Is there a way to find out what identity an MVC web application is impersonating?
I've set web.config to include
<system.web>
<identity impersonate="true" />
For IIS7 in integrated pipeline mode, I believe this should make the application impersonate IUSR (my thinking is set out in my blog post Identity impersonation with IIS and ASP.NET.
The MVC application itself uses Forms Authentication, and I can see the logged in user ok at
System.Web.HttpContext.Current.User.Identity
But my application then has to call a COM component, and I need to be sure what account it is using. From my tests, it still seems to be using NETWORK SERVICE, rather than IUSR, so I'm looking for a way to verify which identity the application is impersonating when calling the COM component.
Take a look at System.Security.Principal.WindowsIdentity.GetCurrent().User
Related
I'm trying to set the Machine Key in Web.Config of ASP.Net MVC apps but it sounds like Azure automatically provision unique machine keys for each web app and override what's in my Web.Config.
The reason I want to do that is because I have an App Service witch is used as Authentication App. Thats where users will login. And I also have plenty others apps that will be using the Token provided by the first app. Doing this will Authenticate users at one unique place and users will be able to navigate through some modules in a portal being authenticated only once. It works very well in localhost or hosted in IIS, but on Azure Hosted App Service it seems like Machine Key aren't read properly or something even if I reset the machine-key configuration section upon Application_Start.
I tried the solution described Here, but as #gorillapower said
Seems this isnt working for us. We are using .NET 4.6.1 and using OWIN startup with app.UseCookieAuthentication() and using a Redis cache session provider. I implemented the above, but the user keeps getting logged out after a slot swap. Any ideas?
It also seems that when you run an ASP.NET application on multiple instances of an App Service Plan (ASP) you do not need to worry about machineKeys as the App Service Platform will use the same one across all your instances and therefore will not need to make any changes to your application.
But in my case, our Apps are all in different App Service Plan. So this solution doesn't apply.
Any clues about this problem ?
Thanks
Generate machine Key and add into web.config file
It will work for Web Farm / load balancer either in IIS or Azure Web App service.
Note : It will only work if you are using IAppBuilder->UseCookieAuthentication-> CookieAuthenticationOptions
<system.web>
<authentication mode="None" />
<machineKey validation="HMACSHA256" decryption="AES" validationKey="D6883865C0490AFA4907A046E838DD2C7B13B636694B552630C13770701B944A" decryptionKey="2C3C48562E6FE018E71B69BDB27D06048A573C094A962AA9A1547C3D874C63B0" />
We have asp.net mvc web application, hosted in IIS with Windows authentication enabled (we are using active directory to authenticate users).
At some point (in production), users found themselves logged in using different users, the login usually done when user login to their laptops/PCs in the organization, so it is expected the website to always show their logged in user to the PC/laptop cause that is their identities.
For IIS, we are storing session state in Sql server, and we are maintaining sessions using HttpContext.Session in the application.
I need some guides on how I can track the source of the issue. Is there a tool or what code I can share with you that might help ?
Thanks!
Make sure that:
You have “Integrated Windows Authentication” (formerly called NTLM
authentication) enabled within IIS for the application you are using.
You should then add a web.config file to the root directory of
your ASP.NET application that contains an <authentication> section
which sets the mode to “Windows”.
You should also then add an <authorization> section to the same
web.config file that denies access to “anonymous” users visiting the site. This will force ASP.NET to always authenticate the
incoming browser user using Windows Authentication – and ensure that
from within code on the server you can always access the username and
Windows group membership of the incoming user.
The below web.config file demonstrates how to configure both steps described above:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Troubleshooting ideas...
For seeing the error, I would make sure you are showing the current user HttpContext.Current.User.Identity.Name; on each page. Refresh the page and make sure the user doesn't change. Go to other pages and do the same. Clear all cookies and application state in the browser, close the browser, then re-open the browser and go back to the site. You should still be logged in as the same user every page and every browser session. If this is intermittent, you may have to repeat this a few times to reproduce the error.
Does this every happen when running local IIS Express on developer machines? Does it ever happen in other environments (test, staging) where the code is deployed? If not, what is different about production?
Is there a proxy server between the users and the production web server? Or even some of the users, like if they come in through VPN?
I am trying to get details of current windows (AD) user in my mvc 5 asp.net vb.net intranet site.
