
I recently updated a legacy 4.5 C#.NET WebForms app to use ADFS for authentication, but somehow it only works if I also have Windows authentication enabled in IIS. When I have Windows auth enabled, after a user signs into our ADFS server, a Windows auth pop-up box shows up, which requires the user to log in twice. That is not the result I wanted, so I turned off Windows authentication in the hope that the second login would go away, but now, after signing into ADFS, the user gets a 401 Unauthorized error.

If I have to keep Windows auth enabled for this legacy app to log in successfully, is there something I should add to the code to prevent the Windows auth pop-up from presenting itself after a user logs into ADFS?

Startup.Auth.cs

using System.Configuration;
using Microsoft.Owin.Extensions;            // UseStageMarker
using Microsoft.Owin.Security;              // SetDefaultSignInAsAuthenticationType
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;                                 // IAppBuilder, PipelineStage

public partial class Startup
{
    // Relying-party identifier (wtrealm) and the ADFS federation metadata URL, read from appSettings in web.config
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Claims returned by ADFS are persisted in the cookie authentication session
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Passive WS-Federation sign-in against ADFS; endpoints and signing keys come from the metadata document
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });

        // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
        app.UseStageMarker(PipelineStage.Authenticate);
    }
}

Startup.cs

using Microsoft.Owin;
using Owin;

// Tells the OWIN host which class carries the startup configuration
[assembly: OwinStartup(typeof(Startup))]

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }
}

UPDATE: I just confirmed that my dev site works fine, meaning the Windows auth box DOES NOT show up after authenticating with ADFS. It has the same code, the same web.config, the same setup in IIS on the dev server compared to live, and the same setup on the ADFS server. The ONLY difference that I can see is that the live server is Windows Server 2019 Datacenter and the dev server is Windows Server 2012 R2.

Are there differences between these 2 servers that would make that Windows authentication box pop up after ADFS authentication? Could it be that the legacy app will only behave on a legacy server and not a newer one?

Jamie
  • When the auth box pops up, you should see an HTTP 401. You need to check the response headers: a 401 with Negotiate Kerberos/NTLM is telling you it's trying to negotiate one or the other and is failing and falling back. If the servers are returning different response headers, then you have somewhere to start looking. – fuzzybear Dec 14 '21 at 23:04
  • I can't see any reason in the requests and responses that the dev site would work with Windows auth disabled, but the live site will not work without Windows auth. Do you think there's a big difference between IIS 8.5 and 10 that could be causing the legacy app to only function properly on the old 2012 server? – Jamie Dec 16 '21 at 16:53
  • Well, I guess I take that back; the only difference I can see is that the live site says something about HTTP/2 and the dev site says HTTP/1.1. I don't know enough about server things to tell if this is what is causing this behavior in the app, but I will do some research. – Jamie Dec 16 '21 at 16:55

1 Answer

I just found the answer I needed here: 401 Unauthorized: Access is denied due to invalid credentials

  1. Open IIS
  2. Select The Site
  3. Open Authentication
  4. Edit Anonymous Authentication
  5. Select Application Pool Identity
Jamie
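The same IIS change as the numbered steps above, as an added PowerShell example that is not part of the question or the answer: it sets anonymous authentication to run as the application pool identity and disables Windows authentication through the WebAdministration module, reads the effective values back so live and dev can be compared, and probes an unauthenticated request to see whether IIS still answers with a Negotiate/NTLM challenge (the header check suggested in the comments). The site name, application name and URL are assumptions.

```powershell
# Added example, not the question's or answer's own code. Site, app and URL are assumptions.
Import-Module WebAdministration

$site     = 'Default Web Site'        # assumption: IIS site hosting the app
$app      = 'LegacyWebForms'          # assumption: application name under the site
$loc      = "$site/$app"
$apphost  = 'MACHINE/WEBROOT/APPHOST' # edits the <location> for the app in applicationHost.config
$authBase = 'system.webServer/security/authentication'

# 1) Anonymous authentication on, running as the application pool identity.
#    An empty userName is how IIS expresses "Application pool identity";
#    a specific account such as IUSR would be named here instead.
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter "$authBase/anonymousAuthentication" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter "$authBase/anonymousAuthentication" -Name 'userName' -Value ''

# 2) Windows authentication off, so IIS never issues the Negotiate/NTLM challenge
#    behind the second login prompt; sign-in is left to the WS-Federation
#    middleware and the <authorization> rules in web.config.
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter "$authBase/windowsAuthentication" -Name 'enabled' -Value $false

# 3) Read the effective settings back; run on live and dev and diff the output.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    $cfg = Get-WebConfiguration -PSPath $apphost -Location $loc -Filter "$authBase/$section"
    "{0,-24} enabled={1} userName='{2}'" -f $section, $cfg.enabled, $cfg.userName
}

# 4) Probe an unauthenticated request (Windows PowerShell 5.1 semantics).
#    Healthy: a 302 whose Location points at the ADFS sign-in endpoint.
#    Broken:  a 401 whose WWW-Authenticate lists Negotiate/NTLM, meaning IIS is
#             still demanding Windows credentials before the app is reached.
$url = "https://localhost/$app/"      # assumption: app URL on this server
try {
    $r = Invoke-WebRequest -Uri $url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    "HTTP {0} Location={1}" -f $r.StatusCode, $r.Headers['Location']
} catch {
    $resp = $_.Exception.Response
    if (-not $resp) { throw }
    "HTTP {0} Location={1} WWW-Authenticate={2}" -f [int]$resp.StatusCode,
        $resp.Headers['Location'], $resp.Headers['WWW-Authenticate']
}
```

With anonymous access running as the app pool identity, the `<authorization>` rules in web.config are what keep unauthenticated requests from being served, so confirm they still deny anonymous users after the change.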