
In the Visual Studio environment, during debugging I am retrieving the proper username through the familiar C# code line below:

using System.Security.Principal;

string userName = WindowsIdentity.GetCurrent().Name;

However, when I publish the project to the server (Windows 2008 R2 with IIS 7.5), it returns NT AUTHORITY\SYSTEM.

I have configured web.config to use <authentication mode="Windows" />

The site uses an Application Pool configured for Integrated mode with Identity set to LocalSystem.

And in IIS, for the virtual folder, I have disabled Anonymous Auth and enabled Windows Auth.

This is the first time this company is being set up for Microsoft development, hence we are struggling to set up the environment correctly.

What am I missing to get the code to work? Or perhaps, what is better code that would return the Windows NT Authentication user? One more thing: if I hardcode strUserName, the rest of the code that extracts the user's full name works fine. So AD works.

I have spent about a day or two trying to resolve this issue; any help will be appreciated. Thanks.

TylerH
Ikram M.
  • I have edited your title. Please see, "[Should questions include “tags” in their titles?](http://meta.stackexchange.com/questions/19190/)", where the consensus is "no, they should not". – John Saunders Jan 26 '15 at 18:44

3 Answers


It's dangerous to run the Application Pool as NT AUTHORITY\SYSTEM (aka LocalSystem). This means all your code running in IIS has the highest privileges in the system. If you choose the default IIS APPPOOL\<Application Pool Name> (aka ApplicationPoolIdentity), IIS impersonates the appropriate account for the process.

Running as ApplicationPoolIdentity can impersonate a local Administrator.

masaki
  • I will set it back to use ApplicationPoolIdentity, but that too returns the Application Pool Name. What does your last statement mean, and how do I achieve it: "IIS impersonates the appropriate account for the process"? – Ikram M. Jan 26 '15 at 18:48
  • Please ensure "Windows Authentication" is enabled and "Anonymous Authentication" is disabled. – masaki Jan 26 '15 at 18:54
  • "And on the IIS for the virtual folder, I have disabled Anonymous Auth and set Enable to Windows Auth." – Ikram M. Jan 26 '15 at 18:59
  • Added an image. If IIS_IUSRS has the "secpol.msc -> Security Settings -> Local Policies -> User Rights Assignment -> Impersonate a client after authentication" privilege, not only "System" can impersonate someone who logged on. – masaki Jan 26 '15 at 19:03
  • Are you running a "Virtual Directory", not an "Application"? It has very limited configuration (the root Application rules all). Does your site have the same icon as I uploaded? – masaki Jan 26 '15 at 19:05
  • I checked this on my computer and it is exactly as your screen shot. – Ikram M. Jan 26 '15 at 19:05
  • After adding the below to web.config, you still couldn't impersonate? – masaki Jan 26 '15 at 19:17
  • Impersonation is not supported in IIS7+ in Integrated Pipeline Mode. This is because the Integrated pipeline supports asynchronous pipelines, and with async pipelines an await can return on a different thread from the original thread; since impersonation is a thread-based context, this doesn't work. However, you can disable the validation of this by setting `` but this may have repercussions, so be careful that this is actually what you want to do. – Erik Funkenbusch Jan 26 '15 at 20:34
  • Is the word "Impersonation" from classic ISAPI integration deprecated? Yes. But both the classic and integrated pipelines actually use impersonation. (You can see what happened in the Security event log.) And in the original question, @IkramM. tried the LocalSystem account. That's odd... – masaki Jan 27 '15 at 03:23

Posting this SURPRISE answer as I was unable to find out the configuration, environment settings and/or code to determine the best way to extract the NT Auth user. I ended up using the standard unconventional way, and gave up on finding out why WindowsIdentity wouldn't work.

I went back to using this. It's still using the App Pool in "Integrated" mode with Identity set to "ApplicationPoolIdentity", and the site has only "Windows Authentication" enabled. The line below works just fine and I got what I need.

string userName = Request.ServerVariables["AUTH_USER"];

TylerH
Ikram M.
  • Did you try the following? Context.User.Identity.Name and Context.User.Identity.IsAuthenticated – masaki Jan 27 '15 at 03:55
  • Yes, and it is true. When I look up the Authentication Type, it comes up with "Kerberos"? – Ikram M. Jan 27 '15 at 14:59
  • If 'Context.User.Identity.IsAuthenticated' is true and the Authentication Type is "Kerberos", its identity is authenticated by Active Directory, not by the environment variable "AUTH_USER" set by a malicious user :) Active Directory, based on LDAP, uses Kerberos authentication; if not in an AD environment, Context.User.Identity.AuthenticationType should be "Negotiated" (meaning NTLM authentication). If you need to know about Kerberos authentication, I'll explain it. – masaki Jan 28 '15 at 17:04
  • If I hear you right, don't use AUTH_USER. I think the solution lies in making my company environment such that Context.User.Identity.AuthenticationType returns "Negotiated". But how? Yes, please explain if you can steer me in setting it up for Windows NT instead of Kerberos. – Ikram M. Jan 28 '15 at 17:38

Here is how I resolved this problem. It is not beautiful, but it works.

Add the attribute [CustomAuthorize] to my Action and add the class to the controller:

using System.Web;
using System.Web.Mvc;

public class HomeController : Controller
{
    [CustomAuthorize]
    public ActionResult Index()
    {
        var http = this.HttpContext;
        // Name of the Windows user IIS authenticated for this request
        string userId = http.User.Identity.Name;
        return View();
    }
}

// Authorization filter that always succeeds
public class CustomAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Every request that reaches this filter is treated as authorized
        return true;
    }
}

The project has the property Windows Authentication set to Enabled and Managed Pipeline Mode set to Integrated. The IIS configuration for the project has Windows Authentication enabled, and the application pool is Integrated.

Hope it helps.

Vagif
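As an added example that is not code from the question or from any of the answers: this reads the caller from the request principal, which is what the second answer's AUTH_USER and the third answer's CustomAuthorize are reaching for, but with the IsAuthenticated check masaki asks about, and with the worker process identity (the NT AUTHORITY\SYSTEM the question saw) kept separate for diagnostics. It assumes ASP.NET MVC on IIS 7.5 with Windows Authentication enabled and Anonymous Authentication disabled; RequestIdentity and HomeController are my names.

```csharp
// Added example, not code from the question or any answer. Assumes an ASP.NET MVC
// controller on IIS 7.5 with Windows Authentication enabled and Anonymous
// Authentication disabled, as the question describes. Types and names are mine.
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public static class RequestIdentity
{
    // The Windows user who authenticated this request, or null if the request
    // did not authenticate through Windows Authentication. Never falls back to
    // the worker process identity, which is not the caller.
    public static string AuthenticatedUserName(HttpContextBase http)
    {
        // IIS Windows Authentication hands ASP.NET a WindowsIdentity; any other
        // principal type (or IsAuthenticated == false) means no Windows logon.
        var identity = http.User == null ? null : http.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            return null;

        return identity.Name; // DOMAIN\user, same format as AUTH_USER
    }

    // Identity the worker process runs as: NT AUTHORITY\SYSTEM for LocalSystem,
    // IIS APPPOOL\<pool name> for ApplicationPoolIdentity. Diagnostics only.
    public static string ProcessUserName()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
}

public class HomeController : Controller
{
    // Stock [Authorize] already returns 401 to unauthenticated callers, so there
    // is no need to override AuthorizeCore; an override returning true would
    // let anonymous requests through if Anonymous Authentication is re-enabled.
    [Authorize]
    public ActionResult Index()
    {
        string user = RequestIdentity.AuthenticatedUserName(HttpContext);
        if (user == null)
            return new HttpUnauthorizedResult();

        ViewBag.UserName = user;                                 // the caller
        ViewBag.ProcessName = RequestIdentity.ProcessUserName(); // the server
        ViewBag.AuthType = User.Identity.AuthenticationType;     // Kerberos, NTLM or Negotiate
        return View();
    }
}
```

With LocalSystem as the pool identity, ProcessName shows NT AUTHORITY\SYSTEM while UserName still shows the logged-on user, which makes the mix-up in the question visible on one page.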