I Have to different servers one for web api and the other is for push notifications(signalR). I am hosting both on iis7, both are working fine independently but when the api is trying to connect to the push server (as a signalrClient) I get 401 Unauthorized response. Both the api and the push are running by the same user, both have kerberos authentication.
When I allow anonymuse in my push server it works perfectly. Unfortentally it can't be anonymose.
Thak you
Enable Windows authentication, Impersonation and disable rest in both the app.
here is the web.config code:
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true" />
</system.web>
Related
My website has Windows Authentication enabled with Negotiate provider listed first as I want to use Kerberos for delegating. It works fine when I run the website from a browser on the web server itself. When I use IE from another machine in the domain, I get the login box. After 3 tries I get a HTTP 401.2 error: Unauthorized.
I've made sure the domain account used by the Application Pool has Read and Execute rights to the website folder, and so does the domain account I'm logging in under when hitting the website (and I've also thrown in 'Authenticated Users' for good measure).
Interestingly if I try to access the site using the web server's IP instead of the name, it loads fine.
Anyone have thoughts?
One year after my first encountering this problem I've solved it.
Got the tip from http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx
Need to set useAppPoolCredentials="true" on the windowsAuthentication element in applicationHost.config (can set via IIS Manager)
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<clear />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
The reason you're getting a 401.2 when using a DNS name is most likely due to the fact register the name you're using as a service principle name (SPN) in AD.
Here's a couple of links that should help you out:
Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Register a Service Principal Name for Kerberos Connections:
http://technet.microsoft.com/en-us/library/ms191153.aspx
I have the following structure for my web application:
In my root web config, not in the Areas/Admin/Web.Config I have the following:
<location path="Areas/Admin">
<system.web>
<authentication mode="Windows"></authentication>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have my own authentication working on the main root of the web site no problems by using the [Authorize] tag.
Now for the Areas/Admin I'd like to use Windows Authentication.
In IIS (Server 2008 R2 Machine), I have the Admin folder configured as an application:
And when I click on Areas/Admin in IIS, under Authentication, I have Anonymous disabled, and Windows Authentication Enabled.
However, when I attempt to access this folder via the web site, it does not prompt me for my domain username/password. It just loads up the page.
If I go to www.website.com/Areas/Admin, it then prompts me for the username/password. But I need it to use the AreaRegistration, and have it prompt when I go to www.website.com/Admin.
I've been able to configure an entire site as Windows Authentication, and that works like a charm.
Any thought to lead me in the right direction? Or, if you need more information, please leave me a comment and I will be more than happy to give you what I can.
From doing research, I found that the only way to make this work, is to create a 2nd "admin" site which runs as an application under the main site. Doing so, allowed me to setup permissions on that site.
I have a developed a Restful webservice using Asp.net WebAPI and used the windows authentication in the web.config file. This WebService is called by inhouse windows application in the internal network. Now the problem is when i send the request from
the IE browser to the webService it authentication and authorization works fine.
but when i send the request through the Widows application the user are not authenticated.
scenario :
When i use below config, The Request from the webbrowser is authenticated correctly, But request from windows application are not authenticated even if users are in correct AD group with correct roles.
<authentication mode="Windows"/>
<authorization>
<allow roles = "someGroup1"/>
<allow roles = "Somegroup2"/>
<deny users="*" />
</authorization>
what could be the problem please provide any suggestion.
I found out the problem, The windows client was not sending the User Information to the Webhost so the authentication and Authorization was failing. Since I was using NTML Authentication, so to resolve this issue i had to add a Authenticator to the restClient as below:
var client = new RestClient();
client.BaseUrl = ServiceUrl;
client.RemoveHandler("application/json");
client.RemoveHandler("text/json");
**client.Authenticator = new NtlmAuthenticator();**
I have an MVC3 Intranet app that uses Windows authentication. I'm now using a third party service that will make notification calls to my app. I've already created a listener for these API calls but not sure how I can allow anonymous access to that single view in my app.
My IIS7 settings are as follows:
Anonymous - Enabled <---------- Use Domain User
ASP.NET Impersonation - Disabled
Basic Authentication - Disabled
Digest Authentication - Disabled
Forms Authentication - Disabled
Windows Authentication - Enabled - HTTP 401 Challange
Additionally, in my web.config file, authentication mode is set to Windows.
With that said, is there a way to allow anonymous access to a single view in my MVC app?
Where path is your end url, add this your web.config.
<location path="MyController/MyAction">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Or decorate the action with AllowAnonymousAttibute http://msdn.microsoft.com/en-us/library/system.web.http.allowanonymousattribute(v=vs.108).aspx.
Since we moved from IIS 7.0 to IIS 7.5 the Windows Authentication doesn't work anymore from remote requests. If I open the website on the webserver everything works fine.
web.config:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
IIS Settings:
Authentication (enabled): ASP.NET Impersonation, Windows Authentication (all others are disabled)
ApplicationPool: Managed Pipeline Mode -> Classic, Identity -> ApplicationPoolIdentity
Failed Request Trace:
MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName: WindowsAuthenticationModule
Notification: 2
HttpStatus: 401
HttpReason: Unauthorized
HttpSubStatus: 1
ErrorCode: 2148074254
ConfigExceptionInfo:
Notification: AUTHENTICATE_REQUEST
ErrorCode No credentials are available in the security package (0x8009030e)
Any suggestions?
We had a two-hop problem I think. If I move our SQL/Oracle DB to the server which is running IIS it works.
So here is an article to which describes a solution.
How to configure SQL and IIS for two hop kerberos authentication 2
or
SSRS Reportviewer ASP.NET Credentials 401 Exception
Thanks
Which client are you using? you might be running a client that is trying to pre-authenticate, but in IIS 7 we use Kernel Mode authentication by default which requires a challenge. If that is the case you can disable Kernel Mode auth by selecting the Windows Authentication entry and clicking Advanced Settings, you should see a checkbox that allows you to Disable that for the specific application and it should work if this is the problem.