6

We have asp.net mvc web application, hosted in IIS with Windows authentication enabled (we are using active directory to authenticate users).

At some point (in production), users found themselves logged in using different users, the login usually done when user login to their laptops/PCs in the organization, so it is expected the website to always show their logged in user to the PC/laptop cause that is their identities.

For IIS, we are storing session state in Sql server, and we are maintaining sessions using HttpContext.Session in the application.

I need some guides on how I can track the source of the issue. Is there a tool or what code I can share with you that might help ?

Thanks!

Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
Ahmad Alkhawaja
  • 529
  • 2
  • 12
  • 29

2 Answers2

2

Make sure that:

  • You have “Integrated Windows Authentication” (formerly called NTLM authentication) enabled within IIS for the application you are using.

  • You should then add a web.config file to the root directory of your ASP.NET application that contains an <authentication> section which sets the mode to “Windows”.

  • You should also then add an <authorization> section to the same web.config file that denies access to “anonymous” users visiting the site. This will force ASP.NET to always authenticate the incoming browser user using Windows Authentication – and ensure that from within code on the server you can always access the username and Windows group membership of the incoming user.

The below web.config file demonstrates how to configure both steps described above:

<configuration>
    <system.web>
        <authentication mode="Windows" />

         <authorization>
             <deny users="?"/>
          </authorization>

    </system.web>
</configuration>
Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
2

Troubleshooting ideas...

For seeing the error, I would make sure you are showing the current user HttpContext.Current.User.Identity.Name; on each page. Refresh the page and make sure the user doesn't change. Go to other pages and do the same. Clear all cookies and application state in the browser, close the browser, then re-open the browser and go back to the site. You should still be logged in as the same user every page and every browser session. If this is intermittent, you may have to repeat this a few times to reproduce the error.

Does this every happen when running local IIS Express on developer machines? Does it ever happen in other environments (test, staging) where the code is deployed? If not, what is different about production?

Is there a proxy server between the users and the production web server? Or even some of the users, like if they come in through VPN?

Joe Wilson
  • 5,591
  • 2
  • 27
  • 38