I have a Blazor Server Side application which uses windows authentication. This works fine and I can see the correct user logged in.
But when I try to access another api which is internal to our network, it authenticates on the api as the AppPool user instead.
How would I be able to access the api resource as the logged in windows user and not as the App Pool user?
I had the same problem (Blazor Server App) and all it took was to change a little the ConfigureServices in Startup.cs:
From:
services.AddAuthentication();
To:
services.AddAuthentication(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme);
Related
I implemented OpenIddict with ASP.NET Identity as a separate auth server and I use the client credentials and password flows. I also have a web api project as the resource server.
The resource server is deployed in IIS and needs to authenticate domain users as well as end users. All controllers have the [Authorize] attribute and the actions have a custom authentication filter inheriting from ActionFilterAttribute with which I check for permissions against the db. The resource server has integrated windows authentication.
Currently at this stage of the development I cannot use ADFS or AAD.
Domain users access the resource server using a Winforms app in which they pass their network credentials. End users have websites and native apps and will/should use password flow to get an access token.
So, my question is:
Should I have an endpoint with [Authorize] in the auth server with which the domain users can authenticate with? In this case I would also need to use integrated windows authentication (which I'd rather like to avoid).
And once the domain user is authenticated, should I use the client credentials flow to acquire an access token? Domain users do not need to be saved in ASP.NET Identity. End users will use password flow.
Is this the correct way to handle both Windows Authenication and OpenId?
I've created an OpenID Connect identity provider using ASP.NET Core and IdentityServer4 and published it to Azure. I can authenticate with the provider using an MVC app that's hosted on my Azure VM, however, when I try to run the same app and access my provider from my local PC I run in to a 404 error. My provider website partially displays and looking at the traffic in MS Edge, my client app is successfully authorized via the authorize endpoint. CORS is also enabled for my client app with a record in ClientCorsOrigins. Looking for any ideas on how to get past the 404 and to the login screen for my identity provider.
Is your IdentityServer really available and reachable outside Azure?
I have a WebAPI that I have successfully secured with Azure AD. When I run it locally (through Visual Studio), trying to access the WebAPI end point via a browser gives me
Authorization has been denied for this request.
Which is what I would expect. Accessing the WebAPI through a client with ADAL library works as it should. A forms login screen pops up, and authenticates me and passes back a token, which I can then use in my WebAPI requests.
Something I wouldn't expect happens if I deploy the WebAPI to an IIS server, and have Windows Authentication enabled for the site. When I try to hit it the IIS WebAPI end point through a browser, I get a Windows Authentication prompt. If I successfully authenticate the Windows Authentication, the WebAPI serves the response.
I guess I would expect that the WebAPI would return the same "Authorization has been denied for this request". Windows Authentication shouldn't authenticate me to the WebAPI if I've configured the WebAPI to use Azure AD authentication.
My question is, is this expected behaviour, and if so, why?
I can see from one perspective that the WebAPI can accept authentication from any method that I've configured. But part of me thinks that since the Azure AD authentication is configured in the WebAPI application, and not IIS, it should take precedence.
I am developing a intranet web application using ASP.NET MVC 4 that uses Windows-Authentication. I have integrated SharpSVN to do some SVN interactions and initially I was planning to use the username and the password from Windows Authentication, to authenticate the user on SVN, but as I found out, you can't get the password of the user when using Windows Authentication.
So is there any way to achieve this? To make SharpSVN use the Windows Authentication from the ASP.NET?
Thank you.
Look into identity inpersonation this will let you run each windows authenticated user in a thread under that user account. This will mean, that your clients must use machines that belong to the same AD domain as the Web server and as the SVN server.
I am getting window authentication window popup on some of my views in mvc4. It works fine when I host it on local server. But when I upload my code to my hosting server, all the views works fine except some views.
I am using form authentication in my application. And the views which given me such popups their controller class define with [Authorize] attribute. Is it an issue with IIS on hosted server or something else?
This is the popup message:
I suspect that you have Integrated Windows Authentication or Basic Authentication configured in IIS for your website or application (depending on how you are hosting it). Make sure you disable it and enable anonymous access to the website if you want to use Forms Authentication.
Open IIS Manager and navigate to your website or application.
In Features View, double-click Authentication.
On the Authentication page, disable Windows authentication and enable Anonymous authentication.