I have developed an MVC intranet application which I have successfully deployed to IIS.
I have enabled Windows Authentication and denied access to anonymous users, however, only some accounts on the domain are able to gain access to the application.
I have checked these accounts and there is nothing special about them that I can see.
The first check for security is Domain Users which everyone is a member of.
All other users are prompted to login but it does not recognize their credentials.
I get a 401.1 - Unauthorized Error
Not sure what else to try. Any suggestions would be appreciated.
Solution : Folder permission on my wwwroot - Domain Users did not have read access.
=================================================================================
Check that kernel mode authentication is on:
Site>Authentication>Windows Authentication>Advanced Settings
Check authorization rules are not blocking users:
Site>Authorization Rules
I would test (allow all users) first, does that allow users through?
Related
I have a website that is hosted on an IIS web server. Within this site, I would like to access the username of the person logged on to the computer that is being used to access the site. However, I don't want them to have to log in. I have enabled windows authentication and identity impersonate in the web.config file. I have also enabled windows authentication and disabled anonymous login within IIS manager. I am receiving a login prompt from the browser and when i enter my credentials, they do not work.
I would like to know how to get rid of the login prompt and allow anyone to access the site while still being able to retrieve their windows username
According to your descritpion, the only way to achieve your requirement is modify IE setting to access your web application.
The IE has the security setting which will send the current login in windows user name and password automatically.
More details about how to modify the IE setting, you could refer to below article.
1.Open the IE and find the internet options.
2.Modify the user authentication
We have a Vaadin / Spring Boot application which should be accessible via a browser and without login from intranet only.
We would like to implement SSO with the Windows login (Active Directory).
The goal is high security with least configuration as the application is sold to customers.
I came up with the following scenario:
receive the IP address of the client accessing the Vaadin-Application.
Look up in the Active directory / Domain controller, which is in RW mode and see which user is online with this IP address in this very moment.
check the rights of this user managed by the Active Directory Groups.
make application available with logged in user for the client requesting it.
IP spoofing is not possible (as the connection is bidirectional, also users have no access to network devices.)
this login process is only done once to initiate the session.
Am I correct with these thoughts? Can you see any security issues? Is it really necessary to use certificates?
What would you recommend if so? Kerberos, CAS, x509, SAML?
Is there a good way to implement 2-Factor authentication on an MVC web application that is using Windows Authentication?
I see examples that show how to implement 2-Factor on a Forms-based MVC app, but couldn't find one for a Windows-based MVC app.
Any help would be appreciated!
2-factor doesn't make sense in the context of Windows Auth. The application is authorized by the user's domain account. The security aspect lies on the domain-end, not the application-end.
However, if you're dead set on doing this, you effectively can't use Windows Auth. That sounds a little contradictory, I know. How you would have to handle this is use application-based authentication, such as Identity, so the web application itself would hold the user accounts. Then, you can authenticate via connecting to LDAP directly. You'll have to set all this up yourself, in other words; no easy set it and forget like you get with Windows Auth. With something like Identity, you can implement 2-factor auth, so you're golden there. However, instead of validating the password via your application's database and users, you authenticate via LDAP.
This is actually pretty common among enterprise-class applications utilizing AD. Typically, they'll have a script that you can run, as a consumer of the app, to periodically update the application's user database from AD, so all the same users with the same details exist in both places, except for the password, which remains solely with AD. This way, the application can associate its own data with its copy of the user, but authentication and authorization still happens at the AD level.
I am running this MVC 4 site on iis express initiated through visual studio 2012. If I change the impersonate to false it works fine. Any ideas what I could be doing wrong?
Use ASP.NET impersonation when you want to run your ASP.NET application under a security context different from the default security context for ASP.NET application.
If you enable impersonation for an ASP.NET application, that application can run in one of two different contexts: either as the user authenticated by IIS 7 or as an arbitrary account that you set up. For example, if you were using Anonymous authentication and chose to run the ASP.NET application as the authenticated user, the application would run under an account set up for anonymous users (typically, IUSR). Likewise, if you chose to run the application under an arbitrary account, it would run under whatever security context was set up for that account.
By default, ASP.NET impersonation is disabled. If you enable impersonation, your ASP.NET application runs under the security context of the user authenticated by IIS 7.
I don't know how to answer why the message is so useless but I can say that it seems to be a product of the development web host (iis express) not being in the domain of the user you are trying to authenticate.
In my example I was on my home machine (not registered to the domain) connected in via vpn. With impersonate set to false and windows authentication enable in the web.config it will work fine. When you turn on impersonate it gives the invalid message.
If you have impersonate turned on when running from a machine (my workstation in the office) registered to the domain it works with no error message.
Hope this helps someone else.
I'm working with an MVC application on a test server that used to work perfectly. It creates accounts on a server that a 2nd application uses for logging in. It uses a credential store and PrincipalContext and UserPrincipal objects to create these accounts.
I haven't used the test version of this app for months or possibly almost a year. Now when I go to create an account with the application, I get the following error:
Access is denied.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and
the configured application pool identity on IIS 7.5) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
I looked at anonymous access, but the production version of this app also has a rule to deny anonymous access and it's working fine. This application never used impersonation even when it was working and I've heard that granting explicit access to ASP.NET is not generally recommended. I can make the application work locally through Visual Studio, but the version deployed to test continues to give this error. I would rater not republish the site to test, but perhaps that's the only option left? Is there anything obvious (but not to me) that could have changed in the security settings to cause this? I'm still researching with no luck.
Thank you!
You need to provide a service account to your ApplicationPool Identity that has the appropriate level of access. When you're using the Studio, it uses your user account for access so it's almost a given. When the application is installed onto IIS it uses the lowest possible level of access available, and that simply isn't enough. It isn't recommended that you open it wide up, but establishing a limited access service account for this specific purpose will allow the application to function without having to compromise system or personal accounts.