I'm working on a simple ASP.Net page (handler, actually) where I check the value of the LOGON_USER server variable. This works using Visual Studio's built-in web server and it works in other sites deployed to the live intranet site. But it doesn't work on the IIS instance on my local XP machine. How can I fix it, or what's going on if I can't?
What authentication do you have enabled in IIS? Anonmyous, Basic, Digest, Integrated Windows? Sounds to me like anonymous access is enabled/allowed, and nothing else. This would means that LOGON_USER is not populated.
When you access your local IIS, trying using http://127.0.0.1 in particular if you use IE. IE will recognize "localhost" as being in your local trusted zone and will automatically pass your XP login credentials through when Integrated Windows auth is enabled.
In addition to Jon's answer, IIRC even if you have Integrated Authentication enabled, if Anonymous Authentication is enabled it will take precedence...
Related
I have migrated a asp.net web site from IIS6 to IIS8.5. Almost all issues are fixed. But it seems that the identity of the user gets lost.
Related questions I found:
Cannot get authentication working in IIS 8.5
Configure windows Authentication in IIS 8.5 on Windows Server 2012
Receiving login prompt using integrated windows authentication
When I open the webpage from the server IE browser there is no login prompt (which would be fine if the integrated authentication was used)
When I open the webpage from a remote client I should get a login prompt for authentication (since the user on the client does not exist on the server). But there is none.
On the old platform IE6 was used. On the new platform IE is used with compatibility mode
In the old web page integrated windows authentication (only) is enabled and working.
In the new web page on IIS 8.5 I tried all kind of settings but none seem to do the trick.
Found out that actually the authentication itself is working.
This link was very helpful finding this out:
https://forums.asp.net/t/1179997.aspx?Get+Username+for+logged+in+user
But the user name gets lost in a different way. I will close this question and post another one.
We're setting up an ASP.NET 4.0 website on Windows Server 2008. The site uses Integrated Windows Authentication for authentication. (It does not use ASP.NET authentication or authorization.)
In IIS, we have only Windows Authentication enabled.
When we browse to the site using localhost as the host header, the site works fine. When we browse to it using the FQDN, the site prompts for username/password but doesn't accept the validly entered credentials.
Some items to note:
IE does have Integrated Windows Authentication enabled
The site with FQDN is entered in the Intranet zone in IE
We've tried adding the site to the Trusted sites to no avail
We did change the Identity on the AppPool from ApplicationPoolIndentity to Network Service with no success
We verified that IUSR has read and execute access to the directory and files
We've set NTAuthenticationProviders to both "NTLM" and "Negotiate,NTLM"
What are we missing?
Thanks.
We were informed finally that the server is not on the same domain as we had been led to believe so it couldn't authenticate against Active Directory. (We had been testing with a local account.)
I have been trying to implement a webDAV connection on an existing IIS ASP.NET web site. This issue surrounds permissions and connectivity when "Enable anonymous access" is unchecked and disabled.
I have tried every combination available. The server is w2k3 Web Edition, no AD, IIS6, so "Digest authentication for Windows domain servers" is not an option in the Authenticated Access section of Authentication Methods of the Virtual Directory I am sharing in the web site.
I have read about and tested the Registry Edit of the following key, \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\services\WebClient\Parameters\BasicAuthLevel
and change the value to 2
agianst each possible authentication method. It seems to disable connectivity more then helping.
I am trying to map a path to a virtual directory on the web server, a function of the webDAV protocol, works great if anonymous access is enabled, but obviously can not be for this project.
I would like to at least get the Windows Authentication to work and disbale Anonymous Access.
I have been testing this on both a development server and production server and the behavior is consistent. On a Win7 OS I can not get the Windows Authentication dialog box to appear.
A few tests on XP, the box appeared but would not authenticate, but this may have been related to other config issues.
I have also tested with Permissions to the Everyone group just to see if I can connect.
Any further suggestions would be appreciated.
UPDATE: I found this article that explains a portion of the problem and work around though not entirely fitting for the issue explained above.
http://support.microsoft.com/kb/943280/en-us
Try adding permissions for Network_services and the IIS User on that box. that has always gotten me over the permissions issues I have faced. You need to add these from within IIS as at least with IIS 7 it seems to over rule the permissions from windows explorer. Not sure if IIS 6 does the same but I just do it by default now.
UPDATE: I found this article that explains a portion of the problem and work around though not entirely fitting for the issue explained above. http://support.microsoft.com/kb/943280/en-us
Newly installed IIS on a clean windows Server 2008 R2. Installed all security option. Then for the default web site authentication, enabled windows authentication and disabled all others. Then when access the default page iisstart.htm, it should give me a popup for authentication message.
but when I access the test page like: http://localhost/iisstart.htm, there is no popup. same as enabled Anonymous Authentication.
How to fix it?
I think your webservice is accessing files via your app pool identity, remove this user from the security access list on the file.
If you go to "localhost", then IE will see this as part of the "Intranet Zone". In the "Intranet Zone", IE will by default automatically send your current credentials to sites that use "Windows Authentication".
The result is that everything is probably working correctly.
First of all make sure you check if the app pool user can access the files of the website (NTFS security settings). See: IIS7 Permissions Overview - ApplicationPoolIdentity
After that (and double checking that only Windows Authentication is enabled in IIS) take into account that your URL must not contain dots! You can make an extra binding (see: https://technet.microsoft.com/en-us/library/cc731692(v=ws.10).aspx) that contains only letters and numbers and then add that binding to your local hosts file (open a text editor as administrator and then edit the file hosts in C:\Windows\System32\drivers\etc) to check.
Can you please post a small explanation of the prerequisites of using Windows Authentication?
I know that you have to turn Windows Authentication on from web.config or IIS and define domain.
Does the web server have to be connected to the Active Directory server or not, and how to get user info from Active Directory like name and description?
You don't have to be on a domain. The local server user accounts can be used with windows authentication. If the machine is on a domain, then either AD users OR local users can be used with windows authentication.
The minimum that has to be in place to use windows authentication in asp.net is that IIS has to have Windows Authentication enabled for the web site. IIS can still have other authentications enabled for the site too, even anonymous authentication can be used in conjunction with windows auth... as long as windows authentication is enabled also asp.net can use it.
Otherwise, your question is too broad for a good answer here. Authentication in asp.net is a very big topic; and when you add AD to the mix it gets bigger. I recommend checking out the MSDN documentation, reading through it, experimenting with it, then coming back here with more specific questions.