Can you please post a small explanation of the prerequisites of using Windows Authentication?
I know that you have to turn Windows Authentication on from web.config or IIS and define domain.
Does the web server have to be connected to the Active Directory server or not, and how to get user info from Active Directory like name and description?
You don't have to be on a domain. The local server user accounts can be used with windows authentication. If the machine is on a domain, then either AD users OR local users can be used with windows authentication.
The minimum that has to be in place to use windows authentication in asp.net is that IIS has to have Windows Authentication enabled for the web site. IIS can still have other authentications enabled for the site too, even anonymous authentication can be used in conjunction with windows auth... as long as windows authentication is enabled also asp.net can use it.
Otherwise, your question is too broad for a good answer here. Authentication in asp.net is a very big topic; and when you add AD to the mix it gets bigger. I recommend checking out the MSDN documentation, reading through it, experimenting with it, then coming back here with more specific questions.
Related
i'm developing an asp.net application.
The app will be used mainly in intranet environment, from intranet users.
I've enabled Windows auhtentication and my app works:
In developing environment, it logged me automatically without asking username
In a Windows Server production environment, with Windows authentication, it ask username and password (of active directory) then log correctly user
My question is:
- Is it possible to automatically recognize windows user already logged in Windows, without asking username and password ?
Depending on what your domain is setup like you might need to add the domain name entires for the internal site to the intranet zone.
So if you have http://oursite.company.domain/ you might need to add it to the intranet sites
http://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html
Note the numbering of the Security Zones. 1 for Intranet Zone, 2
for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites
Zone.
You can set your application to use Windows authentication in web.config. Have you tried this?
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
More info can be found here:How To: Use Windows Authentication in ASP.NET
<-- Edit --->
You will also need to configure your website in IIS to use Windows Authentication. In IIS, go to your website, double click on Authentication, disable Anonymous Authentication, Enable Windows Authentication. In Windows Authentication, open Providers...(right hand side), ensure that NTLM is visible and moved to the top of the list. Restart your app pool and now you should be able to automatically get users logged in on the server as well.
I have the following requirement: if a user in domain 2 goes into an ASP.NET site that is in domain 1, then the site should display a customised login form to validate the user. But if a user from domain 1 surfs to same the ASP.NET site (on domain 1), then Windows authentication (using Active Directory) takes place, so the user should goes straight through to the site content without seeing the login form.
How would I go about doing that?
Would I first need to detect the request domains? I have tried HttpContext.Current.Request in Page_Load() but have not yet been successful in detecting which domain a request is from.
Also, how should I setup the site authentication mode? Would I need Windows authentication for domain 1 users, and forms authentication for domain 2 users? I have also not been able to succeed in this, since IIS 7.5 complains that I cannot have both Windows and Forms authentication turned on.
Thanks.
Surely not an answer but due to the length, I am adding it as answer not comment.
AFAIK, IIS 7.5 allows both authentications to be enabled but no through web.config, you have to do it through IIS Management console, furthermore the scenario you described is handled through claims authentication (windows for intranet and forms for extranet) in Sharepoint 2010. I think same approach can be used in ASP.NET application since Sharepoint is also built on top of ASP.NET 3.5. More over you can look into Federated Authentication APIs present in .Net. You can explore the following links Claims Aware ASP.NET Applications and Federated Authentication and Enabling Federated Authentication for ASp.NET in Azure. Hope this helps.
Goal
I am trying to deploy an MVC3 application that requires Windows Authentication (specifically Kerberos) as an Application within an older asp.net Anonymous Authentication Website.
Symptoms
In IIS 7.5 Express on my box it works perfect, obviously. When I deploy it to IIS 7.5 as its own site I get challenged for domain credentials, though none are accepted. When I deploy it as an application I get the custom error page back from the hosting site. To confirm - Kerbtray shows no ticket in either scenario.
Details
Both the Site and the new child Apps run on the same application pool, and the application pool runs as AppPoolIdentity. That built-in IIS app pool account (IIS AppPool\MyAppPoolName) has full Read/Execute permissions down both the Site's and the App's folder trees. No impersonation is used.
Question(s)
Is there anything special I need to do to get NTLM and Kerberos working on an App inside an anonymous auth Site?
If not, any advice on things/places to look would be great - the ApplicationHost.config and the app's web.config files look fine.
EDIT: For clarification, this is all on a corporate network that uses Kerberos extensively for other purposes. "Site" refers to an IIS Website and is distinguished from an "Application" that must be hosted within an IIS Site.
After working on this a bit more, I found the answer:
Nothing special is needed to host a Windows (Kerberos) authenticated IIS App within an Anonymous authenticated IIS Site on IIS 7.5 so long as:
a. Kernel Mode Authentication is On - No SPNs required.
b. The application uses the same App Pool Identity as the hosting parent. Different App Pools and their identities can be used, but this does require further NTFS permissions and is beyond the scope of this particular issue.
The issue with my error was something much more simple yet elusive... the parent Site had a custom set of error pages defined in <HttpErrors> including pages for 401 and 403.
This was the error page returned when the user requested a page from the nested Application because Kerberos sends a 401 first, to challenge the user for credentials and ask/him her to get and provide a Kerberos ticket... but because the parent Site returned a 200 response (the custom error page) the user never got a Kerberos ticket.
With these off, the user is now appropriately getting a Kerberos ticket and falls back to NTLM as by default.
We have a SharePoint web application that uses Windows Authentication e.g. extranet.test.com.
We also have an ASP.NET web application that uses Windows Authentication e.g. webapp.test.com
However when navigating between the two applications, users must authenticate a second time. Is there a way to prevent this?
I have searched the web but have been unable to find a suitable answer. I have seen many examples using Forms Based Authentication but this is not a viable option since we are using the Active Directory.
Thanks in advance.
What is the authentication scheme you are using: NTLM / Kerberos ?
If you are using Kerberos, you can simply enable credential delegation between two applications.
If you are using NTLM, the only solution is to put them in Intranet zone. You can enforce it using Domain policy. Not that this will work only if the users are logged on to domain.
We have IIS 7 running on the Windows 2008 Server which hosts many intranet websites. We want to use windows authentication for the website and its url will be http://pay
So, I add the C:\InetPub\pay folder and bind it to the IIS7.
Disable the Anonymous Authentication mode.
Enable the Windows Authentication mode.
When I access the website http://pay from the other computer, I got the message that
Unauthorized You do not have permission to view this directory or page
using the credentials that you supplied.
So, I go to the Windows Explorer and Add the Local\IUSR account and give access to the folder. But I still got the same error.
Finally, I added Everyone account and give access to the folder. This time, it works and windows authentication is also working well.
What I am afraid is that, does it open the read access to Everyone to the \MyServer\C$\Inetpub\pay folder? It contains the web.config which contains server and users credential and it would be the big security breach.
How can I achieve to use Windows Authentication without giving access to Everyone account?
Thanks in advance.
I believe what you you're looking for is the IIS_IUSRS group which you should give read access to your website folders when using Windows Authentication. The IUSR account you tried would be used in an Anonymous Authentication scenario.
More info on these groups in IIS7 here:
Understanding Built-In User and Group Accounts in IIS 7