Develop Reference

ASP.Net MVC 5 Windows Authentication

I know that this has been asked before here, but I couldn't find a way to fix this. I'm using VS 2022/MVC 5/IISExpress and these are my configs:
web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
And these lines in my vbproj file:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
According to the approved solution in this post the above should work, but doesn't. I am logged in to Windows using my domain account and have been added to local administrators group (Of course I'm not a domain admin, just a standard user). I can login to my web app using my own domain account, but not with other domain accounts (I have tried two different accounts). Any credentials other than mine is rejected by application. How can I fix it?

IIS 10 .Net Authorization woes with AD groups

I'm trying to secure a simple ASP.net website hosted on an internal IIS10 instance so that only a specific AD group can access it.
All my testing (and the final usage) would be internal to the same domain on which the IIS server resides - no external or cross-domain usage will occur.
Within Site Authentication I only have Windows Authentication enabled with a HTTP 401 Challenge response type. Enabled providers are Negotiate and NTLM (in that order), Extended Protection is Off and Kernel-mode authentication is enabled
In .NET Authorisation Rules I have no explicit Deny Rules.
If I add a 'Specified users' Allow Rule for my user account (and thus the user for which I'm testing access to the website) then I am able to access the website. At this point the relevant area of the web.config file looks like this:
<authorization>
<allow users="MYDOMAIN\MYUSERACCOUNT" />
</authorization>
If I remove that Allow Rule and add a 'Specified roles or user groups' Allow Row for an AD group for which my user account is a member of then I am unable to access the website and browsing to it prompts me for a Sign in dialog box which entering my AD credentials then gives a 401 error.
At this point the relevant area of the web.config file looks like this:
<authorization>
<allow roles="MYDOMAIN\AwesomeUsers" />
</authorization>
I've tried changing various Authentication settings (changing the order, disabling Kernel-mode authentication etc), adding the domain groups in the 'allow users' section in the Web.config but I just cant get AD group authentication working.
IIS isn't my strong point so would really appreciate any hints or tips I can try, Thanks! :)

try to use below code:
web.config:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\ADGROUP" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
applicationHost.config:
<configuration>
<location path="YOUR-APP">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>

Authorization doesn't work with Windows Authentication in IIS

I tried to do something in IIS which I though is very simple, but I am unable to make it work.
I created a web page with simple html+js page and web api backend. (It means I have one single plain old html page with one single JavaScript file and it uses AJAX call back to the same server to get data from backend. The backend is written in C# with .NET Framework 4.7 and current version of ASP.NET. It is not MVC, it is not .NET Core, it is not ASP.NET Core.)
Now I want to allow this web page only for some users on local network and I expect this can be somehow configured in web.config file. The IIS is running on a computer in a domain, so I set up the web application in its web.config to use Windows authentication and provided the list of allowed users in authorization section (the user accounts are in the same domain as the web server). I though this would prevent other users to access the web, but apparently all authenticated users can display it. So it seems that Windows authentication works correctly, but there is no authorization check performed and all users are allowed. Can this be done easily in web.config in this kind of html+js+webapi scenario?
Currently, the related section in web.config looks like this:
<system.web>
<compilation targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="alloweduser1,alloweduser2" />
</authorization>
</system.web>

Try :
<system.web>
<compilation targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2" />
<authorization>
<allow users="domain\alloweduser1,domain\alloweduser2" />
<deny users="*" />
</authorization>
</system.web>

IIS 8.5 Prompting for Credentials with Windows Authentication

I'm getting a prompt for credentials on a website in IIS 8.5 running on Windows 2012 that I cannot explain.
App Pool is running under a custom identity that is a member of Administrators and IIS_IUSRS on the server.
I have the following setting on the Web Site:
Anonymous Authentication = Disabled
ASP.NET Impersonation = Enabled
Windows Authentication = Enabled
useAppPoolCredentials = True
My web.config has:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
</authorization>
I've ruled out folder security by temporarily granting Full Control to Everyone.
The real weird part is that I have the same App Pool, Web Site, and Folder setup on another node in my NLB cluster and it does not prompt for credentials.
I've also compared ApplicationHost.config files between the two servers and did not find any significant differeneces.
Where else could there be a difference between the two servers?
Update from questions in comments:
The HTTP status code is 401.2.5. FailedReqLog:
<failedRequest url="http://url-myapp.com:80/"
siteId="4"
appPoolId="myapp"
processId="14368"
verb="GET"
authenticationType="NOT_AVAILABLE"
activityId="{8000002B-000E-FF00-B63F-84710C7967BB}"
failureReason="STATUS_CODE"
statusCode="401.2"
triggerStatusCode="401.2"
timeTaken="0"
xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
>
AppPool is in Integrated mode
It does allow after entering credentials

How To Password Protect a Static Site in Azure

I have a static site (i.e all html files, no .Net project) that is being hosted in Azure. I'm trying to password protect this site. I've read that I could create a custom authorisation module, which I've done, but I can't install this as I need to run a appcmd.exe command to allow the correct bit of the web.config to be edited.
Either; how can I password protect a static azure site, or how can I take advantage of the features of the ServiceDefinition.csdef without having a visual studio project?

On the management portal, you can configure that your site needs to use credentials. Credentials are managed via the Azure portal if you use this method.

You could use Forms Authentication which should be pretty straightforward to implement and won't require any startup task (necessary to run appcmd.exe).
Set your application to use forms authentication in your web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/myadminlogin.aspx" protection="All" path="/" timeout="120" />
</authentication>
Define the protected folders in your web.config.
<location path="secure">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Within your login area check a condition and set the auth cookie:
'SET AUTH COOKIE
FormsAuthentication.SetAuthCookie(sessionID, False)
response.redirect(/secure/securearea.html)
This unfortunately is the one page where you will need some server side code.