Passthrough (impersonation) authentication with ASP.NET and TFS API

I'm trying to enable passthrough or impersonation authentication inside an ASP.NET website that uses the TFS2010 API.
I've got this working correctly with Cassini, however with IIS 7.5 (Windows 7) something is going wrong.
I found this blog post on the subject, and tried the following:
private static void Test()
{
    // Connect as whatever account the worker process currently runs under
    TfsTeamProjectCollection baseUserTpcConnection =
        new TfsTeamProjectCollection(new Uri(Settings.TfsServer));
    // Fails as 'baseUserTpcConnection' isn't authenticated
    IIdentityManagementService ims =
        baseUserTpcConnection.GetService<IIdentityManagementService>();
    // Read out the identity of the user we want to impersonate
    TeamFoundationIdentity identity = ims.ReadIdentity(
        IdentitySearchFactor.AccountName,
        HttpContext.Current.User.Identity.Name,
        MembershipQuery.None,
        ReadIdentityOptions.None);
    // Open a second connection that acts on behalf of that user
    TfsTeamProjectCollection impersonatedTpcConnection = new
        TfsTeamProjectCollection(new Uri(Settings.TfsServer),
            identity.Descriptor);
}
When I use Cassini nothing is needed besides
collection = new TfsTeamProjectCollection(new Uri(server));
I have enabled the web.config settings (and have the Windows Auth module installed):
<authentication mode="Windows"/>
<identity impersonate="true" />
Is there something obvious that I've missed out?

Solution 1
This is the delegation method. As Paul points out it's a single setting in your active directory:
Find the IIS server in the computers node of the "Active Directory users and Computers" console.
Click on the delegation tab, and select the second option:
Create a 'Cache' directory in your IIS root folder
Add the following to your web.config:
<appSettings>
<add key="WorkItemTrackingCacheRoot" value="C:\path-to-web-root\Cache\"/>
</appSettings>
Make sure your web.config contains:
<system.web>
<identity impersonate="true" />
</system.web>
Turn on Windows authentication and impersonation and disable everything else in IIS authentication:
Solution 2
Another solution to avoid the steps above is to simply run your application under the TFS:8080 site, as a new application. The hop issue is then removed as you are running in the same context as the web service that your app is calling.
Create a new app pool, use network identity.
Make sure your application has anonymous authentication turned off.
Make sure it has Windows authentication turned on.
Add <identity impersonate="true" /> to the web.config.

I wonder if you're hitting the old Double-Hop issue here?

Related

Getting the name of the current Windows user returning "IIS APPPOOL/Sitename"

I can't figure this out for the life of me. I'm trying to get the name of the current user logged onto Windows using the following line:
string user = System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
When I run this line after publishing and opening it through IIS, it gives me a name of "IIS APPPOOL/SiteName". However, when I run this through the Visual Studio 2013 debugger, the correct name appears.
I've fiddled around with the config, IIS settings, and the string...but I think this line is what I needed to use:
string user = System.Web.HttpContext.Current.User.Identity.Name;
Seems to be returning a domain/username which I can use instead. Looks like an alternative solution.
You have to enable Windows auth/impersonation on an ASP.NET site, else it will run in the context of whatever account is configured for the app pool.
https://msdn.microsoft.com/en-us/library/ff647405.aspx
<system.web>
...
<authentication mode="Windows"/>
<identity impersonate="true"/>
...
</system.web>
Based on my test under IIS with Windows Authentication only enabled and no impersonation in the web.config:
System.Web.HttpContext.Current.User.Identity.Name returned the current login user, not the application pool user, and System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() returned the application pool user.
I tried again with the following in the config file:
<system.web>
    <authentication mode="Windows" />
</system.web>
For System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() I got:
Office\atorr
which is my login account.
For System.Web.HttpContext.Current.User.Identity.Name I got:
IIS APPPOOL\.NET v4.5 Classic
which is the account the application pool is running as.
All mentioned in other answers are true, PLUS THIS:
In IIS Manager, click Basic Settings.
In the Edit Application window click Connect as...
Choose Application User (pass through authentication). Do not use a specific user because that will be the identity detected.
Click on the project name and press F4 and it will open project properties window:
Enable Windows authentication
Disable anonymous authentication
Add <identity impersonate="true" /> in web.config.
Now deploy your code; it should work fine.
Try This
(((System.Web.Security.RolePrincipal)(ClaimsPrincipal.Current)).Identity).Name
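The answers in this thread and in the TFS question above keep running into the same three identities: the user IIS authenticated, the account the request thread actually runs as, and the logon token that has to survive the second hop to TFS. The following diagnostic handler prints all three side by side. It is added example code, not from any answer here; it assumes .NET Framework 4 or later (for WindowsIdentity.ImpersonationLevel), and the namespace, class name and whoami.axd path are made up.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

namespace Diagnostics
{
    // Added diagnostic handler, not code from any answer above. Register it in web.config under
    // <system.webServer><handlers>:
    //   <add name="WhoAmI" path="whoami.axd" verb="GET" type="Diagnostics.WhoAmIHandler" />
    // and remove it once the identity problem is understood, since it reports account names.
    public class WhoAmIHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }
        public void ProcessRequest(HttpContext context)
        {
            context.Response.ContentType = "text/plain";
            context.Response.Write(Describe(context));
        }
        // Builds the report as a string so it can also be written to the event log.
        public static string Describe(HttpContext context)
        {
            var sb = new StringBuilder();
            // 1. The user IIS authenticated: what HttpContext.Current.User.Identity.Name returns.
            IPrincipal user = context.User;
            bool authenticated = user != null && user.Identity.IsAuthenticated;
            sb.AppendLine("Authenticated user : " + (authenticated ? user.Identity.Name : "(anonymous)"));
            sb.AppendLine("Auth scheme        : " + (authenticated ? user.Identity.AuthenticationType : "-"));
            // 2. The account the request thread runs as: what WindowsIdentity.GetCurrent() returns.
            //    With <identity impersonate="true"/> it equals the user above; without it, it is
            //    the app pool account (IIS APPPOOL\<pool name>) or NETWORK SERVICE.
            WindowsIdentity thread = WindowsIdentity.GetCurrent();
            bool impersonating = authenticated && string.Equals(thread.Name, user.Identity.Name, StringComparison.OrdinalIgnoreCase);
            sb.AppendLine("Thread identity    : " + thread.Name);
            sb.AppendLine("Impersonating user : " + impersonating);
            // 3. The logon token IIS built for the request. Its level decides whether a second hop
            //    (TFS, SQL Server) can be made as the user: Impersonation is good on this box only
            //    (the double-hop failure); Delegation means Kerberos delegation is set up as in Solution 1.
            WindowsIdentity logon = context.Request.LogonUserIdentity;
            if (logon != null)
            {
                sb.AppendLine("Logon token level  : " + logon.ImpersonationLevel);
                sb.AppendLine("Can hop to TFS     : " + (logon.ImpersonationLevel == TokenImpersonationLevel.Delegation));
            }
            return sb.ToString();
        }
    }
}
```

If "Authenticated user" is right but "Thread identity" is the app pool, impersonation is off; if both are right but the token level is Impersonation rather than Delegation, the TFS call will still fail on the second hop until delegation is configured in AD.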

Setup windows authentication for ASP.NET using local workgroups?

I have a requirement to build Windows authentication for our web applications. We plan to create local workgroups (on Windows 2008 Server) to manage users instead of Active Directory. Our reason: it takes months to create groups and move users via AD (and our client would prefer we go this route). Is it possible to set up Windows authentication for an ASP.NET application and validate the user credentials against the local workgroups? Keep in mind we would try to match their login names to our local workgroups.
You can use AspNetWindowsTokenRoleProvider. This makes ASP.net use the Windows Local groups.
In your web.config do something like this:
<!--
    The <authentication> section enables configuration
    of the security authentication mode used by
    ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
</authorization>
<roleManager enabled="true"
    defaultProvider="AspNetWindowsTokenRoleProvider"/>
Then in your .aspx you can check if the user is in a role. I placed this in my master page.
If Not Roles.IsUserInRole(HttpContext.Current.User.Identity.Name, "Managers") Then
    'label1.Text = "You are not authorized to view user roles."
    ' Resolve the app-relative URL (forward slash) so it also works when the app sits at the site root
    Response.Redirect(ResolveUrl("~/logout.html"))
End If
You can read more in this link from Microsoft, http://msdn.microsoft.com/en-us/library/ff647401.aspx, under "Using WindowsTokenRoleProvider".

Issues with some users in Win Authentication in ASP.NET

I would like to get some help with my strange issue.
I have an ASP.NET 2.0 application with VB.NET code-behind.
I set up my application to enable only Windows authentication, so in IIS everything is disabled except Windows auth.
In my Web.Config I have the following under system.web:
<authentication mode="Windows"/>
<authorization>
    <deny users="?"/>
</authorization>
<identity impersonate="false"/>
Now, when some users enter my ASP application they get prompted for user name and password and then log in successfully; for some users the application fails on Page.User.Identity.Name and returns an Object Reference error.
I'm using VS2010, ASP.NET 2.0 (framework 2.0) and IIS 7 under Win 2k8 R2 with the latest SPs installed.
All users are domain users.
Thank you,
Can you access the username by HttpContext.Current.User.Identity.Name? You can also check if authentication was successful, and what method of auth was used.
Windows authentication uses Kerberos by default in IIS I believe, which may not work for a lot of reasons (I think there are problems in Firefox, for example); when this fails, it falls back to NTLM. Try removing the Negotiate authentication provider and use just NTLM. If this works, you will have the fun of diagnosing Kerberos problems :-)
Trogvara,
Thank you for your posting ,
I'm new to the site and tried to format it, but it did what we see now.
The web.config setting is:
<authentication mode="Windows"/>
<authorization>
    <deny users="?"/>
</authorization>
<identity impersonate="false"/>
<system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
Hope that clears up the setting in Web.config.
Thank you,

How to get currently logged in Windows user ID on client side

I have a web application that allows the users to access the pages if their Windows login name to the domain is in the web config's app settings.
For example:
Logged on username: SampleDomain\SampleUser
on Web.config:
<appSettings>
    <add key="AuthorizedUsers" value="SampleUser,SampleBooger" />
</appSettings>
<authentication mode="Windows"/>
Successful scenario: SampleUser should be able to browse the website.
I was able to do it successfully during development (locally on my machine), but when I deployed it to a server and then tried to browse it from my local machine, the Windows login that it gets is NT AUTHORITY\NETWORK SERVICE, so it redirects to my customized error page. I, SampleUser, am in AuthorizedUsers. I should be able to browse it.
Please help me.
Thank you very much.
You need to use ASP.NET impersonation feature.
When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
Such behavior can be configured in web config using the following code:
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
More info: http://msdn.microsoft.com/en-us/library/xh507fc5%28v=vs.100%29.aspx

anonymous access disabled but

My web app (asp VB 2005) uses Windows authentication. If the user isn't part of a specific AD security group they don't get to edit the data; instead I redirect the user to a read-only page.
The program works fine in the IDE.
I published the web app to my laptop and Disabled anonymous access. When I ran the program I got redirected to the read-only page. I added a write event to the application event log to see what was going on, and found that the WindowsPrincipal.Identity.Name contained my laptop's ID, not my user name.
I reassert: anonymous access is disabled in IIS and the web.config file has Windows Authentication.
Can anyone suggest what else to check? Or can you explain what's going on?
You probably need to set <identity impersonate="true" /> in your web.config:
<configuration>
    <system.web>
        <identity impersonate="true" />
    </system.web>
</configuration>
See http://msdn.microsoft.com/en-us/library/72wdk8cc.aspx for more details.
