After impersonation authentication screen keeps popping up in my ASP.NET Application - asp.net

I'm working on a program that has to archive (zip and delete files and folders) on a server. The servers that hosts the application (ASP.NET MVC) and the server that holds the files are two different servers. When I run the application without impersonation and the default web configuration everything works fine. The credential of the program is: NT AUTHORITY\NETWORK SERVICE. When I use impersonation by adding the following line in the web.config <authentication mode="Windows"/> the program runs fine with anonymous login. When I prevent anonymous login by adding the following code to the web.config, the authentication screen keeps popping up for every folder or file I want to access.
What's the problem?
<authentication mode="Windows"/>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>

To get this to work, you need to disable anonymous authentication and enable Windows Authentication in IIS, otherwise it doesn't have an identity to impersonate being passed.
Here's how to do that :)

Related

Why Authorization element in web.config doesn't work with OWIN?

I have created web form application that uses OWIN and Azure AD for authentication as described here or here
I host this application in IIS under Default Web Site so i can access it as http://localhost
Then i added following configuration so that anonymous user cant access resources, except the starting page, ie. default.aspx
<authorization>
<deny users="?" />
</authorization>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Everything is working fine at this point, and user gets authenticated on Azure site and redirected to my application. I see HttpContext.Current.User.Identity.IsAuthenticated is true
then in IIS i created new application (not virtual directory) under Default Web Site, and point it to the physical location which has images. I name the child application "images"
Now AFTER authentication, when i try to access http://localhost/images/image1.jpg i get error
Error message 401.2.:
Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
Why the authentication is not propagated to child application?
The application is pool is running under windows account which is adminsitartor on that machine. I am using Windows 10 and IIS version 10.0.10586.0 nad VS 2013 Update 5

HttpContext, WindowsIdentity, Thread on Anonymous IIS

I've worked at this quite a bit, but cannot seem to find a good solution.
I have a ASP.NET app (.Net 3.5) with IIS which pulls the user machine name and username from the account. This works on my local machine, but when uploading using IIS it gives null or IIS APPPOOL/appname. On IIS I have "Integrated Windows Authentication" and "Anonymous" set and in my Web.config file
<authentication mode="Windows"/>
<identity impersonate="true"/>
And I am trying to access the user information a number of different ways, some are:
HttpContext.Current.User.Identity.Name
System.Threading.Thread.CurrentPrincipal.Identity.Name
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Environment.UserName
Each of these work on my local machine, but when uploaded to the IIS server, everything gives invalid information. The app is internal, but I still need it to grab the Username without giving a login screen. Ideas?
Update: I've changed IIS to Anonymous Authentication Disabled and Windows Auth Enabled. And my web.config file I've tried the following
<authentication mode="Windows"/>
<!-- <identity impersonate="true"/> -->
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
Sorry about the update, but are there any ideas?
For anyone following this and needing an answer, the problem lies in IIS. In the Authentication area in IIS only have ASP.NET Impersonation and Windows Authentication enabled, the others should be disabled. And in Windows Authentication, go to Advanced Settings and UNCHECK the Enable Kernel-mode authentication. The Authorization Rules area should allow for all users (note this is done in IIS, not in the config file) And the following code in config is necessary.
<system.web><authentication mode="Windows"/><identity impersonate="true"/></system.web>
Hope this helps someone, here's a couple links that helped me. Good luck!
http://msdn.microsoft.com/en-us/library/aa302377.aspx
http://www.eggheadcafe.com/tutorials/aspnet/1f12cd61-6bb3-4ffd-bac1-124d40837006/aspnet-request-identity--an-analysis.aspx

