
In IIS7 under Windows Server 2008, I have a virtual directory with anonymous access off and Windows authentication on. In my web.config, I have:

<authentication mode="Windows"/>
<authorization>
    <allow roles="MYGROUP"/>
    <deny users="*"/>
</authorization>

and

<system.webServer>
    <!-- IIS7 security settings -->
    <security>
        <authorization>
            <add accessType="Deny" users="*"/>
            <add accessType="Allow" roles="MYGROUP"/>
        </authorization>
    </security>
</system.webServer>

Yet when I access default.aspx from IE and set a breakpoint in Global.asax.vb Application_AuthenticateRequest(), I get a null HttpContext.Current.User where I am expecting my own identity. It is almost as if Anonymous Access is on?

What can I do to troubleshoot this? Everything seems to work in IIS6.

Patrick Szalapski
  • BTW, I looked here: http://codesnip.net/iis7-integrated-windows-authentication-win-2008 -- and everything looks good according to that. – Patrick Szalapski Nov 02 '09 at 21:07
  • Did you ever figure out a solution to this? Having the same issue, and this is the closest question I can find on the topic. – Jerad Rose Jan 03 '11 at 22:58
  • No--it has something to do with the new way IIS works, in that it can pass control to your ASP.NET program to do its authentication. I still need someone to explain it to me in more layman's terms, I'd guess. – Patrick Szalapski Jan 04 '11 at 22:26

4 Answers

29

The answer of moving the Application Pool back to classic is just delaying the problem.

Instead, leave the application pool alone and move your authentication check from Application_AuthenticateRequest() to the next function in the pipeline:

Application_AuthorizeRequest(object sender, EventArgs e)

By then the integrated Application Pool has completed the Windows authentication, so you will not receive null from HttpContext.Current.User.

The pipeline can be found here (link provided by CarlosAg).

A visualization of the pipeline can be found on the ASP.NET website's message lifecycle page. In the controller section, check out the two green boxes "Authentication filters" and "Authorization filters". These are the areas you are messing with.

Elliott Beach
Choco Smith
2

With IIS 7 and ASP.NET 4.0 the user was still null within Application_AuthenticateRequest(object sender, EventArgs e). I had to place all authentication logic within Application_PostAuthenticateRequest(object sender, EventArgs e). You can see an example here: context-user-is-null-in-application-authenticaterequest-via-windows-auth-in-asp

wickdninja
  • Application_AuthorizeRequest is after Application_PostAuthenticateRequest and after Application_AuthenticateRequest. Authorization should be done/checked in authorization, not authenticate. – Choco Smith Jan 10 '14 at 14:44
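The two answers above (move the check to Application_AuthorizeRequest, or to Application_PostAuthenticateRequest) can be seen together in one Global.asax. The following is an added example written for this page, not code from the original poster or either answerer. It assumes a C# Global.asax.cs (the asker's is VB), an integrated-mode application pool with Windows authentication enabled and anonymous authentication disabled, and the asker's role name "MYGROUP"; the stage logging goes to the debugger output purely so you can watch where Context.User is first populated.

```csharp
// Global.asax.cs - added example, not the original poster's code.
// Logs whether a principal is attached at each pipeline stage so you can see
// that, in an IIS 7 integrated-mode pool, User is still null during
// AuthenticateRequest and is populated from PostAuthenticateRequest onward.
// The group check is done in AuthorizeRequest, the stage meant for it.
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Assumed group name, taken from the asker's web.config. For a domain
    // group use the domain-qualified form, e.g. "DOMAIN\\MYGROUP".
    private const string RequiredRole = "MYGROUP";

    // Write the stage name and the identity (if any) to the debugger output.
    private static void LogStage(string stage, HttpContext ctx)
    {
        IPrincipal user = ctx.User;
        string who = (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            ? user.Identity.Name
            : "(null / unauthenticated)";
        Debug.WriteLine(stage + ": " + who);
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        LogStage("BeginRequest", Context);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // In integrated mode the native Windows authentication runs in this
        // same stage, so do not rely on Context.User here.
        LogStage("AuthenticateRequest", Context);
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // By now the Windows identity has been attached to the context.
        LogStage("PostAuthenticateRequest", Context);
    }

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        LogStage("AuthorizeRequest", Context);

        IPrincipal user = Context.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // No Windows identity reached us: answer 401 and stop the pipeline
            // so IIS can issue the authentication challenge.
            Response.StatusCode = 401;
            CompleteRequest();
            return;
        }

        // Equivalent of <allow roles="MYGROUP"/> followed by <deny users="*"/>:
        // an authenticated user outside the group is forbidden, not challenged.
        if (!user.IsInRole(RequiredRole))
        {
            Response.StatusCode = 403;
            CompleteRequest();
        }
    }
}
```

Run this with a breakpoint or the debugger output window open and request default.aspx: the first two lines show the unauthenticated placeholder, and the identity appears from PostAuthenticateRequest on. The web.config rules the asker already has perform the same allow/deny decision declaratively; the handler is only there to show the stage at which the principal is available to custom code.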
2

IIS7 has integrated authentication. You can set it back to the old type by changing the Application Pool back to classic in the basic settings in IIS.

*Caution: this is just an explanation and example; you may want to use the integrated authentication and do something different.

Yuriy Faktorovich
  • I must be missing something--IIS6 had "Integrated Windows Authentication" too. It is the first option under Authenticated Access in Directory Security > Authentication and access control > edit. What am I missing? – Patrick Szalapski Nov 02 '09 at 21:08
  • I didn't think what I am trying to do is "old type"--surely Microsoft isn't phasing out Windows Authentication. Where can I see info on the "new way" of doing authentication? – Patrick Szalapski Nov 02 '09 at 21:12
  • @Patrick: In IIS6 there were two levels of Authentication that were hit for each .NET request. First the Windows one, then the ISAPI would find out it was a .NET request and then .NET would do its own Authentication. In IIS7 .NET was integrated into the Web Server and now there is only one Authentication. As far as I understand it. MSDN would likely be the unfortunate choice for the new way, if you don't want to go with the old way. – Yuriy Faktorovich Nov 02 '09 at 21:21
  • Does this new way have a name so that I can search for it? Everything I search for seems to be referring to the old way. – Patrick Szalapski Nov 02 '09 at 21:26
  • @Patrick: you can find it on msdn: In IIS 7, application pools run in one of two modes: integrated mode and classic mode. The application pool mode affects how the server processes requests for managed code, link: http://technet.microsoft.com/en-us/library/cc753449(WS.10).aspx – Yuriy Faktorovich Nov 02 '09 at 21:29
  • Clearly I'd like to stay in integrated mode, not classic mode, and then adjust my app to properly using Windows Authentication (or its successor functionality) in integrated mode. I see nothing anywhere on how to do this, do you know of any? – Patrick Szalapski Nov 02 '09 at 21:34
  • @Patrick: Unfortunately I haven't tried that yet, I was just showing how you could set it back to the old way (which I prefer, most likely because I'm used to it). – Yuriy Faktorovich Nov 02 '09 at 21:45
  • You should read information about classic vs integrated, see http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis-7/ Integrated mode is much better, and it will have less duplication. The reason this used to work was because IIS would perform "AuthenticateRequest" way before ASP.NET would even see the request. In integrated, ASP.NET becomes 1st class in IIS and it will see the "BeginRequest and AuthenticateRequest" at the same time that IIS does. This causes some changes (correct changes I should add), which means some applications that leveraged the wrong behavior might fail. – Carlos Aguilar Mares Oct 28 '10 at 17:24
1

Anonymous access must be on if you don't use SSL or some security of your own.

stdT