Get Client Computer and user name in local intranet site - iis-7

We have been running an ASP application in local intranet using IIS7 and now have requirement to get Client computer name and logged user name, so that we can show his home page according to his setting. I did search on internet but did not find any solution yet. I also tried using LOGON_USER server variables but it works fine when I run using localhost but not when use IP Address (Return blank value). I also enabled window authentication and disabled anonymous but I prompt for user name and password even I did not set user name and password.

You will not be able to determine the computername directly. You will need to perform a reverse DNS lookup on the client's IP. Check out the link below from ASP101 to accomplishing this in ASP classic.
As far as the username, you will need to enable authentication in IIS otherwise all incoming requests will be anonymous. If you are running in a trusted environment, setup IIS for "Integrated Windows Authentication". This will allow the client's current user information to be used to authenticate to your website without a userid/password prompt. Note that integrated authentication is not part of the default IIS7 install.
Good luck.
ASP based Reverse DNS Lookup
http://www.asp101.com/articles/jason/reversedns/default.asp
Integrated Windows Authentication in IIS6 and IIS7
http://blogs.iis.net/nitashav/archive/2010/03/12/iis6-0-ui-vs-iis7-x-ui-series-integrated-windows-authentication.aspx

You can also achieve this by using WMI, however the remote computer and logged on user must be part of a domain that you have the administration credentials for. You will also need to use reverse DNS to find out the computer name, which #jking89 has given a great reference to above. Take a look at the WMI Win32_ComputerSystem class, here http://msdn.microsoft.com/en-us/library/aa394102(VS.85).aspx. Hope this helps as an alternate solution.

Related

SSO with Windows Authentication across multiple REST-APIs? (Kerberos Double hop)

I have the following scenario:
(Client/Browser) => (Web Service/Web API) => (SharePoint REST-Api).
Basically what I want to achive is to have the middle application (WebService/Web API) to act as a facade infront of the SharePoint-REST-API to ease the development for anybody that needs to communicate with our SharePoint-application. (Basically we wrap a few SharePoint-request-calls into one single call in the Web API/Facade).
Now the problem is that I also want to be able to send the logged in Windows user (AD-user) from the Client to the Web Service, and then the web service should act on behalf of that Windows user and perform whatever actions needed in the SharePoint REST-API (this is to make sure that permissions to files and so on are actually set based on the authenticated user).
What we have tried so far is setting uo the Web Service on one server, and SharePoint on a different server.. and then we have tried to setup authentication using Kerberos and delegation, but we could not get this working.
Based on the information I have provided, do you guys think that a "double hop" like this would work if we manage to get Kerberos setup properly?
Another thought that hit me is that maybe we dont have to host the Web Service and the SharePoint applications in two different servers, but we could actually host them both on the same server within one single IIS-server with two sites.
Would this still require Kerberos to be setup with a double hop? Or does a "hop" only count once the ticket actually leaves one server to another.. cause in the case described here, the request from the Web Service to the SharePoint-REST-API would never leave the actual server, but it might cross domains (as in web-domains.. not AD-domains).
Could this work, instead of having to hassle with Kerberos double hop, SPNs and what not..?
when you use integrated authentication, anonymous is disabled at that time and impersonate is enabled.so security settings will not allow your site to access resources on any network servers.
When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'. When IIS tries to access a network device, that would be the double or second hop which is not allowed. iis will not pass those credential to the next network device.
if you use anonymous enable and impersonate off this issue will not occur.
to configure Kerberos Authentication in iis you could follow the below steps:
1)open iis manager and select site.
2)select the authentication feature from the middle pane.
3)enable windows authentication and disable anonymous.
4)With Windows Authentication, click on the Providers from the Action pane.
5)set the provider in below manner:
Negotiate
NTLM
save the changes.
6)go back and select the configuration editor.
from section dropdown select system.webServer/security/authentication/windowsAuthentication.
“useAppPoolCredentials” set to true.
"useKernelMode" to "True" and save the settings.
7)restart the iis.
8)Configure SPNs
open the command prompt as administrator and run below command to check the machine name:
hostname
When you have a custom hostname and you want to register it to a domain account, you need to create a SPN a below.
setspn -a HOST/${FQDN_HOST} ${MACHINE_NAME}
setspn -a http/${FQDN_HOST} ${MACHINE_NAME}
9)after doing that set application pool identity to the custom account and set the username and password.
You could refer this below article for more detailed information:
https://weblogs.asp.net/owscott/iis-windows-authentication-and-the-double-hop-issue
https://active-directory-wp.com/docs/Networking/Single_Sign_On/SSO_with_IIS_on_Windows.html
https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Setting-up-Kerberos-Authentication-for-a-Website-in-IIS/ba-p/324644

