I want to use Windows Authentication on my .NET Core MVC 5 web app. To allow specific domain users and an AD group.
I added a web.config in the root:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="mydomain\username1, mydomain\username2" />
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
</system.web>
</configuration>
I added this to startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddAuthentication(IISDefaults.AuthenticationScheme);
}
I added this in my controller
[Authorize(Roles = #"mydomain\ADgroupName")]
[Authorize(Users = #"mydomain\username1")]
public class HomeController : Controller
In project properties I disabled Anonymous auth and enabled Windows auth.
I added a project reference to Microsoft.AspNetCore.Authentication.
When all that is said and done I get the error "Type or namespace 'Users' could not be found".
What am I missing here?
the error "Type or namespace 'Users' could not be found".
From the AuthorizeAttribute Class, we can see that the Authorize attribute only have the Roles and Policy property, without the Users property, so it will show the above error.
If you want to set authorization rights for specified users, you could create a policy for the users, then, in the Controller, set the Authorize attribute as below:
[Authorize(Policy = "policyforUser")]
public class HomeController : Controller
More detail information about create policy, see the following links:
Policy-based authorization in ASP.NET Core
ASP.NET Core Authorize AD Groups through web.config
ASP.NET Core - Authorization Using Windows Authentication
Using AD groups to authorise access to pages using IIS Windows Authentication
Related
I'm trying to secure a simple ASP.net website hosted on an internal IIS10 instance so that only a specific AD group can access it.
All my testing (and the final usage) would be internal to the same domain on which the IIS server resides - no external or cross-domain usage will occur.
Within Site Authentication I only have Windows Authentication enabled with a HTTP 401 Challenge response type. Enabled providers are Negotiate and NTLM (in that order), Extended Protection is Off and Kernel-mode authentication is enabled
In .NET Authorisation Rules I have no explicit Deny Rules.
If I add a 'Specified users' Allow Rule for my user account (and thus the user for which I'm testing access to the website) then I am able to access the website. At this point the relevant area of the web.config file looks like this:
<authorization>
<allow users="MYDOMAIN\MYUSERACCOUNT" />
</authorization>
If I remove that Allow Rule and add a 'Specified roles or user groups' Allow Row for an AD group for which my user account is a member of then I am unable to access the website and browsing to it prompts me for a Sign in dialog box which entering my AD credentials then gives a 401 error.
At this point the relevant area of the web.config file looks like this:
<authorization>
<allow roles="MYDOMAIN\AwesomeUsers" />
</authorization>
I've tried changing various Authentication settings (changing the order, disabling Kernel-mode authentication etc), adding the domain groups in the 'allow users' section in the Web.config but I just cant get AD group authentication working.
IIS isn't my strong point so would really appreciate any hints or tips I can try, Thanks! :)
try to use below code:
web.config:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\ADGROUP" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
applicationHost.config:
<configuration>
<location path="YOUR-APP">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>
I tried to do something in IIS which I though is very simple, but I am unable to make it work.
I created a web page with simple html+js page and web api backend. (It means I have one single plain old html page with one single JavaScript file and it uses AJAX call back to the same server to get data from backend. The backend is written in C# with .NET Framework 4.7 and current version of ASP.NET. It is not MVC, it is not .NET Core, it is not ASP.NET Core.)
Now I want to allow this web page only for some users on local network and I expect this can be somehow configured in web.config file. The IIS is running on a computer in a domain, so I set up the web application in its web.config to use Windows authentication and provided the list of allowed users in authorization section (the user accounts are in the same domain as the web server). I though this would prevent other users to access the web, but apparently all authenticated users can display it. So it seems that Windows authentication works correctly, but there is no authorization check performed and all users are allowed. Can this be done easily in web.config in this kind of html+js+webapi scenario?
Currently, the related section in web.config looks like this:
<system.web>
<compilation targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="alloweduser1,alloweduser2" />
</authorization>
</system.web>
Try :
<system.web>
<compilation targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2" />
<authorization>
<allow users="domain\alloweduser1,domain\alloweduser2" />
<deny users="*" />
</authorization>
</system.web>
I am working on asp.net mvc 4 application. Currently the application is forms authentication enabled. But now i want to implement windows authentication in same application. The scenario is- When application will run, it will by default check for window authentication and once that is authenticated, depending upon the role of user, I need to enable forms authentication.
