I have a standard ASP.NET MVC site with forms authentication.
Users log in via a web page. Then they can reach a silverlight app. When they log in, I pass them a forms auth cookie just like any other site:
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
The XAP file is in the ~/ClientBin/ folder. The SVC file is in the ~/Services/ folder. Anonymous access is blocked:
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
The Silverlight calls to the SVC results in a HTTP 302 bouncing back to the login page, and crashing the Silverlight. :( This only happens when anonymous access is disabled. I think Silverlight is NOT passing the cookie along with the WCF service call. Why not?
I made sure to use the AspNetCompatibilityRequirements as defined within the documentation (http://msdn.microsoft.com/en-us/library/dd560702(VS.95).aspx):
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class TaskSchedulerService : ITaskSchedulerService
{
and my web.config has
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true" />
</system.serviceModel>
The same thing happens using basicHttpBinding or customBinding with BinaryCompression enabled.
Good news! I found the issue...
My silverlight application was programmed such that it would inject a dot "." into the URL when it called the web service on localhost
(http://localhost/myservice.svc -> http://localhost./myservice.svc).
I purposefully added this extra DOT so I could debug local traffic with fiddler. I removed the dot, and authentication works! The extra dot was percieved as a separate domain.
It turns out that WITH INTERNET EXPLORER 9, FIDDLER CAN DEBUG LOCAL TRAFFIC WITHOUT THE DOT.
As the MSDN Dcoumentation says:
To use the service from a Silverlight application, no special steps are required. Invoke the service in the same way as you would invoke a non-secure service. When calling the service, if the user is not logged in to the ASP.NET site that hosts your Silverlight application, or if the user is not authorized to call the service, an error will occur. Thus, it is especially important to gracefully handle error conditions when using secure services.
Bottom line: if you are developing silverlight, IE9 is your best friend.
Related
We want to host ASP.NET MVC 5 project (.NET 4.8 Framework) where users will be automatically authenticated via their Windows login. When the users call the hosted project via the browser, then the browser should not prompt the user to login. The browser should pass the login-data to the server-side controller automatically.
Regarding this article, the Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, initially, it does not prompt users for a user name and password.
So the Integrated Windows Authentication seem to be the correct solution for our problem.
The MVC 5 Project has the following entry in the web.config file:
<configuration>
[...]
<system.web>
[...]
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
Here are the authenciation settings in IIS:
The authenticated user data is accessible in the controller by the following code:
public class HomeController : Controller
{
public ActionResult Index()
{
var lWindowsIdentity = Request.LogonUserIdentity;
[...]
}
}
The Problem: When we access the site in the browser via the binding http://192.168.178.41 then we expect, that the user is logged in automatically, but an prompt appears:
How to login in asp.net MVC using windows authentication without prompt?
Have you try the answer from this ticket ASP.NET MVC intranet app with windows authentication, how to get the current domain user automatically? ?
The fix for that guy was to go to authentication menu in iis -> select windows authentication -> click providers in the right pane -> adjust so that only NTLM is in the list of available providers. Negotiate seems to be the culprit for forcing the log-in prompt.
Check if the page is in the intranet zone... if not you might need to add it specifically to the intranet zone using the servername and/or ip address via configuration / internet options / security / local intranet / websites
Disable "Anonymous authentication" and make sure that "NTLM" is above "Negotiate" as a windows authentication provider (right-click in IIS on "Windows Authentication")
And since you disabled the "anonymous authentication" provider, there is no need for the <authorization> section in your web.config. remove it.
Finally test if it works.
I think on development web server that is with in the localhost environment it will skip the prompt but when the application runs through IIS(production) server, it prompts the user with the dialog that is pretty normal behavior. When you initiate a local url(your local ip) it kicks in IIS web server(not local) which checks for windows authentication and issues a prompt.
Please see this
I need my MVC4 app to get the current domain user that is logged on to the machine automatically logged in in my index.cshtml page.
the rest of the application works as intended by using the Authorize attribute the actions i need secured.
