I have a web application in VB.NET which uses Windows authentication and passes the username of the logged-on user into a helper function to determine if the user is an admin. The application then displays different menu options based on whether the user is an admin or not. When I try to run this using my Visual Studio server the application works perfectly, but when trying to run using my IIS server, or IIS Express, the application does not recognize my admin rights, and the helper function parameter for the user name is empty. Is there something I am missing on how to get IIS to recognize my admin rights? I have disabled anonymous login for this site in IIS and enabled Windows authentication.
So I have developed an API with Windows Authentication. When I ran the project with Visual Studio's IIS Express - endpoints secured with:
[Authorize(AuthenticationSchemes = IISDefaults.AuthenticationScheme)]
In services I have registered:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
gets the current Windows user, which I can access through HttpContextAccessor.
After I published the app to Windows Server (HTTPS enabled) with IIS 10 running, when I try to access protected endpoints I just get a login prompt, and it doesn't matter what I enter in it; it goes away only if I cancel.
My Site settings in Windows IIS Server, Windows Auth uses Negotiate Provider:
Application pool settings:
Is there anything I can do to fix this? If this post lacks some other information, please, let me know, I will edit it.
When you enable anonymous authentication and authentication at the same time, IIS will use anonymous authentication, so you need to disable anonymous authentication and try again.
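An added example, not part of the original posts: a PowerShell audit that reports, for every site and application, whether Anonymous and Windows authentication are both enabled (the situation the answer above describes), plus a helper that leaves only Windows authentication on at one path. It assumes the WebAdministration module and an elevated session; the function names and the commented sample path (taken from the folder layout in the next question) are illustrative.

```powershell
# Added example. Requires the WebAdministration module (IIS management tools)
# and an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$AuthBase = '/system.webServer/security/authentication'

# Read the enabled flag of both schemes at one location.
function Get-IisAuthState {
    param([Parameter(Mandatory)][string]$Location)   # e.g. 'Default Web Site/myservice'
    $state = [ordered]@{ Location = $Location }
    foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
        $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter "$AuthBase/$scheme" -Name 'enabled'
        $state[$scheme] = [bool]$attr.Value
    }
    # When both are on, requests that anonymous access can satisfy never
    # trigger the Windows challenge, so the app sees no Windows user.
    $state['BothEnabled'] = $state['anonymousAuthentication'] -and $state['windowsAuthentication']
    [pscustomobject]$state
}

# Walk every site and each application under it.
function Get-IisAuthReport {
    foreach ($site in Get-Website) {
        Get-IisAuthState -Location $site.Name
        foreach ($app in Get-WebApplication -Site $site.Name) {
            Get-IisAuthState -Location ($site.Name + $app.Path)
        }
    }
}

# Turn anonymous off and Windows on for one location only; the setting is
# written to a <location> element in applicationHost.config.
function Set-WindowsAuthOnly {
    param([Parameter(Mandatory)][string]$Location)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$AuthBase/anonymousAuthentication" -Name 'enabled' -Value 'False'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$AuthBase/windowsAuthentication" -Name 'enabled' -Value 'True'
}

Get-IisAuthReport | Format-Table -AutoSize
# Set-WindowsAuthOnly -Location 'Default Web Site/myservice/mysubdomain'
```

Rows with BothEnabled set to True are the ones to review; run the audit again after any change to confirm the effective state.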
I have this situation where the main domain requires Anonymous Authentication while the sub-domain can only accept Windows Authentication for my app to work.
Currently, I can only do one or the other on IIS. Basically, in my service it's expecting WindowsIdentity and unless it's coming through Windows Authentication it'll become ClaimsIdentity. I want to ensure that the identity of this request is a Windows and is authenticated.
I've tried enabling Anonymous Authentication and Windows Authentication for the main domain and disabling Anonymous Authentication & enabling Windows Authentication for the sub-domain.
Folder and site structure:
Folder
inetpub
/myservice
/wwwroot
/mysubdomain
In IIS
Default Web Site
/myservice
/wwwroot
/mysubdomain
I made the request via http://localhost/myservice/mysubdomain. If I publish my service as IIS in Visual Studio 2019, Windows Authentication works but Anonymous Authentication doesn't. If I publish my service as myservice project then Anonymous Authentication works but Windows Authentication doesn't.
I have this sorted out. It's not the ideal solution I wanted but it worked around my problem. I had to change my app to accept only Windows Authentication.
I have to mention that I am new to IIS. I have a local IIS 8.5 on a Windows Server 2012 machine. When I enable Windows authentication (basic authentication is disabled), I can access and see the home page of IIS (http://localhost) with the credentials of an LDAP user in the same domain. However, when I enable basic authentication (Windows authentication is disabled), I cannot access the home page with the same credentials I used for Windows (the authentication pop-up never goes away).
Shouldn't the same credentials work for both basic and Windows authentication, or does basic authentication work differently? If not, then how are the credentials validated in the case of basic authentication?
Note: Eventually I plan to write restlet java code to post resources using basic authentication.
So finally I got this problem solved. For Basic Authentication (click on edit), we need to set the default domain (realm is optional). Once I set the default domain, I could login using the LDAP user credentials.
I have a server 2012 box running IIS. I am trying to change the admin password for the OS, but it is breaking permissions/access for IIS. I have since reverted back to the old password and all works. What do I need to change in addition to the OS to make the new password work for IIS sites?
Open IIS
Select Application Pools
Right-click on your pool and select Advanced settings...
Edit the Identity setting with your credentials
For mine, I set the Custom Account. I have to update this every time I change my credentials.
Have you tried synchronizing the new password in IIS, in the sites that don't work?
Check site credentials, especially if using a "specific user" (as opposed to pass-through authentication) at:
IIS console-->Click on site-->Click Basic Settings (on the Action panel)-->Connect As
There you can synchronize the password registered in IIS with the current user password, but take note that if this works, then something is wrong with your configuration since the logged on user (the admin as you mentioned) shouldn't be used to access site data/folders. It's way too risky!!
If you're using pass-through authentication, check the configuration of the application pool that the site is using, but I repeat: if changing/synchronizing the admin's password solves your problem, then you must have some bad configuration in place.
I am stuck at the moment on trying to configure the Windows authentication on a web site.
The site is configured (in IIS 7.5) as follows:
Windows authentication and ASP.NET Impersonation - Enabled.
The 'Enable Kernel-mode authentication' is checked.
Providers section contain all 3 possible: Negotiate, NTLM, Negotiate:Kerberos.
The site connects to a SQL Server using Windows authentication as well.
The Web server is marked as trusted for delegation for the SQL server.
When I browse the site locally from the web server everything works; when I browse it from a client computer I get the well known error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
I read I should set some SPNs - but in my case - to what\whom?
The access to the SQL Server is done individually to users (also, the Web server, SQL server and the users accessing the site are in the same domain; the application pool also uses a domain account).
Any advice would be much appreciated...
I think you're getting "Anonymous Logon" because you have anonymous logon enabled.
Try enabling only Windows authentication and ASP.NET Impersonation and disabling the rest.
It also might help to check the Internet Explorer security settings for the 'zone' you're in from the client computer (I'm guessing Internet); at the very end, set Internet Explorer to prompt for user name and password.