I have built an application in Visual Studio, ASP.NET MVC for the company I work at. It is only accessible on our intranet, and uses Windows Authentication to validate the user. There are a few pages that I only want a few users to be able to view, and have restricted access to only those few. The problem is that multiple people use one computer. I need the people that are able to view the few pages to log out when they are done so that others cannot access the page. Right now, I have them closing out the browser, and that logs them out.
The log off button is visible at the top of the screen, but does nothing. Is it possible to use the log off button as well as Windows Authentication?
I have impersonation set to "on" within IIS.
Related
I am in the process of building a Intranet MVC 4 application for our analysts. The goal is to allow internal users access to this application without having to sign on given they are part of our internal network. When they access the application I want to be able to capture their windows user name and check against the active directory using LDAP and retrieve the department they belong to and display the relevant details on the screen. Based on the advice from different fora, I have chosen Windows Authentication for this application and I was able to test the app successfully running from Visual Studio. The trouble I am having is when I deploy this to our UAT server running IIS 7.5.
<authentication mode="Windows">
</authentication>
<identity impersonate="false" />
This is the current state of my Web.config file. Irrespective of whether impersonate is true or false, the application seems to not capture the windows username of the browser from which the application is accessed. Is
impersonate = true
required for this at all? In the Welcome message on the homepage, I always see the windows user name of the computer where the application is hosted/IIS is running. I have tried a wide variety of ways to capture the Windows User name of the incoming user request.
string name = System.Web.HttpContext.Current.User.Identity.Name;
string name = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name;
string name = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string name = System.Web.HttpContext.Current.Request.ServerVariables["LOGON_USER"].Name;
etc. I also looked into several other posts here like this. But I am unable to get it to work. I am afraid that I am trying to achieve this by accident rather than really understanding what is going on? Could someone please guide me in the right direction?
No, you misunderstand the purpose of impersonation.
First, Impersonation is no longer supported in IIS 7 or greater running in integrated mode.
Second, the purpose of impersonation is to change the "user" the worker process runs under at runtime, specifically to allow access to filesystem or database resources as that user. It has nothing to do with authentication in general, and is not particularly useful for most web applications.
You want to use Windows Authentication, however you should know that this will only work with Internet Explorer. It will also only work with servers that are joined to your domain, and do not have any intermediary Kerberos authentication issues. (these are often known as "double hop" problems). Other browsers do not, by default, provide Active Directory account information automatically, although some may be configured to allow it to do so, others do not.
If you are using a properly configured server with Windows Authentication, and you are using a browser that supports ActiveDirectory Kerberos ticket passthrough, and there are no network issues that would cause problems with this passthrough, then you can use HttpContext.Current.User.Identity.Name to get the users name.
Don't use LogonName or anything like that, as those will just give you the worker process, not the authenticated users name.
Right now I'm trying to get Atlassian's basic JQL standalone gadget template working with my Confluence install (found here: https://developer.atlassian.com/display/JIRADEV/Writing+a+JQL+Standalone+Gadget). It renders just fine when I bring up the preview window, but it seems that the gadget kicks me out of my Confluence session as soon as it renders. This makes it impossible to place onto the page, and of course, impossible to use. Right now I have both OAuth and Atlassian Application links set up between my instances, what could possibly be causing this behavior?
Do you have your JIRA and Confluence instances on the same hostname but on different ports? To get the Application Links to function properly, you will want your JIRA and Confluence on two separate hostnames. Trying to use http://localhost:8080 for JIRA and http://localhost:8090 for Confluence is asking for trouble, especially for things like cookies and OAuth.
You don't need to move the servers at all, but you do need to set up different hostnames. For example, edit /etc/hosts to add "127.0.0.1 conftest jiratest" and then access them as http://jiratest:8080 and http://conftest:8090.
Once you've made those changes, make sure that you go into each application and reconfigure the base URL in the admin console according to whatever it is that you decided above, then delete and recreate the application links, delete and recreate the external gadget feed, and try again.
You may also want to turn on the Trusted Application feature in both the incoming and outgoing authorization for the application link (scroll down when you are configuring it—some parts of that dialog may not be visible above the fold). (Though maybe this is what you meant by "Atlassian Application links"?)
I have the following architecture:-
Active directory server
IIS which will host asp.net MVC
Both the Active directory and the MVC web application are inside our company intranet.
I set the Asp.net MVC authentication type to be windows based.
But I have these questions:-
If our company employees tries to access the asp.net MVC web application from their home using their personal PC; will windows authentication work?
If the above answer is Yes; then how they will be typing their usernames, Something similar to username# domain.com ?
According to my above requirements, should I consider having form based authentication that is connected to AD? Instead of using windows based authentication?
Thanks for any help and advice
Best Regards
Assuming your website in IIS is visible to the outside through the firewall, then yes it will be accessible from home
depending on the browser, you should get a pop up asking for username and password, and the username should be typed
MYDOMAIN\JOEBLOGGS
This setup may well work fine but it depends on your needs - is your network admin happy to open this server up to the outside world
There can be a quirk if using Internet explorer externally, where IE does not display a pop up box, and instead tries to authenticate with the local windows username, which may not match AD username if it is a personal PC (to get around this on the client, go to Internet Options > Security > Custom Level then scroll down to User Authentication and select 'Prompt for username and password'
We are building a new web application that needs to run inside the SP Context for authentication. Unfortunately the person logged into the machine is not necessarily the person logged into SharePoint. I could not figure out a way to detect who was logged into SharePoint from an application outside of SharePoint. So, the solution is to deploy the application to the LAYOUTS folder within the 12 hive. This works great in that I can use a custom master page, go crazy with fancy user controls, AND be within the SP Context. I also locked down access to the page by detecting which web app the user was on so no one can access it from a different SP web app.
The problem is the URL. It is ugly. I want the url to be something like this: www.sitename.com/ instead of www.sitename.com/_layouts/appname/
I tried created creating a new web site within IIS that points directly to the app in the LAYOUTS folder. That failed because I was no longer within the SP Context.
I also tried an IIS redirect which worked, but the URL still switched over to the ugly URL.
Does anyone have any ideas for this?
My orginal problem was not being able to detect the currently logged in user for SharePoint outside of SP, so if you have a solution to that problem, that would be great too.
Your best option is to rewrite the URLs and HTML with a proxy. Apache with the mod_rewrite and mod_html_rewrite options are an option. However this kind of setup is not trivial.
You can use URL rewriting in IIS.
I'm building a .Net MVC app, where I'm using one particular view to generate an internal report. I don't want the users of the site to gain access to this page at all.
I've a console app that fires every so often which will scrape some of the details from this page by hitting it's URL.
I don't like the idea of having the URL hanging out there but I'm not sure of another way to go about it.
Thoughts on what might be the best practice way for tackling this?
Edit:
Here's what I ended up doing, created a new WCF Service project in the solution. I also copied basically what was the MVC view page into a new standard web forms page in this project. On top of adding security via the regular .net Authentication methods (eg set only valid windows users can access the page), I can also lock down the vhost to only be accessed by certain IP's.
The best practice would be to expose a wcf service for this, and set up a security model that is different than website.
If you must use MVC the best approach use forms authentication with mvc and set
[Authorize(Roles = "SecureUser")]
On the View.
If the view never needs to be rendered at all except to provide data for the console app, then why not have the console app simply connect to your database to get the data directly instead of going through the web app? You could still do this for the console app even if the view does need to be available for some users, then control access to the view using the Authorization attribute, which could suitably restricted now that an external app need not have access to it.