I have a developed a Restful webservice using Asp.net WebAPI and used the windows authentication in the web.config file. This WebService is called by inhouse windows application in the internal network. Now the problem is when i send the request from
the IE browser to the webService it authentication and authorization works fine.
but when i send the request through the Widows application the user are not authenticated.
scenario :
When i use below config, The Request from the webbrowser is authenticated correctly, But request from windows application are not authenticated even if users are in correct AD group with correct roles.
<authentication mode="Windows"/>
<authorization>
<allow roles = "someGroup1"/>
<allow roles = "Somegroup2"/>
<deny users="*" />
</authorization>
what could be the problem please provide any suggestion.
I found out the problem, The windows client was not sending the User Information to the Webhost so the authentication and Authorization was failing. Since I was using NTML Authentication, so to resolve this issue i had to add a Authenticator to the restClient as below:
var client = new RestClient();
client.BaseUrl = ServiceUrl;
client.RemoveHandler("application/json");
client.RemoveHandler("text/json");
**client.Authenticator = new NtlmAuthenticator();**
Related
I Have to different servers one for web api and the other is for push notifications(signalR). I am hosting both on iis7, both are working fine independently but when the api is trying to connect to the push server (as a signalrClient) I get 401 Unauthorized response. Both the api and the push are running by the same user, both have kerberos authentication.
When I allow anonymuse in my push server it works perfectly. Unfortentally it can't be anonymose.
Thak you
Enable Windows authentication, Impersonation and disable rest in both the app.
here is the web.config code:
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true" />
</system.web>
I have the following structure for my web application:
In my root web config, not in the Areas/Admin/Web.Config I have the following:
<location path="Areas/Admin">
<system.web>
<authentication mode="Windows"></authentication>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have my own authentication working on the main root of the web site no problems by using the [Authorize] tag.
Now for the Areas/Admin I'd like to use Windows Authentication.
In IIS (Server 2008 R2 Machine), I have the Admin folder configured as an application:
And when I click on Areas/Admin in IIS, under Authentication, I have Anonymous disabled, and Windows Authentication Enabled.
However, when I attempt to access this folder via the web site, it does not prompt me for my domain username/password. It just loads up the page.
If I go to www.website.com/Areas/Admin, it then prompts me for the username/password. But I need it to use the AreaRegistration, and have it prompt when I go to www.website.com/Admin.
I've been able to configure an entire site as Windows Authentication, and that works like a charm.
Any thought to lead me in the right direction? Or, if you need more information, please leave me a comment and I will be more than happy to give you what I can.
From doing research, I found that the only way to make this work, is to create a 2nd "admin" site which runs as an application under the main site. Doing so, allowed me to setup permissions on that site.
I have an MVC3 Intranet app that uses Windows authentication. I'm now using a third party service that will make notification calls to my app. I've already created a listener for these API calls but not sure how I can allow anonymous access to that single view in my app.
My IIS7 settings are as follows:
Anonymous - Enabled <---------- Use Domain User
ASP.NET Impersonation - Disabled
Basic Authentication - Disabled
Digest Authentication - Disabled
Forms Authentication - Disabled
Windows Authentication - Enabled - HTTP 401 Challange
Additionally, in my web.config file, authentication mode is set to Windows.
With that said, is there a way to allow anonymous access to a single view in my MVC app?
Where path is your end url, add this your web.config.
<location path="MyController/MyAction">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Or decorate the action with AllowAnonymousAttibute http://msdn.microsoft.com/en-us/library/system.web.http.allowanonymousattribute(v=vs.108).aspx.
I have an ASP.NET MVC 3 application with a self hosted ServiceStack API that provides the data. After I added the API location path in Web.Config the API is callable by my code and works well:
<location path="api">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
The problem I have is that when the application is running the API is accessible via the browser - I can simply type http:\localhost:xxxx\api into the browser. What would be a good approach to restricting access to my self hosted API so that I can continue to call it within the MVC 3 application but prevent users from accessing the API via the browser?
Note that at some point in the future I will want to expose some areas of the API to make them publicly accessible.
Note: the Authorization and Authentication support built-into ServiceStack is independent and decoupled from ASP.NET's Authentication.
You can generically restrict access to all your services by inheriting from a base class which contains one or more of:
[Authenticate] - Only allow access to Authenticated users
[RequiredRole] - Only allow access to users in the specified roles
[RequiredPermission] - Only allow access to users with the specified permissions
Note: These attributes also work in your MVC Controllers that inherit from ServiceStackController or Controllers marked with the [ExecuteServiceStackFilters] attribute.
You can inspect a MVC + ServiceStack demo that uses these attributes in the Social Bootstrap Api example project.
Another way you can generically restrict access is by registering a global Request filter which get executed on every request.
One possibility is to use a specific user for accessing the API:
<location path="api">
<system.web>
<authorization>
<allow users="api_user" />
</authorization>
</system.web>
</location>
Then configure your API to be accessible only by the api_user. This way any other authenticated user in the browser won't be able to access this API. In your ASP.NET MVC 3 application you could create an authentication ticket with the given user before sending an HTTP request to the API.
Also notice that using the <location> tag in web.config to control authorization in ASP.NET MVC application is a very bad idea. The reason for this is that you are relying on some url (api). But ASP.NET MVC works with routes. So you should be using the [Authorize] or a custom authorization attribute to decorate the corresponding controllers/actions that you want to protect. This way your authorization is no longer dependent on your routing configuration.
Another possibility is to use a custom authoriza attribute and implement an access token.
Since we moved from IIS 7.0 to IIS 7.5 the Windows Authentication doesn't work anymore from remote requests. If I open the website on the webserver everything works fine.
web.config:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
IIS Settings:
Authentication (enabled): ASP.NET Impersonation, Windows Authentication (all others are disabled)
ApplicationPool: Managed Pipeline Mode -> Classic, Identity -> ApplicationPoolIdentity
Failed Request Trace:
MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName: WindowsAuthenticationModule
Notification: 2
HttpStatus: 401
HttpReason: Unauthorized
HttpSubStatus: 1
ErrorCode: 2148074254
ConfigExceptionInfo:
Notification: AUTHENTICATE_REQUEST
ErrorCode No credentials are available in the security package (0x8009030e)
Any suggestions?
We had a two-hop problem I think. If I move our SQL/Oracle DB to the server which is running IIS it works.
So here is an article to which describes a solution.
How to configure SQL and IIS for two hop kerberos authentication 2
or
SSRS Reportviewer ASP.NET Credentials 401 Exception
Thanks
Which client are you using? you might be running a client that is trying to pre-authenticate, but in IIS 7 we use Kernel Mode authentication by default which requires a challenge. If that is the case you can disable Kernel Mode auth by selecting the Windows Authentication entry and clicking Advanced Settings, you should see a checkbox that allows you to Disable that for the specific application and it should work if this is the problem.