I am in the process of building an intranet MVC 4 application for our analysts. The goal is to allow internal users access to this application without having to sign on, given they are part of our internal network. When they access the application I want to be able to capture their Windows user name, check it against Active Directory using LDAP, retrieve the department they belong to and display the relevant details on the screen. Based on the advice from different fora, I have chosen Windows Authentication for this application and I was able to test the app successfully running from Visual Studio. The trouble I am having is when I deploy this to our UAT server running IIS 7.5.
<authentication mode="Windows">
</authentication>
<identity impersonate="false" />
This is the current state of my Web.config file. Irrespective of whether impersonate is true or false, the application does not seem to capture the Windows user name of the browser from which the application is accessed. Is impersonate="true" required for this at all? In the welcome message on the homepage, I always see the Windows user name of the computer where the application is hosted/IIS is running. I have tried a wide variety of ways to capture the Windows user name of the incoming user request.
string name = System.Web.HttpContext.Current.User.Identity.Name;
string name = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name;
string name = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string name = System.Web.HttpContext.Current.Request.ServerVariables["LOGON_USER"]; // ServerVariables returns a string, so there is no .Name
etc. I also looked into several other posts here like this. But I am unable to get it to work. I am afraid that I am trying to achieve this by accident rather than really understanding what is going on. Could someone please guide me in the right direction?
No, you misunderstand the purpose of impersonation.
First, impersonation is no longer supported in IIS 7 or greater running in integrated mode.
Second, the purpose of impersonation is to change the "user" the worker process runs under at runtime, specifically to allow access to filesystem or database resources as that user. It has nothing to do with authentication in general, and is not particularly useful for most web applications.
You want to use Windows Authentication, however you should know that this will only work with Internet Explorer. It will also only work with servers that are joined to your domain, and do not have any intermediary Kerberos authentication issues (these are often known as "double hop" problems). Other browsers do not, by default, provide Active Directory account information automatically; some can be configured to do so, others cannot.
If you are using a properly configured server with Windows Authentication, and you are using a browser that supports Active Directory Kerberos ticket passthrough, and there are no network issues that would cause problems with this passthrough, then you can use HttpContext.Current.User.Identity.Name to get the user's name.
Don't use LogonName or anything like that, as those will just give you the worker process, not the authenticated user's name.
I'm trying to set the Machine Key in the Web.Config of ASP.NET MVC apps, but it sounds like Azure automatically provisions unique machine keys for each web app and overrides what's in my Web.Config.
The reason I want to do that is because I have an App Service which is used as an authentication app. That's where users will log in. And I also have plenty of other apps that will be using the token provided by the first app. Doing this will authenticate users at one unique place and users will be able to navigate through some modules in a portal being authenticated only once. It works very well on localhost or hosted in IIS, but on an Azure-hosted App Service it seems like the machine key isn't read properly or something, even if I reset the machine-key configuration section upon Application_Start.
I tried the solution described Here, but as #gorillapower said
Seems this isn't working for us. We are using .NET 4.6.1 and using OWIN startup with app.UseCookieAuthentication() and using a Redis cache session provider. I implemented the above, but the user keeps getting logged out after a slot swap. Any ideas?
It also seems that when you run an ASP.NET application on multiple instances of an App Service Plan (ASP) you do not need to worry about machineKeys as the App Service Platform will use the same one across all your instances and therefore will not need to make any changes to your application.
But in my case, our Apps are all in different App Service Plan. So this solution doesn't apply.
Any clues about this problem?
Thanks
Generate a machine key and add it into the web.config file.
It will work for a web farm / load balancer either in IIS or Azure Web App service.
Note: it will only work if you are using IAppBuilder -> UseCookieAuthentication -> CookieAuthenticationOptions.
<system.web>
  <authentication mode="None" />
  <machineKey validation="HMACSHA256" decryption="AES" validationKey="D6883865C0490AFA4907A046E838DD2C7B13B636694B552630C13770701B944A" decryptionKey="2C3C48562E6FE018E71B69BDB27D06048A573C094A962AA9A1547C3D874C63B0" />
</system.web>
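The keys in the answer above are illustrative values posted publicly, so they must not be copied into a real deployment. The following is an added example (not code from the answer or from any project) showing how to generate a fresh machineKey element from a cryptographic random source; every app that has to accept the same authentication cookie gets the same element, and the generated values belong in protected configuration or a secret store, not in source control. The HMACSHA256 and AES algorithm choice matches the answer's element; the key lengths (64 bytes for validation, 32 bytes for AES-256 decryption) are the sizes ASP.NET documents for those algorithms.

```csharp
// Added example: generate a <machineKey> element with new random keys.
// Not code from the answer above; run it as a small console program and paste
// the printed element into <system.web> of each app that shares the cookie.
using System;
using System.Security.Cryptography;
using System.Text;

public static class MachineKeyGenerator
{
    // Builds the element with a 64-byte HMACSHA256 validation key and a
    // 32-byte AES decryption key, both as upper-case hex as web.config expects.
    public static string NewMachineKeyElement()
    {
        return string.Format(
            "<machineKey validation=\"HMACSHA256\" decryption=\"AES\" " +
            "validationKey=\"{0}\" decryptionKey=\"{1}\" />",
            RandomHex(64), RandomHex(32));
    }

    // Fills a buffer from the OS CSPRNG (never System.Random for key material)
    // and hex-encodes it.
    private static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
        {
            sb.Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    public static void Main()
    {
        Console.WriteLine(NewMachineKeyElement());
    }
}
```

Each run prints a different element; generate once and distribute the same element to every application that must validate the shared cookie. If any of those values is ever exposed, regenerate and redeploy, which invalidates all outstanding cookies.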
We're trying to set up IIS so that it uses its IIS AppPool identity when going against ACL permission checks (when getting static files from the filesystem) so that we don't have to add "everyone" or "authenticated users" to the main app folder or specific folders.
We've found that setting authenticatedUserOverride to UseWorkerProcessUser achieves the above, but no longer lets us access the specific Windows user hitting the website from within the MVC application.
Is there a better way to accomplish this? Again, we're trying to avoid having the specific user's credentials validated against ACLs when accessing files.
You can still get the authenticated user that is accessing the site using the LOGON_USER in the Request:
Request["LOGON_USER"]
Scott Forsyth details this on his blog under option #4 (http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk).
As for the best way to accomplish this, I think you are on the right path. I have used this approach along with the roles authorization aspect of ASP.NET to allow/deny access based on membership.
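Two posts above ask for the same building block: the first wants the caller's Windows account name and their Active Directory department, and this one wants the account name even though authenticatedUserOverride="UseWorkerProcessUser" has replaced the ASP.NET principal with the application pool identity. The following is an added example that serves both (it is not code from either answer or from any project). It reads LOGON_USER first, as this answer recommends, falls back to the Windows principal, validates the DOMAIN\user shape before the value is used anywhere, and escapes the account name before it is placed in an LDAP filter. The LDAP path "LDAP://DC=example,DC=local", the HomeController and the use of the standard "department" attribute are assumptions to adapt to your domain; it also assumes Windows Authentication is enabled for the site in IIS (system.webServer/security/authentication) and that the application pool identity is allowed to read user objects in the directory, since DirectoryEntry binds with the process credentials here.

```csharp
// Added example: resolve the calling Windows user and look up their AD department.
// Not code from the posts above. Assumes ASP.NET MVC on IIS with Windows
// Authentication enabled; LDAP path and controller are hypothetical.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

public static class CallerIdentity
{
    // Only accept DOMAIN\sAMAccountName with a conservative character set. Anything
    // else (including UPN form, which this example does not handle) is treated as
    // unknown rather than passed on to logs or directory queries.
    private static readonly Regex AccountPattern =
        new Regex(@"^(?<domain>[A-Za-z0-9._-]{1,64})\\(?<user>[A-Za-z0-9._-]{1,64})$");

    // Returns DOMAIN\user for the caller, or null for anonymous/unrecognised requests.
    // LOGON_USER is filled by IIS from the authenticated user even when
    // authenticatedUserOverride="UseWorkerProcessUser" has made User.Identity the
    // app pool account, so it is consulted first; the principal is the fallback.
    public static string GetAccountName(HttpContextBase context)
    {
        string name = context.Request.ServerVariables["LOGON_USER"];

        if (string.IsNullOrEmpty(name) && context.User != null)
        {
            var windowsIdentity = context.User.Identity as WindowsIdentity;
            if (windowsIdentity != null && windowsIdentity.IsAuthenticated && !windowsIdentity.IsAnonymous)
            {
                name = windowsIdentity.Name;
            }
        }

        if (string.IsNullOrEmpty(name) || !AccountPattern.IsMatch(name))
        {
            return null;
        }
        return name;
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Looks up the "department" attribute of a DOMAIN\user account. Returns null when
    // the account is not found or has no department set; the caller should still be
    // allowed to proceed in that case.
    public static string LookupDepartment(string accountName, string ldapPath)
    {
        Match match = AccountPattern.Match(accountName);
        if (!match.Success)
        {
            return null;
        }
        string sam = EscapeLdapFilterValue(match.Groups["user"].Value);

        using (var root = new DirectoryEntry(ldapPath))          // binds as the app pool identity
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + sam + "))";
            searcher.PropertiesToLoad.Add("department");
            searcher.SizeLimit = 1;

            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["department"].Count == 0)
            {
                return null;
            }
            return result.Properties["department"][0] as string;
        }
    }
}

// Hypothetical controller showing the two helpers in use.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        string account = CallerIdentity.GetAccountName(HttpContext);
        ViewBag.Welcome = account ?? "anonymous";
        ViewBag.Department = account == null
            ? null
            : CallerIdentity.LookupDepartment(account, "LDAP://DC=example,DC=local"); // assumed path
        return View();
    }
}
```

The filter escaping matters because the account name, even though IIS supplied it, is still data that ends up inside a query; escaping plus the strict pattern means a name containing "*" or parentheses cannot widen the search. Department lookups are cheap to cache per account for the lifetime of the request if several views need the value.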
I have several intranet-only web sites written in ASP.NET MVC 5 and hosted on IIS7.
For these I want to enable impersonation when accessing the database.
I don't want the complete impersonation that lasts for the whole request - because I don't need it and because it is not supported in the integrated mode and requires suppressing the error.
The important note is that impersonation here is not related to security. I don't want to prevent anyone from accessing the web site (if they are on the company's network, that is already a granted permission).
Rather, I need to store the Windows user name in the database against certain actions for logging purposes only. If no Windows user name is available for logging, that is fine and the user must be able to proceed.
The code I'm going to be using will be
var identity = User.Identity as System.Security.Principal.WindowsIdentity;
if (identity != null && !identity.IsAnonymous)
{
    using (var context = identity.Impersonate())
    {
        // access SQL Server, which will get the user name from SUSER_SNAME()
    }
}
The problem is that in order for IIS to pick up the Windows credentials, the anonymous access must be disabled, otherwise IIS will not even try to request credentials in some way or another.
This is a problem, because I want to keep the anonymous access.
Is it possible to somehow configure IIS or the application to let anonymous users in too?
Ideally this should be happening transparently, but if that is not possible, I will probably be happy with the browser displaying the username/password dialog, which the user would dismiss by clicking OK, which would provide blank username/password to IIS, which would allow them and map them to the anonymous situation (ish).
It is, however, not okay to request credentials from users whose browsers can provide Windows credentials automatically (IE does that by default, Firefox does that after changing a setting).
I have seen this .NET v1.1 era hack that involves reflection on private fields and this question on writing a custom HttpModule - but it is said to be called after IIS completes its authentication business, which is too late, and I have no idea how to initiate an NTLM handshake from such a custom handler.
I have a site based on ASP.NET MVC on Windows hosting. Now I need one more site based on PHP on Linux. I authenticate a user on the Windows site and let him upload some information. Now I want this information to go to the Linux-based site. This information could be audio/video or images.
How would I make sure that he can only upload to the Linux server when he is logged into the Windows-based site?
So basically I am thinking that before the Linux-based site saves something, it should verify that the user is logged into the Windows site. What about the logout process?
Help will be appreciated.
Regards
Parminder
If these two services use the same domain, your Windows site can save some value in a cookie, and the Linux site will identify whether the user is authenticated based on these values. However, it will only work if the two services are under the same domain name (they can be on different ports).
If not, I think Single-Sign On is advisable for security reasons, and OpenID or OAuth is recommended.
I have a pretty simple ASP.NET MVC Site Application. (MVC 1.0)
I have NO authorization sections in my web.config because I use the [Authorize] attribute on my controllers.
The default web.config for the server allows * for forms authentication, as expected.
I have 2 existing Windows 2008 dedicated (hosted) servers. The site works well.
I have a new dedicated server, seemingly identical, except the site just won't work. Every resource, even images/JavaScript, is redirecting to the login page.
I tried adding explicit authorization rules to allow * and location rules, same result. I checked the .NET trust level: Internal/Full Trust. Everything runs perfectly on two servers; just this one is ignoring all rules for authorization.
Any ideas?
thanks
I found the issue :) Unless something has changed in Windows 2008 I would have expected this to show as an error but as stated above, it was being hidden by Forms Authentication.
The issue was the hosting company now adds data drives to all servers for your websites/storage. There were no permissions set to allow IIS to read the files. The reason I couldn't find it was I already added permission for the application pool user, in my case I just went ahead and added ASPNET, Network Service, IIS Anon User etc to have full permissions.
I needed to allow Everyone to have at least Read on the website folders, and then IIS showed the non-secured content. I still think it is odd that forms auth was kicking in and ignoring all web.config rules, but anyway.
I found the error by turning off Forms Auth support in the IIS 7 manager. Then I got the process failure error because of file permissions.