10

Asp.Net Core doesn't seem to recognize the user from the call context?.User?.Identity?.Name when windows authentication is enabled and running in IIS Express or IIS.

Desired behavior: Enabling both Windows authentication and anonymous authentication in IIS and/or IIS Express, Asp.Net Core should automatically recognize the windows user.

Actual behavior: When I enable both windows and anonymous authentication in IIS or IIS Express, the user name is null. When I disable anonymous authentication or call HttpContext.ChallengeAsync(IISDefaults.AuthenticationScheme), I get a login prompt, which I don't want.

My understanding is that, even though I want to use this for Active Directory, I don't need active directory or a domain to authenticate a windows user.

Environment:

  • Windows 8.1 (not on a domain)
  • IIS 8.5 / Visual Studio 2017 w/ IIS Express
  • Windows Authentication security feature installed
  • Windows Authentication & (with NTLM provider) & Anonymous Authentication Enabled
  • Logged in as local account user

Dependencies:

  • Microsoft.AspNetCore.All 2.0.8

Startup:

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<IISOptions>(iis =>
    {
        iis.AuthenticationDisplayName = "Windows";
        iis.AutomaticAuthentication = true;
    });

    services.AddAuthentication(IISDefaults.AuthenticationScheme);
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseAuthentication();
    app.Run(async (context) =>
    {
        await context.Response.WriteAsync(JsonConvert.SerializeObject(new
        {                
            UserName = context?.User?.Identity?.Name
        }));
    });

launchSettings.json:

{
  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:51682/",
      "sslPort": 0      
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
}

web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="aspNetCore" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
    </handlers>
    <aspNetCore forwardWindowsAuthToken="true" processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" />
  </system.webServer>
</configuration>

applicationhost.config: (IIS Express)

Based on this article: https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/

<authentication>
  <anonymousAuthentication enabled="true" userName="" />
  <basicAuthentication enabled="false" />
  <clientCertificateMappingAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication>
  <windowsAuthentication enabled="true">
    <providers>
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>
</authentication>
szahn
  • 183
  • 1
  • 3
  • 11

2 Answers2

5

A couple things:

  1. When you disable anonymous authentication, you get a popup because the browser likely doesn't trust the site. You need to open Internet Options (from the Windows Control Panel) -> Security tab -> Click 'Trusted Sites' -> Click 'Sites' and add the URL to your site there. Both IE and Chrome use those settings for deciding whether to automatically send your credentials.

  2. When you have both anonymous and Windows authentication enabled, anonymous takes precedence except in places where you tell it that the user must be logged in. To do that, use the [Authorize] attribute either on a controller, or just on individual actions. There are more details in the documentation, under the heading Allow Anonymous Access.

Gabriel Luci
  • 38,328
  • 4
  • 55
  • 84
  • It seems the latest version of Chrome inherits settings from IE. When testing on localhost, I had to move localhost from trusted sites to local intranet zone in IE to fix the login prompt issue in both IE and Chrome. Follow these instructions on Firefox: https://docs.secureauth.com/display/KBA/Enable+Integrated+Windows+Authentication+%28IWA%29+in+Mozilla+Firefox – szahn May 21 '18 at 16:25
  • 1
    @GabrielLuci I have followed pretty much the step but still can not get it work. The site works if I configure it without any binding with port 8081. But if I configure the site with any binding it just keep prompting the credentials dialog and even after providing correct credentials it never goes thru. I posted question [here](https://stackoverflow.com/questions/63213584/windows-authentication-does-not-work-on-iis-with-asp-net-core). Please suggest if there is any other way I can solve this issue. – Chetan Aug 12 '20 at 15:29
  • My god thank you I've been ripping my hair out on this one – Aaron Jordan Aug 24 '20 at 22:40
0

In my case not enabled the windows authentication in the IIS server. once I enabled it's working fine.

enter image description here

Kona Suresh
  • 1,836
  • 1
  • 15
  • 25