I just need to say to the app "get the current machine logged in user , dont secure anything and take the user to the landing page".
web.config:
<authentication mode="Windows" />
like this the user is BLANK on the landing page.
If i try to put just [Authorize] on my index action then it asks for credentials and then continues as i want, without securing anything on the landing page.
Is there any way around this?
UPDATE:
No matter what you do , it seems that there is no way to bypass the login prompt and make the application automatically get the current domain user and log him in the app.
Check this from MSDN
add impersonate="true" along with it
<identity impersonate="true"/>
<authentication mode="Windows" />
Then use
((HttpContext)context).User.Identity as WindowsIdentity
Use Windows Authentication and for ASP.NET and IIS and specify the ASP.NET URL Authorization in the web.config as shown in this answer. Whenever the current user is authorised, the user will be silently logged in.
Tested using IE 11, IIS 8.5, Windows Server 2012 R2.
i just finished fighting with this problem. i should preface that this is with iis 7 running on win 2k8r2. the fix for me was to go to authentication menu in iis -> select windows authentication -> click providers in the right pane -> adjust so that only ntlm is in the list of available providers. negotiate seems to be the culprit for forcing the log-in prompt.
You may also try adding the following to your <appSettings>:
<add key="enableSimpleMembership" value="false" />
I am building a local intranet web application which uses the current user's AD credentials to access the system. My web server is running IIS 7.5 on Server 2008.
My AD is configured with two groups, Users and Admins, both of which I want to access my web application and I have added the two groups (read/execute permissions) to my directory in IIS. My web.config is pretty standard and I do not have any additional filters in my Global.asax file.
I am able to access my application if I use my user or admin account, but my coworker can not, which further complicates things. My accounts do not have any permissions on the folder - only the groups to which they belong.
Authentication mode is set to Windows, but unfortunately every attempt as my coworker to access the website fails with the following:
HTTP Error 401.0 - Unauthorized
You do not have permission to view this directory or page.
The "most likely cause" box suggests:
The authenticated user does not have access to a resource needed to process the request.
I just can not figure this out. If I create a sample mvc3 application and deploy it in the same directory, I can authenticate and view pages fine as any user.
There can be many reasons for this.
Your controller needs to be decorated with appropriate authorization attribute like following
[Authorize(Roles = "Administrator")]
In your web.config, you need to have following code inside your system.web configuration
<roleManager enabled="true" defaultProvider="YourRoleProvider">
Finally you need to see if that user has been added to their respective roles
I'd the exact same issue. After having few hours of research, it seems to be very easy way to deal with this issue.
<system.webServer>
<modules>
<!--<remove name="FormsAuthentication" />-->
</modules>
</system.webServer>
I'd to remove <remove name="FormsAuthentication" /> statement from modules attribute in Web.config file which was added by default while creating default MVC website.
I had the same problem in MVC 4, and I have resolved it with this:
[AllowAnonymous]
(Add this line in controller, above action you are calling when this error appears.)
I have an intranet application using windows authentication that works great. Now I have a requirement to expose an Api area. This area should use basic authentication but to keep things easy I am first just trying to make this area allowed to anonymous.
I am using IIS 7.5 and it is configured like this:
IIS > My Intranet Site > Authentication > Windows Authentication Enabled,
everything else Disabled
in the application root web.config I have
<authentication mode="Windows"></authentication>
All the intranet controllers (except for Api Area) inherit from a BaseController that have an AuthorizeAttribute
I tried adding
<location path="~/Api">
<system.web>
<authentication mode="None" />
</system.web>
</location>
In the web.config for the API area, but no go, still get prompted for credentials.
My application structure looks like this
-IntranetApp
--Controllers
--Areas
----Area1
----Area2
----Api
All should be using Windows Authentication except for Api area.
Thanks for any help/pointers.
I don't know details, but the way I've seen "mixed" authentication done is two web applications. The one with windows authentication enabled will then use the ASP membership API to authenticate the user(and automatically create a username if necessary using information from domain account) and then redirect to the other site. Both site's membership config share the same application ID, keys, etc.
