.mysite.net):
Never-ending security challenge
I’ve spent several hours combing through the posts here and elsewhere on Google. I don’t know if this is a .Net 4.5+ thing or if I just missed something. How can I get it to properly read the roles and authenticate to the folders?
And why when I try to get to the page using the full URL does it completely fail authentication?
For 90% of this, it turns out the Active Directory server had an expired certificate, so refused to authenticate requests from the web server. Strangely, it did authenticate all the users signing in to the Windows accounts on the PCs. I'm posting this in case anyone else comes across a similar problem.
Though, I still can't figure out why on the server itself, navigating to the full URL still does not authenticate, but going to Localhost works just fine.
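The rule ordering in the two web.config files above can be checked with a small model of ASP.NET URL authorization. This is an added example, not code from the posts and not ASP.NET's own implementation. It assumes the machine-level default `<allow users="*" />` is appended last, compares names case-insensitively and ignores the `verbs` attribute.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two <authorization> sections quoted above.
ROOT_CONFIG = '<authorization><deny users="?" /></authorization>'
ADMIN_CONFIG = ('<authorization><allow roles="domain\\Check Admins" />'
                '<deny users="*" /></authorization>')
# Assumed machine-level default rule, evaluated after every site rule.
MACHINE_DEFAULT = '<authorization><allow users="*" /></authorization>'


def _split(value):
    """Split a comma-separated attribute into lower-cased names."""
    return [s.strip().lower() for s in value.split(",") if s.strip()]


def load_rules(*sections):
    """Flatten sections (most specific first) into (action, users, roles)."""
    rules = []
    for xml_text in sections:
        for el in ET.fromstring(xml_text):
            rules.append((el.tag, _split(el.get("users", "")),
                          _split(el.get("roles", ""))))
    return rules


def matches(users, roles, name, user_roles):
    """name is None for an anonymous request; user_roles are resolved groups."""
    if "*" in users or ("?" in users and name is None):
        return True
    if name is not None and name.lower() in users:
        return True
    return any(r.lower() in roles for r in user_roles)


def authorize(rules, name, user_roles=()):
    """Return the action of the first matching rule (first match wins)."""
    for action, users, roles in rules:
        if matches(users, roles, name, user_roles):
            return action
    return "deny"


LANDING = load_rules(ROOT_CONFIG, MACHINE_DEFAULT)
ADMIN = load_rules(ADMIN_CONFIG, ROOT_CONFIG, MACHINE_DEFAULT)

if __name__ == "__main__":
    cases = [("anonymous", None, []),
             ("groups resolved", "domain\\me", ["DOMAIN\\Check Admins"]),
             ("groups not resolved", "domain\\me", [])]
    for label, name, groups in cases:
        print(f"{label:20} landing={authorize(LANDING, name, groups):5} "
              f"admin={authorize(ADMIN, name, groups)}")
```

The third case reproduces the reported pattern: the landing page runs, while the Admin folder falls through to `<deny users="*" />`. With Windows Authentication that denial is returned as a 401, which the browser answers with another credential prompt.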
We are creating an intranet site and want to use SSO. The problem is however, that Internet Explorer (11) keeps asking for credentials. By specifying the username and password we are able to access it. Then the intranet application can be used without a problem. When Internet Explorer is closed however it asks for credentials again. The problem occurs on the testing machine (running in a domain) and also on my laptop at home which I also use to develop on. I access the test server with Remote Desktop and then test the site on the same machine as it is running on, which is Windows 2012R2 running IIS 8.5.
On the test server the application (ASP.NET MVC with SignalR and WebAPI) is using a URL that will not be automatically recognized as an intranet site although it is in the same IP range. Therefore I have added the site explicitly to the intranet zone in the settings of IE.
When I then right click on the site and request the properties I can see it is in the intranet zone. This is for as far as I could find the solution in these situations but for us there is something else going on.
This is the system.web section of web.config:
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
In IIS I have tried enabling both Windows Authentication and Digest and also just one of those. The other authentication options are disabled, including Anonymous Authentication.
I also added the site to the trusted zone which did not help. Also changed the zone settings (for intranet and trusted) to do "Automatic logon on with the current username and password" but that didn't help either (I don't understand the setting Automatic logon only in Intranet zone though, because it seems a zone specific duplicate setting of the aforementioned setting but ok). I also checked the advanced settings to be sure that Integrated Windows Security is enabled.
At the moment we're completely out of ideas.
Two more to your checklist:
make sure you have disabled anonymous authentication
make sure the domain controller is accessible from both the client PC and the IIS hosting the web app. Chances are the domain controller doesn't recognize the application server as coming from the same domain.
http://www.wiktorzychla.com/2012/06/iis-75-integrated-security-with-no.html
I have set the Full control to "Domain Users" in the Security Tab (NTFS permissions) of my Application Folder. Which resolved the problem in IE 11 but Chrome is continuously asking for User name and password.
We have an issue where forms authentication works correctly locally when run from Visual Studio but not remotely from a server running IIS 7. We have also determined that it works correctly on the remote server if we browse to the local site from the server. More specifically, when logging in using the login screen sometimes we are taken into the application and sometimes we are redirected back to the login screen. For the times when we are taken in we are at a one click maximum situation where, if we click on any item inside the site, we are immediately sent back out to the login page. We are using .NET 4.0. We are using location to set permissions on a per directory basis in the web.config:
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
We have tested that the issue must have something to do with this setting because as soon as we change deny users="*" to allow users="*" it works when testing remotely to the test server. Again, the issue only occurs when promoting to the test environment and testing remotely and works perfectly when running in Visual Studio or when browsing to the localhost site from the remote server. My guess is an IIS 7 setting but we have played around with a few of the settings to no success.
It has a simple solution. In your IIS 7, click on the topmost node (your server node), then click on "Modules" in the IIS part of the home page.
Double click Default Authentication and uncheck the "Invoke only for ..." option
Double click Forms Authentication and uncheck the "Invoke only for ..." option
Your forms authentication will work perfectly.
I have my C# ASP.NET web application set up for Windows authentication.
<authorization>
<deny users="?" /> <!-- Denies access to the anonymous user. -->
</authorization>
I have 2 issues.
Firstly, if I navigate to my site from my local PC, I get asked for a username/password to which I enter the credentials I use to log on to the server and these are successful and I gain access. However if I navigate to the site on the server via the internet browser, I get asked for the credentials to which I supply same - but it never lets me access, I keep getting a pop-up to re-enter my credentials. Any ideas why this might be so? Do I have incorrect configuration?
Secondly, is it possible to set up Windows authentication so that when accessing the site from my local PC I am asked for username/password, but when accessing it on the server, I am not asked for such and can access the site without providing any details?
Have you selected "Integrated Windows Authentication" in the IIS for your web site?
What mode do you have for the authentication in your web.config?
I have a webpage that emits files (images) (through Response.TransmitFile) that is working ok.
However, when I publish the site to IIS (5.1), it starts randomly to emit 401 and 403 status codes instead of the expected files (images).
The IIS site is supposed to have Windows Integrated Authentication without allowing anonymous users; however, I configured the locations in my web.config to allow users to get the files:
<location path="ViewFile.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I have set permissions for the users \IUSR_, \ASPNET, my own domain user, and even for Everyone, but I don't get to solve the problem.
Any suggestions on how I can handle the problem?
Edit 1:
When I activate anonymous authentication in IIS, the site works fine, but then the domain authentication doesn't appear. I understand that the anonymous authentication prevails over any other authentication.
Some points to get you started:
What do you see in the Windows Event log?
If you take out the authorization configuration, does it work OK -- or do you still get 401 and 403 codes?
You mentioned that it happens 'randomly' -- is it connected with certain users? Or times of heavier load? Or certain files?
TransmitFile doesn't buffer in memory -- are these large files?
Update 6/29/2011 5:02pm - You didn't mention you were publishing locally before. Have you tried this configuration hack? I have had to use it when using Windows Authentication and IIS locally.