AD / IIS Single sign-on issue with fully qualified domain name - asp.net

We have an issue for our intranet site that is running in our local network.
In a nutshell, we have integrated Active Directory authentication with our application and what to use IIS integrated authentication to allow users to sign on without entering any credentials.
Assume the AD domain is "domain.name", and the server our application is hosted on is "server-name". We are running in Windows 2008 and the Integrated Authentication role is set up in IIS.
We have managed to make this work for http:||server-name/, however when we enter http:||server-name.domain.name/, users are prompted for their credentials in the standard way and if they cancel, a "401 Unauthorised" message is displayed.
The issue is, that it seems to authenticate when the machine name is accessed, but browsers do not pass over credentials when the fully qualified address is accessed.
Has anyone seen this before? Is there any advice they can shed on the situation? I ask as a programmer who has little experience with network setup and Active Directory.
Thanks

Have a look in IE settings. Tools > Internet Options > Security > Local Intranet > Custom Level. Scroll down to the very last setting "Automatic login only in Intranet zone". By default IE will only automatically pass along windows authenticated credentials to a site it considers "intranet".

Related

What can cause incorrect user names when using IIS & Windows Authentication?

I'm currently experiencing an issue with some users of an ASP.NET 4.8 Web API application hosted on Windows Server 2012 and IIS. The following properties are not returning that user's correct user name, and instead returning the name of a service account used for this server:
HttpContext.Current.User.Identity.Name
HttpContext.Current.Request.LogonUserIdentity.Name
I have no idea how to begin troubleshooting this - myself and most other users do not experience this issue, but for a handful of users the above does not return the correct username, returning the username of a service account used to remotely connect to the server in question. Forcing a login via a browser private window does rectify the issue, and the application correctly returns the expected username for each of the above properties.
What could be a cause for Windows Authentication not returning the correct user name and what is the best way to troubleshoot an issue like this?
edit: I was able to resolve the issue, see my answer below
After some additional research and troubleshooting, I determined that the users experiencing the issue described above had the service account in question stored in the Windows Credential Manager:
Removing the service account in question allowed them to be authenticated with the Intranet site with their normal Windows domain\username. As #pcalkins suggested, at some point the affected users had used these credentials on their machine, and Chrome, Edge, IE were using that saved credential when authenticating with the Intranet site.
Please check the following steps:
Make sure that windows authentication is enable and Anonymous Authentication is disable for the website.
Enable integrated security in Interner Explorer (Options/Advanced and checkin the "Enable Integrated Windows Authentication" option).
Add your website to Local Intranet zone and select at least "Automatic logon only in Intranet Zone" option under Options/Security Settings/Local intranet/Custom level).
Aake sure the user and application server are in the same domain.

Using DNS to access ASP.NET with Windows Auth

Wondering if you can help me here, been battering away at this for days now.
i have an IIS site with windows authentication installed, which is working exactly the way it should do. This particular IIS Server houses approx 6 other sites so i have create a new Site called Helpdeskv6, with Application Pool Helpdeskv6 set to .NET 4 integrated using ApplicationPoolIndentity. We are currently working on a 2008 R2 domain, no windows firewall etc.
So i have now created a A Record that gives it a nice little name for our intranet users, the A record is called helpdesk (FQDN: helpdesk.my.domain). The IIS site is setup with bindings on standard port 80 for both helpdesk and the FQDN. but yet when i try and browse to the A record address it constantly prompts me for username and password. When i enter my details they work but i dont want users to be prompted.
i have ASP.NET Impersonation and Windows Authentiation enabled - Providers are NTLM and Negotiate. ASP Impersonation is Auth User. NTLM Authentication is ticked in my ASP Project Web Property page.
i have tried just enabling and disabling so many different settings, i have used setsnp -S HTTP/helpdesk.my.domain webserver001 and i have used setsmp -S HTTP/helpdesk webserver001 as i have read alot that apparently needs these in but nothing seems to work.
i have never used ASP Auth with a A Record before so i am at a severe loss please help, hope i supplied enough information as i do not want to have users entere their windows authentication constantly it should be auto so i am just fearfull i am missing a trick here as when i browse via netbios name it works but this is not appropriate for our environment
Forgot to close this out,
The issue was becuase the site wasnt being registered as a Intranet site and Auth details where not being transported over.

