Windows Authentication Header Token Not Being Sent?
Feb 21, 2011
I'm trying to get a ASP.NET application to use windows authentication. I have disabled anonymous auth and enabled windows auth in IIS7. On my dev box (my workstation, localhost) I can use fiddler and see proper token is passed in through the header and I'm not prompted. Everything is working fine and I'm authenticated as my domain user.
However, on a remote server on our domain, with identical settings, I continually get prompted. We need it to automatically send the domain authentication for windows auth.
Does anything in IE need to be configured for this to happen for a remote machine on the same domain?
View 2 Replies
Similar Messages:
Sep 15, 2010
I'm working on a solution to part of my companys site that is done in 2 different languages. My part of the project is in ASP.NET, and the login portal is in a different language. We pass authentication credentials by storing login information in the database on the portal page and then sending a corresponding token to the URL in the page written in .NET. Almost all the tutorials and articles I've read about security for ASP.NET, and most languages, the message has generally been "just use the built in stuff and don't mess with it".
I have code that takes the token, goes into the database and gets the user details.. what do I do then to integrate that into the built-in security stuff for ASP.NET? I'd like to ultimately use Action Filters for authorization on my controllers.
View 1 Replies
Jul 28, 2010
We have a SSO authentication service that other externally facing web pages and services use to authenticate users. A user tries to reach a service, if no cookie is found containing an authentication token, they are redirected (HTTP 302) to the SingleSignOn authentication service. The auth service does it's work, and redirects the user (HTTP 302) to the original URL with their encrypted authentication token in the URL. Great. How can I invoke this from a WCF POX service? No SOAP here, just HTTP GET/POST with XML responses.
What I'm currently doing is, in each service method implementation method, checking the headers for the cookie. If the cookie exists, verify the auth token and process the request. If the cookie doesn't exist or the auth token has expired, then respond with:
[Code]....
That works, but isn't integrated with any of the WCF features, and requires me to manually code for a whole bunch of scenarios. Is there a way I could implement this using these classes:
[Code]....
or use some other means that checks each request to the service? I've been reading pages like: How to: Create a Custom Token, but I don't see how it applies to my needs. I'm looking into this because I have some time before my project kicks off, and I'd like to implement this project correctly and learn about WCF as much as I can.
View 2 Replies
Oct 30, 2010
I have an asp.net site. Its a mixture of web forms and MVC2.
I have this on 2 different servers which I get to via different urls.
On one server authentication works fine via all browsers (IE 8, FF 3.6, Chrome)
On the other IE 8 fails, it doesn't send back the cookie on the request to the page after authenticating.
Using Fiddler I have seen that both sites attempt to set the cookie, in the response from the login page.
Response Header I see from both servers
Set-Cookie: DemandLaunch=CCA4...E79C2D1; path=/; HttpOnly
Both sites are in the internet zone of IE.
I'm at a loose for what to check now.
I also have a page that sets a cookie via c# code and that cookie fails in IE as well.
The IE issue is not on a single computer either. I see this failure on 4 different computers Internet Explorer.
My urls which I should have included were:
beta.[site].com - works
beta_[company].[site].com - fails
View 1 Replies
Mar 2, 2010
How to create Uniue Token with properties like expiration time,
Any standars method provided by Microsoft,
View 2 Replies
Apr 4, 2011
I have an existing asp.net mvc website that uses basic forms authentication. The site has a login page that posts back to a login action, which logs the user in via FormsAuthentication.SetAuthCookie(). I am looking to add an api to the site, as an mvc2 area, where users would be authenticated based on a token passed as an http header. This area will consist of only json actions, so redirecting the user to a login page doesn't make sense. Instead, I want the users to just pass a token along with each request. That token is mapped to each user account and the user would be authenticated automatically.
I'm struggling with where to put this logic. At this point, the best choice seems to be adding the header lookup logic and authentication to the Global.asax in the Application_AuthenticateRequest method. I want to avoid needing to redirect the user after calling FormsAuthentication.SetAuthCookie(), though. I want the login action to be transparent to them. Am I approaching this the wrong way? As a side note: Requiring a username/password for api requests is not possible, as the site has a mix of users. Some joined using OpenID while the rest joined with a username/password.
View 1 Replies
Jun 14, 2010
So I have an asp.net Web Application (Not Web Site) that I am trying to support profiles for anonymous users. I have a form and I want anonymous users to be able to enter their name and email only once, and have that information automatically accessible on the next load for them.
