Obscure IIS7 ISAPI Filter problem - iis-7

I am currently trying to migrate a legacy ASP application from Windows Server 2000 and IIS5 on to Windows Server 2008 and IIS7. The authentication for this application uses an ISAPI filter. Both the application and the ISAPI filter work in the new environment except for one problem. The application in question is set up to be the root application (as in you access it by going to http://hostname/application.asp). If I access it by the stated URL, it asks for my authentication details, the ISAPI filter gets passed the correct login details and then does its thing. Then I added a default document to IIS7 to point to application.asp. Now if I access the application by going to http://hostname, the ISAPI filter gets passed the wrong login details. The ISAPI filter implements this method:
DWORD CMyISAPIFilter::OnAuthentication(CHttpFilterContext* pCtxt, PHTTP_FILTER_AUTHENT pAuthent)
In it, the pAuthent object gets passed in by IIS when it calls the ISAPI filter and has the pszUser property which normally holds the value entered in the authentication dialog. In my case (when accessing the website by using the default document entry), the pszUser property holds the value of the Windows account that is running the application pool instead. Just to make things clear, the ISAPI filter gets passed the correct value if I type in the application.asp part.
I'm quite stumped at this problem and have no clue as to how to solve it. To make matters worse I can't really rebuild/modify the ISAPI filter and am quite the beginner when it comes to IIS administration.
I have also found that authentication works if IIS does not have the Default Document feature installed. Without this feature the default document does not work (naturally) but authentication does. It's only after I add the Default Document feature that authentication breaks.
Thanks for your help!

Sounds like the web site is configured to use integrated security on the root level. Make sure you remove the checkmark from the Integrated Windows Authentication checkbox in the Directory Security-Tab.
The Node "Web Sites" can be configured as well. So make sure you don't miss that one ;-)
EDIT: Damn, I can't upload a picture. Would make it easier for you to find the setting.

Related

Issue with my VB.NET web application authentication

I have a windows forms based web application written on VB.NET and currently being used by a large number of users.
I currently am facing an issue where the application is being authenticated with another user account instead of authenticating with the current user using the application.
I am using User.Identity.Name for user authentication and have only Windows Authentication enabled.
Other Details
The application is hosted in IIS on a windows 7 server machine from where it is accessible to everyone.
Strange thing is that the issue occurs only for 2 users and works fine for everyone else. Also it occurs only when using the hosted application(production url).
Also there is no default scenario set such as in case a user is not found, then a default user has to be filled in.
Observations
On debugging the application using the actual code on their local machines, their
respective user ids are fetched as expected.
Issue occurs in
Chrome regular mode
Chrome incognito mode
Firefox regular mode
Issue doesn't occur in
Firefox private mode
So I do not have a clue how to proceed here and what might be the root cause for the issue. Can anyone provide me some ideas to find the root cause of the issue and also a way to resolve it?
What I have tried:
I have made sure both Anonymous and Form Based modes of authentication are disabled.
Identity Impersonation is set to False.
I have also made sure there are no credentials set for the website in Credentials Manager.
I have also tried clearing browsing data including cache and other cookies.
Make sure you are not setting the authentication method etc. in your code-behind; you'll want to set that in your web.config. Make sure one is not overwriting the other (set in 2 places). Also, to get the user name you could grab it from server variables; see what this returns:
string user = Request.ServerVariables["LOGON_USER"].ToString();

Remove NEGOTIATE from WindowsAuthentication in IIS

I have a site running in IIS 7.5 that is accessed using a DNS alias different from the actual server name. In IE 8, integrated authentication is failing, but in Firefox and Chrome everything works fine. (IE presents a credential challenge a few times, then displays a 401.1 error page.)
I have figured out that this is due to IE using Kerberos (aka "Negotiate") over NTLM, and Kerberos requires registering a Service Principal Name (using SETSPN) so that the mismatch between the DNS name and the server name is properly handled.
My web site, however, doesn't need impersonation--it is enough to have delegation. So instead of messing with SetSPN, I would just like to remove "Negotiate" from the list of WindowsAuthentication methods in IIS.
I have searched for quite some time to find out how to do this in IIS. I have played with many appcmd commands--but I just can't find online examples, or figure out how by reading MSDN documentation or using appcmd /? to make appcmd commands apply only to a particular application within a site rather than to the entire web server. A few search-hours later over two days, and at least 3 dozen web pages visited, I am still coming up fruitless.
How in tarnation do I get this done--it seems like it should be so easy!
Open the Configuration Editor in IIS. It comes with IIS 7.5, or you can download the IIS administration pack for IIS 7.0. Navigate to the scope you want to affect (server, site, or application) and then open the icon:
Change the Section to system.webServer/security/authentication/windowsAuthentication:
Click on the providers item, and then click Edit Items on the right. Select the "Negotiate" item and click "Remove":
Close the dialog and click Apply in the Actions pane on the right.
Your problem is solved! No more Kerberos/negotiate!
Note: you can also click Generate Script in the actions pane to display the code that will make the change in either C#, javascript, or with appcmd from the command line.
For reference, here is the appcmd statement to do the job without using the Configuration Editor.
appcmd.exe set config "Virtual/path/to/application" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost
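To check that a scoped removal like the one above took effect only where intended, the following added example (not from the original answers) resolves the effective provider list for a given scope from applicationHost.config. It assumes the removal is stored as a `<remove>` entry under a `<location>` element, reads only applicationHost.config (not per-directory web.config files), and uses a constructed sample with the placeholder path "Default Web Site/intranet".

```python
import xml.etree.ElementTree as ET

# Constructed sample of applicationHost.config: server-wide defaults plus the
# <location> override assumed to result from a scoped removal with /commit:apphost.
# "Default Web Site/intranet" is a placeholder application path.
SAMPLE = """<configuration>
 <system.webServer><security><authentication>
  <windowsAuthentication enabled="true"><providers>
   <add value="Negotiate" /><add value="NTLM" />
  </providers></windowsAuthentication>
 </authentication></security></system.webServer>
 <location path="Default Web Site/intranet">
  <system.webServer><security><authentication>
   <windowsAuthentication><providers>
    <remove value="Negotiate" />
   </providers></windowsAuthentication>
  </authentication></security></system.webServer>
 </location>
</configuration>"""

PROVIDERS = "system.webServer/security/authentication/windowsAuthentication/providers"

def apply_collection(inherited, element):
    """Apply <clear/>, <remove/> and <add/> children to the inherited list."""
    result = list(inherited)
    for op in (element if element is not None else []):
        value = op.get("value", "")
        if op.tag == "clear":
            result = []
        elif op.tag == "remove":
            result = [p for p in result if p.lower() != value.lower()]
        elif op.tag == "add" and value.lower() not in (p.lower() for p in result):
            result.append(value)
    return result

def effective_providers(config_xml, path):
    """Providers in effect at path: "" (server), "Site" or "Site/app"."""
    root = ET.fromstring(config_xml)
    result = apply_collection([], root.find(PROVIDERS))
    target = path.lower()
    def scope(loc):
        return (loc.get("path") or "").lower()
    matching = [loc for loc in root.findall("location")
                if scope(loc) in ("", target) or target.startswith(scope(loc) + "/")]
    # Parent scopes first, so the most specific <location> is applied last.
    for loc in sorted(matching, key=lambda loc: len(scope(loc))):
        result = apply_collection(result, loc.find(PROVIDERS))
    return result
```

On a real server, pass the contents of applicationHost.config instead of `SAMPLE`; a scope that still returns "Negotiate" is one where Kerberos negotiation is still offered.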

webDAV IIS6 Authentication not working with anonymous disabled

I have been trying to implement a webDAV connection on an existing IIS ASP.NET web site. This issue surrounds permissions and connectivity when "Enable anonymous access" is unchecked and disabled.
I have tried every combination available. The server is w2k3 Web Edition, no AD, IIS6, so "Digest authentication for Windows domain servers" is not an option in the Authenticated Access section of Authentication Methods of the Virtual Directory I am sharing in the web site.
I have read about and tested the Registry Edit of the following key, \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\services\WebClient\Parameters\BasicAuthLevel and changed the value to 2 against each possible authentication method. It seems to disable connectivity more than helping.
I am trying to map a path to a virtual directory on the web server, a function of the webDAV protocol, works great if anonymous access is enabled, but obviously can not be for this project.
I would like to at least get the Windows Authentication to work and disable Anonymous Access.
I have been testing this on both a development server and production server and the behavior is consistent. On a Win7 OS I can not get the Windows Authentication dialog box to appear.
A few tests on XP, the box appeared but would not authenticate, but this may have been related to other config issues.
I have also tested with Permissions to the Everyone group just to see if I can connect.
Any further suggestions would be appreciated.
UPDATE: I found this article that explains a portion of the problem and work around though not entirely fitting for the issue explained above.
http://support.microsoft.com/kb/943280/en-us
Try adding permissions for Network_services and the IIS User on that box. That has always gotten me over the permissions issues I have faced. You need to add these from within IIS, as at least with IIS 7 it seems to overrule the permissions from Windows Explorer. Not sure if IIS 6 does the same but I just do it by default now.

Classic ASP Error 405

I have several development sites on my Win XP laptop (all classic ASP). Does anyone know why I need to type localhost/site/default.asp (I keep getting a 405 error on IIS 5.1) and not just localhost/site?
You need to add "Default.asp" as a default document. From this page ...
With iis 4.0 and iis 5.0 the change is performed as follows:
Start the Internet Service Manager (Start - Programs - Administrative Tools - Internet Services Manager).
Expand the computer and select the web site.
Right click on it and select Properties.
Select the documents tab.
Check the Enable default document box and click Add to add a new default name. The order of the search can be changed by clicking the up and down arrows.
Click Apply and then OK.
Per comment ... okay, check your script map settings, per this article.
Sounds like you need to configure your default document type in IIS to be default.asp.
First off we need to clear up the web site thing. You only have one web site, the default web site. (It is possible to munge the metabase on XP to create multiple web sites but IIS 5.1 will only serve one of them, the others will have to be stopped).
You have multiple applications which are virtual directories under a common default website.
Have you checked that Default.asp is in the list of default documents for the application not the website? In IIS manager open properties dialog on each applications virtual directory and check the config there.
If you have then you've got a strange one on your hands. At this point I would always advise checking permissions. Does the application allow anonymous access, if so does the anonymous user have access to the folder and files?
This might seem strange advice since accessing the default.asp directly works, but in my experience when the configuration looks good and should work but isn't, 90% of the time it's the result of permissions not correctly set up.
A 405 http response status code means "Method Not Allowed". The Wikipedia article List of HTTP Status Codes has this definition for the error:
A request was made of a resource using a request method not supported by that resource; for example, using GET on a form which requires data to be presented via POST, or using PUT on a read-only resource.
You can try the third XP PRO IIS Admin, which can add more than one site to the IIS 5.1, you can switch the site with no difficulty.

ASP.NET URL rewriting for DB query from URL content without extension

I am trying to create a very simple ASP.NET application that presents information retrieved from a database based on the URL, in a similar way to a wiki, but in this case the site is read-only. An example of a URL I'd like would be:
http://www.foo.com/bar
The application would then use "bar" as a SQL query parameter to show information from the database that matches "bar".
I've looked into many URL re-writer options for IIS6 (and this would be on a dedicated server), but I'm still not sure which one to use for this application.
To perhaps clarify, I only need to run the site from a single default.aspx file, but I want it to work as described above. The overall site logic will be very simple.
I am hoping that someone with more experience in this area can help me out -- I am looking for the simplest solution that will address this one scenario.
IIS6 only directs requests to the asp.net engine if that extension has been registered. By default the registered extensions are aspx ascx asmx etc...
If you cannot base your database query on a query string parameter (e.g. foo.com/default.aspx?query=bar) then the best you can do on IIS6 is a wildcard mapping. Basically this means that every request will be directed over to asp.net (including images, scripts and styles). Obviously this will degrade performance.
To enable wildcard mapping right click on your site in IIS manager and go to Properties -> Home Directory -> Configuration -> Mappings at the bottom click insert and type in the path to the asp.net isapi dll (you can copy it from the aspx extension above) and uncheck 'Verify that file exists'.
After making the changes you'll be able to request foo.com/bar
(another method might be to make a request to foo.com/default.aspx/bar)
Just for the record, IIS URL Rewrite 2 supports this, you can install the extensibility samples that include a DB provider. Works on IIS 7+ only.
http://www.iis.net/download/urlrewrite
http://code.msdn.microsoft.com/rewriteextensibility
