I have an ASP.NET MVC 3 web site that uses Windows Authentication running under IIS7.5. This web site also checks manually for groups in AD using the GetRolesForUser method of a custom RoleProvider. This isn't anything special, and has been working fine for a few months now.
However, we now have a user that had their Active Directory user name changed. They still have the same actual AD account, but to them their login name is now different.
Unfortunately this has broken the web site for this user. I'm using Elmah to log errors, and I have noticed that REMOTE_USER is using the old account name, and LOGON_USER is using the new account name. It looks like the username parameter of the GetRolesForUser method is getting the old account name - so I assume it is using REMOTE_USER.
Should I be targeting the web server or the web site for a fix? I've read that LOGON_USER and REMOTE_USER are only different if there is an authentication filter installed. I'm not aware of anything like this on the web server (although I'm not sure exactly where to look), but does MVC3 add this somehow?
Typical, after I posted, my Google-Fu kicked in.
Seems like this is a known issue (by design) with the local sid cache:
http://support.microsoft.com/kb/946358
Resolution is to follow the registry change in article (and undo it again?), or reboot the web server. I have read that a IISRESET might fix this too.
Related
I have asp.net mvc3 application with forms authentication. But the our client request AD authentication as well. But the mvc3 app is hosted outside the clients network. What are the possible solutions for this.
Get permission to access the clients network from remote server.
Get an API to access the active directory data from webserver.
If we choose opt one how could we access active directory for authentication from outside the client network. I anybody have any idea or better options please let me know. Thanks in advance.
My guess is that the Microsoft security products can support this out of the box but I'm not sure how so I suggest that you direct your question to whoever supplies your client with their Microsoft product support.
If you'd rather build a solution so that you've got more control over how it works a quick search found an interesting approach at https://support.freshservice.com/support/solutions/articles/169196-setting-up-active-directory-single-sign-on-sso-for-remote-authentication where they created a simple ASP.Net web site that used AD authentication for sign-on. MVC 5 can build a WebApi site that does that just by creating a new project in Visual Studio with the right options.
That site wouldn't have to do anything except confirm that the credentials supplied were valid or not. Your application would ask the user to enter login / password details, then send a (properly secured) web request to the authentication site to determine whether they're valid. As long as you keep the communication between your server and the client web service tightly secured this should do what you need without much fuss. That approach removes the need for your server to communicate directly with the client's AD server.
I have a site which is built in ASP.net and C#. Let's call it webapp. it uses a Form system to log on into it, and cannot be changed easliy.
I got a request to change the log in to some kind of windows authentication. I'll explain.
Our windows login uses active directory for users to log into their windows account. their login name is sXXXXXXX. X are numbers.
in my webapp, I want to take the users numbers from their active directory login, and check if those exist in the webapp database. if it exists, they will automatically log in. If it doesn't, they will be referred to the regular login page for the webapp system which is currently in use.
I tried changing my IIS to disable anonymous login and enabling windows authentication, therefore making the user browser to send it's current logged in user name to my webapp. I changed the web config as well from "Forms" to "Windows", which made my whole webapp obsolete as the whole forms system did not work.
My question is this - is there a different way for the browser only to send the username to my webapp? I thought maybe javascript, I just don't know how to implement that, if it's even possible. I know it's not very secure, but all this platform and system is built outside the internet, it's on a private network.
<script language="javascript">
var username = '<%HttpContext.Current.User.Identity.Name %>';
</script>
The only way you could get at the user's domain credentials via javascript would be by deploying some type of ActiveX component to expose that data to the browser. I wouldn't recommend that.
I would look at implementing a Login page for forms authentication that authenticates the user on the page load using HttpContext.Current.User.
The way forms works is that if an unauthenticated user attempts to access an access-controlled page and have not logged in (no cookie), they will be redirected to a login page that gives the facility to log in (this sets a cookie on the client-side). The user is then directed to the page they initially requested. You would simply be automating the login part.
If you have a mixture of pass-through and user who need to manually login you could check their client IP address to see if it matches one on your domain or not.
The solution I found for getting the username sent to the server was:
string winlogon = Request.ServerVariables["LOGON_USER"];
After enabled Windows Authentication Mode in IIS.
I am working at a company which uses an intranet site as a portal to a bunch of other local sites. Unauthorized people in the company have been accessing it, so we want to secure it. Users, when accessing the website for the first time will have to enter a username and password. If they are on a certain group in the Active Directory, they will be given access and their credentials will be stored so that they don't need to enter their username/password again. I have looked into NTML, ASP.NET, but am not sure how to proceed.
Any thoughts/ideas are greatly appreciated.
Dump your solution. Use Integrated Windows Authentication, namely Kerberos, in IIS. It will automatically pass all credenentials to your server. Note that every participant must be part of your AD domain.
I am trying to setup a local Sharepoint Server 2010 for testing purposes. I have never worked wih SP before, but it is per request from a client. And I am a strong fan of "learning-by-doing".
Everything is setup fine but when I try to access the Central Administration site it keeps asking me for user and password and I have no idea what that is. Is there something I am missing somewhere or forgot to set up. I have enable anonymous login in the IIS settings but that doesn't seem to make any difference.
I am logged in with my standard Windows user "Morten".
are you using Domail Controller Active directory user to login ?
IF yes then check that your PC is available in Domain Controller
also check ,
Go to IIS > Your SIte > Right click on your site and go to advanced settings > Check for the Idenetiy under Process Model Section .
It should same as your login.