In my Web.config I have anonymous ID setup like so:
<anonymousIdentification enabled="true" cookieless="AutoDetect" />
I have my profile section setup like this:
<profile defaultProvider="SqlProvider" enabled="true" inherits="QA_Web_Tools.UserProfile">
<providers>
<clear />
<add connectionStringName="QAToolsConnectionString" name="SqlProvider"
type="System.Web.Profile.SqlProfileProvider" />
</providers>
</profile>
Finally, due to my app being a Web App and not a Web Site, I am using the profiles via this custom object:
public class UserProfile : ProfileBase
{
public static UserProfile GetUserProfile(string username)
{
return Create(username) as UserProfile;
}
public static UserProfile GetUserProfile()
{
return Create(Membership.GetUser().UserName) as UserProfile;
}
[SettingsAllowAnonymous(true)]
public string FullName
{
get { return base["FullName"] as string; }
set { base["FullName"] = value; }
}
[SettingsAllowAnonymous(true)]
public string BuildEmail
{
get { return base["BuildEmail"] as string; }
set { base["BuildEvmail"] = value; }
}
}
This code is based off of this reference. The issue is that that code does not support anonymous users, or if it does I don't know how. I can't use the GetUserProfile() method with no parameters because if the user is anonymous, Membership.GetUser() is null. I could pass in the anonymous ID token into the first GetUserProfile(string username) method but I cant' find any way to get the anonymous ID token for the current user. Does anyone know how to get this information? Google doesn't seem to be returning useful results.
View 1 Replies
Sep 22, 2010
I have developed a web service and installed in a server suucess fully, its working fine there.
I tried to work in another server, But I had some error there in the new server.
I trying to access a network folder, Its accessible for the user which I have mentioned in the web config, But I'm having error.
in the web config
<identity impersonate="true" userName="UserName" password="password"/>
View 21 Replies
Feb 1, 2010
I'm writing an ASP.net application that uses Windows Identity Foundation. My ASP.net application uses claims-based authentication with passive redirection to a security token service. This means that when a user accesses the application, they are automatically redirected to the Security Token Service where they receive a security token which identifies them to the application.
In ASP.net, security tokens are stored as cookies.
I want to have something the user can click on in my application that will delete the cookie and redirect them to the Security Token Service to get a new token. In short, make it easy to log out and log in as another user. I try to delete the token-containing cookie in code, but it persists somehow.
How do I remove the token so that the user can log in again and get a new token?
View 2 Replies
Jul 16, 2010
In my website, I am not using any authentication or authorization. I've created login page to capture the user credentials and check against database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages. How thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in client browser for security reasons. Does anyone have any ideas how to secure the authentication token?
View 1 Replies
Sep 17, 2010
Just going to start making a web application and was wondering which was better, or at least what are the main differences between them (as it probably matters what I am using them for)?
View 3 Replies
Jan 8, 2010
I have just installed SQL Server 2005. I selected windows mode authentication. I am not able to login in management studion. Now, I want to use mixed and server authentication option inplace of windows authentication. so, would that be possible after installation.
View 2 Replies
Jan 4, 2011
What's the difference between Basic Authentication and Integrated Windows Authentication in IIS?
View 3 Replies
Mar 10, 2010
I set authentication mode to Windows in the web.config and I enable Windows Authentication and disable the Anonymous Authentication in IIS 7 on win 7, but HttpContext.Current.User is always null.It works fine when I host the web app in IIS 6.0.
View 1 Replies
Dec 30, 2010
I have been trying to avoid the windows login userid and password window when I use the Windows Authentication mode for a web site. I need to capture the the windows logon user name without prompting for the user id and password and display that on the web site. I had tried almost everything... changed authentication,security setups on IE and IIS etc... still not being able to avoid the window...
View 1 Replies
Mar 24, 2011
I'm trying to enable automatic Window authentication working on our ASP.NET Intranet. I've changed the Authentication on our IIS 7.5 server from Anonymous to Windows Authentication Enabled only, and changed the Web.config file for the website to:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
The Windows login box appears when accessing the website via IE 8, I enter valid credentials, but the login window keeps reappearing as if it does not accept my credentials. By repeatedly cancelling the login box it disappears, and my login name can be viewed on the website. Is there any possible reason for the login box to keep popping up even though valid credentials are being entered? I've restarted the servers / cleared browser cache etc. Also, ideally I would like the user to enter the login details once in the login box and not be required to reenter login details whenever he reopens the browser.
