My feeling says it's not posible but anyway I am curious if there is at least a workaround for accomplish this.
Basically I am working at my client site and my machine is not connected to the domain.
What I want to do is running a web application locally under a domain account, and using the webdev server.
The webapp uses the default authentication, windows authentication that is.
I tried using impersonation with domain\user & password but I got the following error
Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.
I have to mention that the username and the password are correct.
Thanks in advance
Iulian
If you cannot access the domain controller (or your computer does not know what domain controller to use), there is no way finding out if the password is correct or not. What normally Windows does, is asking the DC "does this password match this account" (simply speaking). Now in your scenario, there is no DC. Hence, "unknown username".
Related
I am trying to create an authentication system that works within the limitations of my organisation's network infrastructure both when inside the local network and outside.
When inside the local network I want people to be able to access this ASP.NET Web Forms application without having to log in using their Windows login.
Externally I want people to have to log in through a custom login form.
The reason is that Windows authentication does not work outside of our local network, due to the local infrastructure.
So, I created a password protected folder by disabling anonymous authentication just for that folder, and then on every page request I check if the user is flagged as being logged in (details on how I do this are unimportant) and if they aren't I redirect to a page that does an AJAX request to a web service located inside the password protected folder to see if they are logged in on the local network. If they aren't then it redirects to the custom login form page.
Now this all sounded like a good idea at the time but in practice it does something undesirable... When an external user attempts to access and the AJAX request is made, I get a browser username and password prompt which has to be cancelled to continue.
I appreciate that this type of authentication is part of HTTP and probably can't be bypassed, even using AJAX, but any ideas how I can get this working without the username/password prompt or an alternate way of checking whether local network or external access?
I know I could check the IP address but I understand this can be faked (although that would only cause an issue to the user attempting to do this).
I also know I could have a different entry point for internal or external but I wanted to avoid this.
I couldn't find a solution for exactly what I wanted to do, so I opted to check if the user was on the local network by checking their IP address.
Although this is sent via a HTTP header and can be faked, it will only result in the user being prompted for username and password via Windows authentication.
I use Windows Authentication with a load balanced website. The load balance is based on two IIS web servers. There is a feature in my site which allow users to relogon like Sharepoint sign-in as different user.
But I notice that while I relogon, the User.Identity in one site is changed but the other site still keep the prior account.
I suspect there are something in the cookie should be clear.
Has anyone faced this problem while playing with loading balance? Or do you know some related article which might help?
I don't know how to fix the problem. Any help will be appreciated.
by the way
I use this method to archieve the relogon it works on single server. http://www.roelvanlisdonk.nl/?p=825.
Hello guys,
I still work on this feature.
I print the User.Identity.Name in my home page. when I change the account, the User.Identity.Name output is changed correctly. but when I refresh the home page, sometimes the prior account will be displayed on the home page.
If I'm reading your comments correctly, your setup involves two web servers, each with a local user with the same name (and presumably the same password), and you're attempting to use Windows authentication in the web farm scenario.
In your situation, each computer has it's own account with a name - assume your username is "AuthorizedUser". Bear in mind that if AuthorizedUser is a local account on both machines, then these are two completely different user accounts. Each computer checks it's own user account information to verify the identity of the person, and in a non-Domain situation, Computer A has no reason to trust a user that was authenticated on Computer B.
If it were possible that computer A trusted computer B without a domain scenario - just two random computers that happen to have a user with the same name, imagine how easy it would be to hack into anyone's web server that's using Windows Authentication. All you'd have to do is guess a valid username, rather than a valid username/password combination. It's easy to see why this is a bad idea.
For Windows Authentication to work in a web farm scenario, you need to be using a Domain user (A Windows NT Domain) and that Domain User needs to have the same permissions set up on two servers. This way, there is only one AuthorizedUser, and both web servers can verify the identity against the domain. Both web servers will automatically trust that the Domain Controller has authorized the user properly and will trust the domain.
We have been running an ASP application in local intranet using IIS7 and now have requirement to get Client computer name and logged user name, so that we can show his home page according to his setting. I did search on internet but did not find any solution yet. I also tried using LOGON_USER server variables but it works fine when I run using localhost but not when use IP Address (Return blank value). I also enabled window authentication and disabled anonymous but I prompt for user name and password even I did not set user name and password.
You will not be able to determine the computername directly. You will need to perform a reverse DNS lookup on the client's IP. Check out the link below from ASP101 to accomplishing this in ASP classic.
As far as the username, you will need to enable authentication in IIS otherwise all incoming requests will be anonymous. If you are running in a trusted environment, setup IIS for "Integrated Windows Authentication". This will allow the client's current user information to be used to authenticate to your website without a userid/password prompt. Note that integrated authentication is not part of the default IIS7 install.
Good luck.