Let me know the outcome
I have made an ASP.NET MVC 3 Intranet site with Windows Authentication enabled:
in the Visual Studio project file properties
in the web.config, i.e. <authentication mode="Windows"/>
on the site properties in the IIS 7.5. server
Anonymous access is disabled for all these three above, the web.config says <deny users="?"/>. Impersonation is disabled in the web.config by identity <impersonate="false"/> and on the site properties in the IIS 7.5 server. And finally, the NETWORK SERVICE is set to run the app pool and also has Read on the site folder (not sure if it's needed though, you tell me, but it sure ain't enough to solve my problem below).
Now, when logging in through the standard Windows Authentication dialog box, domain users are presented with a 401.3 error after three valid login attempts. This seems to be before even reaching my MVC site's code, i.e. it seems completely IIS related. The event log gives the following kind of entry (it's an Information entry, not an Error, and I've obfuscated it a bit to protect my client) for all the users that has tried to log in:
Event code: 4008
Event message: File authorization failed for the request.
Event time: 2012-02-20 18:45:41
Event time (UTC): 2012-02-20 17:45:41
Event ID: 6dd3b4bf99784ba1a0fe06694dd89691
Event sequence: 3
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT-1-129742335229554599
Trust level: Full
Application Virtual Path: /
Application Path: D:\Public\BlahblahManager\
Machine name: HUB01-XYZ123
Process information:
Process ID: 2920
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://blahblahmanager.user.ad.blah.com/
Request path: /
User host address: 134.XXX.XXX.XXX
User: USER-AD\teh-user
Is authenticated: True
Authentication Type: Negotiate
Thread account name: NT AUTHORITY\NETWORK SERVICE
Custom event details:
It is only when I specifically grant USER-AD\teh-user or USER-AD\Domain users the Read permission on the site's root folder (D:\Public\BlahblahManager) that the user can log in and actually see the site.
Why is this? There must be some kind of configuration that I'm missing. Shouldn't it be enough that the NETWORK SERVICE has Read on the site's root folder? I've Googled this for a while, and impersonation is mentioned here and there, but the jury is still out it seems. Some sites claims that you should go with impersonation and they provide examples on how to do it, but when I try out the examples it still doesn't work. Other sites says that impersonation is NOT the way to go and that you NEED to grant the folder permissions in these cases. But that seems such an odd thing to do. Users have no business on the actual server, they should be working through the website only.
Any suggestions? What is usually the minimum amount of configuration needed to get this to work? Any tips on how to troubleshoot this kind of problem and get to the root cause?
I refer you to see this post that declares all of MVC authentication methods. but make sure you have enabled minimum required authentication on your mvc application. Notice that Anonymous Authentication works with your group policies. you can config that by following : Internet Options -> Security Tab -> Local Intranet -> Custom Level, on your browser.
1- Another thing that may causes the problem is IIS may configured not to authorized related users. Some of them are :
iisservice
IUSR
IIS_IUSRS
Network Service
2- Also Check allowed verbs in IIS.
3- On the root folder of your application Give read access to IIS AppPool\YourAppPool.
4- Another cause could be hierarchical access rules in your application depends on what application services you are using, like web site panel access rules.
5- Setting the clientaccesspolicy.xml file.
6- Check InitializeService() Method, do you set entity access rules properly? For example:
config.SetEntitySetAccessRule("*", EntitySetRights.All);
7- Check FileAuthentication module at the web site level.
Double check Anonymous authentication is enabled on IIS.
Also, have a look at this post.
We were also fighting with this issue, and started setting up security groups so we could give our users file level permissions. Then one of our server admins stumbled across a couple of new properties that allow the app to authenticate to the file system under set credentials, and resolved the need for the users to have access. Here is what he came up with…
There are two IIS settings that control this:
Physical Path Credentials Physical Path Credentials Logon type
By default, Physical Path Credentials is set to Application User
(Pass-through authentication). This means that IIS doesn’t do any
impersonation when handling Windows Authentication requests. This can,
however, be set to a specific user (though not, unfortunately, the
application pool identity, which would be ideal). Physical Path
Credentials Logon Type is set by default to Clear-Text. For my testing
I set this to Interactive (though this may not be the correct value).
Possible values are Clear-Text, Batch, Interactive, and Network.
To set this up I did the following:
Created a local account (IIS-AccessUser)
Granted IIS-AccessUser read and execute access to the /home directory of the site.
Added IIS-AccessUser to IIS_IUSRS group (necessary for accessing .NET temporary files)
Set IIS-AccessUser as the Physical Path Credentials
Set Physical Path Credentials Logon Type to Interactive
Doing the above allowed me to log in to the application directly,
without having to allow Authenticated Users, or me having to be a
member of any of the groups in the /home folder. It also still
preserved .NET Authorization roles, so I still could not access parts
of the site that I was not allowed to.
I also faced this same issue on iis7 with windows authentication, but with with MVC4.
Finally found this post. Hope this might help someone in the future.
You are not required to grant file access permissions when using Windows Authentication in IIS 7.0 and IIS 7.5.
There's a better way that we were only able to discover this because our server admin smelled the security and management issues that arise from taking the route of granting file level access to users and groups.
For anyone dealing with this issue or if you are setting up a new IIS7/IIS7.5 server and/or moving from IIS 6, here is an article that gives you all of the Windows Authentication options and configurations that need to be modified to avoid granting file level access to individuals or groups.
Please read the two comments in at the end of the POST for some valid critiques of the methods used in this article.
http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk
In addition to the information in the article, please be aware that IIS 7.5 is not using the web configuration tags for system.web (at least not in my MVC 4 application).
It is looking in the system.webserver tags for authorization configuration (where you will need to list the windows domain\groups a user needs to be in to access your application).
-- DSB