I am stuck at the moment on trying to configure the Windows authentication on a web site.
The site is configured (in IIS 7.5) as follows:
Windows authentication and ASP.NET Impersonation - Enabled.
The 'Enable Kernel-mode authentication' is checked.
Providers section contain all 3 possible: Negotiate, NTLM, Negotiate:Kerberos.
The site connects to a SQL Server using Windows authentication as well.
The Web server is marked as trusted for delegation for the SQL server.
When I browse the site locally from the web server everything works; when I browse it from a client computer I get the well known error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
I read I should set some SPNs - but in my case - to what\whom ?...
The access to the SQL Server is done individually to users (also, the Web server, SQL server and the users accessing the site are in the same domain; the application pool also uses a domain account)
An advice would be much appreciated ...
I think you're getting "Anonymous Logon" because you have anonymous logon enabled.
Try enabling only Windows authentication and ASP.NET Impersonation and disabling the rest
Also might help to check the internet explorer security settings for the 'zone' you're in from the client computer (i'm guessing internet) at the very end set internet explorer to prompt for user name and password
Related
So I have developed an API with Windows Authentification. When I ran the project with Visual's Studio IIS Express - endpoint's secured with:
[Authorize(AuthenticationSchemes = IISDefaults.AuthenticationScheme)]
In services I have registered:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
get's the current Windows user, which I can access through HttpContextAccessor.
After I have published the app to Windows Server (HTTPS enabled) with IIS 10 running when I am trying to access protected endpoints I just get Login Prompt and it doesn't matter what I enter in it, it goes away only if I cancel.
My Site settings in Windows IIS Server, Windows Auth uses Negotiate Provider:
Application pool settings:
Is there anything I can do to fix this? If this post lacks some other information, please, let me know, I will edit it.
When you enable anonymous authentication and authentication at the same time, iis will use anonymous authentication, so you need to disable anonymous authentication and try again.
I hosted few applications in IIS (Version:10) with Kerberos authentication. And all web applications are configured under a single web site.
Only windows authentication is enabled.
What I observed is I get 401 followed by 200 for every request.
And the expectation is 401 for the first call, then 200 for all subsequent calls from same client to same api since its already authenticated.
I tried applying authPersistSingleRequest="false" for windows authentication.
Note: This was done after referring to 3 requests for every resource (2 x 401.2 and 1 x 200) in a windows authenticated asp.net mvc app
Then I can see that one api (web application) is working as expected now. And we still have issue with other api(in a different web application).
Can anyone help me to understand if there are any other settings apart from what I mentioned above to make it working as expected.
Make sure you configured the spn account properly with the application pool.
Open IIS Manager and select the Configuration Editor.
In the dropdown menu select system.webServer > security > authentication > windowsAuthentication
set useAppPoolCredentials to True.
In Internet explorer add the site address to the list of trusted websites and specify Automatic logon with a current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.
Refer below link for more detail:
Troubleshoot Kerberos failures in Internet Explorer
I have to mention that I am new to IIS. I have a local IIS 8.5 on a windows server 2012 machine. When I enable the windows authentication (basic authentication is disabled), I can access and see the home page of IIS (http://localhost) with the credentials of a LDAP user in the same domain. However, when I enable basic authentication (windows authentication is disabled), I cannot access the home page with the same credentials I used for windows (The authentication pop up never goes away).
Shouldn't the same credentials work for both basic and windows authentication or basic authentication works differently ? If not, then how are the credentials validated in case of basic authentication ?
Note: Eventually I plan to write restlet java code to post resources using basic authentication.
So finally I got this problem solved. For Basic Authentication (click on edit), we need to set the default domain (realm is optional). Once I set the default domain, I could login using the LDAP user credentials.
I develop web app, which cooperates with to TFS2012. In my local machine its works fine, but when i deploy on server i get the following exception:
[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.GetResponse() +6440920
Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.SendRequestAndGetResponse(HttpWebRequest webRequest, WebException& webException) +195
My connect to TFS Code:
_collection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("http://xxx/tfs/TestPrjects/"));
_collection.EnsureAuthenticated();
_store = _collection.GetService<WorkItemStore>();
my web-config:
<system.web>
<customErrors mode="Off"></customErrors>
<authentication mode="Windows"/>
...
<system.web>
in ISS i activate Windows authorization:
Where is my mistake?
The details you are using to access TFS are incorrect.
The reason it works on your local machine is because the webserver is running as you, who has access to TFS. On the IIS server it's running as the app pool user, which won't have access.
Potential Solutions
Run the app pool as a user that has access to TFS (or grant the current user access)
This is ok for read only access, but if you're writing back to items you may want to not go down this route
Enable delegation so the code that connects to TFS is run as the currently authenticated windows user
This is much harder to do and only works in internet explorer out of the box. Firefox users can change a setting and Chrome users need to start chrome with a commandline switch.
wrap a using(WindowsIdentity.GetCurrent().Impersonate()) {} around your code that uses TFS and ensure you are using CredentialCache.DefaultNetworkCredentials to connect to TFS.
Use the TFS Server API
Be naughty and use server instead of the client api. The server API writes directly to the db and doesn't need to impersonate a user. I highly doubt this is a supported path and you won't find much information on it. However it still needs to run as a user with access to the db (like option 1, but supports updates as windows authed users)
I'm working on an Asp.Net Application in Windows XP Professional with IIS 5, VS 2008 and MS Sql Server 2008. Normal Asp.Net program and html page can be viewed correctly in IIS, however, if there is a successful database connection in the Asp.Net program(otherwise it will show a exception page), the IIS will ask for username and password and then throws:
You are not authorized to view this page
...
HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Any one can help?
Thanks
IIS requesting user name and password - do you have windows authentication enabled, or basic, or anonymous? IIS requesting a user name/password isn't database related necessarily...
First thing to always check is that you have configured SQL Server to allow remote connections.
How to configure SQL Server 2005 to allow remote connections
For generic SQL Server Connectivity Troubleshooting consult the following Blog Post
Finally I find out it's not the Asp.Net or SQL Server problem, it's because the Asp.Net program uses URL stored in database and redirect the user to the web root, then when user navigate to the web root directory, IIS automatically uses the iisstart.asp page as an index page, and that page caused the authentication dialog.