asp.net web application fails to recognize user identity - asp.net

We have a web application and it uses System.Web.UI.Page.User.Identity to determine who the current user is. We are experiencing an intermittent problem, where a user is not recognized (their identity is blank or empty). Anonymous authentication is disabled so I don't see how they can fully access the web application without it recognizing who they are. This happens like once a month for half a day, and then it fixes itself. So it's really hard to diagnose but I would really like to track down the issue. Any suggestions? Thank you!

Make sure you have anonymous authentication turned off & windows authentication enabled for the application in IIS.

Related

Issue with my VB.NET web application authentication

I have a windows forms based web application written on VB.NET and currently being used by a large number of users.
I currently am facing an issue where the application is being authenticated with an another user account instead of authenticating with the current user using the application.
I am using User.Identity.Name for user authentication and have only Windows Authentication enabled.
Other Details
The application is hosted in IIS on a windows 7 server machine from where it is accessible to everyone.
Strange thing is that the issue occurs only for 2 users and works fine for everyone else. Also it occurs only when using the hosted application(production url).
Also there is no default scenario set such as in case a user is not found, then a default user has to be filled in.
Observations
On debugging the application using the actual code on their local machines, their
respective user ids are fetched as expected.
Issue occurs in
Chrome regular mode
Chrome incognito mode
Firefox regular mode
Issue doesnt occur in
Firefox private mode
So I do not have a clue how to proceed here and what might be the root cause for the issue. Can anyone provide me some ideas to find the root cause of the issue and also a way to resolve it?
What I have tried:
I have made sure both Anonymous and Form Based modes of authentication are disabled.
Identity Impersonation is set to False.
I have also made sure there are no credentials set for the website in Credentials Manager.
I have also tried clearing browsing data including cache and other cookies.
Make sure you not setting the authentication method etc in your code behind, you'll want to set that in your web.config. Make sure one is not overwriting the other (set in 2 places). Also to get the user name you could also grab it from server variables, see what this returns
string user = Request.ServerVariables("LOGON_USER").ToString();

Select permission denied

I am hoping this will be a simple question. I am using IIS 7.5 / Visual Web Dev 2010 Express.
I know why this error appears :) it's a security/user issue. The problem is, I don't know what account/permissions this intranet is using that's causing the issue.
I use a simple authentication method that detects the user ID. If they're on that list, they are allowed to look at the page. This is done through:
[allow users] and [deny users]
(Brackets substituted for arrows.)
Authentication mode is set to Windows.
There is another intranet site that users can access- I have read and write permissions on that database that this web site uses. That intranet site works for me, but this gives me a security error.
I'm thinking that by using this authentication method, that it switches to a system profile which tries to access it and gets denied. Is there a generic system profile you guys know of that would cause such an error? Is that even a right assumption or is it a security setting that's related to my username?
Thanks in advance...
Well, maybe this could be helpful for someone in the future who is also facing the same problem. I am not sure where to find this, but apparently I had left out or there was not a tag called identity impersonate. By just having the authentication mode set to Windows, I thought it would take care of everything.
I am assuming that if you use Windows authentication, a system account will try and access the SQL database. Because that system account (whatever it may be, there is one defined somewhere but I forgot the name of it) does not have access, that permission error gets thrown.
What will make the web page use the user permission is with this tag:
[identity impersonate="true"/]
Substitute brackets with arrows.

ASP.NET site with Anonymous authentication

I have am asp.net 3.5 web site with a asmx web service and a test aspx page (the page tests the web service using javascript).
I need to run this site with anonymous authentication, so I setup the site in IIS as such.
Now, if I am trying to open the test page in the browser, I get 401.3-Unauthorized error.
Any ideas what should I do to fix it? Do I have to give read access for the physical file to Anonymous Login?
Also, what version of IIS are you using? Also if you are using the IIS mgr and you check anonymous authentication, you need to give it a valid username and password, have you done this?
A 403 can mean several things. It can mean you don't have authentication correctly configured, or it can mean that the ASP.NET worker process does not have rights to access the pages (the security is set to only allow you to access them, for instance). There are other scenarios as well, but these are the two most common.

IIS generates same Session.SessionID

I have deployed two web applications on my IIS7.
The problem is, IIS is generating the same Session.SessionID if I request both application using the same browswer (different tabs).
This is causing some problem with ASP.Net user authentication, it is some how overlapping with each other and the flag "User.Identity.IsAuthenticated" returns false whenever the user logs in on to the other site. It works fine as long as user is working on one of the site.
Please help me out, I cant seem to find the reason for this, I mean the session is application specific so why is sessionID from one web app is conflicting with the other.
Thanks
They are running in the same application pool. Just separate the application pools.
Problem is your browser is treating these applications the same. Session in ASP.NET is implemented by the session cookie. These need to have different website names so that they do not share the same session.
UPDATE
This is how session cookie works.
But one solution is to access them as mysite.com/1 and mysite.com/2. That I believe should also work.
Did you checked application pools, if you want to isolate web application you should define different application pools.
Is each application running in a separate IIS Application? If they are, then the session will be separate, as Session is scoped to the AppDomain. If they are in the same IIS application, they are loaded in the same AppDomain, and will share Session.
In the same browser session (regardless of using tabs), the same Session cookie will be sent.

Starting a Process as a Different User in ASP.NET

I have an ASP.NET MVC web app and in one of the controller actions I want to start process (exe file). The process needs to run under a domain user, because it accesses other resources on the domain. This can either be a single hard coded user, or the user that is currently on the web page. The web.config is using Windows authentication.
I have tried turning impersonation on and tried turning impersonation on specifying a specific user. Both of these scenarios will cause permission issues.
I have also tried starting the process as a specific domain/user/password, but this will give me an error "Logon failure: unknown user name or bad password". I'm positive that the username/password is correct, and doing a "runas" works fine.
I'm not even sure of the "correct" way to do this. Any help is appreciated.
Thanks.
The correct way is to not launch a process from a Web app. Use something like MSMQ in WCF instead.

Resources