IIS Server Security - Help please to authenticate Windows users


Author Help please to authenticate Windows users
danielle

2004-06-20, 10:36 pm

I created company's intranet in ASP.NET, hosted on Windows 2003. We need to capture Windows account user - who accessed the application. We don't want employees to login to intranet. Many months I still can not figure out how to get user. I can get only IP address in a code, but it is not enough. ASP application web.config has <authentication mode="Windows" />, IIS web site > Directory security > integrated Windows. This is not enough for sure. We have Active Directory. Web server and users' computers are on the same domain.
I found documents explaining how authentication process works and authenticates using Active Directory.
Please help to understand what else should be installed on server or how trusted connections can be created to "a Key Distribution Center (KDC)" because Kerberos method is used by Integrated Windows authentication.


David Wang [Msft]

2004-06-20, 10:36 pm

If authentication is being negotiated by IIS prior to handing the request to
ASP.Net, you will be able to capture the Windows account user in
ServerVariables. The fact that you cannot do this tells me that
authentication is probably not being negotiated, meaning you have anonymous
authentication enabled along with other authentication methods.

Make sure that you do NOT have Anonymous authentication enabled in IIS for
the web site/app.

The reason that anonymous gets used prior to other authentication types when
you enable them both is simple -- the web is anonymous, and browsers always
try anonymous first. If you have anonymous authentication enabled, IIS is
going to allow anonymous -- IIS isn't going to say "but you ALSO have
authentication enabled -- so I should enforce authentication first and then
fall back to anonymous" -- that just isn't how the web works.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//



danielle

2004-06-20, 10:36 pm

David thank you!

You are right. But when I do only Integrated Windows then I can not get to the website at all, even to open solution in Visual Studio .NET. Windows authentication is not working. I changed even machine.config file attribute 'system' instead of 'machine' as process (article). Somehow IIS is not communicating with Active Directory or browsers are not passing server variables.

In short: Access denied or you are not authorized to see pages when Integrated Windows only checked.

thanks everyone for help



David Wang [Msft]

2004-06-20, 10:36 pm

Can you locate the web Log file entries corresponding to your requests which
result in "Access Denied" and post it here. I need to know the HTTP sub
status error code as well as Win32 error code -- I know the HTTP status code
is 401.

%SYSTEMROOT%\System32\LogFiles\W3SVC#\*.log

The authentication methods you are using have very little to do with
machine.config. This is all stuff that happens BEFORE reaching managed code
and ASP.Net, so your configuration changes are pretty much useless. What
you are doing is like trying to change your password by typing on the
keyboard, but the computer isn't powered on yet -- so even though you typed
on the keyboard, your password obviously isn't changed.

Windows Authentication automatically works if the machines are joined to the
same domain. If the web server is in the domain and your client machine is
also in the domain, both computers will accept your domain user credential,
as-is, using Windows Authentication.

So, please describe:
1. Whether the machine running VS.Net is joined to the domain
2. Whether the machine running IIS is joined to the domain
3. Is VS.Net on the same machine as IIS
4. Is IIS on the same machine as the Domain Controller

Honestly, all this stuff worked automatically for me when I installed VS.Net
and IIS6 on separate or the same machine, default settings, where all
machines were either stand-alone machines (so I made sure to have
synchronized accounts between all the machines) or domain-machines. So, I'm
curious to know where you are going astray.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
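
Added example (not part of the original posts): a small parser for the IIS W3C extended log that pulls out the three values requested above (HTTP status, substatus, Win32 error) for each 401, and also lists requests served with `cs-username` logged as `-`, which is what the log shows when anonymous access is being used. The log lines are constructed sample data, and the field selection in `#Fields:` is an assumption about what the site logs.

```python
# Constructed IIS 6 W3C extended log excerpt (sample data, not from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2004-06-21 14:02:10 GET /intranet/default.aspx - 10.0.0.23 200 0 0
2004-06-21 14:05:41 GET /intranet/default.aspx - 10.0.0.23 401 2 2148074254
2004-06-21 14:05:41 GET /intranet/default.aspx - 10.0.0.23 401 1 1326
2004-06-21 14:06:12 GET /intranet/reports.aspx EXAMPLE\\alice 10.0.0.23 401 3 5
2004-06-21 14:09:03 GET /intranet/default.aspx EXAMPLE\\alice 10.0.0.23 200 0 0
"""

# IIS 6 meanings of the 401 substatus codes.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}
# A few Win32 error codes; anything else is shown as hex.
WIN32 = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE"}

def parse_w3c(text):
    """Yield a dict per request row, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def triage(text):
    """Return (denied, anonymous): decoded 401 rows, and URLs served with no user."""
    denied, anonymous = [], []
    for row in parse_w3c(text):
        status = int(row["sc-status"])
        if status == 401:
            sub, win32 = int(row["sc-substatus"]), int(row["sc-win32-status"])
            denied.append(("401.%d" % sub, SUBSTATUS_401.get(sub, "unknown"),
                           WIN32.get(win32, "0x%08X" % win32)))
        elif 200 <= status < 300 and row["cs-username"] == "-":
            anonymous.append(row["cs-uri-stem"])
    return denied, anonymous

if __name__ == "__main__":
    denied, anonymous = triage(SAMPLE_LOG)
    print(denied)
    print("served without an authenticated user:", anonymous)
```
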
"danielle" <danielle@discussions.microsoft.com> wrote in message
news:0000F25F-ABC2-4F3E-A742-CFCB57637138@microsoft.com...
David thank you!

You are right. But when I do only Integrated Windows then I can not get to
the website at all, even to open solution in Visual Studio .NET. Windows
authentication is not working. I changed even machine.config file attribute
'system' instead of 'machine' as process (article). Somehow IIS is not
communicating with Active Directory or browsers are not passing server
variables.

In short: Access denied or you are not authorized to see pages when
Integrated Windows only checked.

thanks everyone for help




danielle

2004-06-20, 10:36 pm

David, thanks very much for your help. I will post tomorrow as soon as I have answers to your questions.

danielle

danielle

2004-06-26, 10:16 am


1. Whether the machine running VS.Net is joined to the domain
YES
2. Whether the machine running IIS is joined to the domain
YES
3. Is VS.Net on the same machine as IIS
YES
4. Is IIS on the same machine as the Domain Controller
NO

What else can be a clue why my intranet (the same domain) users are not authenticated.
If I only Integrated windows check - "Access Denied" to the web site.


I am going c......

thanks in advance

Jeff Cochran

2004-06-26, 10:16 am

On Wed, 23 Jun 2004 15:01:01 -0700, "danielle"
<danielle@discussions.microsoft.com> wrote:

>
>1. Whether the machine running VS.Net is joined to the domain
>YES
>2. Whether the machine running IIS is joined to the domain
>YES
>3. Is VS.Net on the same machine as IIS
>YES
>4. Is IIS on the same machine as the Domain Controller
>NO
>
>What else can be a clue why my intranet (the same domain) users are not authenticated.
>If I only Integrated windows check - "Access Denied" to the web site.


Only IE will pass credentials for Windows Integrated authentication,
no other browsers. Have you added the domain to the Intranet Zone in
IE's security? (Yeah, I know you shouldn't need to if the domain is
the same...)

Jeff



danielle

2004-06-26, 10:16 am

Thanks Jeff,

I found in Active Directory > Managed > intranetServer > Delegation > Not Trusted...

Is it something with the "trusted" not "trusted" that may affect the release of user credentials??

danielle

David Wang [Msft]

2004-06-26, 10:16 am

No, that setting should not affect the authentication issue you are seeing.

Can you locate the web Log file entries corresponding to your requests which
result in "Access Denied" and post it here. I need to know the HTTP sub
status error code as well as Win32 error code -- I know the HTTP status code
is 401.

%SYSTEMROOT%\System32\LogFiles\W3SVC#\*.log

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//


