I'm trying to get a ASP.NET application to use windows authentication. I have disabled anonymous auth and enabled windows auth in IIS7. On my dev box (my workstation, localhost) I can use fiddler and see proper token is passed in through the header and I'm not prompted. Everything is working fine and I'm authenticated as my domain user.
However, on a remote server on our domain, with identical settings, I continually get prompted. We need it to automatically send the domain authentication for windows auth.
Does anything in IE need to be configured for this to happen for a remote machine on the same domain? Could someone explain why this may not be working and what needs to be checked? Thanks.
Check your IE zone settings, I don't think IE is set to automatically send DOMAIN\Username credentials in an non Intranet zone. You can set this with a group policy at some point but for now set it manually in your IE settings.
Hope this helps.
I would thinks so because the "dev" box probably, in most cases, would use RFC1918 address space. (10.0.0.x etc) which is not routeable on the Internet.
what is the name of the dev box?
Is it a RFC1918 IP?
If the Dev box is on the domain then AD DNS is most likely putting it in the Intranet zone.
In this case add it to the list of sites.
Related
I have an ASP.net web application that’s running on our intranet, it is using active directory for authentication. We recently migrated away from an old domain to a new domain. Some users are getting This Page Cannot Be Displayed error when connecting to the application.
The errors seem to persist on IE 11 but works in Chrome or Firefox. I suspect that IE is caching user credentials and trying to log users on using their stored credentials and passwords.
We have tried clearing cache and cookies with mixed results, the server has also been restarted but the problems persist.
Any thoughts on how to address this and force IE to users the use their actual credentials and not cached credentials?
Not to add confusion, but I have had some success with some users connecting using the IIS webserver IP address rather than the qualified name e.g. 10.x.x.x/appname.aspx instead of MyServerName/appname.aspx
Thanks
I suspect for those users with the problem that they have allowed IE to save their password. That is not in a cookie.
Have a look in Credential Manager on their workstations. Depending on the OS it would be: Control Panel\User Accounts\Credential Manager
Click "Web Credentials" and if there is a Web Password stored for your application, you will see the URL listed. Just delete it.
This would also explain why the IP works. Because the cached credential is tied to the URL.
I've set up a site using ASP.NET MVC 5 to use claims based security using our on premise ADFS server. The site performs the redirect to the ADFS server which asks for the users AD credentials to log in, and then redirects back to my site. At that point the user is authenticated and I have access to all the claims that ADFS is sending.
The issue is I don't my users to have to enter their credentials. I would assume their windows credentials could be sent to the server to make the sign in process seamless but I can't figure out how. I have attempted to set the authentication mode to windows but it has no effect.
Both the ADFS and my site are internal and the ADFS site appears in my Local Intranet Sites settings. I've tested with both IE9 & Chrome and they both have pop up a dialog box looking for credentials. I've spoken with the sysadmin and windows authentication is enabled for ADFS.
How can I authenticate with ADFS without my users being prompted for their credentials?
I encountered the same issue as well and finally figured out the cause. This may occur if the ADFS authentication page url is a non-intranet address.
To resolve the issue, change the wsfederation issuer address in application's web.config to one that would be treated by the browser as an intranet address.
Change the following
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz.abc.com/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
to
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
where xyz is the machine name where ADFS is installed.
Do not change the adfs trust urls though. Keep them as they are since they would be used for matching and establishing trust between your application and ADFS.
The browser treats "xyz.abc.com" as an internet address, and hence displays a login prompt while "xyz" is treated as an intranet address so it automatically forwards logged in user credentials to the application without the user having to specify credentials himself/herself.
After this change, any intranet user would be directly logged in to the application if the browser used is Internet Explorer with default security settings (i.e. "Automatic logon only in Intranet zone" under Security tab -> Internet -> Custom level) or Chrome (since it picks up the settings set for Internet Explorer).
To make the automatic login work in Firefox, the following additional steps would have to be performed:
1) Type about:config into the firefox address bar. You might be warned about editing this section, go ahead anyway.