Confusion about impersonation, authentication, and authorization in web.config

I'm trying to retrieve the windows login username for the current user in my asp.net website project.
my web.config file has the following items
<identity impersonate="true"/>
<authentication mode="Forms">
<forms name="app" path="/path" loginUrl="/path/login.aspx" protection="All" timeout="100" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
My understanding is that with this configuration I should be able to retrieve Domain\username from WindowsIdentity.GetCurrent().Name. However, this property returns NT AUTHORITY\IUSR which is the user for anonymous access. If I am not mistaken, I am denying anonymous access to the site in my authorization section. What am I missing?
Also of note:
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name also returns NT AUTHORITY\IUSR and Request.ServerVariables["LOGON_USER"] returns an empty string, which goes against the information found in this KB article http://support.microsoft.com/kb/306359
I am using .net 4.0 and a windows 7 development environment.
Some resources that led me to this point:
http://msdn.microsoft.com/en-us/library/ff647076.aspx
http://support.microsoft.com/kb/306158
http://forums.asp.net/t/1121780.aspx/1?Getting+a+users+DOMAIN+username+from+a+web+application
Thanks for your time.
Edit
It should be noted that I am locked into forms authentication (windows authentication is not an option), as this is a multi tennant site, and the majority of users will not be using this single sign on feature.
If you're using forms authentication then impersonation is meaningless - it only works with Windows authentication. The same applies for Request.ServerVariables["LOGON_USER"].
The reason you're seeing IUSR_ is because that's the Windows account the web site is running as, instead you should use Page.CurrentUser (WebForms) or the User property (MVC Controllers), with no casting. This will return the Forms Auth username.

ASP.net quick and dirty authentication

I'm currently working on a page within one of my company's internet sites that is in response to some production issues we have. The page will be published with the rest of the web site to our DMZ, however I'd like to set-up some quick authentication so only users on our domain (assuming they access the site internally) can access the page. I'd like to use Windows authentication to do so.
Is there a quick way to accomplish this?
If I understand the question correctly, you want to enable security just on one page in your application - not the entire app.
Under IIS, you can manage the security settings on a page by page basis. In the IIS manager, pick the page, and change the security settings so that anonymous is off, and only Windows auth is accepted. You should get prompted for a login when you visit that page.
From Scott Gu's blog
To enable Windows Authentication
within an ASP.NET Application, you
should make sure that you have
“Integrated Windows Authentication”
(formerly called NTLM authentication)
enabled within IIS for the application
you are building. You should then
add a web.config file to the root
directory of your ASP.NET application
that contains an
section which sets the mode to
“Windows”.
You should also then add an
section to the same
web.config file that denies access to
“anonymous” users visiting the site.
This will force ASP.NET to always
authenticate the incoming browser user
using Windows Authentication – and
ensure that from within code on the
server you can always access the
username and Windows group membership
of the incoming user.
The below web.config file demonstrates
how to configure both steps described
above:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
EDIT:
You can apply the auth settings to just a path in this way:
<location path="mypath.axd">
<system.web>
<authorization>
<allow roles="MyRole, AnotherRole" />
<deny users="*" />
<deny users="?" />
</authorization>
</system.web>
</location>
You can simply use Windows Authentication settings in IIS. Just turn off Anonymous Access in IIS and set your NTFS permissions on the Web folder to the users whom you want to have access to the site. Your IIS admin should be able to handle this quite easily.

Calling Secure Web Service from Anonymous web site

I am hoping someone can help me. I have a web service that is set as secure via the web config:
<authentication mode="Windows" />
<authorization>
<allow roles="MET\Web-Admin"/>
<deny users="*"/>
<allow users="MET\JoeUser;MET\JoeSmith"/>
</authorization>
And also in IIS 7 (Windows Server 2008) it has the following set for Authentication:
Anonymous Authentication:Disabled
ASP.NET Impersonation: Disabled
Basic Authentication Disabled
Forms Authentication: Disabled
Windows Authentication: Enabled
The anonymous site I am calling it from in IIS7 is:
Anonymous Authentication:Enabled
ASP.NET Impersonation: Disabled
Basic Authentication Disabled
Forms Authentication: Enabled
Windows Authentication: Disabled
In the Anonymous web site, I call the secure web service via:
moms.momService myMom = new moms.momService();
NetworkCredential netCred = new NetworkCredential(#"username", "password");
strStatus = myMom.createBackupDirectoryAndPrivs(sData);
Everytime I run this, it returns as Unauthorized. I have made sure this user is in the Web-Admin AD Group. I also tried adding the user as an Allow User but still unauthorized. I am pretty sure the problem lies somewhere in IIS but not sure what else to check.
BTW: For what it's worth, if I run the Anonymous site via VS2010 development on my dev box, and call the secure site using above code, it works fine. This is why I am thinking IIS on the PROD server.
Any help is greatly appreciated. Thanks in advance.
Geo...
Try moving the deny setting after the allow settings since they are processed in order from top to bottom:
<allow roles="MET\Web-Admin"/>
<allow users="MET\JoeUser;MET\JoeSmith"/>
<deny users="*"/>

Resources