View 3 Replies
Sep 3, 2010
What do I need to do in order to change an application from Forms Authentication to windows authentication?
View 2 Replies
Mar 29, 2011
I have a web application (intranet based) which uses Windows Authentication. Unfortunately there are public computers that have public logins at some company locations. My web app doesn't support these public logins because I need to know the user workingSo, even though these public users are windows authentication users, my app will fail because I have no user account setup for that particular account. I want to then try Active Directory Authentication.In my Default.aspx.cs I'd have something like this
protected void Page_Load(object sender, EventArgs e)
{try
userContext = new UserContext(); // If the authenticated user isn't a user in my system then throw an exception
}
[code]...
View 2 Replies
Sep 8, 2010
We have a working version of application (Intranet) with uses Windows Authentication deployed in Windows 2003. The application uses HttpContext.Current.User.Identity.Name to get the logged-in user. Here impersonate is turned off.Right now, we are move to Windows 2008 RC2 where this Windows Authentication problem arised. I have Digest Authentication and Windows Authentication enabled. And also I have enabled Anonymous Authentication enabled to avoid the Login dialog of IIS in the end-user IE. Now I am getting HttpContext.Current.User.Identity.Name as Empty. When I impersonate using username and password, I am used to login using that user but all the users uses the same user to login.Does any has solution for this?Deployment Server - Windows 2008 RC2 (IIS 7.5)Development - Windows 7 (IIS 7.5)I am new to IIS 7.5. Please give me a solution
View 3 Replies
Nov 2, 2010
My overall goal is just to get the logged on users information for an Intranet site I'm developing without them providing their login (since they are already logged into their computer). So far I just get 401.1 errors and it keeps asking for my login/password. Even though I provide my login/password, it still won't let me in.
I've Enabled Windows Authentication from IIS > Sites > Default Web Site, added this to my web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
My Application Pool is setup as Integrated / ApplicationPoolIdentity for .NET Framework 2.0.
View 1 Replies
Sep 15, 2010
I've been asked to convert an asp.net application from forms authentication with roles using the aspnetdb database to use windows authentication instead.
what is required to do this? can I still use the roles defined in the app and stored in aspnetdb?
View 1 Replies
Feb 12, 2010
I have an (ASP.NET 3.5) intranet application which has been designed to use forms authentication (along with the default aspnet membership system). I also store additional information about users in another table which shares its primary key with the aspnet_users table.
For users who are part of our domain I store their domain account name in the secondary users table, and I want to automatically log in users whose domain account name matches a name stored in the table.
I have read the guides which are available - they're all from two years ago or more and assume that you are able to activate Windows Authentication on a separate login page that allows you to extract the domain account name. From what I can tell, though, this is not possible in IIS7 (the overall authentication method is applied on all pages and cannot be selectively deactivated, and both authentication methods can't be applied on the same page).
Is there a way of getting IIS to pass through the windows domain account name of the requesting user? I don't need proper AD authentication, just the domain name.
View 6 Replies
Apr 26, 2010
Is it possible to disable windows authentication on one or more subfolders of an ASP.net application using windows authentication?
For example:
A website contains several other folders that contain parts of the overall application: /frontend,/backend, /login
The bin folder is on the same level as these subfolder, i.e. the root of the website.
All of these subfolders contain pages that use binaries that reside in the bin folder of the root of the website.
The user must input windows credentials when visiting a page in the backend folder, but not when visiting a page in the login or frontend folder.
View 2 Replies
Sep 3, 2010
I am developing one intranet website. Being an intranet application, one of the requirement is to have a single sign on feature.
It means that the windows PC username (i.e the "ctrl + alt + delete" username) is going to be the username for the system.
How do i fetch that username?
I tried the following two ways which are working in debug mode but not on live site.
System.Security.Principal.IPrincipal user = System.Web.HttpContext.Current.User;
Response.Write(user.Identity.Name);
&
Response.Write(Request.ServerVariables["AUTH_USER"].ToString());
Both the above method works when i run the page from visual studio.
However when i run the page from IIS or any other server, it gives me a blank value
View 12 Replies
May 3, 2010
We have Novell's Access Manager protecting our site. After the user logs in, Access Manager forwards the request back to a web page. On that web page, I need to read a combination of some Basic Auth username information as well as some custom header variablest that AM is passing to the web page. AM will continue to send these variables/values on every page as long as the user stays logged in.
What I'd like to do is create a class that checks for these values to evaluate whether the user is logged in or not. How do I gain access to those variables from a .cs class file?
View 3 Replies