You are probably running into this:
"you cannot achieve this within a single application because in IIS once you set up Windows authentication for a virtual directory it will no longer accept users from different domains."
See this for more information on setting up one version of this:
ASP.NET MVC and mixed mode authentication
Exactly as per the title.
Simply in my HomeController I have:
string Username = User.Identity.Name;
Why is this value always blank?
Is there something special I have to place in the web.config to get this value to come through. I've tried on both the VS dev web server as well as on a windows server 2003 IIS server.
It's got to be something simple, a server setting in IIS or something as the code is so simple and seems to be the correct way to reference this value.
Thx a lot
If you are wanting to use windows authentication it's not enough to just add
...
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
...
You also want to check the readme file instructions for the MVC project, especially if your running in IIS Express and using Visual Studio 2012.
See below:
Hosting on IIS Express:
Click on your project in the Solution Explorer to select the project.
If the Properties pane is not open, open it (F4).
In the Properties pane for your project:
a) Set "Anonymous Authentication" to "Disabled".
b) Set "Windows Authentication" to
"Enabled".
Hosting on IIS 7 or later:
Open IIS Manager and navigate to your website.
In Features View, double-click Authentication.
On the Authentication page, select Windows authentication. If Windows authentication is not an option, you'll need to make sure
Windows authentication is installed on the server.
To enable Windows authentication on Windows:
a) In Control Panel open "Programs and Features".
b) Select "Turn Windows features on or off".
c) Navigate to Internet Information Services > World Wide Web Services > Security
and make sure the Windows authentication node is checked.
To enable Windows authentication on Windows Server:
a) In Server Manager, select Web Server (IIS) and click Add Role Services.
b) Navigate to Web Server > Security
and make sure the Windows authentication node is checked.
In the Actions pane, click Enable to use Windows authentication.
On the Authentication page, select Anonymous authentication.
In the Actions pane, click Disable to disable anonymous authentication.
Sure is mate. You need to authenticate with the website. That's the name used for authentication.
You are authenticating, right?
It's not a setting, etc.
Click the LOG IN link, if you're using the stock standard ASP.NET MVC template (if my memory serves me right).
UPDATE (as the posted has added more info/comments)
So what you're after is Windows Authentication. A quick google search came up with this post. It's pretty helpful (though a bit old, but still relevant) .. check that out.
Found a better post with MVC code for Windows Authentication. Check that out instead.
Config setting that is important, is...
...
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
...
If you do not wish to Authorize on every controller or action, you can do a blanket authorization in the web.config file. This should work as long as you are using Windows authentication. If you allow ASP.NET to control the authentication, then you would not need to configure any IIS setting. It should then work well with whatever web server that you are running on. I do not know or assume what u have tried so far I'll try to be complete in my answer. First remark off the forms authentication tag in web.config. All following settings are placed in the system.web configuration section.
<!--
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
-->
Replace with the Windows authentication tag.
<authentication mode="Windows" />
Then add the authorization tag to deny access to anonymous users. If the users are using Internet Explorer and are connecting from an Intranet zone, IE automatically will login the user. But if the user is connecting from the Internet zone, IE will still display a login box though for safety. But these are options that can be set from IE.
<authorization>
<deny users="?" />
</authorization>
Setting authentication mode alone without authorization does not force the user to be authenticated in ASP.NET. If you want to control the security from IIS, I cannot help much with IIS settings but I know basically you can disable Basic Authentication , then enable Integrated Windows Authentication and then disable the Anonymous Login Account which will achieve the same or better results.
I am also working on an MVC project at the moment and I tested the above settings with my project and it works. You would not need the Authorize attribute since we have the authorization tag in the configuration. I hope this can be of help to you and not get another -1.
Have you attached Authorize attribute to ur action or controller?
public class HomeController : Controller {
[Authorize]
public ActionResult Index() {
string userName = User.Identity.Name;
return View();
}
}