I have this situation where the main domain requires Anonymous Authentication while the sub-domain can only accept Windows Authentication for my app to work.
Currently, I can only do one or the other on IIS. Basically, in my service it's expecting WindowsIdentity and unless it's coming through Windows Authentication it'll becomes ClaimsIdentity. I want to ensure that the identity of this request is a Windows and is authenticated.
I've tried enable Anonymous Authentication and Windows Authentication for the main domain and disabled Anonymous Authentication & enabled Windows Authentication for sub-domain.
Folder and site structure:
Folder
inetpub
/myservice
/wwwroot
/mysubdomain
In IIS
Default Web Site
/myservice
/wwwroot
/mysubdomain
I made the request via http://localhost/myservice/mysubdomain. If I publish my service as IIS in Visual Studio 2019, Windows Authentication works but Anonymous Authentication doesn't. If I publish my service as myservice project then Anonymous Authentication works but Windows Authentication doesn't.
I have this sorted out. It's not the ideal solution I wanted but it worked around my problem. I had to change my app to accept only Windows Authentication.
Related
So I have developed an API with Windows Authentification. When I ran the project with Visual's Studio IIS Express - endpoint's secured with:
[Authorize(AuthenticationSchemes = IISDefaults.AuthenticationScheme)]
In services I have registered:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
get's the current Windows user, which I can access through HttpContextAccessor.
After I have published the app to Windows Server (HTTPS enabled) with IIS 10 running when I am trying to access protected endpoints I just get Login Prompt and it doesn't matter what I enter in it, it goes away only if I cancel.
My Site settings in Windows IIS Server, Windows Auth uses Negotiate Provider:
Application pool settings:
Is there anything I can do to fix this? If this post lacks some other information, please, let me know, I will edit it.
When you enable anonymous authentication and authentication at the same time, iis will use anonymous authentication, so you need to disable anonymous authentication and try again.
I hosted few applications in IIS (Version:10) with Kerberos authentication. And all web applications are configured under a single web site.
Only windows authentication is enabled.
What I observed is I get 401 followed by 200 for every request.
And the expectation is 401 for the first call, then 200 for all subsequent calls from same client to same api since its already authenticated.
I tried applying authPersistSingleRequest="false" for windows authentication.
Note: This was done after referring to 3 requests for every resource (2 x 401.2 and 1 x 200) in a windows authenticated asp.net mvc app
Then I can see that one api (web application) is working as expected now. And we still have issue with other api(in a different web application).
Can anyone help me to understand if there are any other settings apart from what I mentioned above to make it working as expected.
Make sure you configured the spn account properly with the application pool.
Open IIS Manager and select the Configuration Editor.
In the dropdown menu select system.webServer > security > authentication > windowsAuthentication
set useAppPoolCredentials to True.
In Internet explorer add the site address to the list of trusted websites and specify Automatic logon with a current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.
Refer below link for more detail:
Troubleshoot Kerberos failures in Internet Explorer
I have to mention that I am new to IIS. I have a local IIS 8.5 on a windows server 2012 machine. When I enable the windows authentication (basic authentication is disabled), I can access and see the home page of IIS (http://localhost) with the credentials of a LDAP user in the same domain. However, when I enable basic authentication (windows authentication is disabled), I cannot access the home page with the same credentials I used for windows (The authentication pop up never goes away).
Shouldn't the same credentials work for both basic and windows authentication or basic authentication works differently ? If not, then how are the credentials validated in case of basic authentication ?
Note: Eventually I plan to write restlet java code to post resources using basic authentication.
So finally I got this problem solved. For Basic Authentication (click on edit), we need to set the default domain (realm is optional). Once I set the default domain, I could login using the LDAP user credentials.
I have a web application in vb.net which uses windows authentication and passes the username of the logged on user into a helper function to determine if the user is an admin. The application then displays different menu options based on if the user is an admin or not. When I try to run this using my visual studio server the application works perfectly, but when trying to run using my IIS server, or IIS express the application does not recognize my admin rights, and the helper function paramater for the user name is empty. Is there something I am missing on how to get IIS to recognize my admin rights? I have disabled anonymous login for this site in iis and enabled windows authentication.
I am stuck at the moment on trying to configure the Windows authentication on a web site.
The site is configured (in IIS 7.5) as follows:
Windows authentication and ASP.NET Impersonation - Enabled.
The 'Enable Kernel-mode authentication' is checked.
Providers section contain all 3 possible: Negotiate, NTLM, Negotiate:Kerberos.
The site connects to a SQL Server using Windows authentication as well.
The Web server is marked as trusted for delegation for the SQL server.
When I browse the site locally from the web server everything works; when I browse it from a client computer I get the well known error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
I read I should set some SPNs - but in my case - to what\whom ?...
The access to the SQL Server is done individually to users (also, the Web server, SQL server and the users accessing the site are in the same domain; the application pool also uses a domain account)
An advice would be much appreciated ...
I think you're getting "Anonymous Logon" because you have anonymous logon enabled.
Try enabling only Windows authentication and ASP.NET Impersonation and disabling the rest
Also might help to check the internet explorer security settings for the 'zone' you're in from the client computer (i'm guessing internet) at the very end set internet explorer to prompt for user name and password