
I'm trying to create a simple action filter for my MVC site that checks the current Windows user against those allowed access to the site. For some reason, the filterContext.HttpContext.User.Identity object is always set to anonymous with no username. I've tried to grab it at different stages (OnAuthenticate and OnAuthorize), but it's always anonymous.

I currently have anonymous and Windows authentication enabled in IIS (actually followed this example to configure the Windows Auth feature), and I have the following block in the system.web node of my web.config:

<authentication mode="Windows" />
<authorization>
  <allow users="*" />
  <deny users="?" />
</authorization>

However, for some reason, the Identity is always anonymous with no username. I have to be missing something here. With Windows Auth set in IIS, I'm always prompted for the username/password combo (which actually fails with HTTP 401.1 error 0xc000006d, though I think this might be because I have a custom host header setup for development). I've also read a few articles that suggest this is because my site is determined to be in the internet zone and the answers always state to add the site to the intranet zone in Internet Explorer. This seems like a band-aid fix though, and not the actual solution.

Ideally, I would like to have the following:

  1. User browses to my site
  2. Behind the scenes, their Windows username is picked up, and authenticated against allowed users managed by the app
  3. User authenticated successfully, page loads, user is none the wiser they were authenticated

What do I need to do to achieve this?

Thanks in advance for any help. Please let me know if I can provide more context.

Edit: Forgot to add I'm running this on Windows 7 SP1, IIS 7.5

Michael H
  • You need to complete the login without a 401 before a Windows Identity will be set. Otherwise your identity will be anonymous. As far as the intranet zone I have never had the problem. There can be issues when authenticating using localhost. – Alexander Higgins Jul 04 '17 at 04:50

4 Answers

1

Try

<system.web>
    <identity impersonate="true" />
</system.web>

OR

Click on the project, not the solution => open the Properties explorer, not right-click Properties => you will find Anonymous Authentication set to disabled

Hope Mystery
1

In your solution explorer, press F4 over the project, and change Windows Authentication to Enable if you are running your project from Visual Studio;

In IIS, select your WebSite -> Authentication, disable Anonymous Authentication, and make sure that "Windows Authentication" is enabled.

ThaNet
0

You need to disable anonymous authentication in IIS and enable Windows auth only.

Houssam Hamdan
0

These two rules are in the wrong order in your code

<allow users="*" />
<deny users="?" />

Since you first allow everyone, the second rule is not even evaluated.

Try switching them

<deny users="?" />
<allow users="*" />

This way you first deny anonymous requests so that the authentication pipeline can even return 401 to the client. When the NTLM/Kerberos authentication picks the username, the second rule allows everyone (authenticated this time).

For this to work you also have to disable the anonymous authentication.

Wiktor Zychla
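
The rule-order point from the answer above, as an added example (not code from any of the answers): a Python sketch that evaluates `<authorization>` rules top-down with the first match winning, and flags rules that can never fire. It ignores the `roles` and `verbs` attributes; the fall-through default, the case-insensitive name comparison, and the sample user name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs: the question's rule order and the corrected order.
TEMPLATE = ('<system.web><authentication mode="Windows" />'
            '<authorization>{}</authorization></system.web>')
ALLOW_ALL, DENY_ANON = '<allow users="*" />', '<deny users="?" />'
QUESTION_CONFIG = TEMPLATE.format(ALLOW_ALL + DENY_ANON)
FIXED_CONFIG = TEMPLATE.format(DENY_ANON + ALLOW_ALL)


def load_rules(config_xml):
    """Return the <authorization> rules as (action, [user patterns]) in file order."""
    auth = ET.fromstring(config_xml).find("authorization")
    return [(rule.tag, [u.strip() for u in rule.get("users", "").split(",")])
            for rule in auth if rule.tag in ("allow", "deny")]


def matches(pattern, user):
    """'*' matches everyone, '?' matches anonymous (user is None), else a literal name."""
    if pattern == "*":
        return True
    if pattern == "?":
        return user is None
    # Assumption: names are compared case-insensitively.
    return user is not None and pattern.lower() == user.lower()


def evaluate(rules, user):
    """First matching rule wins; returns (decision, index of the deciding rule)."""
    for index, (action, patterns) in enumerate(rules):
        if any(matches(p, user) for p in patterns):
            return action, index
    return "allow", None  # assumption: inherited allow-all default applies


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule matches '*'."""
    for index, (_, patterns) in enumerate(rules):
        if "*" in patterns:
            return list(range(index + 1, len(rules)))
    return []


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("fixed", FIXED_CONFIG)):
        rules = load_rules(cfg)
        print(name, "anonymous:", evaluate(rules, None), "unreachable:", shadowed_rules(rules))
```

With the question's order the anonymous request is allowed by rule 0 and the `deny` rule is reported as unreachable; with the corrected order the anonymous request is denied, which is what lets the server issue the 401 challenge.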