Ask for username and password before loading ASP.NET MVC 5 application - asp.net-mvc

I am running an ASP.NET MVC 5 application on a Windows 2019 server with IIS 10. Now I want to set the IIS to pop up a window asking for a specific user with password before loading the web application in the browser. It is important that the prompt appears before the application accepts the client's requests. So actually before the application is started on the web server.
I can remember that something like this used to be possible with a .htaccess file. Is it possible to implement this in IIS 10 with the Web.config file somehow? In my Web.config I have already entered a http to https rule. So it would not be a security leak, because the connection is encrypted. Is it possible to configure IIS to ask for a specific password and username before starting the web application?
Thanks.

As can also be seen in the comments under the question, there is no IIS built-in solution for this requirement. The integration of third-party software for this requirement has not been considered.

Related

How will “windows based” authentication work in MVC web application, if users access the application from outside the company intranet

I have the following architecture:-
Active directory server
IIS which will host asp.net MVC
Both the Active directory and the MVC web application are inside our company intranet.
I set the Asp.net MVC authentication type to be windows based.
But I have these questions:-
If our company employees try to access the asp.net MVC web application from their home using their personal PC, will Windows authentication work?
If the above answer is yes, then how will they be typing their usernames? Something similar to username@domain.com?
According to my above requirements, should I consider having form based authentication that is connected to AD? Instead of using windows based authentication?
Thanks for any help and advice
Best Regards
Assuming your website in IIS is visible to the outside through the firewall, then yes, it will be accessible from home.
Depending on the browser, you should get a pop-up asking for username and password, and the username should be typed as
MYDOMAIN\JOEBLOGGS
This setup may well work fine but it depends on your needs - is your network admin happy to open this server up to the outside world?
There can be a quirk if using Internet Explorer externally, where IE does not display a pop-up box, and instead tries to authenticate with the local Windows username, which may not match the AD username if it is a personal PC (to get around this on the client, go to Internet Options > Security > Custom Level, then scroll down to User Authentication and select 'Prompt for username and password').

Configure application pools in IIS Express

Recently I have been using IIS Express and it works really great. However, I have one scenario I am unable to solve.
I am developing a webapp where users should be able to login with their AD account. Since the server which will run the webapp is outside the domain I use ADFS 2.0 as a SSO solution to solve this problem.
To make development for this project easier, I have chosen to use IIS Express when developing.
To be able to exchange claims information with the ADFS 2.0 server from my development environment, I have to configure the application pool for the site to have Load User Profile set to true (like i.e. IIS 7.5). I have searched around the web, and have so far found very little documentation on how to configure application pools in IIS Express.
This has nothing to do with ADFS but it's the way WIF uses to sign and encrypt the cookie that will be used to identify the user after the initial sign in. The default implementation in WIF uses DPAPI, which relies on the user profile to get key material.
You can override that default and use the machinekey as key material instead. Indeed that's the way it works in .NET 4.5 by default, precisely because of all the issues with DPAPI. Here you have the way to do it in .NET 4:
http://leastprivilege.com/2012/07/12/machinekey-based-session-protection-for-wif/
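The machine-key approach described in this answer, sketched for WIF 1.0 on .NET 4 as an added example (not code from the linked post or from the original answer). The class name `MachineKeyCookieTransform` is hypothetical, and the sketch assumes an explicit `<machineKey>` element is configured in web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web.Security;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// Hypothetical class name. Protects the WIF session cookie with the
// <machineKey> from web.config instead of DPAPI, so the application pool
// does not need "Load User Profile" to be enabled.
public sealed class MachineKeyCookieTransform : CookieTransform
{
    public override byte[] Encode(byte[] value)
    {
        if (value == null) throw new ArgumentNullException("value");
        // MachineKeyProtection.All encrypts the payload and adds a MAC.
        string protectedText = MachineKey.Encode(value, MachineKeyProtection.All);
        return Encoding.UTF8.GetBytes(protectedText);
    }

    public override byte[] Decode(byte[] encoded)
    {
        if (encoded == null) throw new ArgumentNullException("encoded");
        // Throws if the cookie was tampered with or protected with another key.
        return MachineKey.Decode(Encoding.UTF8.GetString(encoded), MachineKeyProtection.All);
    }
}

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(
        object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // Replace the default DPAPI-based cookie transforms.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new MachineKeyCookieTransform()
        };
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(
            new SessionSecurityTokenHandler(transforms.AsReadOnly()));
    }
}
```

With this in place the confidentiality and integrity of the session cookie rest entirely on the configured machine key, so that key needs the same handling as any other signing secret and must be identical on every node of a web farm.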

WIF SessionAuthenticationModule not executing correctly

I have an odd situation occurring that I am trying to diagnose and would appreciate any advice on where to look.
I have an ASP.NET application using WIF that contains another ASP.NET application as a child in IIS 7.5. This child application contains a REST based web service. Accessing this service directly by pasting a URL into a browser will redirect to an ADFS sign in page. This is how I expect it to work. The odd part is that I have a second environment with the same applications and service deployed, and in this environment I am never redirected to the sign in page.
I have checked that all web.config files are identical, and also checked all IIS settings that I thought might be related. Browsing to web pages on the second environment requires a login, but not when browsing directly to the REST .svc file. I checked all HttpModules and Handler Mappings in IIS. I also enabled tracing of Microsoft.IdentityModel events and on the first environment can see basic entries for a redirect to the STS. On the second environment I don't see any WIF events. The SessionAuthenticationModule appears to be called when I examine the data flow using IIS failed event tracing, but I am not sure why it isn't requiring authentication.
I am familiar with cookie related issues with WIF and made sure that all cookieHandler settings were correct. I also closed browser windows and cleared all cookies to make sure the SessionAuthenticationModule wasn't seeing previous WIF cookies.
If you can think of anything else I should check please let me know.
If you have the same application in two separate environments bound to the same instance of ADFS, the URLs must be different, so I am puzzled by the statement "all web.config files are identical"?
Have you tried re-running FedUtil on the application that doesn't work?
Also check AppPool settings.
After a lot of trial and error and carefully examining the applicationHost.config files between the two servers I found out this was caused by a difference in the ordering of HTTP handlers. The ExtensionlessUrl-Integrated-4.0 handler was picking up the request on one server and redirecting to ADFS. On the other server the svc-Integrated-4.0 handler was responding to the request first. You can read more about this behavior here: http://support.microsoft.com/kb/2520479
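A small check for the handler-ordering difference described in this answer, as an added example that is not part of the original post. The two configuration fragments are constructed stand-ins for each server's applicationHost.config, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class HandlerOrderCheck
{
    // Handler names in the order they are listed in the first
    // <system.webServer>/<handlers> element. Assumption: that element is the
    // server-wide list; per-site <location> overrides are not merged here.
    public static List<string> HandlerNames(string configXml)
    {
        XElement handlers = XDocument.Parse(configXml)
            .Descendants("system.webServer").Elements("handlers").FirstOrDefault();
        if (handlers == null) return new List<string>();
        return handlers.Elements("add")
            .Select(a => (string)a.Attribute("name"))
            .Where(n => !string.IsNullOrEmpty(n))
            .ToList();
    }

    // true/false when both handlers are present, null when either is missing.
    public static bool? ComesBefore(IList<string> names, string first, string second)
    {
        int i = names.IndexOf(first), j = names.IndexOf(second);
        if (i < 0 || j < 0) return null;
        return i < j;
    }

    public static void Main()
    {
        const string ext = "ExtensionlessUrl-Integrated-4.0", svc = "svc-Integrated-4.0";
        // Constructed fragments standing in for each server's applicationHost.config.
        const string wrap =
            "<configuration><system.webServer><handlers>{0}</handlers></system.webServer></configuration>";
        string addExt = "<add name=\"" + ext + "\" path=\"*.\" verb=\"GET,HEAD,POST,DEBUG\" />";
        string addSvc = "<add name=\"" + svc + "\" path=\"*.svc\" verb=\"*\" />";
        string serverA = string.Format(wrap, addExt + addSvc);
        string serverB = string.Format(wrap, addSvc + addExt);

        bool? a = ComesBefore(HandlerNames(serverA), ext, svc);
        bool? b = ComesBefore(HandlerNames(serverB), ext, svc);
        Console.WriteLine("Server A: extensionless handler first = {0}", a);
        Console.WriteLine("Server B: extensionless handler first = {0}", b);
        if (a != b)
            Console.WriteLine("Handler order differs; .svc requests can reach different handlers.");
    }
}
```

Against real servers, replace the constructed strings with the contents of each machine's `%windir%\System32\inetsrv\config\applicationHost.config`.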

Asp.MVC and WCF mixed authentication

I've got WCF web services hosted in an ASP.NET application. For the asp.net part I'm using Forms authentication; for the web services I want to use Windows authentication. After configuring this, the caller of the service is getting redirected to the login page of the web app. I have tried to exclude the folder hosting the WCF web services but could not get it working.
Can this be configured or do I have to host my WCF as a separate site in IIS?
Edit
After some more googling I found that it is possible but it's not as easy as I would like it to be :) The part I especially dislike is that my app has to have this wrapper in the GAC or the app has to have full trust permissions :(
http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx
I'll try it and let you know how it went.
Did you setup your WCF bindings correctly in the web.config?
Here's a link on how to configure this:
http://www.codeproject.com/KB/WCF/WCFBasicHttpBinding.aspx
Do you have the ASP.NET compatibility mode disabled for the WCF services? If it's enabled, ASP.NET will try to authenticate the user first. Otherwise, it should go straight to WCF.
The solution I googled works, but I'm not going to use it because the application I made is not supposed to have full trust permissions and I also don't want to place the wrapper in the GAC. So the solution I ended up with is to split the WS and asp.mvc app into two sites on IIS.

Authorization problem, FormsAuth and ASP.NET MVC

I have a pretty simple ASP.NET MVC Site Application. (MVC 1.0)
I have NO authorization sections in my web.config because I use the [Authorize] attribute on my controllers.
The default web.config for the server allows * for forms authentication, as expected.
I have 2 existing Windows 2008 dedicated (hosted) servers. The site works well.
I have a new dedicated server, seems identical except the site just won't work. Every resource, even images/javascript is redirecting to the login page.
I tried adding explicit authorization rules to allow * and location rules, same result. I checked the .NET Trust level, Internal/Full Trust. Everything runs perfectly on two servers, just this one is ignoring all rules for authorization.
Any ideas?
thanks
I found the issue :) Unless something has changed in Windows 2008 I would have expected this to show as an error but as stated above, it was being hidden by Forms Authentication.
The issue was the hosting company now adds data drives to all servers for your websites/storage. There were no permissions set to allow IIS to read the files. The reason I couldn't find it was I already added permission for the application pool user, in my case I just went ahead and added ASPNET, Network Service, IIS Anon User etc to have full permissions.
I needed to allow Everyone to have at least Read to the website folders and then IIS showed the non-secured content. I still think it is odd that forms auth. was kicking in and ignoring all web.config rules but anyway.
I found the error by turning off Forms Auth support in the IIS 7 manager. Then I got the process failure error because of file permissions.
