How to configure Windows Authentication / Impersonation + IIS 7 + MVC - asp.net-mvc

I have a Windows 2008 server running IIS 7 and I'm trying to configure Windows Authentication and ASP.NET Impersonation, specifically for an intranet site which uses MVC. When a user hits the site from IE they are automatically logged in to our site using the captured Windows username.
I have everything working in IIS 6 with:
Anonymous access off
Integrated Windows Authentication on, and:
<identity impersonate="true"/> in the web.config.
In IIS 7, I can't seem to get it working, even in classic mode.
Under Authentication for the site in IIS 7, I have Windows Authentication and ASP.NET Impersonation enabled, everything else disabled. When I hit the site locally, it works. From a remote machine (on the same domain, using IE, loading it as an intranet site using the machine name, i.e. http://servername/site/) I get challenged for my Windows credentials. Even if I enter valid Windows credentials it fails, and clicking cancel gives me an HTTP Error 401, "The requested resource requires user authentication".
Turning ASP.NET Impersonation does not help anything. Any suggestions?

The problem turned out to be that the server had lost connection with the domain. I tried to remote desktop into the machine using my domain user account instead of a local admin, and I got the error:
The trust relationship between this workstation and the primary domain failed.
I removed the machine from the domain and re-added it, and after that both Windows Authentication and ASP.NET Impersonation work correctly.
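An added diagnostic for the situation above, not code from the original post: it checks the server's secure channel to the domain (the root cause in the answer) and then dumps the effective IIS 7 authentication settings for the site. It assumes the WebAdministration module (IIS 7.x with PowerShell 2.0 or later) and a domain-joined server; the site path is a placeholder.

```powershell
# Added example: diagnose a remote-only Windows Authentication failure on IIS 7.
Import-Module WebAdministration

$SitePath = 'Default Web Site/site'   # placeholder: <site>/<application> as shown in IIS Manager

# 1. Is the machine's secure channel to the domain healthy? A broken trust makes
#    Kerberos/NTLM validation of remote domain users fail while local requests,
#    which can be satisfied by the local machine, may still succeed.
$trustOk = Test-ComputerSecureChannel -Verbose
if (-not $trustOk) {
    Write-Warning 'Secure channel to the domain is broken.'
    Write-Warning "Run 'Test-ComputerSecureChannel -Repair -Credential (Get-Credential)' as a domain admin, or rejoin the domain."
}
# Which domain controller the channel is established with (empty/error = no DC reachable).
nltest /sc_query:$env:USERDNSDOMAIN

# 2. Effective authentication modules for the site. Expected for this scenario:
#    anonymousAuthentication False, windowsAuthentication True, everything else False.
#    These sections are locked at server level by default, hence -PSPath 'IIS:\' -Location.
$authModules = 'anonymousAuthentication', 'basicAuthentication',
               'digestAuthentication', 'windowsAuthentication'
foreach ($m in $authModules) {
    $enabled = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
        -Filter "/system.webServer/security/authentication/$m" -Name enabled
    '{0,-28} {1}' -f $m, $enabled.Value
}

# 3. ASP.NET impersonation is a system.web setting read from the application's web.config.
$imp = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SitePath" `
    -Filter '/system.web/identity' -Name impersonate
'{0,-28} {1}' -f 'identity impersonate', $imp.Value
```

If step 1 fails, fix the trust first; the IIS settings in steps 2 and 3 can look correct and still produce the 401 described above.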

Related

High Availability ASP.Net MVC on Azure Web App throwing 500 Internal Server Error

We have one ASP.Net pure MVC application (.Net MVC and jQuery). But due to increasing traffic, clients wanted to move to HADR (High Availability Disaster Recovery) using Microsoft Azure Web App. So we have deployed the same on two different Web Apps by going through the link https://codewithshadman.com/machine-key-generator/ and also the link Adding machineKey to web.config on web-farm sites
After following the above links, we are using the same machine key for these two Web Apps. But when we hit the HADR URL we land on the login page, and when we click the Login button after entering username and password, under the web development tool in Google Chrome we see the error 'Internal Server Error (500)'.
So does anyone have an idea how to set this up for Azure Web App?

How to find out the "current logged on user"?

I have an ASP.NET MVC app. It is hosted on Windows Server 2012 R2 joined to an AD domain.
The operating regime requires a Http proxy and credentials. When using a browser, the logged in credentials of the (human) domain user are applied transparently.
My ASP.NET app uses HttpWebRequest. Although the documentation says it would use the proxy as set in Internet Explorer, it does not appear to be doing so. So I assign the proxy manually and set UseDefaultCredentials to true, which the documentation says means the credentials of the "currently logged on user" will be used. But the response came back with:
The remote server returned an error: (407) Proxy Authentication Required.
Under IIS Authentication settings, I already have enabled ASP.NET Impersonation: <identity impersonate="true" />. (Is this the right thing to do?) How do I find out the identity of the process that is used to make the HttpWebRequest?
Or what must I do to use the credentials of the logged in domain user using my app to access the proxy?
I think you may refer to this answer on another question right here.
I think it's exactly related to your question.

ADFS 2016 IE and Edge prompt

We have an on-site ADFS 2016 server set up to authenticate clients to web applications. This seems to work fine for browsers other than IE or Edge.
When using those browsers the client gets a 401 and gets prompted for their credentials when trying to access the ADFS login page.
This version of ADFS doesn't use IIS so there is nothing to set there.
We made sure the ADFS DNS entry is an A record.
We tried adding the adfs url to the trusted sites in the client browser with no success.
Is there something else that needs to be setup for this to work?
This issue may relate to your primary authentication setting in ADFS being set to Windows Authentication. This may be a bit different in Windows 2016, but in 2012 R2, if you open your ADFS console, select Authentication Policies in the left-pane and then Edit Global Primary Authentication in the right-pane, you can see the primary authentication settings for Extranet and Intranet users.
If you would like Windows Authn to be your primary authentication, you may then need to enable Windows Integrated Authentication in IE / Edge. There are a couple of steps for this I can provide if this is your case.
UPDATE: It appears this turned out to be a Kerberos and SPN issue. Your ADFS machine name and ADFS service name should NOT be the same. The core of the issue, I believe, is that the SPN "HOST/AdfsMachineName" is registered with the AD computer object for the ADFS server and the SPN "HOST/AdfsServiceName" is registered with the ADFS service account. If AdfsMachineName and AdfsServiceName are the same, this causes a duplicate SPN scenario.
Check the output of the below command.
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUseragents
Should look something like this.
PS C:\Users\admin.contoso> Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUseragents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge
PS C:\Users\admin.contoso>
This controls which user agents (browsers) are allowed to do WIA. I suspect this list only contains non-IE/Edge user agents.
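An added check for the two conditions named in this answer, not code from the original post: it looks for duplicate HOST/ SPNs between the ADFS computer account and the service account, and inspects the WIASupportedUserAgents list. It assumes the ADFS PowerShell module and setspn.exe on the ADFS server; the service account and service FQDN are placeholders.

```powershell
# Added example: verify ADFS SPN registration and the WIA user-agent list.
$AdfsServiceAccount = 'CONTOSO\svc_adfs'        # placeholder: the ADFS service account
$AdfsServiceFqdn    = 'adfs.contoso.example'    # placeholder: the ADFS service name (federation service name)

# 1. Forest-wide duplicate SPN report. Any SPN listed under more than one
#    account, e.g. HOST/<name> on both the computer object and the service
#    account, is exactly the duplicate scenario described above.
setspn -X -F

# 2. Who holds the ADFS HOST SPN? Expected: the service account, and only it.
setspn -L $AdfsServiceAccount
setspn -Q "HOST/$AdfsServiceFqdn"

# 3. Machine name and service name must differ; otherwise the computer account's
#    default HOST/<machine> SPN collides with the service SPN and Kerberos
#    ticket requests for the service become ambiguous.
$serviceHost = ($AdfsServiceFqdn -split '\.')[0]
if ($env:COMPUTERNAME -ieq $serviceHost) {
    Write-Warning 'ADFS machine name equals the ADFS service name: duplicate SPN scenario.'
}

# 4. WIA user-agent list. A browser whose User-Agent matches an entry receives a
#    Negotiate (401) challenge; one that does not match is sent to forms sign-in.
$agents = Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
$agents

$edgePattern = '=~Windows\s*NT.*Edge'   # regex entry, as shown in the list above
if (-not ($agents -contains $edgePattern)) {
    # Append to the existing list rather than replacing it, so the MSIE/Trident
    # entries and any custom additions survive the change.
    Set-AdfsProperties -WIASupportedUserAgents ($agents + $edgePattern)
}
```

Run step 1 from an account that can read the whole forest; with the reported duplicate removed and the user-agent list verified, the browser-side Intranet zone / Integrated Authentication settings are the remaining thing to check.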

Authentication in MVC 5

I am building an ASP.NET MVC 5 web application which should be used by corporate users.
When they are inside the corporate network they should be authenticated automatically by Windows Authentication. When they call the application from outside the corporate network, from let's say a mobile phone, they should be redirected to a logon page where they can authenticate against Active Directory.
I've tried different things, but haven't been successful so far.
The last thing I tried was to create an authentication filter with the following configuration:
Web Application setting in IIS: Authentication = Windows Authentication
Web.Config Setting: authentication mode = Windows
From inside the Network this works fine. But when I try to authenticate from outside I get the authentication request before the AuthenticationFilter was hit.
On the second try I used the following settings:
Web Application setting in IIS: Authentication = Windows Authentication + Anonymous
Web.Config Setting: authentication mode = Windows
With this setting, when I call the site from inside the network the AuthenticationFilter gets hit twice: the first time with anonymous authentication, the second time with the real user I am logged in with.
Is there a way to configure the order in which authentication happens, or any other way to get both scenarios handled?
I have now used this approach to implement the forms-based authentication:
http://www.schiffhauer.com/mvc-5-and-active-directory-authentication/

TFS 2010 - Access Denied to Administrator for '/tfs'

I'm trying to set up a TFS2010 (with SP1) server and I keep running into hurdles.
The latest prevents me from doing anything useful as every HTTP request to "https://tfs.myserver.com/tfs" results in an HTTP 401. It doesn't matter if these requests come from the TFS Administration Console or from a web browser. Every time I'm prompted to authenticate I enter the domain Administrator's fully-qualified username and password and I always get this error message:
Team Foundation Server
TF30063: You are not authorized to access https://tfs.myserver.com/tfs. - The remote server returned an error: (401) Unauthorized.
Only a few settings in the Administration Console work (such as "Change URLs") but others, like "Group Membership" (either on the Application Tier node or on a Team Project Collection), result in the same prompt-then-fail.
The SSL certificate is valid, and the URLs seem consistent. I can't think what I'm missing out on.
EDIT: There is nothing relevant in the usual Event Logs. The Security log does show my Audit Failures, but I don't understand them because I'm entering the usernames and passwords correctly (the very same I use to access the servers over RDP):
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: DOMAIN
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
What's different about Group Membership & security dialogs is they go through the client APIs and access via IIS. All others such as change server urls go through the server model straight to the DBs. That means IIS cannot authenticate on your domain for some reason ...
From the description, it seems like a domain joined machine. Does IIS have access to the domain controllers? (is it connected to the domain network) The wizards verify you can reach AD but if you disconnect afterwards ... If IIS can't reach AD it will not be able to authenticate. TFS relies on IIS for windows authentication. It appears it can't do that.
Some other things to try:
On the application tier panel of the admin console, try changing the account (domain account) that the server runs as.
Did you choose Kerberos authentication in the advanced wizard? If you do that with a domain user as the service account, there's a pop-up dialog telling you that you need extra AD administration. If you did that, you can change to NTLM from the admin console.
Try to access it via http://machinename:8080/tfs (instead of FQDN) both locally and remotely. Try http://machinename:8080/tfs/web from the web browser as well. Make sure you're not having a proxy server issue (routing NTLM through proxy servers can be problematic; if you have "bypass local" in IE settings then addresses without dots won't route through the proxy, which takes that out of the troubleshooting picture). You can also completely disable the proxy in IE just for troubleshooting.
Create another web site manually with a hello world aspx running as the same account with anonymous & basic auth disabled and integrated windows auth enabled. Ensure it works.
After growing frustrated with trying the helpful suggestions people made but not getting anywhere I decided to start-over and try again. I completely uninstalled TFS, SQL Server, and SharePoint services and reinstalled from scratch.
This time it worked fine - no meddling with security was necessary and the system just worked out-of-the-box.
Looking back, I think the problem was that I set up TFS with the advanced option to use SharePoint, and then I probably fiddled around with settings I wasn't familiar with and ended up making a hash of things.
Note to future self: practice in a VM before deploying in production.