I am building a ASP.NET MVC 5 Web Application which should be used by corporate users.
When they are inside the corporate Network the should be authenticated automatically by Windows Authentication. When they call the application from outside the corporate Network from lets say a mobile phone, they should be redirected to a logon page where they can authenticate against active Directory.
I've tried different things, but haven't been successfully so far.
The last thing I tried was to create an authentication filter with the following configuration:
Web Application setting in IIS: Authentication = Windows Authentication
Web.Config Setting: authentication mode = Windows
From inside the Network this works fine. But when I try to authenticate from outside I get the authentication request before the AuthenticationFilter was hit.
In the second try I tried the following Settings:
Web Application setting in IIS: Authentication = Windows Authentication + Anonymous
Web.Config Setting: authentication mode = Windows
With this Setting when I call the site from inside the Network the AuthenticationFilter gets hit twice. The first time with anonymous authentication, the second time with the real user I am logged in with.
Is there a way to configure the order authentication happens or any other way to get both Scenarios handled?
I have now used this Approach to implement the forms based authentication:
http://www.schiffhauer.com/mvc-5-and-active-directory-authentication/
Related
I have created an app using ASP.NET Core 6 MVC application. I am using the Microsoft.Identity platform for authentication (Azure AD authentication). It worked fine locally. User is able to sign-in and sign-out and able to navigate. When signing in with wrong password or username then user getting an error.
But when hosted the same code on Azure App Service and when accessing the app the 401 error occured. HOw I fix that issue. As I mentioned everything works fine locally so no issue with registration clientId or any other registration level info.
WebConfig file
AppService configuration
As mentioned in the question, if you enabled Azure Active Directory, there is no need to you to login and logout explicitly. As you are trying to do those operations locally, it must be they are not configured perfectly locally also. The same error it is causing while moving and accessing in Azure App Service.
Kindly check the following things in configuration:
1. Configuration of IIS before deployment
2. Configuration of AAD
These two steps could solve the issue.
I have an ASP.NET MVC app. It is hosted on Windows Server 2012 R2 joined to an AD domain.
The operating regime requires a Http proxy and credentials. When using a browser, the logged in credentials of the (human) domain user are applied transparently.
My ASP.NET app uses HttpWebRequest. Although the documentation says it would use the proxy as set in Internet Explorer, it does not appear to be doing so. So I assign the proxy manually and set UseDefaultCredentials to true, which the documentation says the credentials of the "currently logged on user" will be used. But the response came back with:
The remote server returned an error: (407) Proxy Authentication Required.
Under IIS Authentication settings, I already have enabled ASP.NET Impersonation: <identity impersonate="true" />. (Is this the right thing to do?) How do I find out the identity of the process that is used to make the HttpWebRequest?
Or what must I do to use the credentials of the logged in domain user using my app to access the proxy?
I think you may refer to this answers on another question right here
I think it's exactly related to your question
I successfully host an app service on azure (ASP.Net MVC 5). There are some areas that are publically accessible (...mywebsite). To access the admin area (...mywebsite/admin) a user needs needs to authorize which is done via Azure AD and the [Authorize] attribute on all controller actions.
Everything worked perfectly via http.
Now in Azure I added a certificate to the app service and enabled „always use https“ which means every user accessing the app service via http gets redirected to https (http://mywebsite -> https://mywebsite).
Fine, it also works. But: when I try to access the admin area, after the login page from Microsoft where I enter my username and pwd it doesn’t get redirected to https://mywebsite/admin (which I expected) but back to the base url https://mywebsite.
Seems that I am missing something...
This will be due to your web application's Azure AD registration containing the https://mywebsite/ as the Return URL and not the https://mywebsite/admin. You can either add your admin site as another return URL or use some code to determine the location to return to after login. See How to set Azure Authentication custom login return url?
I have created a project in MVC that connects to TFS and brings the work items , i am displaying those work items according to my requirement. My project worked well on localhost , as soon i deployed it on some server , i am failing to connect to TFS , all it says is "Unauthorised".
Any help ?
You are running into the dreaded double hop authentication problem.
In AD you are authenticated by virtue of a Kerberos token. That token is issues to the machine that you are logged into and is only valid on that machine or one it directly connects to.
So you can use your local host token to authenticate to TFS, but as soon as you have a second hop (local->webserver->tfs) your authentication fails.
This is security by design.
To resolve this you need to use SetSPN to create a Service Principal Name (SPN) in AD that allows you to reuse the token on the web server.
You can create an SPN that only works for the webserver but you can't then deploy elsewhere. A better way is to create an SPN for the service account that you run the WebServer AppPool under. Then you can run it anywhere.
I have a Windows 2008 server running IIS 7 and I'm trying to configure Windows Authentication and ASP.NET Impersonation, specifically for an intranet site which uses MVC. When a user hits the site from IE they are automatically logged to our site using the captured Windows username.
I have everything working in IIS 6 with:
Anonymous access off
Integrated Windows Authentication on, and:
<identity impersonate="true"/> in the web.config.
In IIS 7, I can't seem to get it working, even in classic mode.
Under Authentication for the site in IIS 7, I have Windows Authentication and ASP.NET Impersonation enabled, everything else disabled. When I hit the site locally, it works. From a remote machine (on the same domain, using IE, loading it as an intranet site using the machine name i.e. http://servername/site/) I get challenged for my Windows credentials. Even if I enter in valid Windows credentials it fails, and clicking cancel gives me a HTTP Error 401, "The requested resource requires user authentication".
Turning ASP.NET Impersonation does not help anything. Any suggestions?
The problem turned out to be that the server had lost connection with the domain. I tried to remote desktop into the machine using my domain user account instead of a local admin, and I got the error:
The trust relationship between this workstation and the primary domain failed.
I remove the machine from the domain and re-added it, and after that both Windows Authentication and ASP.NET Impersonation work correctly.