Develop Reference

How do you limit use of a web site to a particular company's active directory?

I've developed a web application in asp.net/MVC/RAZOR/C#. The client wants a user to go to this site and not have to enter a login/password if they are from a certain domain. Users outside that domain can use a standard logins screen entering their login and password. I've never worked with Active Directory before and my work with IIS is limited. Can someone explain how to set this up?
From this link, http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication, I determined I need to use Windows Authentication option in IIS. However, all this does is prompt the user for a username and password when they go to the site. Right now Authentication is set so Windows Authentication enabled with response "HTTP 401 Challenge" and the enabled provider is "Negoiate: Kerberos". How do I avoid this login screen and pass the user's Active Directory username, group, and domain down to the website?
If I get past the login screen, I try to get the user's identity using WindowsIdentity.GetCurrent().Name. However, this shows "IIS APPPOOL" no matter who I log in as. How can I get the Active Directory username? (and group)
I added the following code to my web.config:
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="DOMAINNAME\*" />
<deny users="?"/>
</authorization>
...
Before I found the IIS link above I tried the code listed on these sites:
http://www.codeproject.com/Tips/458039/Application-Login-through-Active-Directory-LDAP
http://www.codeproject.com/Articles/5173/Web-based-Active-Directory-Login
These work to authenticate the user, but they require a password which I don't have. I couldn't find a way to get the password, which led me to look further and find the info on IIS. Unfortunately, I don't know how to set it up.
If anyone could give me some simple steps on how to set this up, I'd appreciate it. Thank you.

I recently had to limit a website, to be used only by users in a specific Active Directory group.
If you wanted to use the same method, you could just set the group name to "Domain Users" to allow all users. Like so:
var User = System.Web.HttpContext.Current.User;
var isUser = User.IsInRole(System.Configuration.ConfigurationManager.AppSettings.Get("SystemUsersADGroupname"));
I then added the following to web.config, to define the required group name:
<configuration>
<appSettings>
<add key="SystemUsersADGroupname" value="mydomain\Domain Users" />
</appSettings>
</configuration>
I could then check on the value of the isUser variable, to determine if a user was allowed to continue or not.

HTTP Error 404.15 - Not Found ...because the query string is too long

I've checked lots of posts about this error but not been able to fix the problem yet.
I have simple MVC5 website built in VS2013 running on Windows 8 pro. When the site was created the option for individual accounts was selected. I now need to enable windows authentication so that only AD account users can use the website and also authorisation so that I can limit access to certain views / controllers to particular AD groups.
Having selected the web project within VS I have updated the properties window (F4) so that Anonymous Authentication is set to disabled and Windows Authentication is set to Enabled.
The web.config for the project now contains the following sections:
<system.web>
<authentication mode="Windows" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
</modules>
</system.webServer>
I access the site from IIS or F5 I get the error: HTTP Error 404.15 - Not Found
The request filtering module is configured to deny a request where the query string is too long. I notice that something has looped to give a ReturnUrl which is a repeating long concatenation within the query string.
Within the IIS\Authentication section, I have set to disabled "Anonymous Authentication, ASP.Net Impersonisation, and Forms Authentication". Within the section IIS.Net Authorization Rules I have set to Deny "Anonymous Users" and Allow "All Users"
Where am I going wrong?

The only time I've personally run into this issue is when I accidentally added [Authorize] to a child action that was used in the layout. Adding [Authorize] to your sign in action would have the same effect or simply neglecting to add [AllowAnonymous] on your sign in action, when the controller it is in has [Authorize] on it. Long and short, this is being caused by something requiring authorization on the actual sign in page, which then causes you to be redirected to the sign in page, which needs authorization, causing you to be redirected to the sign in page, etc.
tl;dr
Make sure your sign in / login action does not have [Authorize].
Make sure your sign in / login action does have [AllowAnonymous].
Make sure no child actions used in your layout or sign in page have [Authorize] or have [AllowAnonymous] if they are in a controller decorated with [Authorize].

