I'm working on a web application that works with the TFS API and I would like to make sure that any users that use it have the proper authentication to use TFS.
To do so I use the following code:
TfsTeamProjectCollection teamProjectCollection = configServer.GetTeamProjectCollection(collectionId);
teamProjectCollection.EnsureAuthenticated();
I'm going to host the website on IIS.
When a user uses the web app, will EnsureAuthenticated use their credentials, or will it use the credentials of the remote desktop I'm hosting the application on?
It depends.
If you have configured ASP.NET to use impersonation, it will use the account of the logged-in user.
If ASP.NET is configured with default settings, there are a number of things that can happen:
If there is a credential stored in the Credential Manager, it will use that.
If the application pool is running under a real account, it will try to do that.
If the application pool is running under an application pool account, it will probably try to authenticate with the System's account (COMPUTER$).
I'd say, try it and look at the IIS logs of your TFS server or use something like Fiddler to capture the traffic.
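One way to run the "try it" check from inside the web app, as an added example that is not part of the original posts: it reports the worker thread's identity, the caller IIS authenticated, and the account TFS actually authorized, with and without impersonation. The class name `TfsIdentityProbe`, the method `Describe` and its parameters are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using Microsoft.TeamFoundation.Client;

// Added diagnostic helper (hypothetical names), not code from the original posts.
public static class TfsIdentityProbe
{
    // Returns the three identities involved in one request:
    // the thread identity, the IIS-authenticated caller,
    // and the account the TFS server authorized.
    public static string Describe(Uri collectionUri, bool impersonateCaller)
    {
        HttpContext ctx = HttpContext.Current;
        WindowsIdentity caller = (ctx != null && ctx.User != null)
            ? ctx.User.Identity as WindowsIdentity
            : null;

        // Impersonation only makes sense for a Windows-authenticated caller.
        if (impersonateCaller && (caller == null || !caller.IsAuthenticated))
            throw new InvalidOperationException(
                "Windows Authentication is required to impersonate the caller.");

        WindowsImpersonationContext impersonation = null;
        try
        {
            if (impersonateCaller)
                impersonation = caller.Impersonate();

            // Identity the outgoing TFS call will be made as.
            string threadIdentity = WindowsIdentity.GetCurrent().Name;

            // No explicit credentials: the connection uses the thread's identity.
            using (var tpc = new TfsTeamProjectCollection(collectionUri))
            {
                tpc.EnsureAuthenticated();
                return string.Format("thread={0}; caller={1}; tfs={2}",
                    threadIdentity,
                    caller != null ? caller.Name : "(none)",
                    tpc.AuthorizedIdentity.UniqueName);
            }
        }
        finally
        {
            // Always revert to the application pool identity.
            if (impersonation != null)
                impersonation.Undo();
        }
    }
}
```

If TFS runs on a different machine than IIS, the impersonated call succeeds only when Kerberos delegation is configured for the web server; otherwise the second hop is rejected and `EnsureAuthenticated()` throws.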
Related
I am writing an iOS application that I would like to send a login and password through a WCF service residing on an IIS server developed in C#. I would like to verify that the USERNAME and PASSWORD is a valid Active Directory account. If so, then I will log them into the application on the iOS device and continue on. Is this possible? My ASP.NET application that will be hosting this WCF service could be either in Windows or Forms authentication mode depending on the client. Any code example that would allow me to use the passed credentials to verify that they are valid AD user credentials would be great.
Thanks
I am running this MVC 4 site on IIS Express initiated through Visual Studio 2012. If I change the impersonate to false it works fine. Any ideas what I could be doing wrong?
Use ASP.NET impersonation when you want to run your ASP.NET application under a security context different from the default security context for ASP.NET application.
If you enable impersonation for an ASP.NET application, that application can run in one of two different contexts: either as the user authenticated by IIS 7 or as an arbitrary account that you set up. For example, if you were using Anonymous authentication and chose to run the ASP.NET application as the authenticated user, the application would run under an account set up for anonymous users (typically, IUSR). Likewise, if you chose to run the application under an arbitrary account, it would run under whatever security context was set up for that account.
By default, ASP.NET impersonation is disabled. If you enable impersonation, your ASP.NET application runs under the security context of the user authenticated by IIS 7.
I don't know how to answer why the message is so useless, but I can say that it seems to be a product of the development web host (IIS Express) not being in the domain of the user you are trying to authenticate.
In my example I was on my home machine (not registered to the domain) connected in via VPN. With impersonate set to false and Windows authentication enabled in the web.config it will work fine. When you turn on impersonate it gives the invalid message.
If you have impersonate turned on when running from a machine (my workstation in the office) registered to the domain, it works with no error message.
Hope this helps someone else.
I'm working with an MVC application on a test server that used to work perfectly. It creates accounts on a server that a 2nd application uses for logging in. It uses a credential store and PrincipalContext and UserPrincipal objects to create these accounts.
I haven't used the test version of this app for months or possibly almost a year. Now when I go to create an account with the application, I get the following error:
Access is denied.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and
the configured application pool identity on IIS 7.5) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
I looked at anonymous access, but the production version of this app also has a rule to deny anonymous access and it's working fine. This application never used impersonation even when it was working, and I've heard that granting explicit access to ASP.NET is not generally recommended. I can make the application work locally through Visual Studio, but the version deployed to test continues to give this error. I would rather not republish the site to test, but perhaps that's the only option left? Is there anything obvious (but not to me) that could have changed in the security settings to cause this? I'm still researching with no luck.
Thank you!
You need to provide a service account to your ApplicationPool Identity that has the appropriate level of access. When you're using the Studio, it uses your user account for access so it's almost a given. When the application is installed onto IIS it uses the lowest possible level of access available, and that simply isn't enough. It isn't recommended that you open it wide up, but establishing a limited access service account for this specific purpose will allow the application to function without having to compromise system or personal accounts.
I'm publishing a public ASP.NET website. I'm assuming the visitor is using Windows and Internet Explorer. I want to display the Windows username on the front page, is it possible?
I have already enabled Windows Authentication in IIS and on a development environment everything works fine. On production it keeps asking for the Windows login credentials.
For Windows Authentication, the user must supply credentials that can authenticate to the server/domain in which the website is running. If the client is running within the same domain and authenticated, Internet Explorer will automatically handle the credential exchange; this is why it works in the dev environment. However, when accessed from the public side, Internet Explorer tries to hand over the credentials that the user is currently using (some other Windows domain), but those credentials cannot authenticate to your server, so IE prompts the user to enter credentials that can authenticate to that domain.
If it's a public website then you can't do it. Why? Because you would need to verify the user credentials against your AD and you can't do that on a public web page. (Which makes total sense, after all how would you know who I am otherwise?)
If you ARE doing this in an internal network where each account is in your Active Directory, then people just need to add the site to their Trusted Sites or Local Network Zone in IE for NTLM to work transparently.
I'm writing some load tests against a restricted web server on our local domain. The webserver requires entering network credentials to be able to access sites on the server. How do I automate my network login? Again, this is a server login, not a website login form.
Found the answer. This MSDN article explains how to set credentials for a web site that uses basic authentication or Integrated Windows authentication.
http://msdn.microsoft.com/en-us/library/ms182548.aspx