Checklist for IIS 6/ASP.NET Windows Authentication? - asp.net

I've been having trouble getting my ASP.NET application to automatically log users into the Intranet site I'm building. No matter the googling or the experimentation I applied, there is always a login box displayed by IE7.
I've got Windows authentication mode set in the Web.config, disabled anonymous access and configured the correct default domain in IIS, but it's still asking the user to log in and, more annoyingly, the user is required to provide the domain too (DOMAIN\auser), which is causing problems with non-technical visitors. Thank Zeus for password remembering functionality.
I'm not the network administrator so it's possible that something about Active Directory is set up incorrectly, or it could just be me missing something very simple. Please note that I don't want to impersonate the user, I just need to know that the IPrincipal.Name property matches that of a valid record in my user database, hence authenticating the user to my application.
To this end, it would be very useful to have a checklist of all configuration requirements for AD, ASP.NET and IIS to work together in this manner as a reference for debugging and hopefully reducing some user friction.

It sounds like you've covered all the server-side bases--maybe it's a client issue? I assume your users have integrated authentication enabled in IE7? (Tools -> Internet Options -> Advanced -> Security). This is enabled by default.
Also, is your site correctly recognized by IE7 as being in the Local Intranet zone? The IE7 default is to allow automatic logon only in that zone, so users would be prompted if IE thinks your site is on the internet. I believe using a hostname with a dot in it causes IE to place the site into the Internet zone.

Open Active Directory Users and Computers MMC snap in
Expand computers section from TreeView (left side)
Check if the computer is registered in your domain.
Also, you have to login with a domain account on that computer, otherwise that authentication box will be shown.

In IIS, enable annonymous access and allow the web.config to handle user authentication.

Related

What's causing "Windows Security" login prompt to occur for just one user?

Details:
ASP.NET webforms
.NET 4.0
Windows Authentication
IIS 6
Windows Server 2003 SP2
Only one user is having an issue connecting to this one virtual directory. He says he sees this login form in IE, Chrome, and Firefox. He uses his Windows credentials and is unable to login. He is able to access other websites hosted in other virtual directories on the same domain. No others are experiencing this issue. He says he was able to access the site just fine a few weeks ago. What could be causing this dialog box to appear for just this user for just this site no matter what browser he's using?
Since it's all of the user's web browsers, this points to something with the user's permissions on the server for that particular website.
If it worked before as the user states, perhaps you can ask your server admins if anything was changed regarding user permissions on the server a few weeks ago.
Another path to go down would be to see if the user (or desktop admins) has installed any software on his/her machine that would disallow or alter Windows authentication in the browser for this site. This is far more unlikely than a simple user permissions issue on the server since he/she can still access other protected websites with Windows authentication, but it might be worth asking about if you've run out of options.
Yet another unlikely possibility would be a rule change on the user's network's firewall that would somehow disallow this user's IP address and Windows authentication to this website. Again, super unlikely, but I wanted to cover the bases here.

Access denied to Temporary ASP.NET Files folder after iisreset when browsing site using the server's own Internet Explorer