I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and I do not want login page in my application.
I got the error fixed by adding the below in my Web config file.
Under the tag system.web, changed authentication mode="None" to authentication mode="Windows"
Under tag appSettings, added add key="owin:AutomaticAppStartup" value="false"

You may have a function in startup that redirects you to a login page. You must disable it.
I created the project by default authentication method which creates an account controller and its dependencies. When I changed the authentication method to Windows, the mentioned error was raised.
What I did was comment out the ConfigureAuth(app) function in my Startup.cs file to resolve the issue.

I had the same problem..
Check under Project Properties..
Anonymous Authentication=False
Windwos Authentication=True

We ran into a similar issue and our authorize filters were correctly implemented. I am leaving this here in case someone else runs into same problem with IIS 10.
After working with Microsoft support, we determined that the .Net Authorization Rule was not enabled on the server level.

ASP.NET MVC intranet app with windows authentication, how to get the current domain user automatically?

I need my MVC4 app to get the current domain user that is logged on to the machine automatically logged in in my index.cshtml page.
the rest of the application works as intended by using the Authorize attribute the actions i need secured.
I just need to say to the app "get the current machine logged in user , dont secure anything and take the user to the landing page".
web.config:
<authentication mode="Windows" />
like this the user is BLANK on the landing page.
If i try to put just [Authorize] on my index action then it asks for credentials and then continues as i want, without securing anything on the landing page.
Is there any way around this?
UPDATE:
No matter what you do , it seems that there is no way to bypass the login prompt and make the application automatically get the current domain user and log him in the app.

Check this from MSDN
add impersonate="true" along with it
<identity impersonate="true"/>
<authentication mode="Windows" />
Then use
((HttpContext)context).User.Identity as WindowsIdentity

Use Windows Authentication and for ASP.NET and IIS and specify the ASP.NET URL Authorization in the web.config as shown in this answer. Whenever the current user is authorised, the user will be silently logged in.
Tested using IE 11, IIS 8.5, Windows Server 2012 R2.

i just finished fighting with this problem. i should preface that this is with iis 7 running on win 2k8r2. the fix for me was to go to authentication menu in iis -> select windows authentication -> click providers in the right pane -> adjust so that only ntlm is in the list of available providers. negotiate seems to be the culprit for forcing the log-in prompt.

You may also try adding the following to your <appSettings>:
<add key="enableSimpleMembership" value="false" />

Why is my style sheet redirecting me to login?

I am sure this has something to do with IIS but I can't figure it out.
I have a website using forms authentication. When my website tries to access any file resources (javascript files, css, etc), I am redirected to the forms login page set in my web.config. I also get redirected if I just type the address into the address bar.
The web.config entry for forms auth is pretty basic:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
There are also two location nodes to deny users from other parts of the site:
<location path="n2">
<system.web>
<authorization>
<allow roles="Editors" />
</authorization>
</system.web>
</location>
<location path="web.config">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
I am using the standard IIS7 install on Windows Server 2008 R2.
Edit
So, if I add a random auth cookie (FormsAuthentication.SetAuthCookie()), the resources become available, I know it has to be my authentication model that's messed up somehow. It works on another server (I just copied it over). Any ideas how I can track the problem down?

I had the same error, in my case the trick was setting Anonymous Authentication to use the App Pool identity instead of IUSR in IIS
Open IIS
Expand Sites
Select [YourWebSite]
Double click Authentication (will be under the IIS "Area" or the Security "Category")
Select Anonymous Authentication
Click Edit in the Actions pane
Click the 'Application pool identity' radio button

Don't use <location> tags in web.config to handle authorization in an ASP.NET MVC application as locations have no longer any sense. All you need in web.config is the authentication tag. In MVC authorization could be achieved by decorating proper controllers and/or actions with the [Authorize] attribute.

I use allow * for my Content folder. That will prevent any authorization from happening for static content.
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Rick

In IIS, my Anonymous Authentication was on correctly and the user was set to IUSR. Therefore, I needed to go into Windows Explorer, navigate to my web app directory, right-click for Properties, Security tab, Edit button, and give IUSR Read, List, and Read & Execute permissions (the default set). Ensure the changes will be inherited by all children, apply, possibly wait, and you're good to go.

