Enable cross domain integrated windows authentication - asp.net

I have a web application (say app1) which is hosted in a IIS server virtual directory.
This web application needs Integrated Windows Authentication for its functioning.
I need to integrate this web application with another product which does not use supply me windows credentials.
This application sends me an http request in a specific format.
I need to validate the request and redirect it to app1 with valid windows credentials so that it logs in smoothly.
I have created another application for this purpose
This is hosted on a separate virtual directory.
It has IIS anonymous and asp.net anonymous authentication enabled.
the pseudo code is as follows :
app2
parse request
if request sucessful
get windows credentials
get identity using credentials
reponse.redirect(app1.aspx)
But app1 authentication fails, IE asks me for credentials again.
Ideally IE should not ask me for credentials.
What would be the security context sent in the request to app1.
How can I trace the authentication failure at iis and asp.net?

To do this you need a trust relationship between the domains.
The response.redirect just sends a response back to the browser which then makes a request for the page in the redirect. So the identity is the identity of the browser.

Related

.Net Framework Identity Server 3 - Windows Authentication

We are using Identity Server 3 in our tool that has the following structure. One (AngularJs) Spa with 10 Web APIs . We use the WindowsAuthWebHost mini project to do the windows handshake to get the windows(domain) identity of the user, based on which we build a complex(with custom claims) token that it's used by the client Web APIs. All the 10 Web APIs have anonymous authentication set in the IIS. And it works smoothly.
Now, we are trying to expose this tool outside the company network and a perquisite is to have windows authentication on all the Web APIs in the IIS. If we set this time of authentication, now all the calls are unauthorized.
Do you know if there is a way to keep the same flow, but also validated the windows authentication?
Windows authentication will not work outside of the network. The user needs to have a valid user account in your domain (username/password), or even a local account on your IIS server.
Note that NTLM doesn't work through some proxy servers, so this is one reason that Windows AuthN isn't used so much on the public internet.
To achieve your requirement you could use the form authentication with active directory.you may need to enable both form and anonymous authentication. then create deny authorization rule for anonymous users and allow rule for all users.
How To: Use Forms Authentication with Active Directory in ASP.NET 2.0

Asp.Net Web Form calling same domain WCF service without need for authentication

I have a aspnetcompatibility=true WCF service (http binding) in the same domain of my Asp.Net website.
I want to make a call from my Asp.Net server side code to the WCF service.
I have tried to make a web request to http://testDomain/mySite/services/mySvc.svc but got the login page instead.
Is there a way to call the wcf service from the same domain asp.net site so that the service knows to not authenticate again?
Note: I use IIS7, and I'm open to change by binding as long as I can make a call to it w/o authentication. I'm hoping to host the svc in IIS.
Try to enable windows authentication in IIS for your hosted service and disable anonymous authentication (if it is enabled). Besides, pass security credentials (domain credentials perhaps in your case) from the client to the service.

Can access asp.net pages and wcf services remotely, though not locally

We've deployed an asp.net site and WCF services in IIS, and can access the site and services remotely with no issues. We have site bindings set up in order that for remote calls we're using https, and we use the URL Rewrite IIS add-in to redirect requests to https if they are http requests. All requests are working remotely, however when we actually log onto the Windows 2008 Server, open up IIS 7.5 and try to browse the content locally on the server we get a credential challenge Title: "Windows Security" Message: "Connecting to {server name}" with ok/cancel buttons.
I'm logged into the server with the same credentials that I'm accessing the web site on from my local machine.
Any ideas?
The error message that come is as below:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'.
The authentication header received from the server was 'NTLM,Negotiate'.
As mentioned this error does not come when the service is accessed remotely. This only happens while calling the service from the server where it is hosted. Probably some setting in IIS?
As the Exception says, the authentication schemes do not match. Your client does not offer NTLM. Please check the internet explorer enhanced security configuration and see if it is active or see if it is restricted otherwise to use NTLM.

I don't have access to webservice, what to do?

The request failed with HTTP status 401: Unauthorized.
When I test in the browser it works, but when I call it from another application I don't have access. What to do? The application where the webservice is using windows authentication. It's propably there the problem is, I suppose!
I solved it:
They are on the same domain but not on the same application. I pass
the authentication with the webservice call:
cm.Credentials = System.Net.CredentialCache.DefaultCredentials;
Windows Authentication for a web service provides some challenges; the web service would need to be on the same domain for that to work I believe, so that it could use the user's credentials.
Do you have to use windows credentials? Using a ticketing system, which requires the user to first login through another web service method, can work just as well.

Cannot authorize with different server name

I have a web service running in IIS 6.0 on Windows 2003. It's authentication mode is Integrated Windows security (anonymous disabled), and authorization is done with Authorization Manager and an XML authorization store. My test user is a domain user (admin, actually) with membership in an authorized role.
I am testing this (for now) on the web server (localhost), and using (for now) Internet Explorer to access the web service (.asmx).
I can successfully open the web service (wsdl) page through localhost, like this:
http://localhost:8080/MyService/MyService.asmx
Using this url, integrated windows authentication succeeds (silently), and I am sucessfully authorized by AzMan to access the service. The same goes for the server name:
http://myserver:8080/MyService/MyService.asmx
Now I need to use the external host name (www.mysite.no) to access the service (this in order to get ssl to work with a certificate issued to that sitename). To do this, I add the host name to my HOSTS file, like this:
127.0.0.1 www.mysite.no
...then type this into IE:
http://www.mysite.no:8080/MyService/MyService.asmx
What happens then is that authorization fails. I get the IE/Windows login box and enter my correct credentials three times. Then I get a 401.1:
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)
How is authorization through AzMan influenced by the host name?
Edit: I have reason to believe AzMan has nothing to do with it - it seems to be the authentication that fails.
I have reproduced the problem on another server. The essence seems to be that accessing localhost via an entry in the local host file somehow messes up the integrated windows authentication between the browser and IIS.
I have worked around the problem, now my curiosity is all that's left...
Enable audit login failure auditing & check the security event log on the host.
1) On the webserver, go to Control Panel, Administrative Tools, Local Security Policy.
2) Go to local policies, audit policy. Add failure for 'audit logon events'.
3) Close the MMC. Open a command prompt and type gpupdate.
4) browse to http://www.mysite.no. You will get the error again.
5) Launch event viewer (control panel, admin tools, event viewer). Navigate to the security event log and look for the login failure(s).They shoudl tell you something descriptive, like 'the user has not been granted the specified logon type'. Unfortunately the login type itself is not descriptive; logon type 2 is interactive (locally), 3 is 'access this computer over the network', 5 is 'logon as a service' (NT service, not WCF service). The rights required can be granted in the local security policy.
Also, check to see if you have a proxy enabled in IE. If your traffic is being routed to the proxy, it is possible that the proxy does not support NTLM. Add the host as a proxy exception while you test using IE.
My first guess is that it's not the host name.
The first thing to do is narrow down the problem as there are a couple things that could be going wrong.
First set the IIS site to anonymous access, and make sure you can pull up the web service. That will verify that you're accessing the right IIS web site and it's truly narrowed down to an authorization problem.
Also, check the Application Pool credentials, and the security settings on the file folder containing the web service as these could be contributors.

Resources