Confusion about impersonation, authentication, and authorization in web.config - asp.net

I'm trying to retrieve the windows login username for the current user in my asp.net website project.
my web.config file has the following items
<identity impersonate="true"/>
<authentication mode="Forms">
<forms name="app" path="/path" loginUrl="/path/login.aspx" protection="All" timeout="100" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
My understanding is that with this configuration I should be able to retrieve Domain\username from WindowsIdentity.GetCurrent().Name. However, this property returns NT AUTHORITY\IUSR which is the user for anonymous access. If I am not mistaken, I am denying anonymous access to the site in my authorization section. What am I missing?
Also of note:
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name also returns NT AUTHORITY\IUSR and Request.ServerVariables["LOGON_USER"] returns an empty string, which goes against the information found in this KB article http://support.microsoft.com/kb/306359
I am using .net 4.0 and a windows 7 development environment.
Some resources that led me to this point:
http://msdn.microsoft.com/en-us/library/ff647076.aspx
http://support.microsoft.com/kb/306158
http://forums.asp.net/t/1121780.aspx/1?Getting+a+users+DOMAIN+username+from+a+web+application
Thanks for your time.
Edit
It should be noted that I am locked into forms authentication (windows authentication is not an option), as this is a multi tennant site, and the majority of users will not be using this single sign on feature.

If you're using forms authentication then impersonation is meaningless - it only works with Windows authentication. The same applies for Request.ServerVariables["LOGON_USER"].
The reason you're seeing IUSR_ is because that's the Windows account the web site is running as, instead you should use Page.CurrentUser (WebForms) or the User property (MVC Controllers), with no casting. This will return the Forms Auth username.

Related

Why does HttpContext.Current.User for Forms Authentication have Windows Username

I have a web application that uses custom (forms) authentication and authorization. After the user logs in i setup the GenericPrincipal using the username supplied. Authorization worked fine on Visual Studio 2012 IDE using IIS Express. However, I was getting authorization failures for users that seemed inexplicable on the web server I published to. I did a
Response.Write(HttpContext.Current.User.Name)
and published to the web server and I saw that my windows ID was returned instead of the custom user name I logged on with onto the site.
My configuration settings are not the problem, here is a sample of them
<system.web>
<authentication mode="Forms" >
<forms loginUrl="Login.aspx" timeout="30" defaultUrl="Default.aspx" cookieless="AutoDetect" ></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
Can anyone help me resolve this
I found that this problem was caused by IIS configuration on the web server.
In my site's Authentication Settings in IIS, I had to disable all authentication modes(in my case Windows Authentication) except for Anonymous and Forms authentication.
I need Anonymous authentication to enable users to land on the Login page (otherwise IIS throws 401 Authorization Error)

Prompting the user for login authentication

ASP.NET: I have created a website with login authentication. Before the user can visit any of the pages in it he needs to login first. How do I prompt the user to login first before he can view any of the contents of the website?
The Examining ASP.NET's Membership, Roles, and Profile series is a good starting point. It covers all the security part of ASP.NET and your required stuff, Login before visiting the page via LoginUrl as your login page. starting doing this How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
Some setting to be made in web.config and then handle of these things on code behind.
<forms name=".ASPXAUTH" loginUrl="login.aspx"
defaultUrl="default.aspx" protection="All" timeout="30" path="/"
requireSSL="false" slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
Add the following element under the element in the Web.config file. This allows all authenticated users to access your Web site.
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>`
code behind
if (Membership.ValidateUser(username, password))
{
// User has supplied valid credentials
// In the following method call, the second Boolean parameter
// determines whether a persistent authentication cookie
// is created.
FormsAuthentication.RedirectFromLoginPage(username, rememberMeIsChecked);
}
Reference:
Starting ASP.NET Forms Authentication
ASP.NET Authentication
Explained: Forms Authentication in ASP.NET 2.0
Try to do this in your web.config
If we want to deny access to anonymous users, configure the Authorization section in the following manner,
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
For more info look here
This is huge subject to cover on posting code example here so I would recommend following steps.
Use asp.net mvc3, learn how membership provider work, customize it if to fit your needs, user role provider to assign users to specific groups which you will use to protect specific area of site.
Create roles and assign them to user and after that you can secure pages using decorated [Authorize] attributes or secure for selected users like this
[Authorize(Roles = "Admin, Super User")]
Use your web.config in configuration system.web section to indicate what membership and role provider is used in app.
This is short info, but I hope that you have concise mental picture now.