Using DNS to access ASP.NET with Windows Auth

Wondering if you can help me here, been battering away at this for days now.
i have an IIS site with windows authentication installed, which is working exactly the way it should do. This particular IIS Server houses approx 6 other sites so i have create a new Site called Helpdeskv6, with Application Pool Helpdeskv6 set to .NET 4 integrated using ApplicationPoolIndentity. We are currently working on a 2008 R2 domain, no windows firewall etc.
So i have now created a A Record that gives it a nice little name for our intranet users, the A record is called helpdesk (FQDN: helpdesk.my.domain). The IIS site is setup with bindings on standard port 80 for both helpdesk and the FQDN. but yet when i try and browse to the A record address it constantly prompts me for username and password. When i enter my details they work but i dont want users to be prompted.
i have ASP.NET Impersonation and Windows Authentiation enabled - Providers are NTLM and Negotiate. ASP Impersonation is Auth User. NTLM Authentication is ticked in my ASP Project Web Property page.
i have tried just enabling and disabling so many different settings, i have used setsnp -S HTTP/helpdesk.my.domain webserver001 and i have used setsmp -S HTTP/helpdesk webserver001 as i have read alot that apparently needs these in but nothing seems to work.
i have never used ASP Auth with a A Record before so i am at a severe loss please help, hope i supplied enough information as i do not want to have users entere their windows authentication constantly it should be auto so i am just fearfull i am missing a trick here as when i browse via netbios name it works but this is not appropriate for our environment
Forgot to close this out,
The issue was becuase the site wasnt being registered as a Intranet site and Auth details where not being transported over.

Disable integrated windows security while browsing on localhost

I am developing an intranet MVC3 application that will be used by both domain and non domain computers.
Everyone has a domain account so whenever a non domain computer is to open the website a windows credentials prompt input box is expected to appear.
If i understand correctly this will be standard browser behavior since they won't pass windows credentials to a website unless they are in the same domain.
The problem however is that whenever i debug on my localhost i am in the same domain as the server(since i am the server obviously). This results in me being "logged in" with my workgroup windows account in stead of my domain account.
What i'm looking for is a way to trigger the prompt box so i can use my domain account to login rather then to get useless access with my workgroup account.
You can use Forms authentication with the ActiveDirectoryMembershipProvider.
Take a look to this tutorial on MSDN: http://msdn.microsoft.com/en-us/library/ms998360.aspx and this post: http://support.microsoft.com/kb/326340/en-us (sorry it's VB code).
Addendum: if you want just to test another user credentials you can use impersonation, just set-up your web.config.

Run asp.net application under domain account without joining the domain?

My feeling says it's not posible but anyway I am curious if there is at least a workaround for accomplish this.
Basically I am working at my client site and my machine is not connected to the domain.
What I want to do is running a web application locally under a domain account, and using the webdev server.
The webapp uses the default authentication, windows authentication that is.
I tried using impersonation with domain\user & password but I got the following error
Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.
I have to mention that the username and the password are correct.
Thanks in advance
Iulian
If you cannot access the domain controller (or your computer does not know what domain controller to use), there is no way finding out if the password is correct or not. What normally Windows does, is asking the DC "does this password match this account" (simply speaking). Now in your scenario, there is no DC. Hence, "unknown username".

AD / IIS Single sign-on issue with fully qualified domain name

We have an issue for our intranet site that is running in our local network.
In a nutshell, we have integrated Active Directory authentication with our application and what to use IIS integrated authentication to allow users to sign on without entering any credentials.
Assume the AD domain is "domain.name", and the server our application is hosted on is "server-name". We are running in Windows 2008 and the Integrated Authentication role is set up in IIS.
We have managed to make this work for http:||server-name/, however when we enter http:||server-name.domain.name/, users are prompted for their credentials in the standard way and if they cancel, a "401 Unauthorised" message is displayed.
The issue is, that it seems to authenticate when the machine name is accessed, but browsers do not pass over credentials when the fully qualified address is accessed.
Has anyone seen this before? Is there any advice they can shed on the situation? I ask as a programmer who has little experience with network setup and Active Directory.
Thanks
Have a look in IE settings. Tools > Internet Options > Security > Local Intranet > Custom Level. Scroll down to the very last setting "Automatic login only in Intranet zone". By default IE will only automatically pass along windows authenticated credentials to a site it considers "intranet".

Resources