Windows authentication on webpage - No user

Question

I have enabled Windows Authentication in my webconfig. Now I want to retrieve the user who Is trying to access the webpage like this:

  [AllowAnonymous]
    public async Task<ActionResult> Index()
    {
        try
        {

            var username2 = System.Web.HttpContext.Current.User.Identity.Name;
        }
    }

I can't get any user from the Curent.User.Identity.Name. It's just blank. Why this?

I have also tried to disable Anonymous Authentication, but when I do this, a login dialog Is prompted. I don't want that.

I just want to get the computer user who trying to access the page. Is this possible?

And I'm not looking for Environment.Username, because that don't work when I deploy to the main server.

@ManfredRadlwimmer: So this Is not possible to do? How can I retrive the information the user enter into the login dialog when I have disabled Anonymous Authentication? — Bryan, Feb 21 '18 at 13:48
@WueF: On my local machine, It's IIS Express. When I deploy, It's on a regular IIS-server — Bryan, Feb 21 '18 at 13:49
Have you enabled windows authentication in IIS express config? Possible duplicate: https://stackoverflow.com/questions/36946304/using-windows-authentication-in-asp-net — WueF, Feb 21 '18 at 13:50
If you're trying to get a local Windows user from a remote connection this way, there are security reasons that's not going to work. That takes wiring up to Active Directory and such. If I log into Windows as user CDove, the best you're going to do from a website without specific permissions or a directory hookup is get my IP. — CDove, Feb 21 '18 at 14:04
Give up `System.Web.HttpContext.Current.User.Identity.Name`, and stick to `User` property of your controller. Besides, a prompt is so common for Windows authentication. To suppress the prompt, search on Stack Overflow to learn how to. — Lex Li, Feb 21 '18 at 14:12
It's not fully clear, are you talking about users from the open internet, not from your internal network? If so you can't do it - for a start, there's nothing to say they're even definitely using Windows, and if they are, they're not part of your Active Directory, so you can't check them (that's what Windows Auth does - it quietly checks your local ActiveDirectory for the user's identity). — ADyson, Feb 21 '18 at 14:12
@ADyson: In this case, It's on the internal network because you must have VPN to access It. Is this possible to omit the prompt? — Bryan, Feb 21 '18 at 14:13
If you just mean the internal network, then it should work if you enable Windows Auth and turn off Anonymous Access (in IIS and in web.config). Note that only Chrome and IE send the correct Kerberos token automatically. In Firefox it's not connected to the relevant Windows APIs and so the user will have to type their Windows username and password instead. It's also pretty flakey if you use RunAs or anything like that to open your browser. And it only works if the client machine using the VPN is a Windows machine which is joined to the same ActiveDirectory domain as the webserver. — ADyson, Feb 21 '18 at 14:14
@Bryan: Correct. It would be a security problem if I could, say, capture the Windows login of every person from a specific organization who accessed my website. It would be a social engineering hacker's dream. On top of that, what would happen if the user logged in from Linux or a Mac? You can only scrape usernames for Windows using Windows Auth on an intranet without consent of a directory, and that is by design. — CDove, Feb 21 '18 at 14:15
@ADyson: I have enabled Windows ath and turned off Anonymous Access, but It still prompts. — Bryan, Feb 21 '18 at 14:26
What about the other comments I made? Did you verify your client PC / browser meets all the necessary conditions? — ADyson, Feb 21 '18 at 14:30
A sensible thing would be to check and compare using a machine which is connected directly to the domain's LAN and not via VPN. Then we can rule that in or out as a factor. — ADyson, Feb 21 '18 at 14:40
@ADyson: You where right about chrome. The prompts is not shown in chrome, but it is shown in firefox. — Bryan, Feb 21 '18 at 14:44
yes, that's simply because Firefox doesn't plug in to the right Windows APIs to get the security token automatically, for whatever reason. It's well known that this is the case. There is an extension for Firefox available which provides this. — ADyson, Feb 21 '18 at 14:53

JaisG · Answer 1 · 2018-02-21T14:45:14.403

-1

Pls try using [Authorize] attribute

My code in the Controller works like so -

    [Authorize(Roles="# Some_team_name")]
    public ActionResult Foo(string param1)
    {
        string windowsLogonName = User.Identity.Name;
        ...............
        ...............

P.S: I hope the moderators would appreciate that to comment one still needs 50 points, so I am putting my comments in the answer block. Hope that is ok.

edited Feb 21 '18 at 14:45

answered Feb 21 '18 at 14:27

JaisG

147
1
8

1

You better remove `P.S.` before it's too late. You are attempting to answer, so it may be ok to post as an answer. If your answer is bad - you will get downvotes, but saying "Hey, you have rules and I am going to break them" is so wrong ;) – Sinatr Feb 21 '18 at 14:30

Windows authentication on webpage - No user

1 Answers1