
I have followed a combination of these three resources for getting started with Identity Server 4.

  1. IdentityServer4.Quickstart.UI
  2. 4_ImplicitFlowAuthenticationWithExternal
  3. Combined_AspNetIdentity_and_EntityFrameworkStorage

The combination of the three was used in order to store users within the database even from external providers, and also to store Identity Server 4 configuration such as claims, roles, clients, and resources. My main issue right now is that when running in IIS Express, Windows authentication works as expected. Once I publish to a full IIS server on my local machine I get a repeated popup to log in when I hit the Windows external login page. I do not get that popup when running Identity Server 4 within IIS Express. In IIS Express, I am able to click the Windows external authentication button. It routes through the app properly and successfully completes the login.

Any and all help is highly appreciated. I tried to include as many reproduction steps as possible so let me know if there is anything not clear.

Repeating Login Popup:

[screenshot: the repeated Windows login prompt]

IIS is set up with Windows Authentication and Anonymous Authentication enabled.

[screenshot: IIS Authentication settings with Windows Authentication and Anonymous Authentication enabled]

Startup.cs (ConfigureServices method)

    using Microsoft.AspNetCore.Builder;
    using Microsoft.Extensions.DependencyInjection;

    public void ConfigureServices(IServiceCollection services)
    {
        // Windows authentication is performed by IIS, with Kestrel hosted behind it as a reverse proxy.
        // It differs from the other external providers: there is no AddAuthentication(...) handler to
        // register; the IIS integration middleware surfaces the user that IIS already authenticated.
        services.Configure<IISOptions>(options =>
        {
            options.AuthenticationDisplayName = "Windows";
            options.AutomaticAuthentication = true;
        });

        services.AddMvc();
        // ... IdentityServer and ASP.NET Identity registrations not shown in the question
    }

Program.cs

    using System.IO;
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;

    public class Program
    {
        public static void Main(string[] args) => BuildWebHost(args).Run();

        public static IWebHost BuildWebHost(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .UseKestrel()
                .UseContentRoot(Directory.GetCurrentDirectory())
                .UseIISIntegration()   // forwards the IIS-authenticated Windows user to the app
                .UseStartup<Startup>()
                .Build();
    }

DataNerd

2 Answers

I luckily answered this myself. This in fact was not a software developer issue but was an environment configuration issue. The local loopback check, since the app was deployed locally, was causing the issue. https://support.microsoft.com/en-us/help/896861/you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrate

DataNerd
  • The link is broken now, but it’s available on the Internet Archive: [https://web.archive.org/web/*/https://support.microsoft.com/en-us/help/896861/you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrate] – rob3c Dec 25 '19 at 02:24
  • This is an up to date link with same resolution steps: https://support.microsoft.com/en-us/help/926642/error-message-when-you-try-to-access-a-server-locally-by-using-its-fqd – Jorge Cabot Apr 14 '20 at 15:14
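The linked Microsoft article describes two registry settings for the loopback check: listing the host names you browse to in the BackConnectionHostNames multi-string value (the preferred, narrowly scoped method) or setting DisableLoopbackCheck to 1, which turns the check off for every name on the machine. The following PowerShell is an added example, not code from the answer or from the IdentityServer project: it reports the current state of both settings and adds a host name to BackConnectionHostNames only if it is not already there. The host name `idsvr.local` is an assumption standing in for whatever name your browser uses to reach the site.

```powershell
# Added example: inspect and apply the KB 896861 host-name exception for the
# NTLM loopback check. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = Join-Path $LsaKey 'MSV1_0'

function Get-LoopbackCheckState {
    # Read-only: returns both settings the article refers to, tolerating a
    # missing key or value (neither exists on a default install).
    $disable = (Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $hosts   = (Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        LoopbackCheckDisabledGlobally = ($disable -eq 1)
        BackConnectionHostNames       = @($hosts | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    # Adds one or more host names to the REG_MULTI_SZ value, keeping existing
    # entries and skipping duplicates. Supports -WhatIf so you can preview it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)

    $existing = @((Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
                  -ErrorAction SilentlyContinue).BackConnectionHostNames | Where-Object { $_ })
    $toAdd = @($HostName | Where-Object { $existing -notcontains $_ })
    if ($toAdd.Count -eq 0) {
        Write-Verbose 'All requested host names are already listed; nothing to do.'
        return
    }

    $new = @($existing + $toAdd)
    if ($PSCmdlet.ShouldProcess($Msv1Key, "Set BackConnectionHostNames to: $($new -join ', ')")) {
        if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
        # -Type MultiString writes REG_MULTI_SZ; the value is created if absent.
        Set-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -Value $new -Type MultiString
    }
}

# Usage (assumed host name; replace with the name in your browser's address bar)
$state = Get-LoopbackCheckState
if ($state.LoopbackCheckDisabledGlobally) {
    Write-Warning 'DisableLoopbackCheck=1 is set: the check is off for every host name on this machine.'
}
"Currently listed: $($state.BackConnectionHostNames -join ', ')"
Add-BackConnectionHostName -HostName 'idsvr.local' -WhatIf   # drop -WhatIf to apply
```

After applying the change, restart IIS or the machine as the linked article describes so the LSA picks up the new list. Preferring BackConnectionHostNames over DisableLoopbackCheck keeps the protection against reflected NTLM authentication in place for every name except the ones you explicitly trust, and the read-only function gives you something to check in an audit script before and after the change.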

Given your code works in express but not full, IIS is probably having a permission problem verifying the windows creds you are entering. Make sure your app pool account has access to validate creds in your domain.

Dan
  • I am currently using my credentials for the app pool. It's I think an environment setup issue but certainly frustrating to know if it is environment or code for the environment that needs to change. – DataNerd May 10 '18 at 17:56
  • What type of account is needed to validate creds in the domain? I have been using AppPoolIdentity for a while now. I need to set this up at some point too - IDSVR4 with Windows Auth. – IbrarMumtaz Feb 11 '19 at 16:48
  • @IbrarMumtaz Something with read access on your domain. AppPoolIdentity is a local only account, no network requests. I would use a domain account. Could also use Network Service though – Dan Feb 11 '19 at 19:55