8

We have an ASP.NET application on ASP.NET 4.0 using MVC 3 which uses Windows authentication.

When run from Visual Studio 2010 everything works as expected but when rolled out to IIS7 the Windows logged in user never gets populated (checking User.Identity.Name). No dialog prompt for user credentials comes up either.

The web.config setting:

<authentication mode="Windows" />

In IIS I can see that Windows authentication is enabled, as is Anonymous (disabling Anonymous results in a 403 Forbidden and no content being shown).

I've tried both enabling and disabling "Kernel-mode authentication" (useKernelMode="true"), but this doesn't seem to make any difference. Though I do remember that we had to disable this setting on another site on a different server to get the authentication to work properly (might point to a potential issue further down the stack?).

In case it's useful, from IIS's applicationHost.config:

<security>
  <authentication>
    <anonymousAuthentication enabled="true" />
    <digestAuthentication enabled="false" />
    <basicAuthentication enabled="false" />
    <windowsAuthentication enabled="true" useKernelMode="false">
      <providers>
        <clear />
        <add value="NTLM" />
      </providers>
    </windowsAuthentication>
  </authentication>
</security>

Any ideas what the issue could be?

Thanks in advance for any suggestions.

Update 1

I managed to find another IIS7 server to test on and I found if I disabled Anonymous access everything worked as desired. However I still have issues on the original IIS7 server even when I disable Anonymous access as well (I'm keeping Anonymous disabled now). So there must be some issue further down the stack I guess. Any ideas? Something I need to fix as it's going to keep popping up and biting us I imagine.

Update 2

If I enable Digest Authentication on the problem IIS7 box then I am challenged with the login prompt dialog and everything works as expected if I provide suitable credentials. But being an internal web app with users already logged in to the domain we don't really want to challenge them this way. Credentials should be passed through transparently as it works on the second IIS7 box.

Update 3

Some progress... I've found that if the web app is in the root and not a sub site then directly editing the applicationHost.config file for IIS7 to give the following authentication settings allows the site to work as expected:

<authentication>
  <anonymousAuthentication enabled="false" />
  <windowsAuthentication enabled="true">
    <providers>
      <clear />
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>
  <digestAuthentication enabled="false" />
</authentication>

Using IIS7's UI to configure the authentication doesn't give quite the right results. Authentication items are either missing afterwards (as I guess IIS7 assumes they are being inherited) or they have the wrong settings (windowsAuthentication seems to need the providers configuration above present to work correctly).

Unfortunately the web application in question is actually a sub application as there's an internal version (using windows authentication > www.site.com/internal) and an external version (using forms authentication > www.site.com/external). I still can't get the authentication to work as a sub application yet. I just get an "Error Code: 403 Forbidden".

Gavin
  • check this one out: http://stackoverflow.com/questions/1067591/user-identity-name-blank-in-asp-net-mvc – Davide Piras Sep 28 '11 at 22:41
  • what browser are you testing with? If it's Firefox you might want to check out: https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/ Firefox doesn't have windows authentication "enabled" correctly out of the box. – NotMe Sep 28 '11 at 22:51
  • Cheers Davide, but nothing helped there. This guy seemed to be having issues getting Windows authentication to work because he had missed the web.config settings (so couldn't get to work in VS or IIS). Everything works fine for me in VS, it's just IIS that things aren't behaving as expected. – Gavin Sep 28 '11 at 22:54
  • Thanks Chris. I've tried in IE, Firefox, and Chrome. All works fine when run from VS, but not when on IIS. I think I'm missing something on IIS, or there's an issue there further down the stack as it should be pretty simple to setup in theory. – Gavin Sep 28 '11 at 22:57
  • @Gavin did you ever locate the problem? – fearofawhackplanet Jan 16 '12 at 09:44
  • @fearofawhackplanet - sorry, not found a solution yet – Gavin Jan 17 '12 at 10:00
  • @Gavin I'm having this same issue. Windows Auth works with VS and I can get `User.Identity.Name` but when published to IIS 8 and IIS 11, `User.Identity.Name` comes up null even though I'm authorized to use the application. I have `[Authorize]` annotations just to ensure security is being enforced. – Daniel Jackson Jun 05 '18 at 13:53
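
The question's Update 1 and Update 3 come down to which authentication settings are effective for the sub-application once inheritance is applied. The sketch below is an added example, not code from the post: it resolves each `<location>` in an applicationHost.config-shaped document (global section, then parent paths, then the location itself) and flags scopes where Windows authentication is on while Anonymous is also on or no providers are configured. The site name `Site`, the sample document and the function names are assumptions made for illustration; the defaults used (Anonymous on, Windows off) are the IIS schema defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like applicationHost.config; "Site" is hypothetical.
SAMPLE = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
  </authentication></security></system.webServer>
  <location path="Site/internal"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
  <location path="Site/external"><system.webServer><security><authentication>
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer></location>
</configuration>"""

def explicit_settings(scope):
    # Only what this scope writes itself; inheritance is resolved later.
    node = scope.find("system.webServer/security/authentication")
    if node is None:
        return {}
    out = {c.tag: c.get("enabled").lower() == "true" for c in node if c.get("enabled")}
    providers = node.find("windowsAuthentication/providers")
    if providers is not None:
        out["providers"] = [a.get("value") for a in providers.findall("add")]
    return out

def effective_auth(config_xml):
    root = ET.fromstring(config_xml)
    scopes = {"": explicit_settings(root)}
    for loc in root.findall("location"):
        scopes.setdefault(loc.get("path", ""), {}).update(explicit_settings(loc))
    resolved = {}
    for path in scopes:
        # Schema defaults (anonymous on, Windows off), then global -> parents -> own.
        merged = {"anonymousAuthentication": True, "windowsAuthentication": False}
        for p in sorted(scopes, key=len):  # ancestors are shorter, so apply first
            if p == "" or p == path or path.startswith(p + "/"):
                merged.update(scopes[p])
        resolved[path] = merged
    return resolved

def audit(config_xml):
    # Only scopes where Windows auth is effective are reported.
    findings = {}
    for path, s in effective_auth(config_xml).items():
        notes = ["anonymous also enabled"] if s["anonymousAuthentication"] else []
        notes += [] if s.get("providers") else ["no providers configured"]
        if s["windowsAuthentication"] and notes:
            findings[path] = notes
    return findings
```

Running `audit` over a copy of the file from the working server and from the failing one gives a short, comparable list of differences in effective settings.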

2 Answers

3

In this case it was a Microsoft ISA Server issue. Seems the request was being routed internally through ISA for the Windows Authenticated site; once ISA was removed the problem disappeared.

I don't know a lot about ISA and how it routes requests but I assume it must have been stripping out some important information from the request because of some rule someone will have configured.

As a side note in case it helps diagnose similar setups: I was told by the network admin staff that internal traffic was not routed through ISA, but pinging the website internally showed that ISA was actually in play.

Gavin
  • So was this how you got things working? I'm confused on exactly what this means. – Daniel Jackson Jun 05 '18 at 13:54
  • @DanielJackson Sorry, my memory doesn't stretch back very well to 6 years ago ;) – Gavin Jun 06 '18 at 20:51
  • No problem. Thanks anyways. I'm using .Net Core but still similar enough. My issue was adding `forwardWindowsAuthToken="true"` which is something that Microsoft claims that is true by default but without this property, user identity properties were null. – Daniel Jackson Jun 08 '18 at 15:54
0

You mentioned that disabling anonymous access worked on another server, but on your main server you are experiencing 403 errors. Therefore, I would check the file-based permissions on the folder where your site is running from. In the past I have needed to grant the \Network Service account full control to the site folder and all subfolders or I would experience 403 errors. Check the file permissions on the server that is working and see if there are differences with the server that is not working.

Also, if this is not the issue, I would recommend comparing all of the other IIS settings between the two servers, since you know it works on one and not the other. Find the difference.

Paige Cook
  • Thanks Paige, but still no joy. Network Service has full permissions to the folders and is also used by the App Pool. I'm comparing servers, but there's no obvious differences so far. I'm wondering if it's something to do with AD configuration being different for the different boxes. Will track down a member of the operations team to try and investigate further. – Gavin Sep 29 '11 at 02:13
  • @Gavin, you need to check permissions for app pool identity which need not be network service. – VinayC Sep 29 '11 at 04:34
  • @VinayC - cheers. In this case Network Service is in use by app pool. Network Service also has full permissions to file locations. – Gavin Sep 29 '11 at 20:21