
I have two domains A and B, with a user Administrator in each. Both admins have different objectGuids, SIDs and passwords. There's an IIS 8.5 in B configured with Windows Authentication (Methods Negotiate/NTLM, Extended Security disabled, Kernel mode auth enabled). Domain B trusts domain A (one-way trust).

When I now open IE as A\administrator, and connect to the IIS in B, the IIS returns to me that the user logged in is B\administrator (should be A\administrator).

This is my code:

```csharp
using System.Security.Principal;
using System.Web.Http;

// Minimal response model assumed for the question's controller
// (the original post references it without showing it).
public class User
{
    public string Name { get; set; }
    public string SID { get; set; }
}

public class UserController : ApiController
{
    // GET api/<controller>
    public User Get()
    {
        // Windows Authentication populates User.Identity with a WindowsIdentity;
        // .User is the account's SecurityIdentifier (null if unauthenticated).
        var usr = ((WindowsIdentity)User.Identity).User;
        return new User() {
            Name = User.Identity.Name,
            SID = usr == null ? "" : usr.ToString()
        };
    }
}
```

Also, the same is in the IIS log:

```text
2018-05-07 09:19:10 172.17.41.31 GET /winauthtest/User - 80 B\Administrator 172.17.42.11 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;+.NET4.0C;+.NET4.0E) - 404 0 2 31
```

  • Is this intended behaviour or a bug, and if it's a bug, where to report the bug?
  • Can I fix it by changing Windows Authentication settings, or what else could I do about it?
  • Do you know any other possibility to get the true SID of the user that is accessing my IIS?
Alexander
  • 1. Which user is used to run the application (ApplicationPool user)? 2. Can you add `authentication` snippet from the `web.config`? – Albert May 07 '18 at 09:50
  • @Albert The app pool is running as `ApplicationPoolIdentity`. – Alexander May 07 '18 at 09:51
  • 3. Have you tried to [enable `impersonation` in `web.config`](https://stackoverflow.com/a/47263205/2495004)? – Albert May 07 '18 at 09:55
  • @Albert Not allowed in Integrated Pipeline Mode. – Alexander May 07 '18 at 10:21
  • @Albert I switched to Classic pipeline mode and changed impersonation to true but I still get the wrong Administrator account. – Alexander May 07 '18 at 10:25
  • IIS/Windows believes the B/administrator is the login user, which should be very clear from the logs. Then you should analyze AD packets to see what’s up on your AD configuration. – Lex Li May 07 '18 at 10:33
  • @Alexander, you can try this: [Can I impersonate a user on a different Active Directory domain in .NET?](https://stackoverflow.com/a/997052/2495004) – Albert May 07 '18 at 10:44
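Since both domains have an account called "Administrator", the display name in `User.Identity.Name` and in the IIS log cannot tell the two apart; only the SID and its domain prefix can. The following Web API controller is an added example (my own code, not Alexander's or the page's) that returns the parts of the Windows token that are useful for diagnosing this: the account SID, the domain part of that SID, the package that actually authenticated the request (`AuthenticationType` is typically "Kerberos" or "NTLM"), the impersonation level, and the group SIDs. The `ExpectedDomainSid` value is a constructed placeholder; it would be replaced with domain A's real SID. `IdentityReport`, `DomainCheck` and `IdentityDiagController` are names chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Principal;
using System.Web.Http;

// Hypothetical diagnostic model: every field that helps tell the two
// "Administrator" accounts apart. The name is ambiguous across A and B;
// the SID (and its domain prefix) is not.
public class IdentityReport
{
    public string Name { get; set; }
    public string Sid { get; set; }
    public string AccountDomainSid { get; set; }
    public string AuthenticationType { get; set; }   // e.g. "NTLM" or "Kerberos"
    public string ImpersonationLevel { get; set; }
    public bool IsFromExpectedDomain { get; set; }
    public List<string> GroupSids { get; set; }
}

public static class DomainCheck
{
    // True when the account's SID belongs to the expected domain.
    // The comparison is structural (SID prefix), never by display name.
    public static bool IsFromDomain(SecurityIdentifier accountSid, SecurityIdentifier expectedDomainSid)
    {
        if (accountSid == null || expectedDomainSid == null) return false;
        // Well-known SIDs such as S-1-5-18 (LocalSystem) have no account domain:
        // treat them as "not from the domain" rather than throwing on a null prefix.
        if (!accountSid.IsAccountSid()) return false;
        return accountSid.AccountDomainSid.Equals(expectedDomainSid);
    }
}

public class IdentityDiagController : ApiController
{
    // Placeholder (constructed value, not from the page): replace with the
    // real SID of domain A, e.g. from (Get-ADDomain -Identity A).DomainSID.
    private static readonly SecurityIdentifier ExpectedDomainSid =
        new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333");

    // GET api/identitydiag
    public IdentityReport Get()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new HttpResponseException(HttpStatusCode.Unauthorized);

        SecurityIdentifier sid = identity.User;
        return new IdentityReport
        {
            Name = identity.Name,
            Sid = sid != null ? sid.Value : "",
            AccountDomainSid = sid != null && sid.IsAccountSid() ? sid.AccountDomainSid.Value : "",
            AuthenticationType = identity.AuthenticationType,
            ImpersonationLevel = identity.ImpersonationLevel.ToString(),
            IsFromExpectedDomain = DomainCheck.IsFromDomain(sid, ExpectedDomainSid),
            GroupSids = identity.Groups != null
                ? identity.Groups.Select(g => g.Value).ToList()
                : new List<string>()
        };
    }
}
```

Calling this endpoint from a session logged on as A\administrator shows directly whether the token IIS built was issued for A's account or for B's: if `AccountDomainSid` equals domain B's SID, the log line above is accurate and the request really was authenticated as B\Administrator, whatever the browser sent. `AuthenticationType` is worth recording alongside, because a request that arrives as NTLM rather than Kerberos behaves differently across a one-way trust, and any authorization rule in the application should key on `Sid` (or the group SIDs) rather than on the name "Administrator".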

1 Answer


OMG, I had the same problem and your problem gave me a hint as to why this is happening. So, running my project in Chrome gives me the wrong domain, while opening in Edge gives me the correct domain. I have my project set up using Windows Authentication and it seems Chrome is in some way blocking Windows Authentication. This link gives more info. https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

In the end, another of my coworkers had the same issue and we couldn't fix it properly. It would misbehave randomly. The only solution that seemed to work was restarting the PC.

Cubelaster