I have a scenario in my application where I need to fetch the current system login username and check the username against other details. If the username is valid, the form should be allowed to redirect to another page. For that I have used the following code to fetch the current login username:

C#
string userName = HttpContext.Current.User.Identity.Name;


As I am using the current system user details, I went for "Windows Authentication mode" and wrote the following code in the web.config file:

HTML
<system.web>
  <customErrors mode="Off"/>
  <compilation debug="true" targetFramework="4.0"/>
  <authentication mode="Windows">
  </authentication>
  <identity impersonate="true"/>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>


The whole thing is working fine on my local system. But after publishing the application in IIS and opening it in a web browser, it asks for the username and password credentials in a prompt dialogue. Only after passing the current system username and password does it go to the application main page; otherwise it shows an error like:

"HTTP Error 401.1 - Unauthorized You do not have permission to view this directory or page using the credentials that you supplied."

By googling for an answer I have made some changes: in IIS, after going to the application, I adjusted the following setting. For authentication, I disabled the "Anonymous and Impersonation" authentication and only enabled "Windows authentication".

And in Windows authentication, I went to "Providers" and moved "NTLM" to the top.

What may be the reason for this? How can I disable the popup that is asking for the username and password?

Thanks
Posted
Updated 30-Jul-14 0:57am
v3

1 solution

Internet Explorer will only use the current system credentials to log in to Windows Authenticated sites which are in the Local Intranet zone. Add your site to that zone, and you should get the same behaviour as your local copy.

http://www.sevenforums.com/tutorials/144766-internet-explorer-security-zones-add-remove-sites.html

Other browsers will still prompt for a username and password.

EDIT: It turns out other browsers can log in automatically, but it's not immediately obvious.

Firefox


Mozilla currently supports a whitelist of sites that are permitted to engage in SPNEGO authentication with the browser. This list is intended to be configured by an IT department prior to distributing Mozilla to end-users.

The preferences are:
pref("network.negotiate-auth.trusted-uris", site-list);
pref("network.negotiate-auth.delegation-uris", site-list);
pref("network.automatic-ntlm-auth.trusted-uris", site-list);

where, site-list is a comma-separated list of URL prefixes or domains of the form:
site-list = "mydomain.com, https://myotherdomain.com"

This add-on makes it easier to manage this list, allowing you to stick with Firefox but still use pass-through authentication like Windows/NTLM or Kerberos.

http://www.liquidstate.net/blog/technology/enabling-ntlm-authentication-single-sign-on-in-firefox/

Chrome


Chrome doesn't have separate page for specifying intranet URL for NTLM auto login. It takes its URLs for auto login from Internet Explorer's "Local Intranet" sites list.
v2
Comments
V G S Naidu A 30-Jul-14 0:51am
So can't we implement Windows authentication in other browsers without asking for the username and password?
Richard Deeming 30-Jul-14 6:46am    
It turns out you can, but it's not obvious. I'll update the answer with the details.
V G S Naidu A 30-Jul-14 11:45am
Thanks for your valuable solution, but we are deploying the application at a client location, in which we could not apply those settings to every system in the local network. Here my questions are: (1) Is Windows authentication mandatory to work with an ASP.NET website in a local network? (2) Is Windows authentication mode required to get the login name and current domain of the system? But when I use Forms authentication, the above code to get the current system login name returns null; it is only working with Windows login. What is the reason? Thanks.
Richard Deeming 30-Jul-14 12:54pm    
1. No, Windows Authentication is not required. You could use any supported authentication scheme, or even turn off authentication altogether. However, this would leave you unable to restrict access to the application based on the user account.

2. To automatically get the username and domain name from the browser without the user re-typing them, you must use Windows Authentication, the site must be in the user's "Local Intranet" zone (or Firefox's trusted URIs list), and the web server must be in the same AD domain as the user.

For security reasons, browsers do not send your username and domain name to sites which aren't using Windows Authentication, or which aren't in the Local Intranet zone. If you are unable to add your site to the Local Intranet zone, then you'll either have to turn off authentication, or the users will have to re-type their username and password.
V G S Naidu A 2-Aug-14 2:01am
OK, thanks for the valuable information. In my application there are two types of login. One is the user section, i.e. he can go directly to the default page and access it if his username is listed in a database table; otherwise he can't browse the application.

The other one is the admin section; in this section he will access more settings pages than a user.
In this scenario, without any authentication I could not handle the application; that's why I am going for either "Forms authentication" or "Windows authentication".
From the above comments, what I have understood is that if I go with "Forms authentication" the browser will surely ask for the credentials, so we don't have any alternative to overcome this with "Forms authentication".
To overcome this situation, I surely have to use "Windows authentication", am I right? (That is what I am presently doing.)
But unfortunately, it is also asking for the username and password even though I published the application in my local IIS on my own system.
From your point 2, it should be in the same Active Directory domain; here I am surely in the same AD, because I hosted the application in my local IIS only.
You said the site must be in the "Local Intranet" zone. Is there any way that local IIS can be recognized as a "non local intranet" zone?

Thanks once again; surely your points help me to move forward.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)