When I started this project, I set my authentication to individual accounts assuming that I can still get windows user information. But I have had no luck. I can get this information when I am using visual studio in debugging. But this information is replaced by the identity name of apppool in IIS.
My intranet site is currently set to use the following config.
<authentication mode="Windows" />
<authorization>
<allow users="*"/>
<!--<deny users="?"/>-->
</authorization>
My application is set to use anonymous and windows authentication. If I turn off anonymous, I start getting query string too long. It starts going in infinite loop when trying to create a return url. This is really annoying.
Anyways. For me, the concept was: If the user is windows AD user, they can get to my log in page and if correct credentials they can use the site else get kicked out. So a bit like a two factor authentication.
I have settled for allowing anonymous in favour of getting ad information and then based on that I can either deny or allow access. I intend to put this information in my login controller where signinstatus.success = true.
I have scoured the internet in trying to find a decent enough solution to try and get this hybrid to work but I am struggling for clarity. In some cases people just want to plug their own tools.
AllowAnonymous is necessary when you have a precursor to authorization, i.e. a login page the user must submit. If you don't allow anonymous users to access this page, then there's no way for them to actually login to become authorized to view the page (hence your infinite redirect).
ASP.NET Identity and Windows Auth are distinct and incompatible authorization schemes. You cannot use both simultaneously in the same application. You can however, use ASP.NET Identity and add a custom authentication/authorization layer that utilizes an LDAP connection to check credentials against AD. In other words, if you want to use AD, you have to add a manual integration of that.
Can someone explain to me how to achieve single-sign on? I have an MVC ASP.NET core web app(let's say www.internalsite.com), how can the app get the user credentials automatically and authenticate etc.? I need a very clear explanation on how to do it.
By using www.internalsite.com I guess you are talking about a site on an intranet, right? How are you hosted? IIS in front of Kestrel? If so, then it's quite straightforward, you just need to configure IIS to foward the Windows identity (coming from a Kerberos token usually) by setting the proper value in the web.config: forwardWindowsAuthToken="true" as explained here: Asp.net Core Web API - Current user & Windows Authentication and make sure you have a controller/action protected by an [Authorize] tag so that the IIS middleware is challenged and set the identity of the request as explained here: NTLM authentication on specific route in ASP.NET Core No much code to write in your project. If you are using another hosting setup, WebListener, it is pretty much the same.
Another solution, would be to do SSO by client certificate which has the advantage of working cross domain, but SSO by Kerberos is by far easier and usually doing a good job on an intranet.
I have an MVC 3 website that is using Forms authentication. The user logins and navigates to a Silverlight 5 application. The Silverlight app is calling a Silverlight-Enabled WCF service on another port. Because one of my requirements is to use Https/SSL, I decided to move the WCF services into a "Services" folder in my MVC application.
To see if the service is working, I typed in the address of my service. I got an error message stating my service requires anonymous access, but the website is specified to use forms authentication. So, I removed my mexHttpBinding in my web.config for my service and added authenticationScheme="Negotiate" to my httpTransport of my binding. (I'm not to https yet).
Now, I get a 302 and am redirected to the log-in page. It seems that my service is suggesting i'm not logged in. So, I added
routes.IgnoreRoute("{resource}.svc/{*pathInfo}");
and
routes.IgnoreRoute("Services/");
but that hasn't made a difference. I think the service says i'm not authenticated, but I'm certain I am.
Can someone explain what I'm doing wrong?
All of this works when I debug on my localhost, but I can't access the service when I deploy to a server.
Edit
I may have found my answer. I turned on anonymous access for my website in IIS and changed the httpTransport's authenticationScheme to the default (Anonymous). I then added
<authorization>
<deny users="?"/>
</authorization>
along with
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
which seems to be requiring the user to be authenticated in order to access the service. I am now going to check my silverlight application to make sure it can reach the service and get/post data. This was all in a test application, so I'll have to change my real application accordingly. Then, I'll tackle ssl/https.
Does all this sound right?
EDIT 2
I had to ensure mex was enabled and aspNetCompatibilityEnabled was set to 'false' to get the conctracts to update in my silverlight app. But after updating my services, I set the aspNetCompatibilityEnabled to 'true', and everything appears to be working.
I hope I'm still headed down the right path...
I ended up setting up IIS to add the webservice as a website under the parent website. Then, I used the Location tag in the parent site's web.config to implement forms authentication on the webservice.