I just uploaded a project to my hosting, is a asp.net mvc project with authentication.
Just when i enter the web internet explorer prompts a credential windows. If I cancel, the web works correctly. The web works correctly also in local using the visual studio server.
More information:
"Allow Anonymous Access" is checked and the "Basic Authentication" too, but the promt is shown with Basic authentication checked or not.
Also I uploaded a very basic mvc application with authentication and the prompt is not showing, so it does'nt seem's to be an IIS configuration problem.
Also the prompt is showing in both Internet Explorer and firefox, but isn't in Chrome.
Do you have any clues?
Thanks!
It sounds like you have set the authentication mode to Windows? Can you check the Web.config file. If you are intent is to use Forms authentication, you should change it accordingly
Most likely is that you need to allow anonymous access in the IIS configuration manager. Even if your web.config specifies Forms Authentication (or Authentication is set to "None") if IIS is set to disallow anonymous access, then users will be prompted by IIS before the ASP.Net authentication mechanism kicks in.
Edit
I see this behavior if the "Allow Anonymous Access" is checked and the "Windows Authentication" is also checked.
This is all under the "Directory Security" task in the properties for your web site in the IIS manager.
See info below about IIS:
IIS Authentication
Anonymous
Anonymous authentication gives users access to the public areas of your Web site without prompting them for a user name or password....
Basic(uncheck this)
IIS implements Basic authentication, which is part of the HTTP 1.0 specification, using Windows user accounts. When using Basic authentication, the browser prompts the user for a user name and password. This information is then transmitted across HTTP where it is encoded using Base64 encoding. Although most Web servers, proxy servers, and Web browsers support Basic authentication, it is inherently insecure. Because it is easy to decode Base64 encoded data, Basic authentication is essentially sending the password as plain text.
http://msdn.microsoft.com/en-us/library/aa292114%28VS.71%29.aspx
For this to work only anonymous access should be checked in IIS. Otherwise the browser will try to authenticate if possible.
If you are serving "static content" with your site, the default webroot from which the application is configured under needs these settings as well. (Usually "Anonymous" as only-checked-box).
Related
I'm building an Intranet application based on Ext JS and webservices. Users are authorized using Integrated Windows Authentication, which works fine in IE.
Because my application is in JavaScript, it is loaded in Firefox, but then when I request some data from server I get 'access denied' in Firebug, because all webservices are checking user rights.
Can I request the user to enter his username and password (like login to FTP or a simple login page) in all browsers that don't support Integrated Windows Authentication?
I know there are plugins for Firefox, but I would like a secure solution that don't require plugins.
Windows Authentication is performed via NTLM. If a browser doesn't automatically supply the credentials then a username/password dialog should be shown in all browsers which would prompt the user to enter their credentials. This should happen automatically.
If you can edit the config settings in FireFox then you can make the credentials be submitted automatically by adding the domain to network.automatic-ntlm-auth.trusted-uris in about:config.
Wiki article about windows authentication
I have configured my ASP.NET website to use windows auth (and disabled annon auth), and setup some authorization rules. The website is deployed on the Intranet and all users have a windows identity.
When a user navigates to the website, the typical "Windows Security" window pops up, asking the user for his identity. I want to disable this, since the user is already logged in with a domain account. The browser should submit the current identity and IIS can use this to auth.
Any ideas?
Note: I am using IE and the Enable Integrated Windows Authentication is checked
In which browser is this happening? Internet Explorer has an option that explicitly defines whether the browser tries to authenticate users automatically.
You can find it in Tools - Internet Options - Advanced - Enable Integrated Windows Authentication.
Where I've seen this symptom happening before, I've had to add the URL the website is on explicitly into the Local Intranet zone in IE.
Newly installed IIS on a clean windows Server 2008 R2. Installed all security option. Then for the default web site authentication, enabled windows authentication and disabled all others. Then when access the default page iisstart.htm, it should give me a popup for authentication message.
but when I access the test page like: http://localhost/iisstart.htm, there is no popup. same as enabled Anonymous Authentication.
How to fix it?
I think your webservice is accessing files via your app pool identity, remove this user from the security access list on the file.
If you go to "localhost", then IE will see this as part of the "Intranet Zone". In the "Intranet Zone", IE will by default automatically send your current credentials to sites that use "Windows Authentication".
The result is that everything is probably working correctly.
First of all make sure you check if the app pool user can access the files of the website (NTFS security settings). See: IIS7 Permissions Overview - ApplicationPoolIdentity
After that (and double checking that only Windows Authentication is enabled in IIS) take into account that your URL must not contain dots! You can make an extra binding (see: https://technet.microsoft.com/en-us/library/cc731692(v=ws.10).aspx) that contains only letters and numbers and then add that binding to your local hosts file (open a text editor as administrator and then edit the file hosts in C:\Windows\System32\drivers\etc) to check.
Can you please post a small explanation of the prerequisites of using Windows Authentication?
I know that you have to turn Windows Authentication on from web.config or IIS and define domain.
Does the web server have to be connected to the Active Directory server or not, and how to get user info from Active Directory like name and description?
You don't have to be on a domain. The local server user accounts can be used with windows authentication. If the machine is on a domain, then either AD users OR local users can be used with windows authentication.
The minimum that has to be in place to use windows authentication in asp.net is that IIS has to have Windows Authentication enabled for the web site. IIS can still have other authentications enabled for the site too, even anonymous authentication can be used in conjunction with windows auth... as long as windows authentication is enabled also asp.net can use it.
Otherwise, your question is too broad for a good answer here. Authentication in asp.net is a very big topic; and when you add AD to the mix it gets bigger. I recommend checking out the MSDN documentation, reading through it, experimenting with it, then coming back here with more specific questions.
Anyone aware of how to get the ASP.NET Dev Server to challenge for basic authentication credentials instead of assuming my current login?
If using Cassini then according to paragraph at bottom of this link - Limitations of the Cassini Web Server, you cant.
If using IIS, then update IIS authentication.
In IIS,
in the virtual directory of your site right click on your virtual directory,
select the Directory Security tab
select Edit button next to Anonymous access and authentication control
uncheck allow anonymous and integrated windows authentication
check basic authentication
Not an answer to your question, per se, but consider configuring your web project's properties to "Don't open a page. Wait for a request from an external application", and then hit your server with a browser that's been launched with alternative credentials.
Do you have Integrated Windows authentication checked off under Directory Security in IIS, instead of (or in addition to) Basic?