ASP based Reverse DNS Lookup
http://www.asp101.com/articles/jason/reversedns/default.asp
Integrated Windows Authentication in IIS6 and IIS7
http://blogs.iis.net/nitashav/archive/2010/03/12/iis6-0-ui-vs-iis7-x-ui-series-integrated-windows-authentication.aspx
You can also achieve this by using WMI, however the remote computer and logged on user must be part of a domain that you have the administration credentials for. You will also need to use reverse DNS to find out the computer name, which #jking89 has given a great reference to above. Take a look at the WMI Win32_ComputerSystem class, here http://msdn.microsoft.com/en-us/library/aa394102(VS.85).aspx. Hope this helps as an alternate solution.
I am trying to write to a file on a server (web05) from a classic asp site running on Windows 2008 serer on IIS7 (webadmin). This fails and web05 logs an anonymous logon attempt during the course of the save operation.
Webadmin's site is running on an app pool in classic mode with a domain user as the process account. The process account has rights to "Trust this user for delegation to any service (Kerberos only)". The same applies for the web05 and webadmin servers.
The site is using Windows Authentication and the idea is that when I log on the site with my domain user, the rights of my user should define what I am allowed to do in the context of the IIS site. If I turn on Basic Authentication, everything works fine.
I have also used setspn.exe to add an SPN for the URL. If I type setspn.exe -L webadmin, I get:
HTTP/webadmin.companyname.com
TERMSRV/webadmin
TERMSRV/webadmin.companypub.local
HOST/webadmin
HOST/webadmin.companypub.local
So from what I understand the SPNs are set up correctly.
If I run processmonitor on webadmin while the save operation is executed, it says that the process is indeed impersonating my domain user - but getting "Access denied" (and as I said before, web05 logs an anonymous logon attempt).
Any idea what causes this?
Kind regards,
Simon
It sounds to me like you're a little confused over impersonation. The process isn't impersonating the domain user account its simply running as that user. There is a difference.
When a request arrives into ASP it will then impersonate a user and the thread handling the request will be running under the security token of the impersonated user. Its quite possible to have the same process impersonating multiple different users in multiple threads. In most cases where the anonymous user access is enabled this user is the Guest level IUSR account. Its most likely that its under this user your code is attempting and failing to run.
However if anonymous is turned off for the resource being accessed or the IUSR account does not have access to the resource then the a 401 response is sent back, with some indication of what authentication protocols it will accept. The browser may then attempt to authenticate the connection using either the current users credentials or request some credentials from the user.
You don't specify exactly how you are attempting to save file. Its worth pointing out couple of things though.
ASP code exection which may subsequently result in an access denied will not use the above mechanism to try to resolve the user.
Once a connection is authenticated it often continues to be re-used for subsequent requests (which is counter-intuative to the knowledge the HTTP is a "connection-less" protocol).
I am trying to clean up my previous questions. This answer is not sufficient to answer the question above, but I concluded that it is better to provide some insight than none. If op disagrees, please take necessary action.
This is a way back - but I recall wanting to run kerberos authentication on this app. The problem turned out to be that I tried to do kerberos outside the firewall. The app would work fine within the domain and firewall of the server's home domain but failed whenever requests came from outside.
I did a lot of chatting with an Irish technician in Microsoft, and he taught me a little about the limitations when using Kerberos. The reason I wanted to use Kerberos was that I didn't like the thought of Basic Windows authentication being unencrypted.
Good luck with your Kerberos quest :-)
I ran into this same issue and it turned out to be a simple change to the application pool. If enable 32-bit applications is set to FALSE then I recieved a prompt to login to the machine. Setting this value to true fixed the issue.
I have an ASP.NET website on a Windows 2003 Server, that needs to access files from a network share. The network share is password protected and needs a username and password to be provided.
I use forms based authentication on the website and not windows based.
So my problem is, when I try to read any file from the networkshare using the code below, it throws access denied
DirectoryInfo networkShare = new DirectoryInfo("\\TestServer\Share");
So I tried using Impersonate by providing the username and password of the network share to the impersonate function call, however the call obviously fails since that username does not exists on the ASP.NET webserver. So then I passed the username and password of a login that does exist on the webserver, so this time the impersonate call works however it still can not access the network share 'cuz the network share username and password are different.
So finally, I created the exact same username/password on the webserver which matches the network share. This time impersonate function call works and so does network share. I'm able to successfully read from the share.
So my question is, is there a way I can read the network share without adding the username in the webserver. 'Cuz everytime the network share login changes, I'll have to again make a new username in the webserver too. Which is not ideal.
Any ideas?
The "right" way to do this is to run the webserver's AppPool as the identity that can access the share. That way, the only credential storage is done securely in the IIS config (rather than in your code or in readable config files). Putting the webserver and fileserver in the same Windows domain (or different domains with trust) is the easiest way, but the "same username/password" thing should work there as well.
If you don't care about putting usernames/passwords in your code or config, you can P/Invoke to WNetAddConnection2 and pass the username/password- then you should be able to access the share. This doesn't require the webserver to have a matching account, but you really should secure the password (look into System.Security.Cryptography.ProtectedData for encrypted registry storage).