Configuration:
Windows Server 2008 R2/IIS 7.5
ASP.NET web application using Windows Integrated Authentication. Application pool identity is set to NetworkService. Targeting .NET Framework 2.0. Managed Pipeline mode = Classic.
Full permissions granted to the Temporary ASP.NET Files folder for the Users group and the Internet Guest Account
Logged into server as a test user account (let's call it testuser) which is a member of the Administrators group
User Account Control is on
Internet Enhanced Security is off
Internet Explorer is using all the default security settings and all Compatibility View settings are off
Now I do the following:
iisreset.exe
clear Temporary ASP.NET Files folder
open Internet Explorer
browse to the local ASP.NET web site => success
close Internet Explorer
iisreset.exe
open Internet Explorer
browse to the local ASP.NET web site => FAIL
So far, I have found a few things I can do to keep the site working after an iisreset.exe (each of these work individually, i.e. they do not have to be combined):
Turn off User Account Control
Log in as the Administrator
Run Internet Explorer "As Administrator..." (instead of defaulting to the testuser account)
Use Google Chrome or Mozilla Firefox instead of Internet Explorer(?!?) Those two browsers do not have to be run using the Administrator account but work perfectly well running under the user account and with User Account Control turned on.
Browse the site using an Internet Explorer instance running on an external machine
This problem does not exist on Windows Server 2003. It would appear to be related to User Account Control somehow.
It makes no difference if the user is a member of the Administrators group or not.
Using Process Monitor, it would appear that the access denied problem happens when NetworkService (w3wp.exe) is impersonating the user, but given all the permissions granted to the Temporary ASP.NET Files folder, this still does not make much sense.
The question is:
Why does this only occur with the local Internet Explorer browser, running as a non-administrator user? I would like to use the local Internet Explorer browser for testing, but having to clear the Temporary ASP.NET Files folder after an iisreset is annoying.
What makes Internet Explorer different from Chrome or Firefox (which both work) in this scenario? I could understand if this was something that affected all local browsers, but this is not the case.
I could understand if my web application was doing something special when detecting that Internet Explorer is being used as the client browser, but I do not believe that to be the case and we are talking about an assembly binding failure here - I am not trying to access some arbitrary folder.
EDIT:
The tests above were done using Internet Explorer 8. I have since tried Internet Explorer 9 on the same machine, but with the same results.
If I enable ASP.NET Impersonation for the web site, the problem goes away - but I still would like to know why it does not work for a local Internet Explorer when ASP.NET Impersonation is disabled.
EDIT 2:
What I failed to mention the first time around is that logging in is a two-step process: When accessing the application (let's call it "MyWebApp"), you are redirected to a MyWebApp/Login directory where you will be prompted for your Windows credentials before granted access to the login page residing in that Login directory.
This always works.
After entering your application credentials (in case the code in the login page does not recognize your Windows credentials), you are redirected to a page in the root folder.
The Authentication settings for MyWebApp and MyWebApp/Login are as follows:
MyWebApp MyWebApp/Login
-------- --------------
Anonymous Authentication Enabled Disabled
ASP.NET Impersonation Disabled Enabled
Basic Authentication Disabled Disabled
Digest Authentication Disabled Disabled
Forms Authentication Enabled Enabled
Windows Authentication Enabled Enabled
In both cases, I am getting the "Challenge-based and login redirect-based authentication cannot be used simultaneously" warning.
These settings date back to before I got involved with the project, but that is besides the point. Right now I am only interested in what it takes to get it right - preferably a set of settings that will work for IIS 6.0 and 7.x alike.
Setting ASP.NET Impersonation = Disabled for "MyWebApp/Login" appears to be another way of making my problem go away, but clearly there is more to be done here.
The issue is almost certainly related to Internet Explorer using Windows authentication rather than Basic Authentication (what you'd likely get with FF or Chrome). The combination of Windows authentication and ASP.NET impersonation. If you enable NTLM authentication in Firefox, you will likely see the same behavior there. Likewise, disabling Windows authentication (forcing IE to use basic) or disabling impersonation will likely cause IE to behave like Firefox.
I cannot imagine that browsers have anything to do with it, but if you experienced differences, it must be true.
For ASP.NET to be able to compile an ASPX file, 2 things are imported (as we found out today:
Write access to the ASP.NET Temporary files dir (where the compiled DLL is written)
Write access to the Windows TEMP (where csc.exe writes intermediate files like *.obj)
Which user should have acces there? Depends. In our case the Application Pool user. In your case maybe the impersonated user. Or the IUSR. To me, that part is still obscure.

