I am developing an intranet site hosting RESTful services via ASP.NET WebAPI.
I am having an issue where all browsers (Chrome, Firefox and IE) are displaying a login prompt requesting credentials. I am hosting the site in IIS 7.5 on Windows 7 Home Premium with Anonymous Access enabled.
The root URL http://localhost/RootAPI/ should be viewable to anonymous users, but the private routes, e.g. http://localhost/RootAPI/Invoice and http://localhost/RootAPI/Order should be accessed only to authenticated users via the [Authorize] attribute. I am intending to control the authentication process using WebAPI calls via AngularJS once I have fixed this issue.
My website uses the ASP.NET v4.0 app pool identity and I have assigned read permissions to the application's folder for this user.
I have also added http://localhost to the list of trusted sites in IE as well as checking the 'Allow Integrated Windows Authentication' in the Advanced options in IE. Furthermore, the 'Automatic login with current user name and password' is checked in the custom level for the Intranet sites and the issue still persists.
I have got this in my web.config file.
<authentication mode="None" />
<identity impersonate="true" />
When viewing the log files under C:\inetpub\logs\LogFiles\W3SVC1 it does not display the user name (I was expecting to see the anonymous user name) and shows HTTP status 401.
I've spend two days on this frustrating issue and I cannot stop the logon prompt from appearing. Can anyone point me in the right direction as to what I am doing wrong?
I managed to figure this out after discovering the custom authorization filter was being executed and was checking to see if the controller was decorated with [AllowAnonymousAttribute()] and it wasn't.
After adding this attribute to the root controller I no longer received login prompts.
This is what the root controller looks like after adding the attribute filter:
[AllowAnonymousAttribute()]
public class RootController : ApiController
{
...
}
The root page now displays as expected.
Related
I hosted few applications in IIS (Version:10) with Kerberos authentication. And all web applications are configured under a single web site.
Only windows authentication is enabled.
What I observed is I get 401 followed by 200 for every request.
And the expectation is 401 for the first call, then 200 for all subsequent calls from same client to same api since its already authenticated.
I tried applying authPersistSingleRequest="false" for windows authentication.
Note: This was done after referring to 3 requests for every resource (2 x 401.2 and 1 x 200) in a windows authenticated asp.net mvc app
Then I can see that one api (web application) is working as expected now. And we still have issue with other api(in a different web application).
Can anyone help me to understand if there are any other settings apart from what I mentioned above to make it working as expected.
Make sure you configured the spn account properly with the application pool.
Open IIS Manager and select the Configuration Editor.
In the dropdown menu select system.webServer > security > authentication > windowsAuthentication
set useAppPoolCredentials to True.
In Internet explorer add the site address to the list of trusted websites and specify Automatic logon with a current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.
Refer below link for more detail:
Troubleshoot Kerberos failures in Internet Explorer
I’m currently developing a web site that uses windows authentication, with ApplicationPoolIdentity configured with Identity=Application Pool. I can connect by login with my administrator user when asked by the browser and it works perfect, but if any other user tries to access, the browser asks for the credentials 3 times and then it throws a 401 Error.
Test scenarios:
If the server is configured with Anonymous Authentication ON, everybody is able to open the page.
If I try to set the application pool Identity to a regular user account, IIS doesn’t recognize the user/password provided.
The folder C:\inetpub\ was set with full control to Everyone, but the users can’t connect anyway.
The folder C:\inetpub\ was set with full control to a specific user, but the user can’t connect anyway.
Following a recommendation from another post, the following section was added to the web.config :
<authorization>
<allow users="*"/>
</authorization>
The windows logs in the Event Viewer don’t store anything about a failed login.
thanks for your comments
Update
i enabled and add Failed Request Tracing Rules to web site
it was result
ModuleName :IIS Web Core
Notification : AUTHENTICATE_REQUEST
HttpStatus : 401
HttpReason : Unauthorized
ErrorCode : Access is denied (0x80070005)
i searched this error but the post tell me, maybe permissions, but i set everyone as full control and it doesn't working
I am hosting a site on IIS 10.0 on my local network with anonymous authentication as the only enabled option. Previously, only the computer hosting the site could login and every other computer on the network was blocked entirely.
