Windows Authentication - Chrome vs Internet Explorer - asp.net

I have an application deployed to IIS 6.1. When I enter my ASP app in Chrome, popup windows appear and I enter username and password to log into my app successfully. But when I login via Internet Explorer, I can't pass authentication. What could cause such behavior?

I'm not entirely sure exactly what behaviour you're after (you state in a comment that you've enabled anonymous access, however you appear happy with Chrome presenting a challenge response dialog to the user).
The issue is most likely that IE is passing your desktop credentials to the site, but they are being rejected, while Firefox/Chrome are not doing this, hence the challenge response dialogs.
The options are:
1. Move the site out of the "Local Intranet" zone into (say) the "Trusted Sites" zone:
   1. (For IE8 and below) Tools | Internet Options; (IE9) click on the cog icon | Internet Options.
   2. Switch to the "Security" tab.
   3. Click on "Trusted sites" and press the "Sites" button.
   4. Add the domain to the list - you may need to clear the "Require server verification (https:) for all sites in this zone" - and OK.
   5. Back on the Security tab, click the "Custom level..." button, scroll to the end of the Settings list, and make sure that the User Authentication | Logon is set to "Automatic Logon only in Intranet Zone".
2. Change all Intranet sites to prompt for credentials (I'd advise against this however, because it will cause you pain):
   1. Open the Internet Options dialog as per steps 1.1 and 1.2 above.
   2. Switch to the "Security" tab, and select "Local intranet".
   3. Click on the "Custom level..." button, scroll to the end of the Settings list, and make sure that the User Authentication | Logon is set to "Prompt for user name and password".

Since the article linked by Xhalent shows a 404 now, I dug through Archive.org and found a version back from 2009.
I don't know how long this Archive.org version stays stable, so I'm quoting the article here:
Enabling NTLM Authentication in Firefox and Internet Explorer
This tip is useful for organizations who are standardized on Microsoft technologies (Active Directory, IIS, and ASP.NET) and need to provide minimal-intrusion authentication for their internal web applications. I was stumped for a long time on this one. Here’s the scenario:
All of my ASP.NET applications - at this point - are internal to the organization that I work for. We are a strictly Microsoft shop, and, because of this, I always leverage Active Directory in every way possible. Well, this is great from my (a developer’s) perspective, as it means that I don’t have to build and maintain a login system. However, I recently started getting feedback from users across the country saying that they were being challenged with a login screen when they accessed the applications. This was okay, as they could still get in using their Active Directory accounts, but sometimes they had to append the domain to the beginning of their name, and it all became kind of a pain.
We are a diverse organization, in that we have many different network configurations. Some of our users are on high-quality T1 connections, while others are still on intermittent - at best - connections. Because of this disparity, I initially blamed the login problem on different network configurations (firewalls, distance to domain controller, etc.), but after doing a bit more research I found that the problem was actually browser related.
By the way, the Internet Explorer setting can also be implemented via group policy (thanks to Chris, James, and Marilyn for helping me figure this one out). Look in the registry at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
So, here are the steps you need to take to enable NTLM pass-through authentication in Internet Explorer (6 & 7) and Firefox (2):
Internet Explorer
Note: These instructions apply to both IE 6 and IE 7, although there may be slight differences in the screenshots below.
Note2: For some reason, some of the entries that are added to the Local intranet zone seem to be persistent. You’ll delete them in the interface, close all the windows out, come back and they’ll reappear. The only way I found to permanently get rid of them was to manually delete the registry entry located at the location cited just above this section.
In Internet Explorer, click on Tools and select Internet Options.
Next, click on the Security tab at the top of the Internet Options window.
Once the contents of the Security tab are displayed, highlight Local intranet and click on the Sites button
In the Local intranet dialog that pops up, make sure that the last three boxes are checked and click on the Advanced button.
In the next dialog, type the following into the Add this website to the zone text box: "http://www.example.org" (without the quotes) and click on the Add button.
Note: If you’d like to enable Active Directory pass-through authentication for all the sites on a domain, type the following into the Add this website to the zone text box: "http://*.example.org" (without the quotes).
Mozilla Firefox
Note: These instructions have been tested on Firefox 2.0.0.1.
In the address bar of your Firefox browser window, type the following: "about:config" (without the quotes) and press Enter.
In the configuration page that displays, scroll down to the following entry: "network.automatic-ntlm-auth.trusted-uris" and double-click on it.
In the Enter string value that pops up, type "http://www.example.org" (without the quotes) into the text box and click OK.
Note: If you’d like to enable Active Directory pass-through authentication for all of the sites on a domain, type the following into the textbox: ".example.org" (without the quotes).
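
As an added example (not part of the quoted article or of any answer here), this Python code parses a `reg export` of the ZoneMap\Domains key quoted above and lists which hosts are mapped to which zone, so you can see which entries sit in Local intranet, where IE's default is automatic logon. The export text and domains are constructed, and `zone_mappings` and `intranet_entries` are hypothetical helper names.

```python
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
KEY = "\\Internet Settings\\ZoneMap\\Domains\\"
ROOT = "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion" + KEY

# Constructed export for illustration; the domains are placeholders.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    ROOT + "example.org]",
    '"http"=dword:00000001',
    "",
    ROOT + "example.org\\www]",
    '"https"=dword:00000002',
    "",
    ROOT + "example.net]",
    '"*"=dword:00000003',
])

def zone_mappings(reg_text):
    """Return (host, protocol, zone number) for each value under ZoneMap\\Domains."""
    rows, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            _, found, sub = line.strip("[]").partition(KEY)
            # Subkeys nest from the domain down: the key example.org\www
            # describes the host www.example.org.
            host = ".".join(reversed(sub.split("\\"))) if found and sub else None
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and host:
            rows.append((host, m.group(1), int(m.group(2), 16)))
    return rows

def intranet_entries(reg_text):
    """Entries placed in Local intranet (zone 1)."""
    return [(h, p) for h, p, z in zone_mappings(reg_text) if z == 1]

if __name__ == "__main__":
    for host, proto, zone in zone_mappings(SAMPLE):
        print(f"{proto:6} {host:20} {ZONES.get(zone, zone)}")
```

`reg export` writes UTF-16 text, so read a real export with `encoding="utf-16"` before passing it in.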

You might need to ensure that the deployed site is in the Local Intranet zone in IE. The following post discusses how to configure NTLM for IE and Firefox.

Whether you have anonymous access enabled (which you don't appear to), whether you have integrated security enabled, and which type of authentication you have selected for integrated security. Whether you have integrated security enabled in IE.

Related

Remove NEGOTIATE from WindowsAuthentication in IIS

I have a site running in IIS 7.5 that is accessed using a DNS alias different from the actual server name. In IE 8, integrated authentication is failing, but in Firefox and Chrome everything works fine. (IE presents a credential challenge a few times, then displays a 401.1 error page.)
I have figured out that this is due to IE using Kerberos (aka "Negotiate") over NTLM, and Kerberos requires registering a Service Principal Name (using SETSPN) so that the mismatch between the DNS name and the server name is properly handled.
My web site, however, doesn't need impersonation--it is enough to have delegation. So instead of messing with SetSPN, I would just like to remove "Negotiate" from the list of WindowsAuthentication methods in IIS.
I have searched for quite some time to find out how to do this in IIS. I have played with many appcmd commands--but I just can't find online examples, or figure out how by reading MSDN documentation or using appcmd /? to make appcmd commands apply only to a particular application within a site rather than to the entire web server. A few search-hours later over two days, and at least 3 dozen web pages visited, I am still coming up fruitless.
How in tarnation do I get this done--it seems like it should be so easy!
Open the Configuration Editor in IIS. It comes with IIS 7.5, or you can download the IIS administration pack for IIS 7.0. Navigate to the scope you want to affect (server, site, or application) and then open the icon:
Change the Section to system.webServer/security/authentication/windowsAuthentication:
Click on the providers item, and then click Edit Items on the right. Select the "Negotiate" item and click "Remove":
Close the dialog and click Apply in the Actions pane on the right.
Your problem is solved! No more Kerberos/negotiate!
Note: you can also click Generate Script in the actions pane to display the code that will make the change in either C#, javascript, or with appcmd from the command line.
For reference, here is the appcmd statement to do the job without using the Configuration Editor.
appcmd.exe set config "Virtual/path/to/application" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost
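
An added example, not from the answer above or from IIS itself: after removing a provider at one scope, this Python code works out the provider list each scope ends up with by applying each `<location>`'s add/remove/clear items on top of what it inherits. The XML is a constructed sample shaped like applicationHost.config, the site names are made up, and it assumes all settings live in that one file (no per-application web.config).

```python
import xml.etree.ElementTree as ET

SECTION = "system.webServer/security/authentication/windowsAuthentication"

# Constructed sample shaped like applicationHost.config; site names are made up.
SAMPLE = """<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false">
      <providers><add value="Negotiate" /><add value="NTLM" /></providers>
    </windowsAuthentication>
  </authentication></security></system.webServer>
  <location path="Default Web Site/intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/intranet/reports">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><remove value="Negotiate" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>"""

def apply_providers(inherited, section):
    """Apply one scope's <clear/>, <remove/> and <add/> items to the inherited list."""
    result = list(inherited)
    items = section.find("providers") if section is not None else None
    for item in ([] if items is None else items):
        value = item.get("value", "")
        if item.tag == "clear":
            result = []
        elif item.tag == "remove":
            result = [p for p in result if p.lower() != value.lower()]
        elif item.tag == "add" and value not in result:
            result.append(value)
    return result

def effective_providers(config_xml):
    """Map each scope ("" is the server level) to its resulting provider list."""
    root = ET.fromstring(config_xml)
    report = {"": apply_providers([], root.find(SECTION))}
    locations = {loc.get("path", ""): loc for loc in root.findall("location")}
    for path in sorted(locations, key=len):  # parents are shorter, so come first
        parent = path.rpartition("/")[0]
        while parent and parent not in report:
            parent = parent.rpartition("/")[0]
        report[path] = apply_providers(report[parent], locations[path].find(SECTION))
    return report

def without_negotiate(config_xml):
    """Scopes where Windows authentication no longer offers Negotiate."""
    return sorted(p for p, v in effective_providers(config_xml).items() if "Negotiate" not in v)
```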

Opening windows explorer via link

I want to provide a means to open up Windows Explorer (or at least view the directory contents) via an internal webpage I've developed for our business. There are several machines which we share over the internal network. I've provided a text entry field to allow the user to enter the folder path they want to associate with a given row in a DB table and I can store that info off and create the file://///10.10.5.10/Recipes/Pie link to the Pie recipe folder on one of our shared machines.
The link renders correctly on the page and if I copy the link info and paste it into the address bar it will display a navigable page in FireFox or open Windows Explorer if using IE.
However, the link does nothing if you click on it directly on my page. I suspect this might have something to do with security and the browser, right? I've seen a SharePoint page in someone else's system that did work, but I'd guess that has to do with some differences between SharePoint and a webpage in a browser. The work-around of right-clicking the link and copy/pasting it into another tab will work and I might have to live with this, but I was wondering if anyone had any suggestions or ways to deal with this issue. Perhaps I'm just doing something wrong, but I'm pretty sure it's browser-security related.
It seems to me to be a pure Internet Explorer setting issue.
First of all, I would recommend using UNC or DNS names in the path to the server instead of IP addresses: use file://///myserver/Recipes/Pie or file://///myserver.mydomain.com/Recipes/Pie instead of file://///10.10.5.10/Recipes/Pie.
Second, you should add file://///myserver, file://///myserver.mydomain.com or even file://///10.10.5.10/ to the "Local intranet" or at least to the "Trusted sites" zone:
Then you should verify the settings of the Security Zone to which you map the URL. Look at the "Miscellaneous" group for "Display mixed content":
If you have the "Prompt" setting, you will see the warning:
at every attempt to open the link file://///myserver/Recipes/Pie
If you have any problems, I recommend resetting the IE settings in the "Advanced" tab:
Most likely it's a permission issue.
ASP.net runs under the ASP.net process account. Look for the ASPNET user and apply permissions to the folder for the user in question.
It definitely sounds like a security issue. Try one or both of the following:
Try using impersonation to impersonate a domain user with sufficient privileges to access explorer on the client's machine
If this is a small intranet application, give the application full trust on the client
Here's a link to a class you can use for impersonation - see my answer:
Invoke or call C# console app from C# web service?

ASP.NET Development Server 403 Error

I'm developing a web application in Visual Studio 2010 on Win 7, and now seem to have a new error that has just popped up. When I try to access the site which uses Windows Authentication, in Firefox, I get a 403 error, with no subcodes. Up until this point, it has been working this way just fine. Firefox prompts me for my credentials, and I enter them and then I get the 403 error. No problems with it in IE, just Firefox.
I've checked the network-trusted-ntlm-automatic key in Firefox and deleted my session cookie, but still no luck. The problem seems to be limited only to Firefox.
If I set the app to be Anon access, it works with no problems, but the app needs to be Windows Auth.
I attempted Local IIS, but there wasn't an option for Windows Auth for the app on my local IIS, so that kind of removed that option for the time being.
Any ideas out there for how to get this working correctly again? I'll take answers that get me the Windows Auth option in my local IIS as well, because that would also fix the problem for me.
Check to make sure directory browsing is not enabled for the site. Also, make sure your default documents are setup so when you go to: http://www.yoursite.com/ (notice the slash at the end of the url) a default document is loaded. I have seen in some cases where IIS thinks you want to browse the directory rather than load a page. See if you still get the 403 error by going to a specific page.
I'm running windows 7, 64bit with IIS 6.1.
To turn on Windows Authentication, go to Control Panel -> Administrative tools and select IIS Manager.
In the left panel, expand Sites, Default Web Site, and select your Virtual Directory. You should see ASP.NET in the top panel and IIS in the middle. The first icon under the IIS section is Authentication; double click this. You can then disable Anonymous and enable Windows by selecting from the drop down list and clicking Enable / Disable from the actions on the right side of the page.
Hope this helps.
After some digging I finally found the answer, but it wasn't where I expected it.
I was digging through Event Viewer trying to figure out why I kept getting Account Lockout messages when trying to load the site with Firefox, did some searching, and came across an article that specified how to add multiple servers to the Firefox network.automatic-ntlm-auth.trusted-uris key in about:config.
I had specified:
http://host1; http://host2
and instead should have separated with commas
http://host1, http://host2
I changed it to commas and reloaded and it is now working correctly with the Windows Authentication in Firefox.
Hopefully someone else finds this particular fix useful. Small typo, big headache.
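
An added example, not part of the answer above: a small Python check for the separator mistake described here, which also flags the IE-style `http://*.example.org` wildcard, since the article quoted earlier on this page gives a leading-dot domain as the Firefox form. The prefs.js line is constructed from the values in the answer, and `pref_value` and `lint_trusted_uris` are hypothetical helper names.

```python
import re

PREF = "network.automatic-ntlm-auth.trusted-uris"

# Constructed prefs.js line using the value from the answer above.
SAMPLE_PREFS = 'user_pref("%s", "http://host1; http://host2");' % PREF


def pref_value(prefs_js):
    """Pull the preference string out of prefs.js text, or None if unset."""
    m = re.search(r'user_pref\("%s",\s*"([^"]*)"\);' % re.escape(PREF), prefs_js)
    return m.group(1) if m else None


def lint_trusted_uris(value):
    """Report separator and wildcard problems and suggest a corrected value."""
    # Entries as a comma-only split yields them: this is what the value defines.
    seen = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if ";" in value:
        findings.append("';' used between entries: separate them with ','")
    fixed = []
    for entry in (e.strip() for e in re.split(r"[;,]", value)):
        if not entry:
            continue
        if "*" in entry:
            # Assumption taken from the page: the Firefox form for a whole
            # domain is a leading-dot name; 'http://*.example.org' is the IE form.
            findings.append(f"{entry}: IE-style wildcard, use a leading-dot domain")
            entry = re.sub(r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?\*\.", ".", entry)
        fixed.append(entry)
    return {"seen": seen, "findings": findings, "suggested": ", ".join(fixed)}
```

With the semicolon value, `seen` holds a single entry that names neither host, which is why neither site was treated as trusted.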

How to open localhost server on computer

I am making a project in ASP.NET (C#). I have completed my project and have also made a software disc of it. But when I try to access localhost, it shows an "authentication required" dialog box, which contains a username and password. But I have not set any username and password. How can I overcome this problem?
This might help. Especially the solution by nramsey34
In IIS, you can right click on either the Website, or any virtual directory under a website and bring up the properties page. Under the 'Directory Security' tab, click the Edit button under 'Anonymous Access and Authentication Control'. This will bring up a window where you can configure the authentication method for your website. To stop it from asking for a password, make sure that Anonymous Access is selected. The username should look like this - IUSR_YOURPCNAME, and you should let IIS control the password. You should still be able to leave Windows Authentication selected as well, but to be certain it will not ask for a password you can also uncheck that box.
or this one, the solution by boyban
The Login Popup is due to a setting in your IE Browser. In your IE Browser:
Go to the Top menu "Tools" -> "Internet Options".
Then choose the "Advanced" Tab.
Then Scroll all the way down and "Uncheck" the Checkbox corresponding to "Enable Integrated Windows Authentication".
Then Click the button that says "Apply" and then "OK".
Close the browser and in a new browser try http://localhost.

Checklist for IIS 6/ASP.NET Windows Authentication?

I've been having trouble getting my ASP.NET application to automatically log users into the Intranet site I'm building. No matter the googling or the experimentation I applied, there is always a login box displayed by IE7.
I've got Windows authentication mode set in the Web.config, disabled anonymous access and configured the correct default domain in IIS, but it's still asking the user to log in and, more annoyingly, the user is required to provide the domain too (DOMAIN\auser), which is causing problems with non-technical visitors. Thank Zeus for password remembering functionality.
I'm not the network administrator so it's possible that something about Active Directory is set up incorrectly, or it could just be me missing something very simple. Please note that I don't want to impersonate the user, I just need to know that the IPrincipal.Name property matches that of a valid record in my user database, hence authenticating the user to my application.
To this end, it would be very useful to have a checklist of all configuration requirements for AD, ASP.NET and IIS to work together in this manner as a reference for debugging and hopefully reducing some user friction.
It sounds like you've covered all the server-side bases--maybe it's a client issue? I assume your users have integrated authentication enabled in IE7? (Tools -> Internet Options -> Advanced -> Security). This is enabled by default.
Also, is your site correctly recognized by IE7 as being in the Local Intranet zone? The IE7 default is to allow automatic logon only in that zone, so users would be prompted if IE thinks your site is on the internet. I believe using a hostname with a dot in it causes IE to place the site into the Internet zone.
Open Active Directory Users and Computers MMC snap in
Expand computers section from TreeView (left side)
Check if the computer is registered in your domain.
Also, you have to login with a domain account on that computer, otherwise that authentication box will be shown.
In IIS, enable anonymous access and allow the web.config to handle user authentication.