2) Type "fqdn" in the search bar. You should now see 2 settings i.e. "network.automatic-ntlm-auth.allow-non-fqdn" and "network.negotiate-auth.allow-non-fqdn". Change the values of both to true.
Are these intranet or extranet users?
Only intranet users can log in seamlessly with WIA.
This works OOTB with IE with the correct settings but other browsers need to be explicitly configured.
What browsers are you using?
Also the ADFS config needs to allow integrated auth.
I am developing an intranet MVC3 application that will be used by both domain and non domain computers.
Everyone has a domain account so whenever a non domain computer is to open the website a windows credentials prompt input box is expected to appear.
If i understand correctly this will be standard browser behavior since they won't pass windows credentials to a website unless they are in the same domain.
The problem however is that whenever i debug on my localhost i am in the same domain as the server(since i am the server obviously). This results in me being "logged in" with my workgroup windows account in stead of my domain account.
What i'm looking for is a way to trigger the prompt box so i can use my domain account to login rather then to get useless access with my workgroup account.
You can use Forms authentication with the ActiveDirectoryMembershipProvider.
Take a look to this tutorial on MSDN: http://msdn.microsoft.com/en-us/library/ms998360.aspx and this post: http://support.microsoft.com/kb/326340/en-us (sorry it's VB code).
Addendum: if you want just to test another user credentials you can use impersonation, just set-up your web.config.
We have been running an ASP application in local intranet using IIS7 and now have requirement to get Client computer name and logged user name, so that we can show his home page according to his setting. I did search on internet but did not find any solution yet. I also tried using LOGON_USER server variables but it works fine when I run using localhost but not when use IP Address (Return blank value). I also enabled window authentication and disabled anonymous but I prompt for user name and password even I did not set user name and password.
You will not be able to determine the computername directly. You will need to perform a reverse DNS lookup on the client's IP. Check out the link below from ASP101 to accomplishing this in ASP classic.
As far as the username, you will need to enable authentication in IIS otherwise all incoming requests will be anonymous. If you are running in a trusted environment, setup IIS for "Integrated Windows Authentication". This will allow the client's current user information to be used to authenticate to your website without a userid/password prompt. Note that integrated authentication is not part of the default IIS7 install.
Good luck.
ASP based Reverse DNS Lookup
http://www.asp101.com/articles/jason/reversedns/default.asp
Integrated Windows Authentication in IIS6 and IIS7
http://blogs.iis.net/nitashav/archive/2010/03/12/iis6-0-ui-vs-iis7-x-ui-series-integrated-windows-authentication.aspx
You can also achieve this by using WMI, however the remote computer and logged on user must be part of a domain that you have the administration credentials for. You will also need to use reverse DNS to find out the computer name, which #jking89 has given a great reference to above. Take a look at the WMI Win32_ComputerSystem class, here http://msdn.microsoft.com/en-us/library/aa394102(VS.85).aspx. Hope this helps as an alternate solution.
We have an issue for our intranet site that is running in our local network.
In a nutshell, we have integrated Active Directory authentication with our application and what to use IIS integrated authentication to allow users to sign on without entering any credentials.
Assume the AD domain is "domain.name", and the server our application is hosted on is "server-name". We are running in Windows 2008 and the Integrated Authentication role is set up in IIS.
We have managed to make this work for http:||server-name/, however when we enter http:||server-name.domain.name/, users are prompted for their credentials in the standard way and if they cancel, a "401 Unauthorised" message is displayed.
The issue is, that it seems to authenticate when the machine name is accessed, but browsers do not pass over credentials when the fully qualified address is accessed.
Has anyone seen this before? Is there any advice they can shed on the situation? I ask as a programmer who has little experience with network setup and Active Directory.
Thanks
Have a look in IE settings. Tools > Internet Options > Security > Local Intranet > Custom Level. Scroll down to the very last setting "Automatic login only in Intranet zone". By default IE will only automatically pass along windows authenticated credentials to a site it considers "intranet".