Following is the setting in web.config-
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows">
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
and following is the code in Login Controller-
[AllowAnonymous]
[HttpPost]
public JsonResult JsonLogin(User model, string returnUrl)
{
var user = HttpContext.User.Identity.Name;
if (ValidateUser(model))
{
FormsAuthentication.SetAuthCookie(model.LoginUserID, false);
return Json(new { success = true, redirect = returnUrl });
}
return Json(new { errors = GetErrorsFromModelState() });
}
but i am getting User.Identity.Name = ""; What am I missing? I want to run application on local system itself. Please tell me how to implement this scenario. Any help is appreciated! Thanks in advance!
Here are the details of my problem. I have one simple WCF Data Service (named WCFServiceAppCBS.svc) using an Entity Framework data access layer that talks to a SqlServer 2008 R2 datasource to return some entities. I just want to expose a few tables as "GET" to be later consumed by external getJSON/AJAX calls in some html files.
For development purposes, it works fine when I'm playing around with it in VS2010 using IIS Express and can consume the OData URI and return data. But, the OData service doesn't return anything when I deploy it to the localhost IIS 7.
All I get is the Atom Pub feed that lists my entities, but when I try to execute any type of iQueryable statements (i.e. http://localhost/WCFServiceAppCBS/OData.svc/officers), I get a generic "the website cannot display the page".
I'm not sure if it is having a problem authenticating or if there are other settings in my Web.Config or IIS that I'm missing.
Here's my web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>
</compilation>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<connectionStrings>
<add name="CBSEntities" connectionString="metadata=res://*/CBSLookup.csdl|res://*/CBSLookup.ssdl|res://*/CBSLookup.msl;provider=System.Data.SqlClient;provider connection string="data source=QCSQL2K8DEV;initial catalog=CBS;integrated security=True;multipleactiveresultsets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
</connectionStrings>
</configuration>
Here's my OData.svc.cs...
using System;
using System.Collections.Generic;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq;
using System.ServiceModel.Web;
using System.Web;
namespace WCFServiceAppCBS
{
public class OData : DataService<CBSEntities>
{
// This method is called only once to initialize service-wide policies.
public static void InitializeService(DataServiceConfiguration config)
{
// TODO: set rules to indicate which entity sets and service operations are visible, updatable, etc.
// Examples:
config.SetEntitySetAccessRule("*", EntitySetRights.AllRead);
// config.SetServiceOperationAccessRule("MyServiceOperation", ServiceOperationRights.All);
config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V2;
}
}
}
Thanks for any help you can provide!
In IIS 7.5 under Windows 7 Utilmate, I have an application which is configured for authentication as follows:
Anonymous & Windows
In the ASP.NET Website, I have turned Forms authentication and identity impersonate = true
I also deny any anonymous users.
<authentication mode="Forms">
</authentication>
<identity impersonate="true"/>
<authorization>
<deny user="?">
</authorization>
IIS complains. What am I doing wrong...
What I want to achieve :I want the windows Logged On User so I can build a FormsAuthentication ticket and pass it to a Passive STS.
So in IIS I have anonymous and windows...If have only windows ticked, I cannot go onto the Login.aspx page as I have an extra parameter to be passed from there.
So now in webconfig, I then disable anonymous users by saying deny user="?" , so it leaves me with the authenticated windows user but using Forms Authentication.You know what I mean??
http://msdn.microsoft.com/en-us/library/ff649264.aspx
If you see Table 4 IIS Integrated Windows for IIS then Web.config setting 3rd row, accordingly WindowsIdentity is Domian\Username .It works on IIS 6.0 win2003/IIS 5.1 under XP
If this is an application that leverages claims based identity, then the responsibility of authenticating users is in the STS itself, not in the app.
If you are configuring your (web) application to trust an external STS, then your authentication mode would be "None" and you'd have a whole section in the config file for "Microsoft.identityModel". You would then configure the STS address there (the issuer attribute). Something like this:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://aexpense-dev.adatum.com/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost/Adatum.SimulatedIssuer/" realm="https://aexpense-dev.adatum.com/" requireHttps="true" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<serviceCertificate>
<certificateReference x509FindType="FindBySubjectDistinguishedName" findValue="CN=localhost"/>
</serviceCertificate>
<certificateValidation certificateValidationMode="None"/>
<applicationService>
<claimTypeRequired>
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="f260042d59e14937984c6183fbc6bfc71baf5462" name="https://localhost/Adatum.SimulatedIssuer/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
The STS itself might use Forms authentication or something else, depending on the implementation.