HttpContext, WindowsIdentity, Thread on Anonymous IIS

I've worked at this quite a bit, but cannot seem to find a good solution.
I have a ASP.NET app (.Net 3.5) with IIS which pulls the user machine name and username from the account. This works on my local machine, but when uploading using IIS it gives null or IIS APPPOOL/appname. On IIS I have "Integrated Windows Authentication" and "Anonymous" set and in my Web.config file
<authentication mode="Windows"/>
<identity impersonate="true"/>
And I am trying to access the user information a number of different ways, some are:
HttpContext.Current.User.Identity.Name
System.Threading.Thread.CurrentPrincipal.Identity.Name
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Environment.UserName
Each of these work on my local machine, but when uploaded to the IIS server, everything gives invalid information. The app is internal, but I still need it to grab the Username without giving a login screen. Ideas?
Update: I've changed IIS to Anonymous Authentication Disabled and Windows Auth Enabled. And my web.config file I've tried the following
<authentication mode="Windows"/>
<!-- <identity impersonate="true"/> -->
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
Sorry about the update, but are there any ideas?
For anyone following this and needing an answer, the problem lies in IIS. In the Authentication area in IIS only have ASP.NET Impersonation and Windows Authentication enabled, the others should be disabled. And in Windows Authentication, go to Advanced Settings and UNCHECK the Enable Kernel-mode authentication. The Authorization Rules area should allow for all users (note this is done in IIS, not in the config file) And the following code in config is necessary.
<system.web><authentication mode="Windows"/><identity impersonate="true"/></system.web>
Hope this helps someone, here's a couple links that helped me. Good luck!
http://msdn.microsoft.com/en-us/library/aa302377.aspx
http://www.eggheadcafe.com/tutorials/aspnet/1f12cd61-6bb3-4ffd-bac1-124d40837006/aspnet-request-identity--an-analysis.aspx

ASP.net quick and dirty authentication

I'm currently working on a page within one of my company's internet sites that is in response to some production issues we have. The page will be published with the rest of the web site to our DMZ, however I'd like to set-up some quick authentication so only users on our domain (assuming they access the site internally) can access the page. I'd like to use Windows authentication to do so.
Is there a quick way to accomplish this?
If I understand the question correctly, you want to enable security just on one page in your application - not the entire app.
Under IIS, you can manage the security settings on a page by page basis. In the IIS manager, pick the page, and change the security settings so that anonymous is off, and only Windows auth is accepted. You should get prompted for a login when you visit that page.
From Scott Gu's blog
To enable Windows Authentication
within an ASP.NET Application, you
should make sure that you have
“Integrated Windows Authentication”
(formerly called NTLM authentication)
enabled within IIS for the application
you are building. You should then
add a web.config file to the root
directory of your ASP.NET application
that contains an
section which sets the mode to
“Windows”.
You should also then add an
section to the same
web.config file that denies access to
“anonymous” users visiting the site.
This will force ASP.NET to always
authenticate the incoming browser user
using Windows Authentication – and
ensure that from within code on the
server you can always access the
username and Windows group membership
of the incoming user.
The below web.config file demonstrates
how to configure both steps described
above:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
EDIT:
You can apply the auth settings to just a path in this way:
<location path="mypath.axd">
<system.web>
<authorization>
<allow roles="MyRole, AnotherRole" />
<deny users="*" />
<deny users="?" />
</authorization>
</system.web>
</location>
You can simply use Windows Authentication settings in IIS. Just turn off Anonymous Access in IIS and set your NTFS permissions on the Web folder to the users whom you want to have access to the site. Your IIS admin should be able to handle this quite easily.

After impersonation authentication screen keeps popping up in my ASP.NET Application

I'm working on a program that has to archive (zip and delete files and folders) on a server. The servers that hosts the application (ASP.NET MVC) and the server that holds the files are two different servers. When I run the application without impersonation and the default web configuration everything works fine. The credential of the program is: NT AUTHORITY\NETWORK SERVICE. When I use impersonation by adding the following line in the web.config <authentication mode="Windows"/> the program runs fine with anonymous login. When I prevent anonymous login by adding the following code to the web.config, the authentication screen keeps popping up for every folder or file I want to access.
What's the problem?
<authentication mode="Windows"/>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
To get this to work, you need to disable anonymous authentication and enable Windows Authentication in IIS, otherwise it doesn't have an identity to impersonate being passed.
Here's how to do that :)

Resources