Recipe: Enabling Windows Authentication within an Intranet ASP.NET Web application

Problem:

You are building an Intranet web application for your organization, and you want to authenticate the users visiting your site.  Specifically, you want to ensure that they are logged in using a valid Windows account on the network, and you want to be able to retrieve each incoming user's Windows account name and Windows group membership within your application code on the server.

Discussion:

Authentication is the process of identifying and validating the identity of a client accessing an application.  Put more simply -- it is the process of identifying “who” the end-user is when they visit a website. 

Authentication is typically used in combination with Authorization -- which is the process of figuring out whether the authenticated user has permissions to access a particular page/resource or to perform some action.  For example, when an end-user in a browser tries to access a page, ASP.NET might authenticate the user as “Scott”, and would then run through the configured authorization rules for the requested page to figure out whether “Scott” has permission to access it.

ASP.NET supports multiple ways to authenticate browser users visiting a web application, and implements a flexible set of ways to authorize which permissions they have within the application.

For Internet web applications, the most common authentication scenario is called Forms Authentication.  Forms Authentication lets a developer provide a standard HTML login form within the application, and then validate the username/password the end-user submits against a database or other credential store.  If the combination is correct, the developer can then ask ASP.NET to issue an encrypted HTTP cookie (the forms authentication ticket) that identifies the user on subsequent requests.

For Intranet web applications, the most common authentication scenario is called Windows Authentication.  Windows Authentication avoids the need to create a login form within an application, and does not require end-users to manually enter their username/password to log in.  Instead, IIS authenticates the browser against the user's existing Windows logon (Kerberos where a domain controller is reachable, NTLM otherwise) and hands the resulting Windows identity to ASP.NET.  The benefit of this approach is that it improves the end-user experience, since users don't have to re-type their passwords or maintain separate accounts.  It also allows companies to re-use a common security identity system across their entire corporate network (Windows clients, servers, file shares, printers, and web apps).

Solution:

To enable Windows Authentication within an ASP.NET application, first make sure that "Integrated Windows Authentication" is enabled within IIS for the application you are building (older IIS versions label this "NTLM authentication").  Note that Internet Explorer only sends the current logon silently for sites in its Local intranet zone; a server reached by a name outside that zone produces a credential prompt rather than a silent logon.

You should then add a web.config file to the root directory of your ASP.NET application that contains an <authentication> section which sets the mode to "Windows".

You should also then add an <authorization> section to the same web.config file that denies access to “anonymous” users visiting the site.  This will force ASP.NET to always authenticate the incoming browser user using Windows Authentication – and ensure that from within code on the server you can always access the username and Windows group membership of the incoming user.

The below web.config file demonstrates how to configure both steps described above:

<configuration>
    <system.web>
        <authentication mode="Windows" />
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

Note that the <deny users="?"/> directive within the <authorization> section above is what tells ASP.NET to deny access to the application to all "anonymous" users (the "?" character means anonymous user).  This forces IIS to challenge the browser for Windows credentials, and ensures that the username is always available from code on the server.  Without it, an anonymous request reaches your code with User.Identity.IsAuthenticated set to False and an empty User.Identity.Name, so never read the name without either that deny rule or an explicit IsAuthenticated check.

Obtaining the Logged-in Username via Code

Once you follow the above configuration steps, you can easily access the logged-in username and role/group mappings for the authenticated user within ASP.NET.  For example, you could use the code-snippet below within an ASP.NET page to easily obtain the username of the visiting user:

Dim username As String
username = User.Identity.Name 

The code-snippet above works because there is a “User” property built-in to all ASP.NET pages and user-controls.  If you want to gain access to this user data from within a regular class or business object (which doesn’t have this property provided), you can write code like below to achieve the same result:

Dim User As System.Security.Principal.IPrincipal
User = System.Web.HttpContext.Current.User

Dim username As String
username = User.Identity.Name

The code above obtains the User IPrincipal object for the current request by accessing it via the static HttpContext.Current property that ASP.NET provides (this in turn uses call-context to retrieve it from the active ASP.NET worker thread).  This avoids you having to pass this User object into your business classes directly, and instead allows you to access the User object from anywhere in the application.
 
Outputting the Logged-in Username on a Page

You can use the username string we retrieved above to programmatically output the username to a page however you want.  For example, you could add an <asp:label> control to the page and write code like so to set it.  Keep in mind that the Label control writes its Text to the page without HTML encoding; the name comes from the operating system rather than from the browser, but wrapping it in HttpUtility.HtmlEncode costs nothing and keeps the habit consistent with how you treat untrusted data:

Label1.Text = "Welcome " & User.Identity.Name

ASP.NET 2.0 also ships with a built-in <asp:LoginName> control that you can use to declaratively output the user-name to the page:

<asp:LoginName ID="LoginName1" FormatString="Welcome {0}!" runat="server" />

This control provides an easy way to display the username within the application without having to write any code at all (note the use of the “FormatString” property on the control above – which allows you to easily specify a text mask to use with it).

Looking up Role/Group information for a User

ASP.NET provides a useful “Role Management” capability, which allows developers to map users into logical “Roles” that can then be used to better control end-user capabilities and authorization access.  For example, as a developer I could create a role called “managers” for my web application, and then limit access to portions of the site to only those users within the “managers” role (note: I will be posting additional recipes in the future that discuss how to fully use the Role Management authorization and capabilities features more).

When using Windows Authentication, ASP.NET allows developers to create and populate roles from multiple sources.  For example, a developer could set up the built-in ASP.NET 2.0 SqlRoleProvider to map Windows users to custom application roles that are stored within a database.  This approach is very useful for scenarios where there are application-specific role mappings that don't make sense to push into a centralized Active Directory tree/store.

ASP.NET also makes it easy to access central Windows and Active Directory group mappings from within an application as well.  For example, if there is a Windows group on the Active Directory network called “DOMAIN\managers”, an ASP.NET application could lookup whether the current Windows authenticated user visiting the ASP.NET site belongs to this group by writing code like this:

If User.IsInRole("DOMAIN\managers") Then
     Label1.Text = User.Identity.Name & " is a manager"
Else
     Label1.Text = User.Identity.Name & " is not a manager"
End If

Note that the role/group look-up is done via the "User.IsInRole(rolename)" method that is a peer of the User.Identity.Name property.  With Windows Authentication the User object is a WindowsPrincipal, and IsInRole resolves the name you pass to a SID and looks for it in the user's logon token.  Two practical consequences: the name must be spelled in the form Windows resolves (DOMAIN\group for domain groups, BUILTIN\group for built-in local groups such as Administrators, MACHINENAME\group for other local groups), and because membership is read from the token, a change to a user's groups only shows up after that user logs on again.
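The following helper module is an added example, not code from the original post, that bundles the checks from the two sections above (obtaining the identity, and looking up groups) the way I would want them in an intranet application: it refuses to return a name unless the request really was Windows-authenticated, splits DOMAIN\user safely, checks group membership by name and by well-known SID, and lists the groups in the logon token for troubleshooting.  It assumes the web.config shown earlier; the group names "DOMAIN\managers" and "MACHINE\WebAppRole1" mentioned in the comments are placeholders.

```vbnet
' Added example (not from the original post). Assumes Windows Authentication
' is enabled as in the web.config above; all group names are placeholders.
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web

Public Module IntranetUser

    ' Returns the WindowsIdentity for the current request, or throws if the
    ' request was not Windows-authenticated. With anonymous access still
    ' allowed, Identity.Name is "" and IsAuthenticated is False, so code that
    ' reads the name without this check silently works with an empty string.
    Public Function RequireWindowsIdentity(ByVal context As HttpContext) As WindowsIdentity
        If context Is Nothing OrElse context.User Is Nothing Then
            Throw New InvalidOperationException("No principal is attached to the current request.")
        End If
        Dim identity As WindowsIdentity = TryCast(context.User.Identity, WindowsIdentity)
        If identity Is Nothing OrElse identity.IsAnonymous OrElse Not identity.IsAuthenticated Then
            Throw New UnauthorizedAccessException("The request is not Windows-authenticated.")
        End If
        Return identity
    End Function

    ' Splits "DOMAIN\user" into its two parts. Returns False when the name has
    ' no backslash, which should not happen for a Windows-authenticated user.
    Public Function TrySplitAccountName(ByVal accountName As String, _
                                        ByRef domain As String, ByRef user As String) As Boolean
        domain = Nothing
        user = Nothing
        If String.IsNullOrEmpty(accountName) Then Return False
        Dim slash As Integer = accountName.IndexOf("\"c)
        If slash <= 0 OrElse slash = accountName.Length - 1 Then Return False
        domain = accountName.Substring(0, slash)
        user = accountName.Substring(slash + 1)
        Return True
    End Function

    ' Group check by name. WindowsPrincipal.IsInRole resolves the name to a SID
    ' and looks for that SID in the logon token, so domain groups must be given
    ' as DOMAIN\group, built-in local groups as BUILTIN\group and other local
    ' groups as MACHINE\group. Membership changes take effect at next logon.
    Public Function IsMemberOf(ByVal identity As WindowsIdentity, ByVal groupName As String) As Boolean
        Dim principal As New WindowsPrincipal(identity)
        Return principal.IsInRole(groupName)
    End Function

    ' Group check by well-known SID: unaffected by renamed or localized names.
    Public Function IsLocalAdministrator(ByVal identity As WindowsIdentity) As Boolean
        Dim principal As New WindowsPrincipal(identity)
        Return principal.IsInRole(WindowsBuiltInRole.Administrator)
    End Function

    ' Lists the groups carried in the logon token as DOMAIN\group names, which
    ' is the quickest way to see why an IsInRole check returns False. SIDs that
    ' cannot be translated (deleted groups, untrusted domains) are kept as SIDs.
    Public Function GroupNames(ByVal identity As WindowsIdentity) As List(Of String)
        Dim names As New List(Of String)()
        For Each reference As IdentityReference In identity.Groups
            Try
                names.Add(reference.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                names.Add(reference.Value)
            End Try
        Next
        Return names
    End Function

    ' Greeting text for a Label. Label.Text is written to the page without
    ' HTML encoding, so encode the name even though it comes from Windows.
    Public Function WelcomeHtml(ByVal identity As WindowsIdentity) As String
        Return "Welcome " & HttpUtility.HtmlEncode(identity.Name)
    End Function

End Module
```

From a page's Page_Load you would call IntranetUser.RequireWindowsIdentity(HttpContext.Current) once, keep the returned identity in a local, and then pass it to WelcomeHtml, IsMemberOf("DOMAIN\managers") or GroupNames; the one-time check at the top means a misconfigured virtual directory (anonymous access left on, or the deny rule missing) fails loudly instead of rendering pages for an empty username.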

Next Steps

Once you understand the basics above, you know how to authenticate and identify Windows users visiting your Intranet application, as well as to lookup what Windows groups and roles they belong to.

In a future Recipe we’ll walkthrough more advanced role-management scenarios, and also discuss ways to authorize and restrict access and capabilities within an ASP.NET application based on the authenticated user’s authorization rights.

Additional Discussion:

• Links to Tons of ASP.NET Security Content
• How To: Use Windows Authentication in ASP.NET 2.0

Hope this helps,

Scott


87 Comments

  • Any suggestions for a web application that is both intranet (Windows Authentication) and internet (Forms Authentication) facing?

  • Hi Scott,

    For Intranet applications I've done where I want to use NTLM, I've done the following: 1) Create a web application which uses Forms authentication. 2) Set the loginUrl attribute of the forms element to "AutoLogon/AutoLogon.aspx" and set the . 3) Create a virtual folder beneath the web app called AutoLogon which is itself an application. 4) Set the AutoLogon web.config to use the settings you describe above. 5) Add the following (simplified) code to the page AutoLogon.aspx:

    // Take the Windows identity IIS established for this sub-application...
    IPrincipal ip = HttpContext.Current.User;
    IIdentity id = ip.Identity;
    FormsAuthentication.Initialize();
    // ...issue a forms ticket for that name, then return to the parent application.
    FormsAuthentication.SetAuthCookie(id.Name, false);
    HttpContext.Current.Response.Redirect("../", false);

    What this gives you is a combination of NTLM authentication without having to authenticate every page using NTLM, as you can rely on the forms authentication scheme. You can also easily tie together a custom authorisation scheme with NT/Active Directory groups.

  • It's important to know that for your Active Directory groups example above to work, you need to change the role provider from its default of "AspNetSqlRoleProvider" to "AspNetWindowsTokenRoleProvider" in your web.config. Like so: Then you are also able to access those AD groups in your web.config via the element as well, e.g.: Immensely useful for any AD users.

  • Scott,
    Do you plan on discussing how to use ASP.NET's Membership, Roles, and Profile functionality using Windows Authentication? I challenge you to find a website that talks about this. I've only seen sites talk about how to use the Membership, Roles, and Profile with FORMS authentication which appears to work very differently than Windows Authentication.

    Thanks for the great posts,
    Roger

  • It's surprising the extent to which the extremely common scenario of intranet+Windows Authentication has been ignored by many people, including some ISVs.

    But mainly I'd like to comment on a blind assumption that many people make that if you're using Windows Authentication you have to use Windows groups and roles for authorisation, which is of course completely untrue. In practice (and I don't think my experience is atypical) I've found it much more useful to use roles stored in a database (lately, aspnetdb) since this provides the necessary granularity and dynamism and easily accommodates any new applications that are created.
    The new Provider model in ASP.NET 2.0 makes things much easier (and more consistent) of course...I recently covered the last gap by writing a ClickOnce app for user administration: it obtains the user list from Active Directory and lists of applications and roles from the database (I had to write one extra SP to list applications in aspnetdb as I recall). The hardest thing was learning how to obtain a meaningful list of users, since our AD has "users" with names such as "1080 Poison Drop", as well as the predictable "Test USer1", "Test User2" and so on.

  • Hi Motley,

    Ripster has a good suggestion on how you could implement a hybrid windows/forms authentication approach -- where basically you use forms-auth to issue the authentication ticket, but detect whether the user is on the Intranet and if so try and obtain a Windows principal to identify the login name.

    Hope this helps,

    Scott

  • Hi Ryan,

    Actually you can get access to your Windows group information directly via the User object like I showed above without having to configure a roles-provider. When Windows Authentication is enabled ASP.NET will automatically populate the principal with the Windows groups.

    Where configuring a Roles provider with the built-in ADProvider makes more sense is when you want to use the full Roles API in ASP.NET 2.0 against it. This provides additional capabilities and support not directly in the User API (which is a read-only one).

    But if you don't need these extra capabilities, you can just enable Windows Authentication like I did above and you are all set.

    Hope this helps,

    Scott

  • Roger/Kevin,

    Yep -- I definitely plan to cover how to use Roles (where they are stored in a database) with Windows Authentication. I definitely agree that this is not something that people broadly understand how to-do, and yet enables a really powerful and useful set of scenarios.

    Thanks,

    Scott

  • I use the user.identity.name result to do an active directory lookup for that user. I then populate session variables with their firstname, lastname, email etc. These can then be called anytime in your intranet application

  • Hi
    I have one query. Many times we need to use the data related to the user with other tables in the database (where userid is a foreign key). How can we use the data stored in the aspnetdb with our main database?
    Thanks

  • Okay I see that your example would work without specifying "AspNetWindowsTokenRoleProvider". What got stripped out of my comment (xml) was that if you wanted to use the "authorization" element in your web.config to allow/deny access to that role rather than hard-coding it in your code-behind, you have to use the WindowsTokenRoleProvider. I think this method is the simplest especially for anyone already doing authorization checks against specific usernames in their web.config. Having to specify the role provider seems counter-intuitive when you can access the role via the User object already until you realize that they use different APIs for role checks like you mention.

  • I enabled Windows authentication, but was getting errors on my local box (i.e. "The trust relationship between the primary domain and the trusted domain failed.") until I enabled the roleManager and set the default provider. Then it worked.

  • For Windows + Forms authentication, I use a typical Forms authentication process, but in the Login.aspx page I first check if there is a windows account (through Request.ServerVariables("LOGON_USER") and setting Windows authentication only for this special login page in IIS) and use the default forms authentication mechanism using
    FormsAuthentication.RedirectFromLoginPage(userLogin, True)

  • Really, this is a great article.
    I want to ask one thing more:
    please tell me how I should get the domain name of my network.

  • Hi Scott,
    Great topic! I think this is the first area where somebody is talking about Windows and Forms authentication at the same time (at least in my experience). I have been using forms authentication for an Intranet app but using Active Directory as the Membership role provider. I have created a simple interface like the ASP.NET Web Administration one that comes with the VWD IDE, so I can add/remove users to roles, create roles etc. I have even come up with some reports too but am facing some limitations.
    I would like to see you come up with an example app which allows both Active Directory users for Intranet and DB users for Internet (user and group management), reporting for audit purposes etc. I already have 80% of what I am speaking about here, but there are some pieces I am missing. If you want my code to speed things up, let me know: impu007@REMOVEIT.yahoo.com

  • Just as a comment...

    You don't need two applications or two virtual directories to do NTLM hybrid.

    If a page is set to allow NTLM authentication (note: you only want this for Intranet users -- NTLM over Internet is dangerous, because NTLM is insecure), and you do this:
    Response.StatusCode = 401
    Response.End

    You will find that Server("http_auth") is set to negotiate (typically) and Server("http_user") is set to the user's name. There is additional information in the Server object that can be used as well.

    I've also triggered it by setting the login page as the custom error page for 401, and then having an HTML file with a redirect in it set to deny access to anonymous users.

    Hitting the HTML file will trigger a 401, which convinces Internet Explorer to authenticate. If it hits the page successfully, the redirect on the page sends it to the login page. If it hits the page unsuccessfully, the error page directs it to the login page. Either way, the login page can check "http_auth" and "http_user" to determine if the user authenticated or not.

  • Has anyone been able to get User.IsInRole working with the local administrators group? I've got it to work against AD groups but I really need to test against local groups on the server.

  • Hi Dave,

    You should be able to-do this. Is your computer connected to an AD domain right now? Have you configured any role provider? And how are you referencing the local group?

    In theory you should be able to write:

    If (User.IsInRole("administrators")) Then

    End If

    and it will resolve to the local group (whereas DOMAIN\admins would resolve to a domain group).

    Hope this helps,

    Scott

  • Is there any reason why Windows authentication would work in one environment and not another? On my local machine, authentication fails, but on our development IIS server, the same code base authenticates successfully via windows integrated authentication? Is there a port that might be blocked?

  • Can you also discuss delegation where you would want to use the user's authentication info to access the database/service on another backend server. Also would this be best practice? Does connection pooling still apply if each user is accessing the database under a separate user account?

  • Scott, You mentioned that you can
    "setup the built-in ASP.NET 2.0 SqlRoleProvider to map Windows users to custom application roles that are store within a database. This approach is very useful for scenarios where there might be application-specific role mappings that don’t make sense to push into a centralized Active Directory tree/store"

    Does that mean just having a roles table in the application, and somehow mapping the users to the roles table from AD?

    Or do you need to keep a users table?

    Do you have an example?

    THanks.

  • Dave,

    You might also try "BUILTIN\Administrators". Or "MACHINENAME\Administrators".

  • Hi Doug,

    Yep -- you can just maintain a roles table for the application in your database -- while still keeping all of the user data within AD.

    I am going to try and put together a Recipe sample that I'll post in the next few weeks that walks through more how to do this.

    Hope this helps,

    Scott

  • Hi pneumonia,

    Definitely check to see whether you have a firewall enabled -- potentially that could be a cause.

    Also check to make sure that integrated windows authentication is enabled within IIS. It could be that it is enabled on one machine but not the other.

    Hope this helps,

    Scott

  • Hello, I use the code

    Dim username As String
    username = User.Identity.Name
    Me.Label1.Text = username

    on page load to get the username, but it gives the result as

    DomainName\username

    Is there any way to only pick the username?

    Please tell me if anybody knows.

    my email is itsrajiv@hotmail.com

  • Hi Scott. I have code that uses many of the concepts you have discussed here and works well with IIS 5.1/6.0 . When I run the code on IIS 7 I can't get to the user information through the HttpContext object anymore (presumably because authentication is handled natively by IIS 7). Is there an interface I can use to get to this information using ASP.NET on IIS 7?

    Thank you,
    Josh

  • Hi Josh,

    That is pretty odd. Do you have the section set to disable anonymous access? I wonder if that could be the cause.

    Thanks,

    Scott

  • Hi Raj,

    User.Identity.Name will return the full username. To parse out the DOMAIN name, you can use the string functions to just retrieve the characters after the "\" character.

    Hope this helps,

    Scott

  • Scott, I made the section changes you suggested and I am still having trouble. Specifically, I get an empty string back from User.Identity.Name. Interestingly, if I change the DefaultAppPool to run in ISAPI pipeline mode, I get the correct user name string.

    It could be I have some other configuration issue and I will continue to look at it. But if I understand you correctly, I should be able to get authentication information from the HttpContext object when running ASP.NET 2.0 on IIS 7 in Integrated pipeline mode when using Windows authentication?

    Thanks for your response,
    Josh

  • I did not get the information under these three headings: where do I write the VB code?

    Obtaining the Logged-in Username via Code

    Outputting the Logged-in Username on a Page

    Looking up Role/Group information for a User

    pradeep

  • Hi Josh,

    That is interesting. Any chance you could send me an email (scottgu@microsoft.com) summarizing what you did and including your web.config file? I'd like to loop a few folks from the IIS7 team onto it so that we can figure out what is going on.

    Thanks,

    Scott

  • I tried to implement this in my app, but the GetRolesForUser method in the WindowsTokenRoleProvider class returns all Windows groups, not the groups the user is in.
    And when I try to call the User.IsInRole(group) method, it always returns TRUE, whatever Windows group name I use as the parameter. What's wrong?

  • Hi Basavaraj,

    The above article shows how to implement silent windows integrated authentication.

    Hope this helps,

    Scott

  • Hi Maxmyd,

    Can you send me email describing this problem more, as well as attach your web.config file? I can then try and investigate.

    Thanks,

    Scott

  • Hi Scott.

    I'm on ASP.net 1.1 and framework 1.1

    If User.IsInRole("DOMAIN\managers") Then
    Label1.Text = User.Identity.Name & " is a manager"
    Else
    Label1.Text = User.Identity.Name & " is not a manager"
    End If

    I can't get it to detect @"server\accounts";
    it can only go up to @"BuiltIn\Administrators" or whatever the built-in accounts are.

    did i forget to do something somewhere?

  • Hi Jiasheng,

    I'm not sure I understand your question - are you trying to perform a role lookup on a domain level group or a local server group?

    Thanks,

    Scott

  • Hi Scott,

    I either have a configuration issue or just don't understand how this should be working.

    I have tested numerous code samples (from here and other MSDN articles). With Anonymous access turned off in IIS I get a login popup window in IE. If I turn Anonymous on it then uses the machine account, as it should, but I can't force it to find my Identity information. As a domain user, shouldn't I already be authenticated?

    Thanks for any help.

    -Craig

  • Hi Craig,

    Can you check within IIS to see if you have "integrated authentication" or NTLM authentication enabled? When this is enabled IIS will automatically authenticate you (no IE prompt).

    Hope this helps,

    Scott

    P.S. Note that the application itself will not change to running under the logged in account. So if you are looking up the process account name it will still be a machine account. What will change when you enable authentication like above is the User.Identity.Name value -- which will map to that of the authenticated user for the request.

  • Scott, thanks for the reply. I am configured as you have described. This is why I am confused, because as you said, the IE prompt should not be coming up, but it is. I have Server 2003, IIS 6.0, .NET 2.0. Thanks again. -Craig Petkus

  • When will you discuss the following?

    "In a future Recipe we’ll walkthrough more advanced role-management scenarios, and also discuss ways to authorize and restrict access and capabilities within an ASP.NET application based on the authenticated user’s authorization rights."

  • Hi Priyatam,

    Here is a pointer to the article I did on using Windows Authentication with Role Management: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

    Hope this helps,

    Scott

  • Hi Craig,

    If you want to send me email directly with more details about your configuration and scenario, I can loop you in with a few folks who might be able to help figure out why the prompt is coming up.

    Hope this helps,

    Scott

  • Hi Ujjwal,

    Yes - this is fully possible. What you want to use is the section in your web.config file to allow or deny access to users. For example:

    The above config will allow you but deny everyone else access to this page. You can use this approach for any page on the site.

    Hope this helps,

    Scott

  • Scott,

    I am having the same problem as Craig, not getting the silent authentication. I have windows authentication checked and anonymous access un-checked in IIS. My authorization section looks as such:

    and have this:

    How can I go about emailing you?

    Thanks,

    Matt

  • Hi Matt,

    Can you send me an email describing your configuration and issue more? I can then loop a few people on my team in to investigate.

    Thanks,

    Scott

  • Hi Scott, I am implementing Windows Authentication on our new intranet site and I have denied access to all users except those in a site admin AD group via the web.config. When a user who isn't in the site admin group clicks on the link to the page they get a dialog asking for credentials. Is there any way to suppress this dialog and just take them to an Access Denied page? Thanks.

  • Hi dcuk7,

    Usually that happens if you have basic or digest authentication also enabled for the site. What ends up happening is that the windows auth/NTLM lookup fails, and then it falls back to trying basic/digest auth. If you disable these protocols it should just show you the error page I believe.

    Thanks,

    Scott

  • Hi Scott,

    How do I define the role provider to look up roles on the local Windows machine? I develop an Intranet web app in a corporate environment where I don't control the Domain groups. I authorize Domain users to access the website, but I define their roles on the local machine (where I am NT admin) by creating local NT groups and including Domain Users in those groups/roles. I verified through code all roles of an authenticated Domain user and found only the Domain roles/groups.

    Thanks,
    Aurelian

  • Hi Aurelian,

    To check against local role groups on a Windows machine you want to use the "BUILTIN" keyword. For example:

    User.IsInRole("BUILTIN\mygroup")

    Hope this helps,

    Scott

  • Hi Scott,

    Thanks for answering.

    It doesn't work. When a Windows user defined on the Primary Domain controller is authenticated on the website he will automatically have his roles assigned as defined on the Primary Domain controller. He doesn't get any of the roles assigned on my Production server (which is not the same as the Primary Domain server/controller). On the Production server I defined an NT group, WebAppRole1, and I added members defined in the Primary Domain (users not defined/created on the local machine). For example, I added MyCorporate\User1 to a local group of the MyProduction server, MyProduction\WebAppGroup1. However, when I list all roles of an authenticated user he is not showing the MyProduction\WebAppGroup1 role, nor Builtin\WebAppGroup1, but only the roles defined on the PrimaryDomain. I used the following code to list all roles in a Page_Load procedure:
    Dim members As String() = Roles.GetRolesForUser()
    For Each role As String In members
        ' one group per line in the label
        Label1.Text &= role & "<br />"
    Next

    Thanks,
    Aurelian

  • Hi Undying,

    You can use the WindowsTokenRoleProvider for Roles stored within ActiveDirectory.

    I have a tutorial that walks through how to map Windows or Active Directory users to custom roles stored within a SQL database here: http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx

    Hope this helps,

    Scott

  • Hi Aurelian,

    Can you send me email describing this more? I'll then loop you in with a colleague of mine who knows more about security and can hopefully help.

    Thanks,

    Scott

  • Hi Scott!

    Thank you so much for this link. I'll check this out!
    Thanks again for your support!

    Undying

  • Hi Scott. Thanks for the reply. I don't have basic or digest auth ticked in IIS but I get the pop up still. I notice a couple of other people get a similar problem. I am using IIS 5 on a Windows 2000 server with .NET 2.0.

  • Hi Ronnie,

    Can you send me this question in email? I'll then loop in a few people from the IIS team who can help make some suggestions.

    Thanks,

    Scott

  • Hi dcuk7,

    Can you send me an email describing your configuration a little better? I will then loop you in with some folks from the IIS team who can help.

    Thanks,

    Scott

  • Hi Scott, I am using windows authentication in Intranet Application. My user is listed in the Active Directory named - GEN. In active directory I have created One Organizational Unit(OU) named AC and added Group called AC-ADMIN, AC-USER. There are several user in this group. I have to validate the user so that only AC-ADMIN, AC-USER can access this application. Following is the code:
    if (User.IsInRole(@"GEN\AC-USER"))
    {
    Response.Write(User.Identity.Name + "Is a USER");
    }
    else
    {
    Response.Write("User Not Found");
    }
    Even if the user is in the group, it is always executing the else part.

    Can you please tell me where I am wrong?

  • Hi Sumit,

    Is the web-server part of your domain?

    Also -- have you denied anonymous access to the page? It could be that the user is not currently authenticated.

    Thanks,

    Scott

  • Yes. Webserver is part of my domain. Actually I am testing it locally and I am in the AD group.

    I have denied the anonymous access through IIS.
    Do you have any material which can help me with this? Because I have to list the groups under a specific OU as well as the members of the group.

    Thx

    Sumit

  • Hi Sumit,

    Can you send me email with more details about your configuration? I can then help loop you in with someone on the IIS team to help.

    Thanks,

    Scott

  • Need your email id. I have forwarded to scottgu@microsoft.com, but it bounced back.

    Sumit

  • Hi Scott,
    Thanks for the useful information related to Windows authentication. I have just one question regarding my application. Actually I am using win auth in my application, but I need to have more information about the connected user, so I call Active Directory to get the needed information like the user's email, country etc. I am using DirectoryEntry and DirectorySearcher to communicate with the AD.
    The first thing that I noted is that User.Identity.Name gives me the name of the user along with the Domain name, and I don't have a field in the AD with this combination. The "sn" field gives the exact user name, not DomainName\UserName. Am I missing something, or do I have to manually extract the username from User.Identity.Name to get the user's info from the AD?
    Thanking you in advance.
    Khurram

  • Win 2003, IIS 6.0, IE 7.0
    Running an ASP.NET 2.0 app under Windows authentication. If the app pool identity is Network Service, then IE does not challenge for authentication. If I change the app pool identity to a service account then IE challenges. How do we overcome this issue of IE challenging?

  • Scott / Ronnie -

    Did either of you find out if it is possible to access Windows Authentication without disabling anonymous authentication?

    I swear I heard there was a way to programmatically obtain the user id in such a case, but I can't find any info on it.

    ps - Scott, really enjoyed your talk in Dallas.

  • Hi Scott, Is it possible to populate a windows identity programmatically? We have a scenario whereby we want to change the credential of an authenticated user temporarily to another credential from code. We are able to do that only if we use Forms Authentication. Any ideas on how to do it in Windows Authentication?

    Thanks in advance, Setyawan

  • Hi Setyawan,

    It is in theory possible -- although you'd probably need to use P/Invoke to take a username/password and cook up a WindowsIdentity that you then set on the HttpContext.User property.

    Hope this helps,

    Scott
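
    The P/Invoke approach Scott sketches above, as an added example (this is not code from the original post): LogonUser in advapi32 validates a username/password against the domain and returns a token, which WindowsIdentity wraps so it can be assigned to HttpContext.Current.User or used for impersonation. The class name, the delegate type and the network logon type are assumptions for the example. Three practitioner caveats: the password travels and is handled in clear text, so only accept it over HTTPS and never log it; each failed LogonUser call counts against the domain's account-lockout policy; and the identity swap lasts only for the current request, because the next request arrives with the caller's own Windows identity again. On Windows Server 2003 and later a network logon needs no special privilege for the application pool account.

    ```csharp
    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.Web;

    // Added example: build a WindowsIdentity from explicit credentials and run
    // part of a request as that user. Targets the .NET Framework 2.0-era APIs the
    // page discusses (WindowsImpersonationContext is not available on .NET Core).
    public static class WindowsLogon
    {
        // LOGON32_LOGON_NETWORK validates the credentials and yields a token that
        // is good for IsInRole checks and most server-side work. Use
        // LOGON32_LOGON_INTERACTIVE (2) only when the token must behave like a
        // console logon (assumption: network logon is enough for this scenario).
        private const int LOGON32_LOGON_NETWORK = 3;
        private const int LOGON32_PROVIDER_DEFAULT = 0;

        public delegate void ImpersonatedAction();

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        private static extern bool LogonUser(
            string lpszUsername, string lpszDomain, string lpszPassword,
            int dwLogonType, int dwLogonProvider, out IntPtr phToken);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr handle);

        // Returns a WindowsIdentity for the credentials, or throws Win32Exception
        // when the logon fails (bad password, disabled or locked-out account, ...).
        public static WindowsIdentity Logon(string domain, string userName, string password)
        {
            IntPtr token;
            bool ok = LogonUser(userName, domain, password,
                                LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
            if (!ok)
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            try
            {
                // The WindowsIdentity constructor duplicates the token, so the
                // raw handle from LogonUser must be closed here to avoid a leak.
                return new WindowsIdentity(token);
            }
            finally
            {
                CloseHandle(token);
            }
        }

        // Temporarily replace the request's principal and the thread's security
        // context, run the action, then restore the original principal.
        public static void RunAs(string domain, string userName, string password,
                                 ImpersonatedAction action)
        {
            WindowsIdentity identity = Logon(domain, userName, password);
            IPrincipal original = HttpContext.Current.User;
            HttpContext.Current.User = new WindowsPrincipal(identity);
            WindowsImpersonationContext ctx = identity.Impersonate();
            try
            {
                action();
            }
            finally
            {
                ctx.Undo();                        // always drop the impersonation
                HttpContext.Current.User = original;
            }
        }
    }
    ```

    Usage from a page: `WindowsLogon.RunAs("CONTOSO", "svc-reports", password, delegate { /* work as svc-reports */ });`. Anything that runs inside the delegate sees `User.Identity.Name` as the swapped-in account and `User.IsInRole("CONTOSO\\Group")` evaluated against that account's token.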

  • Hi,

    Do I have to use Application_AuthenticateRequest for checking the roles of the user? You have not mentioned how to check roles.

    regards
    Rakesh

  • Here's what I've run into and am looking for an easy(?) solution.

    Our AD setup:
    forest with multiple children.
    The W2K3 IIS6 web server is at forest level.
    All users are within the children.
    With builtin/default trusts between forest and children.

    From home, I developed a new ASP.NET (VB) app to read/update child1 AD user accounts,
    while VPN'd into our network with my child2 domain credentials (which have admin
    authority in child1/child2 and the forest).

    Got everything to work, no forms auth, and without any ID/PW on the connections/bindings.
    I figured that was because I'm admin to everything, and I was counting on IIS Windows auth and trusts
    when put into prod.

    Copied my site onto our server.
    If I'm logged on / remoted into the server itself with an actual forest admin account
    or with my child2 admin account, it works.

    But if I connect to the site from my workstation at work (logged on with my child2 account)
    or if I'm VPN'd in from home, also with my child2 account:

    I can access the site, but my queries/access into child1's AD fail.

    On the IIS site have:
    anonymous access unchecked
    Integrated Windows authentication checked

    In the web.config have:






    In my web browser (IE6), "Enable Integrated Windows Authentication (requires restart)" is set.
    ===

    So, how come I could develop the site with my child2 account but now can't access it?
    Also, I will want to allow only a certain child AD security group to run the site.

    Am I missing something with IIS Windows auth and trusts?

    *

  • Hi Rakesh,

    Here is a tutorial that I've written that demonstrates how to integrate Windows authentication with roles stored in SQL Server: http://weblogs.asp.net/scottgu/pages/ASP.NET-2.0-Tips_2C00_-Tricks_2C00_-Recipes-and-Gotchas.aspx

    Hope this helps,

    Scott

  • Hi Mleonard,

    Wow - that is impressive spelunking!

    Can you send me an email (scottgu@microsoft.com) with more details on the exact scenario? I'll then loop in a security expert on the team who can help more.

    Thanks,

    Scott

  • Hi,

    I am trying to authenticate a user with HttpContext.Current.User.IsInRole(domain\), but it returns false. What is wrong with the code?
    I have already configured the web.config to allow only Windows users and denied anonymous access.

    Thanks.
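
    Several comments above (Sumit's else-branch that always runs, Rakesh's question about checking roles, and the IsInRole call right above that returns false) come down to the same two checks, so here is one added example covering all of them; it is not code from the original post. With Windows authentication the principal is a WindowsPrincipal and IsInRole resolves the name against the group SIDs in the user's logon token, which means the name must be in "DOMAIN\Group" form ("BUILTIN\Administrators" or "MACHINE\Group" for local groups); a bare group name returns false without any error. The other common cause of a false result is that the request is not authenticated at all (anonymous access still enabled, or the web server not in the domain or a trusted domain), so the example reports that case separately and lists the groups actually present in the token. One caveat for the Kerberos case: the groups come from the PAC in the user's ticket, so a membership added after the user logged on only shows up after the user logs off and on again. Class and method names are assumptions.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.Security.Principal;
    using System.Web;

    // Added example: Windows group checks for the authenticated request, plus a
    // diagnostic that shows which groups the token really contains.
    public static class WindowsRoleCheck
    {
        // IsInRole on a WindowsPrincipal wants "DOMAIN\Group"; build it here so
        // callers cannot accidentally pass a bare group name.
        public static bool IsMemberOf(IPrincipal user, string domain, string group)
        {
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false;   // anonymous request: this is the "else part" Sumit sees
            return user.IsInRole(domain + "\\" + group);
        }

        // Names of every group SID in the token, translated to DOMAIN\Name form.
        // SIDs that no longer resolve (deleted groups) are returned as raw SIDs.
        public static List<string> GroupNames(WindowsIdentity identity)
        {
            List<string> names = new List<string>();
            if (identity == null || identity.Groups == null)
                return names;
            foreach (IdentityReference sid in identity.Groups)
            {
                try
                {
                    names.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    names.Add(sid.Value);
                }
            }
            return names;
        }

        // One-line description to drop into a page while debugging: tells you
        // whether Windows authentication actually produced a WindowsIdentity and,
        // if so, which groups IIS delivered for this user.
        public static string Describe(HttpContext context)
        {
            IIdentity id = context.User == null ? null : context.User.Identity;
            if (id == null || !id.IsAuthenticated)
                return "Request is anonymous: disable anonymous access in IIS and set "
                     + "<authentication mode=\"Windows\"/> in web.config.";

            WindowsIdentity wi = id as WindowsIdentity;
            if (wi == null)
                return "Authenticated as " + id.Name + " but with a " + id.GetType().Name
                     + ", not a WindowsIdentity; IsInRole(\"DOMAIN\\Group\") will not work.";

            return wi.Name + " is in: " + string.Join(", ", GroupNames(wi).ToArray());
        }
    }
    ```

    In Page_Load, `WindowsRoleCheck.IsMemberOf(User, "CONTOSO", "Managers")` replaces a hand-built IsInRole call, and `WindowsRoleCheck.Describe(Context)` written to a label shows exactly what the token holds. If the group you expect is missing from that list, the problem is on the directory or logon side (group added after logon, web server outside the trust path, nested group not expanded), not in the page code.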

  • I am having the same problem described by a number of people - Integrated Windows Authentication is always popping up a dialog box when I access the site from a machine different from where IIS is running. I tried the tip from JDL about using the name instead of the IP address, but that doesn't work either. Any ideas?

  • Hi WBarber,

    Can you send me an email with the details of this? I'll then loop someone in on my team to help.

    Thanks,

    Scott

  • Nice that all the code is broken up by some diatribe, making it useless to try to copy and actually use. I must be a retarded dumb idiot to think I'd actually see a real working example of this on one of these so-called 'help' sites.

  • NobodyReally,

    Here is a pointer to a complete app that includes a .zip file with Windows authentication and role authorization enabled: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

    Scott

  • Hello

    I have to make an Intranet customizable home page which should work with the currently logged-on Active Directory user as well as users with anonymous access or accessing from other intranets.
    I want to save the users' page customization (Web Parts) information in an MSSQL database with their user names, so that the page can be loaded on their visit.
    Please can you help me with that: how can I do it in .NET 2.0, and which approach should I adopt?

    Thanks

  • Hi Khurram,

    You can configure your application to use Windows Authentication, and then the WebPartPersonalization provider will automatically persist your configuration settings for the user.

    Hope this helps,

    Scott

  • I am testing this recipe for sole use on our company intranet and was having the issue described by many and semi-resolved by JDL. I.e. that using the server IP in my browser URL, I would get prompted for credentials. When I used the FQDN (server name) the problem went away... EXCEPT over VPN. Connected via VPN and using my local browser my choices are either to use the IP of the server (with the app path…) and get prompted for a login... or I can attempt to use the FQDN and get a "Page Cannot Be Displayed" error.

    I suspected that this is related to some flaky DNS settings on the corporate level... but further reading indicates this may be an intentional IE security feature.

    I found a temporary work around by adding the server IP address into the Local Intranet sites in my personal IE settings. The problem is I eventually need to roll this out to several hundred users and I don't know how to make this a global or dynamic setting. It would be preferable to publish one URL to our user community... many of whom work both in and outside the office. If necessary we can publish the server IP and app path if anyone knows of a workaround.

    Any thoughts would be appreciated.

  • Similar to a few questions above: how do I get the server to tell the browser, "You're not authorized. If you have credentials, send them - if not, just display page X"? If the browser doesn't already have credentials - like it's Mac Safari or something - I want to just go to the "generic" version of the site.

    Thanks!

  • Hi JMB,

    Can you send me an email (details in the about link at the top of this page) about this issue? I can then have someone help investigate.

    Thanks,

    Scott

  • Hi Bill,

    You can do this error page pretty easily using Forms Authentication - although it is harder when you are using Windows Authentication.

    Are you trying to-do this with forms auth or windows auth?

    Thanks,

    Scott

  • I am having some problems with this...

    My server is located on WorkgroupA. It's a Windows 2003 server, with just IIS running for development purposes. I am trying to get Windows Auth to check DomainA for user credentials, but it keeps failing. I've tried everything I can think of.

    I specify the username as DOMAIN\USERNAME, and it doesn't work. Is there some trick to get a server on a workgroup to see the Active Directory on a domain?

  • Hi thorkia,

    Can you send me an email with this question? I'll then loop someone in who can help.

    Thanks,

    Scott

  • Good article; it points out an important feature of ASP.NET. I guess ASP.NET has become popular and welcome most likely due to the introduction of the built-in authentication mechanism.

  • I am having the same problem described by a number of people - Integrated Windows Authentication is always popping up a dialog box when I access the site from a machine different from where IIS is running. Is there a standard solution for this? Or is it specific to each situation?

    Thanks!!

  • I have set up a .NET 2 web app using the AD Membership provider class with Forms authentication, which works well if I use a login control.

    However, I want the user to be authenticated automatically, so I could use Windows authentication, but this means I cannot then pull the user's first name, last name, email, office, etc. from AD.

    How do I mix the above so that the login is automatic and the AD information is there to use?

    Thanks

  • Hi Gregory,

    I'd recommend using Windows Authentication - I believe you can then query the AD for that additional information once the user is authenticated.

    Thanks,

    Scott
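
    Khurram's question earlier in the thread and Gregory's question just above are the same problem, so one added example serves both (it is not code from the original post): Windows authentication gives you `User.Identity.Name` as "DOMAIN\user", and the login part of that maps to the sAMAccountName attribute in Active Directory (not "sn", which is the surname; the "user@domain" form is userPrincipalName). The example splits the name, escapes it per RFC 4515 before putting it into an LDAP filter, and reads mail, displayName and co (country name; "c" is the two-letter code). The lookup runs as the application pool identity unless impersonation is configured, so that account needs read access to the directory; the class names, the attribute list and the assumption that "LDAP://DOMAIN" resolves via the domain locator are the example's own.

    ```csharp
    using System;
    using System.DirectoryServices;
    using System.Text;

    // Added example: from the Windows-authenticated account name to the user's
    // directory attributes, without splicing raw text into the LDAP filter.
    public static class AdUserLookup
    {
        // "DOMAIN\user" -> ("DOMAIN", "user"); a bare "user" yields a null domain.
        public static void SplitAccountName(string identityName,
                                            out string domain, out string samAccountName)
        {
            int slash = identityName.IndexOf('\\');
            if (slash < 0)
            {
                domain = null;
                samAccountName = identityName;
                return;
            }
            domain = identityName.Substring(0, slash);
            samAccountName = identityName.Substring(slash + 1);
        }

        // RFC 4515 filter escaping. The account name comes from the authenticated
        // identity here, but the same helper protects any caller that later feeds
        // this filter from user input (an admin search page, for instance).
        public static string EscapeLdapFilterValue(string value)
        {
            StringBuilder sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                switch (c)
                {
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\\': sb.Append("\\5c"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c);      break;
                }
            }
            return sb.ToString();
        }

        public static string BuildFilter(string samAccountName)
        {
            return "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                 + EscapeLdapFilterValue(samAccountName) + "))";
        }

        // Returns the matching user object, or null if the account is not found.
        // Cross-domain lookups in a forest (see mleonard's comment) would need the
        // child domain's name or a "GC://" root instead of the caller's domain.
        public static SearchResult FindUser(string identityName)
        {
            string domain, sam;
            SplitAccountName(identityName, out domain, out sam);

            using (DirectorySearcher searcher = new DirectorySearcher())
            {
                if (domain != null)
                    searcher.SearchRoot = new DirectoryEntry("LDAP://" + domain);
                searcher.Filter = BuildFilter(sam);
                searcher.PropertiesToLoad.Add("mail");
                searcher.PropertiesToLoad.Add("displayName");
                searcher.PropertiesToLoad.Add("co");
                return searcher.FindOne();
            }
        }

        // Single-valued string attribute, or null when absent.
        public static string GetString(SearchResult result, string attribute)
        {
            if (result == null || !result.Properties.Contains(attribute)
                || result.Properties[attribute].Count == 0)
                return null;
            return result.Properties[attribute][0] as string;
        }
    }
    ```

    In a page: `SearchResult r = AdUserLookup.FindUser(User.Identity.Name); string mail = AdUserLookup.GetString(r, "mail");`. Because the filter is built from the already-authenticated name, the result cannot be steered to another user's record, and a null result means the account exists in Windows but not in the domain you searched (a local account or a different domain in the forest).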

Comments have been disabled for this content.