9

I am trying to deploy an application in a client network, with AD/domain controller.

My application is a simple asp.net c# application, using windows authentication.

I am using win2003.

Basically, using VS2008, create a new website, hosted on IIS6.0. Only 2 changes. 1. On IIS Directory security for the application, enabled "Integrated Security".
Note: anonymous is also enabled.

Only one change to the skeleton code generated. Add below to the page_load method of default.aspx

using System.Security.Principal;
...
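protected void Page_Load(object sender, EventArgs e)
{
    // GetCurrent() returns the identity the worker process thread runs as
    // (the application pool account unless impersonation is enabled).
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    Response.Write("<B>Windows Identity Check</B><br>");
    Response.Write("Name: " + id.Name + "<br>");
    Response.Write("<BR>");
    // User.Identity is the identity authenticated for this request;
    // its Name is empty when the request was served anonymously.
    Response.Write("User.Identity: " + User.Identity.Name);
    Response.Write("<BR>");
}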

Output of browsing to the page:

Windows Identity Check
Name: NT AUTHORITY\NETWORK SERVICE
User.Identity:

The User.Identity.Name does not output the current username.

As discussed in this article http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx

I added:

<authorization>
    <deny users="?"/>
</authorization>

From what I understand, when this is added, I can get the current user's username from User.Identity.Name.

However, once I added the above, the browser now prompts me for a username and password. Once I enter it, I am able to use User.Identity.Name to get the username. However I do not want the username/password pop up to appear. I want the application to authenticate the user based on their network credentials.

Am I missing something?

minalg
  • What browser did you test with? Only IE will pass the Windows username/password authentication. – Robert C. Barth Mar 03 '09 at 01:11
  • That's not necessarily true - FireFox supports Windows Integrated Authentication. – Christopher G. Lewis Mar 03 '09 at 04:36
  • Yeah, Firefox has no problem with this it just doesn't treat local hostnames as trusted/intranet zone by default like IE does - but it sure can be configured to. There's even an existing ADM template somewhere for FF I think for the lazy sysadmins to use. – Oskar Duveborn Mar 22 '09 at 20:51
  • Here's the check list btw: http://support.microsoft.com/kb/258063/en-us - not sure but having anonymous auth enabled in IIS as well might be a problem? – Oskar Duveborn Mar 22 '09 at 21:03

7 Answers

3

Check that internet explorer knows the site is part of local intranet zone. Also, under the settings for intranet zone check that automatic logon is enabled.

pipTheGeek
3

Your configuration in IIS is incorrect - turn off anonymous access, then integrated authentication will kick in, assuming you've also set it in your web.config via

<configuration>
    <system.web>
        <authentication mode="Windows" />
    </system.web>
</configuration>
blowdart
1

You do not want to change any configuration in the web.config file. In IIS server manager, in the site's Authentication settings, only enable Windows authentication and disable the other authentications.

Windows Authentication needs your Windows credentials to authenticate the user. That's the reason for the login prompt. To avoid that, you need to set your site IP or domain as a trusted intranet site in your client browser. For that:

1) Go to Browser settings -> Open proxy settings -> Security -> Local Intranet -> Sites -> Advanced

2) Then add your site domain or IP address

Now see whether your issue is resolved after clearing the browser cache.

This works for me. :)

Check this also: Receiving login prompt using integrated windows authentication

Dhananjaya
0

I think you cannot control it from the server app; it is a browser function to pass the credentials. In IE you may recommend your users check "Enable Windows Integrated Authentication" in Internet Options -> Advanced.

Mani
0

What URL is your site using, and what's the IE zone? If your app is running outside of the LocalIntranet zone, passthrough authentication is blocked, always prompting for User/Password.

Christopher G. Lewis
  • I am still trying to access it locally, using http://localhost/site. It prompts on all, IE, Firefox & Chrome – minalg Mar 03 '09 at 04:51
  • Can you add the relevant IIS logs to your question - looking for the 401/200 series of log items. Also can you try http://127.0.0.1/site and see if you get prompted? – Christopher G. Lewis Mar 03 '09 at 17:28
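
The comment above asks for the 401/200 series in the IIS logs. As an added example (not code from any poster on this page), the script below reads IIS W3C extended log lines and reports, per client and URL, the status.substatus sequence and whether a request ended up authenticated or was served anonymously, which is the case where User.Identity.Name comes back empty. The log lines, the field selection in the `#Fields` header, and the function names `parse_w3c` and `summarize` are assumptions made for illustration.

```python
# Added example: summarize the 401/200 sequence per client from IIS W3C logs.
# SAMPLE_LOG is constructed for illustration; it is not from the question.
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2009-03-03 04:50:01 10.0.0.21 - GET /site/default.aspx 200 0 0
2009-03-03 04:52:10 10.0.0.22 - GET /site/default.aspx 401 2 2148074254
2009-03-03 04:52:10 10.0.0.22 - GET /site/default.aspx 401 1 0
2009-03-03 04:52:10 10.0.0.22 EXAMPLE\\alice GET /site/default.aspx 200 0 0
2009-03-03 04:53:30 10.0.0.23 - GET /site/default.aspx 401 2 2148074254
"""

def parse_w3c(text):
    # Column names come from the #Fields directive, so any field order works.
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows

def summarize(rows):
    # Group by (client IP, URL) and keep the status sequence in log order.
    per_client = defaultdict(lambda: {"statuses": [], "user": None})
    for r in rows:
        entry = per_client[(r["c-ip"], r["cs-uri-stem"])]
        entry["statuses"].append(f'{r["sc-status"]}.{r["sc-substatus"]}')
        if r["sc-status"] == "200" and r["cs-username"] != "-":
            entry["user"] = r["cs-username"]
    result = {}
    for key, e in per_client.items():
        challenged = any(s.startswith("401") for s in e["statuses"])
        if e["user"]:
            verdict = "authenticated"
        elif challenged:
            verdict = "challenged, no successful logon"
        else:
            verdict = "anonymous"
        result[key] = (e["statuses"], e["user"], verdict)
    return result

if __name__ == "__main__":
    for key, info in summarize(parse_w3c(SAMPLE_LOG)).items():
        print(key, info)
```

A 200 with `-` in cs-username and no preceding 401 means the server never asked for credentials, so the fix is on the server side (anonymous access or the authorization rule) rather than in the browser.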
0

Is "Enable Windows Integrated Authentication" selected in IE's Internet Options?

Do both the IUSR_ and username you're entering have Read and Execute permissions to the directory where the application is hosted?

Does the application's directory reside on the IIS server, or is it located on a share, where Windows share permissions would come into play?

Eric H