Receiving login prompt using integrated windows authentication

I have a .NET 3.5 application running under IIS 7 on Windows 2003 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other security types disabled and my application web.config file authentication/authorization is set up as:
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="3.5" />
<authenticationmode="Windows"/>
<authorization>
<deny users = "?" />
</authorization>
</system.web>
With this setup, I'm expecting behind the scene verification of the Windows user to allow access and deny anonymous users. However, what I'm getting is a Windows login pop-up when I try to access the site.
I have been troubleshooting this issue for a few days now and cannot figure out the problem. Based on posts with similar problems, I confirmed my URL does not include any periods, double checked that my IE settings are set to Enable Integrated Windows Authentication, and also added my URL to my intranet sites, but still getting the pop-up.
To troubleshoot it further, I enabled Anonymous Authentication in IIS and modified my web.config file to which lets me right in and then added Response.Write(System.Security.Principal.WindowsIdentifity.getcurrent().user.name.toString()) to try to see what user is being used in the authentication. The result I'm getting is IIS APPPOOL\myapp which is obviously the IIS application pool for my application.
I really appreciate any help anyone can provide so that I'm still using only windows authentication but don't get the pop-up and the windows authentication is performed against the actual Windows user.
Thanks.
Additional note after troubleshooting further:
Just noticed that when the login fails and the Windows login prompt displays again, it is showing the username that attempted to login as "SERVERNAME"\"USERNAME" which led me to believe it was trying to validate the user against the server vs. the domain. To confirm this, I created a local user account directly on the app server with the same username and password as the network domain user and tried to login again. The result was that I received the login prompt again but when I entered the username and password this time, I was able to successfully login. The network user and app server are on the same domain so really not sure why IIS authentication is pointing to the local app server accounts and not to the domain accounts. I realize this is an IIS question at this point so posting on forums.iis.net as well but appreciate any advice anyone may have since have been troubleshooting this for days.
I have a Windows 2008 server that I'm working on, so my answer is not completely the same as what the OP has on a Windows 2003 server.
Here is what I did (recording this here so I can find it later).
I was having this same issue:
In my Web.config file, I had this section:
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
</system.web>
Under IIS, all of these seems to be solved under the Authentication icon.
Edit Permissions: Make sure your ASP.NET account has permission. Mine was not originally added.
Now go into the features of Authentication:
Enable Anonymous Authentication with the IUSR:
Enable Windows Authentication, then Right-Click to set the Providers.
NTLM needs to be FIRST!
Next, check that under Advanced Settings... the Extended Protection is Accept and Enable Kernel-mode authentication is CHECKED:
Once I did this, I went back to my web application, clicked the Browse link, and logged in without having to provide my credentials again.
I hope this proves beneficial to many of you, and I hope it is useful for me later as well.
Just for other people's benefit. If the error is a 401.1 Unauthorized and your error code matches 0xc000006d, then you're actually running into to a security "feature" that blocks requests to FQDN or custom host headers that don't match your local machine name:
Follow this support article to fix the issue:
https://webconnection.west-wind.com/docs/_4gi0ql5jb.htm (original, now defunct: http://support.microsoft.com/kb/896861)
From the support article, to ensure it doesn't get lost:
The work around is a registry hack that disables this policy
explicitly.
To perform this
configuration manually find this key in the registry on the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
and edit or add a new key:
DisableLoopbackCheck (DWORD)
then sent the value to 1 to disable the loopback check (local
authentication works), or to 0 (local authentication is not allowed).
Or more easily you can use Powershell:
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name
"DisableLoopbackCheck" -Value "1" -PropertyType dword
It looks like
recent builds of Windows 10 (1803 and later?) also require this
configuration setting in order to authenticate locally.
This one took me awhile because everyone else's comments here failed to help me. I found this article and it fixed it!
I had a similar issue whereby I wanted to protect only a certain part of my website. Everything worked well except in IE. I have both Anonymous and Windows Authentication enabled.
For Anonymous, the Identity is set to the Application Pool identity. The problem was with the Windows Authentication. After some digging around I fired up fiddler and found that it was using Kerberos as the provider (actually it is set to Negotiate by default). I switched it to NTLM and that fixed it.
HTH
Daudi
Add permission [Domain Users] to your web security.
Right click on your site in IIS under the Sites folder
Click Edit Permissions...
Select the Security tab
Under the Group or usernames section click the Edit... button
In the Permissions pop up, under the Group or user names click Add...
Enter [Domain Users] in the object names to select text area and click OK to apply the change
Click OK to close the Permissions pop up
Click OK to close the Properties pop up and apply your new settings
If your URL has dots in the domain name, IE will treat it like it's an internet address and not local. You have at least two options:
Get an alias to use in the URL to replace server.domain. For example, myapp.
Follow the steps below on your computer.
Go to the site and cancel the login dialog. Let this happen:
In IE’s settings:
Don't create mistakes on your server by changing everything. If you have windows prompt to logon when using Windows Authentication on 2008 R2, just go to Providers and move UP NTLM for each your application.
When Negotiate is first one in the list, Windows Authentication can stop to work property for specific application on 2008 R2 and you can be prompted to enter username and password than never work. That sometime happens when you made an update of your application. Just be sure than NTLM is first on the list and you will never see this problem again.
This fixed it for me.
My Server and Client Pc is Windows 7 and are in same domain
in iis7.5-enable the windows authentication for your Intranet(disable all other authentication.. also No need mention windows authentication in web.config file
then go to the Client PC .. IE8 or 9- Tools-internet Options-Security-Local Intranet-Sites-advanced-Add your site(take off the "require server verfi..." ticketmark..no need
IE8 or 9- Tools-internet Options-Security-Local Intranet-Custom level-userauthentication-logon-select automatic logon with current username and password
save this settings..you are done.. No more prompting for username and password.
Make sure , since your client pc is part of domain, you have to have a GPO for this settings,.. orelse this setting will revert back when user login into windows next time
