I have a .NET 6 application (asp mvc) running under IIS 10 on Windows 2016 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other security types disabled and my application web.config file authentication/authorization is set up as:
***<system.web>
<authenticationmode="Windows"/>
<authorization>
<deny users = "?" />
</authorization>
</system.web>***
With this setup, I'm expecting behind the scene verification of the Windows user to allow access and deny anonymous users. However, what I'm getting is a Windows login pop-up when I try to access the site.
I really appreciate any help anyone can provide so that I'm still using only windows authentication but don't get the pop-up and the windows authentication is performed against the actual Windows user.
Related
Assumptions:
Client is a Web application (ASP.NET) configured for STS Passive Issue
Server is a MVC Application with 2 services (1. Issues a token and other gets metadata)
Server on the other hand configured for Forms authentication and should redirect to Login page if unauthenticated access is made.
Workflow:
end user tries to load client.
It contact the STS by redirecting to the STS server.
The server is configured with Forms authentication with a redirect URL.
But Server does not redirect to login page. instead it allows to call the Issue end point.
I tried to restrict via authorization tag in web.config. Also, i tried location tag to set authorization explicitly. But it still allows the call.
i referred many blogs
How to: Enable the WCF Authentication Service
How to: Customize User Login When Using the WCF Authentication Service
But no luck.
This is easy to achieve with ADFS. Use the following steps if ADFS is your STS:
Navigate to the folder where ADFS web application is located (normally C:\inetpub\adfs\ls)
Make a copy of the current web.config for safety
Open web.config in notepad
Locate
In , change the order of authentication to assure that it lists Forms Authentication first
The order must look like this:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
Save the changes (you do not need to restart ADFS)
Navigate to your application and click on Login. Instead of sending the login request to ADFS, a page containing a login dialog will pop up. Please enter your credential and click ok. Then, you will get the same result as above.
Reference articles:
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part I
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part II
I have a web site that works fine with Chrome and FF but chokes on IE 10 and 11.
I have googled the issue but can't find a solution that fixes this problem. I checked the serve event logs, IIS log, set compatibility mode on, nothinf fixes it. I keep getting:
"Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. "
I checked IIS and it does allow script access, Keep Alive is checked, not using jQuery, ...
I am using form authentication (against AD) and have the following in web.config:
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="Account/Login.aspx" timeout="15"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Any other ideas on how to tackle this is appreciated.
I don't think this is a one size fit solution but for my settings this worked:
I removed <deny users="?"> and it works in IE. In IIS Directory Security, under Authentication and Access Control, I had enabled "Enable Anonymous Access", using a Windows user account and password (with access to AD). I needed that to authenticate users against AD using forms authentication. It might be a conflict (at least in IE's point of view) between in web.config and "Enable Anonymous Access" in IIS.
HI all I am developing a web API that will be using identity impersonation (using always the same functional identity valid in my domain) to check the status of configuration files of some servers. To do that, I add this to my web.config file
I also set my IIS server to neglate anonymous authentication and accept windows authentication for web service. However when I try to access the status of the files from a browser I noticed that the API is still using NT AUTHORITY\NETWORK SERVICE as the user and, of course, the access to the remote files is denied. Does anyone have an idea of what am I missing?
Thanks
My fault, forgot to set the Authentication mode to Windows in web.config
I use ReportViewer web server control on a web page. The goal is to have a page that will allow anonymous access. I'm creating a dummy FormsAuthentication cookie that expires in 5 seconds and try to call the report. I also derive from IReportServerCredential and pass in Domain administrator's credentials to the report server. Weird thing is that this approach works fine if i run the web site on VS 2008 and access it from Firefox or IE. I get reports to display. I am also able to host the web site on my Dev box in IIS and view the report in both FF and IE. But as soon as i deploy the web site to production box, I can no longer view reports on IE, but still can on FF. Reports are shown both in IE and FF if a user logs in and opens the page afterward. Web Server and Report Server are two different machines on the same network, same domain. IIS on the production box has impersonation enablet to impersonate domain admin. IIS on both, Dev and Prod boxes has correct http handler mapped for report cpontrol .axd
Any thoughts and suggestions are welcome. Thanks
After closely examining the request in Fiddler it appeared that Reserved.ReportViewerWebControl.axd was treated as a separate physical file by IE and it couldn't access it due to permissions. After adding
<location path="Reserved.ReportViewerWebControl.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
to web config, it worked
i've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup model box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)/
Now, with IIS7, when i turn Anon Auth off, and turn on Basic or Windows Auth, i get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.
does that make sense?
cheers!
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
</forms>
</authentication>
there is no authorization section.
also, when i add 'Digest Auth' to iis7 and enable that (and disable everythign else), i get the pop up window (kewl!) but i'm not sure what credentials i need to pass in. Where can i define those credentials manually (so they are seperate from the website's users) ??
IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.