I am encountering the following issue when trying to configure an intranet ASP.NET site in IIS 8.5 for Windows authentication. I have the IIS Windows authentication provider settings set to:
Negotiate
NTLM
This works great for Windows-based browsers - users are logged in seamlessly. Mac-based browsers don't seem to support the Negotiate protocol; when accessing my site you are prompted for your domain credentials. Even when responding with correct credentials, the browser responds to the authentication challenge with "NTLM xxxxxxx...". IIS doesn't like this and always responds with a 401. This sends the browser into an authentication loop where you are prompted for your credentials endlessly. If you click "Cancel" (depending on which browser you are in), you will finally get a 401 response (not very useful).
If I modify the settings and remove the "Negotiate" provider, I am still prompted when accessing the site from a Mac browser, but this time the NTLM challenge succeeds and I can authenticate. The problem with this is I am now getting an authentication prompt from Windows browsers as well.
Is there a way to get around this (do I have Windows authentication misconfigured)? I am fine with having to answer a credential prompt from the Mac but as the vast majority of my users will be accessing from Windows, I would prefer they still get the "invisible" log on experience.
If I'm understanding your question correctly; Safari/Apple doesn't support Windows Authentication. Basic Authentication needs to be enabled within IIS in order for Safari to login.
Related
So I have developed an API with Windows Authentification. When I ran the project with Visual's Studio IIS Express - endpoint's secured with:
[Authorize(AuthenticationSchemes = IISDefaults.AuthenticationScheme)]
In services I have registered:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
get's the current Windows user, which I can access through HttpContextAccessor.
After I have published the app to Windows Server (HTTPS enabled) with IIS 10 running when I am trying to access protected endpoints I just get Login Prompt and it doesn't matter what I enter in it, it goes away only if I cancel.
My Site settings in Windows IIS Server, Windows Auth uses Negotiate Provider:
Application pool settings:
Is there anything I can do to fix this? If this post lacks some other information, please, let me know, I will edit it.
When you enable anonymous authentication and authentication at the same time, iis will use anonymous authentication, so you need to disable anonymous authentication and try again.
Using IIS server with NTLM authentication. Where can I modify the session timeout settings?.
I'm afraid it is almost impossible to control the lifetime of your NTLM ticket from server side.So windows authentication should be implemented in a trusted environment.
I think the only way to log out windows authentication is clean cache in server side and re-open web browser.
If you need kind of authentication that ticket timeout can be controlled all the time, you could use custom form authentication instead.
https://learn.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs
I have to mention that I am new to IIS. I have a local IIS 8.5 on a windows server 2012 machine. When I enable the windows authentication (basic authentication is disabled), I can access and see the home page of IIS (http://localhost) with the credentials of a LDAP user in the same domain. However, when I enable basic authentication (windows authentication is disabled), I cannot access the home page with the same credentials I used for windows (The authentication pop up never goes away).
Shouldn't the same credentials work for both basic and windows authentication or basic authentication works differently ? If not, then how are the credentials validated in case of basic authentication ?
Note: Eventually I plan to write restlet java code to post resources using basic authentication.
So finally I got this problem solved. For Basic Authentication (click on edit), we need to set the default domain (realm is optional). Once I set the default domain, I could login using the LDAP user credentials.
I am trying to access O365 site with Windows Live authentication from windows application. With Web Browser control I am able to do it. The problem is this tool runs for more than 15 hrs and within this time frame FedAuth cookies expires and I need to again refresh the cookies without bringing up the Web Browser control. And the other reason why I cannot have Web Browser control is that this application also supports windows service mode.
We have automated the ADFS authentication through Http Requests but for Windows Live authentication there are some javascript involved to actually do the login.
I have tried the SOAP approach mentioned here How to do Windows Live Authentication (RST) via SOAP, it returns the Request Security Token but it is not in the same format which ACS (Azure Control Service) returns.
Please suggest any work around or technique I can use to achieve this goal.
I've disabled anonymous authentication and I've enabled Windows authentication on my website in IIS 7.
Now, when I browse to the website (http://webserver), Internet Explorer keeps prompting me for a username/password. Since I'm on the intranet, IE should pass on my credentials automatically...
What's more is that if I enter my credentials, they are not even recognized.
I'm out of ideas, if anyone could help....