WindowsIdentity.GetCurrent is correct: you should get the APPPOOL user. This is because the ASP.NET process, which is executing your code, is the current identity. If you want it to return the user hitting the site's identity, you'll need to add the following line in your web.config:
<identity impersonate="true" />
This causes the process to assume the identity of the user requesting the page. All actions will be performed on their behalf, so any attempts to read folders on the network or access database resources and the like will mean the current user will need permissions to those things. You can read more about impersonation here. Note that depending on how your web/database server topology is set up, you may run into delegation issues with impersonation turned on.
But your original issue is that it appears the identity cannot be determined and you're getting a login popup. I'll note that you do not need the <deny> block if you have disabled anonymous authentication in IIS. We never include it (except in special <location> blocks and such) so I would say you might try removing it and trying again. Everything else sounds right, though.
You didn't specify what user is running the application pool in IIS. Is it a custom account or is it the default one? If it is custom, is it a domain account or a local account on the web server? Custom accounts can sometimes require a few more steps, such as registering a SPN. Also, it may be a problem with the custom account not having permission in AD for resolving the incoming user's account.
You might also check the IIS logs to see what response is being returned. It'll most likely be a 401, but it should have a sub number after it like 401.2 or something. That sub-number can sometimes help determine the root problem. This KB article lists five.
Can be browser related. If you are using IE, you can go to Advanced Settings and check you the "Enable Windows Integrated Authentication" checkbox is checked.
In my case the authorization settings were not set up properly.
I had to
open the .NET Authorization Rules in IIS Manager
and remove the Deny Rule
In our Intranet the issue was solved on the client side by tweaking settings in security as shown here. Either of the check boxes on the right worked for us.
I just solved a similar problem with an ASP.Net application.
Symptoms:
I could log in to my app using a local user, but not a domain user, even if the machine was correctly joined to the domain (as you say in your Additional Note). In the Security event viewer, there was an event with ID=4625 "Domain sid inconsistent".
Solution:
I found the solution here. The problem was that my test machines where cloned virtual machines (Windows Server 2008 R2; one Domain Controller, and one web server). Both had the same machine SID, which apparently caused problems. Here is what I did:
Remove the web server from the domain.
Run c:\Windows\System32\Sysprep\Sysprep.exe in the VM.
Reboot the VM.
Join the web server to the domain.
You loose some settings in the process (user preferences, static IP, recreate the self-signed certificate), but now that I have recreated them, everything is working correctly.
I also had the same issue. Tried most of the things found on this and other forums.
Finally was successful after doing a little own RnD.
I went into IIS Settings and then into my website permission options added my Organizations Domain User Group.
Now as all my domain user have been granted the access to that website i did not encounter that issue.
Hope this helps
I tried the above IIS configuration tricks and loopback registry hack, and I reviewed and recreated app pool permissions and a dozen other things and still wasn't able to get rid of the authentication loop running on my development workstation with IIS Express or IIS 7.5, from a local or remote browsing session. I received four 401.2 status responses and a blank page. The exact same site deployed to my IIS 8.5 staging server works flawlessly.
Finally I noticed markup in the Response Body that was rendered blank by the browser contained the default page for a successful log in. I determined that Custom Error handling for ASP.NET and HTTP for the 401 error was preventing/interfering with Windows Authentication my workstation but not the staging server. I spent several hours fiddling with this, but as soon as I removed custom handling for just the 401 error, the workstation was back to normal. I present this as yet one another way to shoot your own foot.
I was having this issue on .net core 2 and after going through most suggestions from here it seems that we missed a setting on web.config
<aspNetCore processPath="dotnet" arguments=".\app.dll" forwardWindowsAuthToken="false" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
The correct setting was forwardWindowsAuthToken="true" that seems obvious now but when there are so many situations for same problem it's harder to pinpoint
Edit: i also found helpful the following Msdn article that goes through troubleshooting the issue.
Have you tried logging in with your domain prefix, e.g. DOMAIN\Username? IIS 6 defaults to using the host computer as the default domain so specifying the domain at logon may solve the problem.
add to registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa solved my problem.
Create the Local Security Authority host names that can be referenced in a NTLM authentication request.
To do this, follow these steps for all the nodes on the client computer:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
In the Name column, type BackConnectionHostNames, and then press
ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the CNAME or the DNS alias, that is used
for the local shares on the computer, and then click OK.
Note
Type each host name on a separate line. If the
BackConnectionHostNames registry entry exists as a REG_DWORD type,
you have to delete the BackConnectionHostNames registry entry. Exit
Registry Editor, and then restart the computer.
Source: Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: Access denied or No network provider accepted the given network path
For what it's worth, I did not need to restart after making the change on Windows Server 2019.
Windows authentication in IIS7.0 or IIS7.5 does not work with kerberos (provider=Negotiate)
when the application pool identity is ApplicationPoolIdentity
One has to use Network Service or another build-in account.
Another possibility is to use NTLM to get Windows Authenticatio to work (in Windows Authentication, Providers, put NTLM on top or remove negotiate)
chris van de vijver
I had the same problem cause the user (Identity) that I used in the application pool was not belowing to IIS_IUSRS group. Added the user to the group and everything work
In my case the solution was (on top of adjustments suggested above) to restart my/users' local development computer / IIS (hosting server).
My user has just been added to the newly created AD security group - and policy didn't apply to user AD account until I logged out/restarted my computer.
Hope this will help someone.
I encountered the same credential prompting issue, and did a quick search and nothing on the internet would fix it. It took some time to find the problem, a silly one.
In IIS -> Advance Setting -> Physical Path Credential (is empty)
As soon as i added a machine ID (domain/user) that has access to the VM/server, the password prompting would stop.
Hope this helps
I got the same issue and it was resolved by changing the Application pool identity of the application pool under which the web application is running to NetworkService