Login to ADFS without prompting for credentials

I've set up a site using ASP.NET MVC 5 to use claims based security using our on premise ADFS server. The site performs the redirect to the ADFS server which asks for the users AD credentials to log in, and then redirects back to my site. At that point the user is authenticated and I have access to all the claims that ADFS is sending.
The issue is I don't my users to have to enter their credentials. I would assume their windows credentials could be sent to the server to make the sign in process seamless but I can't figure out how. I have attempted to set the authentication mode to windows but it has no effect.
Both the ADFS and my site are internal and the ADFS site appears in my Local Intranet Sites settings. I've tested with both IE9 & Chrome and they both have pop up a dialog box looking for credentials. I've spoken with the sysadmin and windows authentication is enabled for ADFS.
How can I authenticate with ADFS without my users being prompted for their credentials?
I encountered the same issue as well and finally figured out the cause. This may occur if the ADFS authentication page url is a non-intranet address.
To resolve the issue, change the wsfederation issuer address in application's web.config to one that would be treated by the browser as an intranet address.
Change the following
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz.abc.com/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
to
<wsFederation passiveRedirectEnabled="true" issuer="https://xyz/adfs/ls/" realm="http://myapps/MVCpluADFS" requireHttps="true" />
where xyz is the machine name where ADFS is installed.
Do not change the adfs trust urls though. Keep them as they are since they would be used for matching and establishing trust between your application and ADFS.
The browser treats "xyz.abc.com" as an internet address, and hence displays a login prompt while "xyz" is treated as an intranet address so it automatically forwards logged in user credentials to the application without the user having to specify credentials himself/herself.
After this change, any intranet user would be directly logged in to the application if the browser used is Internet Explorer with default security settings (i.e. "Automatic logon only in Intranet zone" under Security tab -> Internet -> Custom level) or Chrome (since it picks up the settings set for Internet Explorer).
To make the automatic login work in Firefox, the following additional steps would have to be performed:
1) Type about:config into the firefox address bar. You might be warned about editing this section, go ahead anyway.
2) Type "fqdn" in the search bar. You should now see 2 settings i.e. "network.automatic-ntlm-auth.allow-non-fqdn" and "network.negotiate-auth.allow-non-fqdn". Change the values of both to true.
Are these intranet or extranet users?
Only intranet users can log in seamlessly with WIA.
This works OOTB with IE with the correct settings but other browsers need to be explicitly configured.
What browsers are you using?
Also the ADFS config needs to allow integrated auth.

Disable integrated windows security while browsing on localhost

I am developing an intranet MVC3 application that will be used by both domain and non domain computers.
Everyone has a domain account so whenever a non domain computer is to open the website a windows credentials prompt input box is expected to appear.
If i understand correctly this will be standard browser behavior since they won't pass windows credentials to a website unless they are in the same domain.
The problem however is that whenever i debug on my localhost i am in the same domain as the server(since i am the server obviously). This results in me being "logged in" with my workgroup windows account in stead of my domain account.
What i'm looking for is a way to trigger the prompt box so i can use my domain account to login rather then to get useless access with my workgroup account.
You can use Forms authentication with the ActiveDirectoryMembershipProvider.
Take a look to this tutorial on MSDN: http://msdn.microsoft.com/en-us/library/ms998360.aspx and this post: http://support.microsoft.com/kb/326340/en-us (sorry it's VB code).
Addendum: if you want just to test another user credentials you can use impersonation, just set-up your web.config.

Get Client Computer and user name in local intranet site

We have been running an ASP application in local intranet using IIS7 and now have requirement to get Client computer name and logged user name, so that we can show his home page according to his setting. I did search on internet but did not find any solution yet. I also tried using LOGON_USER server variables but it works fine when I run using localhost but not when use IP Address (Return blank value). I also enabled window authentication and disabled anonymous but I prompt for user name and password even I did not set user name and password.
You will not be able to determine the computername directly. You will need to perform a reverse DNS lookup on the client's IP. Check out the link below from ASP101 to accomplishing this in ASP classic.
As far as the username, you will need to enable authentication in IIS otherwise all incoming requests will be anonymous. If you are running in a trusted environment, setup IIS for "Integrated Windows Authentication". This will allow the client's current user information to be used to authenticate to your website without a userid/password prompt. Note that integrated authentication is not part of the default IIS7 install.
Good luck.
ASP based Reverse DNS Lookup
http://www.asp101.com/articles/jason/reversedns/default.asp
Integrated Windows Authentication in IIS6 and IIS7
http://blogs.iis.net/nitashav/archive/2010/03/12/iis6-0-ui-vs-iis7-x-ui-series-integrated-windows-authentication.aspx
You can also achieve this by using WMI, however the remote computer and logged on user must be part of a domain that you have the administration credentials for. You will also need to use reverse DNS to find out the computer name, which #jking89 has given a great reference to above. Take a look at the WMI Win32_ComputerSystem class, here http://msdn.microsoft.com/en-us/library/aa394102(VS.85).aspx. Hope this helps as an alternate solution.

Resources