It's been along time since I did any asp.net forms work but the first questions would be - are you sure your user is a member of the "Editors" role. You can use the Web Site Administration tool to set this up I think?
http://msdn.microsoft.com/en-us/library/ssa0wsyf.aspx

That is because you have set deny to everyone. In IIS 7, because of the integrated pipeline you will get redirected even when you try to browse CSS or any static page.
Put the static content inside a folder if you like and allow access to it.

I had exactly the same and found it was because I had forgotten to allow anonymous access to the website from inside IIS! This meant that the FormsAuthentication was always kicking in, even for the static resources that were not protected.

User.Identity.Name blank in ASP.Net MVC

Exactly as per the title.
Simply in my HomeController I have:
string Username = User.Identity.Name;
Why is this value always blank?
Is there something special I have to place in the web.config to get this value to come through. I've tried on both the VS dev web server as well as on a windows server 2003 IIS server.
It's got to be something simple, a server setting in IIS or something as the code is so simple and seems to be the correct way to reference this value.
Thx a lot

If you are wanting to use windows authentication it's not enough to just add
...
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
...
You also want to check the readme file instructions for the MVC project, especially if your running in IIS Express and using Visual Studio 2012.
See below:
Hosting on IIS Express:
Click on your project in the Solution Explorer to select the project.
If the Properties pane is not open, open it (F4).
In the Properties pane for your project:
a) Set "Anonymous Authentication" to "Disabled".
b) Set "Windows Authentication" to
"Enabled".
Hosting on IIS 7 or later:
Open IIS Manager and navigate to your website.
In Features View, double-click Authentication.
On the Authentication page, select Windows authentication. If Windows authentication is not an option, you'll need to make sure
Windows authentication is installed on the server.
To enable Windows authentication on Windows:
a) In Control Panel open "Programs and Features".
b) Select "Turn Windows features on or off".
c) Navigate to Internet Information Services > World Wide Web Services > Security
and make sure the Windows authentication node is checked.
To enable Windows authentication on Windows Server:
a) In Server Manager, select Web Server (IIS) and click Add Role Services.
b) Navigate to Web Server > Security
and make sure the Windows authentication node is checked.
In the Actions pane, click Enable to use Windows authentication.
On the Authentication page, select Anonymous authentication.
In the Actions pane, click Disable to disable anonymous authentication.

Sure is mate. You need to authenticate with the website. That's the name used for authentication.
You are authenticating, right?
It's not a setting, etc.
Click the LOG IN link, if you're using the stock standard ASP.NET MVC template (if my memory serves me right).
UPDATE (as the posted has added more info/comments)
So what you're after is Windows Authentication. A quick google search came up with this post. It's pretty helpful (though a bit old, but still relevant) .. check that out.
Found a better post with MVC code for Windows Authentication. Check that out instead.
Config setting that is important, is...
...
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
...

If you do not wish to Authorize on every controller or action, you can do a blanket authorization in the web.config file. This should work as long as you are using Windows authentication. If you allow ASP.NET to control the authentication, then you would not need to configure any IIS setting. It should then work well with whatever web server that you are running on. I do not know or assume what u have tried so far I'll try to be complete in my answer. First remark off the forms authentication tag in web.config. All following settings are placed in the system.web configuration section.
<!--
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
-->
Replace with the Windows authentication tag.
<authentication mode="Windows" />
Then add the authorization tag to deny access to anonymous users. If the users are using Internet Explorer and are connecting from an Intranet zone, IE automatically will login the user. But if the user is connecting from the Internet zone, IE will still display a login box though for safety. But these are options that can be set from IE.
<authorization>
<deny users="?" />
</authorization>
Setting authentication mode alone without authorization does not force the user to be authenticated in ASP.NET. If you want to control the security from IIS, I cannot help much with IIS settings but I know basically you can disable Basic Authentication , then enable Integrated Windows Authentication and then disable the Anonymous Login Account which will achieve the same or better results.
I am also working on an MVC project at the moment and I tested the above settings with my project and it works. You would not need the Authorize attribute since we have the authorization tag in the configuration. I hope this can be of help to you and not get another -1.

Have you attached Authorize attribute to ur action or controller?
public class HomeController : Controller {
[Authorize]
public ActionResult Index() {
string userName = User.Identity.Name;
return View();
}
}