Browser pops up window asking for username/password with ASP.NET app

This application is using windows integrated authentication in IIS. No anonymous login.
It's also using an application pool defined to log on with a domain user.
If a try to browse any page, it pops up the username and password dialog box and even though I entered a valid user (including the domain administrator) it doesn't log on into the app. I keep getting the username/password dialog. If I logon locally (in the IIS box), it works OK.
Also, if I change the application pool to use Network Services, it works OK.
The domain user is already a member of the local IIS_WPG group in the IIS box.
Am I missing something here?
If you use a domain account for the Application Pool you have to run a series of scripts on the domain controller. So, apparently it's not recommended to use a domain account, rather a local server account. Microsoft has this issue documented on a case:
http://support.microsoft.com/default.aspx/kb/871179
I suspect the NTFS file persmissions on the .aspx files don't allow the users you are logging in as the needed access to read/execute them. What are the file permissions on the files you are trying to view? What do your authorization and authentication elements in web.config look like?
This sounds like it's related to the privilges assigned to the domain user. i.e. whether they, or indeed the server, are permitted to impersonate the user that is logging in. Or, something regarding "Trusted for delegation" in the server's settings in AD. Either way, you'll probably get a better response on serverfault =)
Try entering the same user of the appPool as the anonymous user (Web Site Security tab)
I had the same user/pwd Popup problem in Svr 2003.
I solved it by CHECKING ANONYMOUS ACCESS in directory security of DEFAULT WEB SITE.
It promps you if you want to also affect your sites you click OK.
That did it.

Temporarily granting elevated administrator privileges to ASP.NET code

We're trying to run a set of administrative tasks on the server via a web administration console. The console runs with impersonation as the currently logged-in user, and only administrators on the local machine are allowed to log in. Right now it works for most cases but we're having trouble when running under UAC.
The first issue is a blocker: it seems like admins do not get the "BUILTIN\Administrators" role even if they are an admin on the local box. This can prevent them from even getting into the admin console, since we're using the web.config <allow roles="BUILTIN\Administrators"> notation to specify security. I suspect that the only solutions here are to either run the ASP.NET app as SYSTEM, or to allow more users and do a more granular permissions check in code. Any other ideas? Is there any way to inject an elevation request into the built-in ASP.NET permissions check?
The other problem is that we want to run some commands that require administrator access. The user visiting the site is an administrator, and is correctly impersonated, but when we spawn a process it fails due to lack of administrator privileges. The clear answer is to elevate for the duration of that command. There are solutions that will let me temporarily elevate by impersonating a specific username and password, but I'd prefer not to have to ask the already-validated user for his password. Are there any tricks for elevating the current user?
(I can understand why the ASP.NET team might try to make this hard, so that web pages can't take invisible advantage of an administrator visiting the web site... but surely there must be some way to pro grammatically declare that your code needs full Administrator rights, appropriately warning the IIS admin of its intentions?)
There are a series of answers for Windows Forms apps, such as:
How to elevate privileges only when required?
and File.Exists returning false from a network share
but I'm hoping to find one that will work with ASP.NET...
Thanks
Steve
We were able to achieve a "higher" impersonation level from the user currently accessing the website by enabling the server for delegation in Active Directory. Per Microsoft, You can think of delegation as a more powerful form of impersonation, as it enables impersonation across a network. You may not need to go across the network, but it may resolve your security issues.
Here are a few resources on setting up delegation, hopefully this will help you.
Impersonation and Delegation
Impersonation and Delegation in ASP.NET
http://support.microsoft.com/kb/810572
http://msdn.microsoft.com/en-us/library/aa291350(v=vs.71).aspx (older article)
http://msdn.microsoft.com/en-us/library/ms998351#paght000023_delegation

Resources