Then, I disabled the firewall on the necessary port, but that lead to other devices on the network being prompted for credentials.
Then, I went to inetpub\wwwroot and it wasn't shared, so I shared read permissions with IIS_IUSRS and under the security tab it now has "read & execute," "List folder contents," and "read" checked.
Now other devices are still prompted for credentials AND the very computer that hosts it is denied access. Not even prompted for credentials, just given the IIS error page for 401.3.
Every resource I've found says the security tab is all I need. What am I missing? I can't just continue developing without this, as I'm developing with PHP and so I need an actual server running this.
Anonymous Auth works on IIS is by assigning a user to the incoming request. This is configured under the authentications options. If you check the applicationHost.config, you would see something like this:
<authentication>
<anonymousAuthentication enabled="true" userName="IUSR" />
</authentication>
This is the UI.
There is another factor that comes into play, which is the Application Pool Identity. To check whether this is a permissions issue. Change the application Pool identity to Local System.
If the above works, then it is definitely a permissions issue.
To investigate this you can run procmon.exe. Add a filter on RESULT for ACCESS DENIED and then proceed further.
There is a blogpost which talks about troubleshooting 401.3 errors using Procmon. Here is the link: https://blogs.msdn.microsoft.com/webtopics/2009/06/25/troubleshooting-http-401-3-errors-with-process-monitor/
I have build a MVC 5 application. Now is time to publish it to production.
The infrastructure consist of two servers: one that can be accessed on internet and the other that is accessed only in intranet.
Server is Windows Server 2012 R2 and uses IIS 8.5 to host the application.
The application consist of backend and frontend. Backend's functionality are accessible only with login.
The problem that I want to solve is: How can I prevent login to the application from Internet and allow it only in intranet?
I think that might be some configuration on web.config to prevent opening of login page.
I have read a lot articles, but all the results are to prevent pages of unauthorized users. In my case login controller has [AllowAnonymous] attribute and it can be accessed without authorization.
If it can be done with a simple configuration in web.config I am going to add a key in web.config to keep track where it is the server on internet or the server on intranet like:
//for server accessible on intranet
<add key="serverType" value="PUBLIC"/>
// or
//for server accessible on intranet
<add key="serverType" value="Private"/>
And in the corresponding controller for login I will check for the value and if it is ConfigurationManager.AppSettings["serverType"] == "PUBLIC" I will redirect it to site public home page.
Does this solution have any security issue?
In this case, I would change the config with transforms or Parameterization (I prefer this one) to use the appropriate authentication type. For example, Anonymous for public and Windows/Forms Auth for private. You would have a transform/parameterization for each server type.
The following posts provide more specifics around ASP.NET security.
https://msdn.microsoft.com/en-us/library/3yfs7yc7.aspx
https://msdn.microsoft.com/en-us/library/7t6b43z4.aspx
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
A developer posts their code from a staging site (which requires authentication) to the live public site (which should not) and suddenly the live site is requiring authentication (which is not good).
They don't have permissions to change any settings on the server(s) and there is no call from the code on the live site to anything on the staging site, that I can locate. (No forgotten calls to an image on the staging site or anything)
Can the group think of some file that might have been removed/changed that could cause this to happen? I checked this question as well - [HTTP Authentication in ASP Classic via IIS] - but none of those methods are being used.
App is Classic ASP, IIS6.0 server.
Security Settings - Anonymous Access permitted on the live site. Account for anonymous internet users allowed read access to the directory where the site is located - user is unable to change directory or site permissions on the server.
Thanks!
Did the files retain their security permissions from the folder they were copied from? Reset the permissions on the files.
Are you using a four-part URL to get to the site (http://www.somesite.com/)? That will default to the Internet zone and not intranet, prompting for authentication.
User will get challenged when Anonymous Access is turned off in IIS. What are the security settings? Without that information, we will not be able to help much.