11

I would like to be able to detect, from ASP.NET code, whether IIS currently has "Windows Authentication" "available"?

Starting from my application installed and currently running under "Anonymous Access", I want to detect:

  1. "Windows Authentication" component has actually been installed in IIS (e.g. some IIS7 have it not installed by default); and...
  2. "Windows Authentication" is actually "Enabled" on my virtual root/location.

I want this information to let the Administrator know whether he needs to take action in IIS before he actually attempts to switch it on on my application.

(Hence, for example, I think IIS7: How to define that windows authentication is turned on? does not help me, as that is looking at whether it is already on for my application; I want to know whether it is installed/can be turned on.)

My "solution" would need to work (or at least not "fail") with versions of IIS prior to 7 as well as 7 itself, so if there are differences there I need to know. Thanks.

Community
  • 1
  • 1
JonBrave
  • 4,045
  • 3
  • 38
  • 115
  • What versions of IIS need to be supported? Do you need to support IIS 1.0 (a Windows NT 3.51 add-on)? – Chris Shouts Jun 27 '11 at 16:17
  • :-) I would *like* to support back to IIS 5 and 6, but if a solution is 7 only I could live with that provided I can test for 7/not break older IIS hosts. – JonBrave Jun 27 '11 at 16:57
  • For #1, I suppose I could follow the http://learn.iis.net/page.aspx/135/discover-installed-components/ route and check the registry for "WindowsAuthentication" (as I do from setup program for "IIS Metabase Compatibility"), seems messy but if nothing else is available? But for #2, I don't think registry will tell me? – JonBrave Jun 27 '11 at 17:06
  • @JonBrave, the `applicationHost.config` file can also be used to determine whether windows authentication is **installed**. All you have to do is query the globalModules section for a module with the name "WindowsAuthenticationModule" (it's rather easy). Unfortunately, I had to elevate the application pool identity's permission to query the applicationHost.config file ... – Tung Mar 31 '12 at 14:06

5 Answers5

4

On the default aspx page check if the user is set to a type of WindowsPrincipal. If Windows authenication is not enabled then the type will be different.

Also for windows authenication to work, the browser should be configured for the NTLM handshake.

Will add some code later!

ggonsalv
  • 1,264
  • 8
  • 18
3

My answer is based on @Paul Stovell's minimum requirements (that it only needs to work for IIS 7). When WindowsAuthentication is installed, the applicationHost.config file will have the following entry in the <globalModules> section:

<add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />

Using Microsoft.Web.Administration.dll, which can be found in %windir%\System32\inetsrv\, one can check for the existence of the WindowsAuthenticationModule with the following code:

ConfigurationSection globalModulesConfig = config.GetSection("system.webServer/globalModules");
ConfigurationElementCollection globalModulesCollection = globalModulesConfig.GetCollection();
bool installed = globalModulesCollection.FirstOrDefault(a => a.GetAttribute("name").Value.Equals("WindowsAuthenticationModule")) != null;

Since the applicationHost.config file resides in %windir%\System32\inetsrv\config, the application making this query requires elevated privileges.

Tung
  • 5,334
  • 1
  • 34
  • 41
2

The following checks web.config/IIS settings I believe. You could add more checks at each instantiation to see if the config sections defined etc...

System.Configuration.Configuration config = WebConfigurationManager.OpenWebConfiguration("~");

SystemWebSectionGroup configSection = (SystemWebSectionGroup)config.GetSectionGroup("system.web");

AuthenticationSection auth = configSection.Authentication;

if (auth.Mode == AuthenticationMode.Forms) { }
else if (auth.Mode == AuthenticationMode.Windows) { }
Greg
  • 31,180
  • 18
  • 65
  • 85
2

When Windows Authentication is enabled, IIS returns this HTTP header in response :

WWW-Authenticate: NTLM

It's possible to send a testing HTTP request with a WebClient, wait for it and check the header presence.

battlmonstr
  • 5,841
  • 1
  • 23
  • 33
1

This isn't an answer so much as just an idea to point you in a possible direction.

A web application is normally isolated to itself and runs under least privilege so I don't think you can see global settings like this from an application's ASP code.

I would guess that you would want to look at the WMI classes. You can query them using ADO or the WMI objects. You may need to impersonate higher credentials to call it though.

See this post TechNet Article

Rich M
  • 377
  • 1
  • 3
  • 12
  • Thank you, and I understand what you are saying. However, I think that would be too much complication to satisfy the need. – JonBrave Jun 27 '11 at 16:59