6

We have a simple intranet site in MVC3 and Entity Framework. Everything works fine when running in debug from Visual Studio. When I publish the site to either my local box's IIS 7.5 web server or to a dev box on the same domain, I get prompted for a username and password and it won't connect to the site. It just returns a 401.1 error and curiously shows

Logon Method Not yet determined 
Logon User Not yet determined 

I have verified that Windows authentication is enabled and anonymous authentication is disabled. The application is using the ApplicationPoolIdentity, but I have tried it with Network Services with no difference. The web.config includes

<authentication mode="Windows" />

and I have tried it with and without the authorization section.

<authorization>
  <allow users="*" />
</authorization>

The only other thing I've found online involved changing a registry entry, but this will eventually be on a production server so I'm not comfortable making registry changes just for this.

Running locally with this code block returns all the expected information:

<div id="title">
    <h4> Environment.UserName: @Environment.UserName  
    @DateTime.Now.Millisecond.ToString() </h4>
    @foreach (var role in Roles.GetRolesForUser())
    {
        @role.ToString() <br />
    }
</div>
<div id="logindisplay">
    Context.User.Identity.Name <strong>@Context.User.Identity.Name</strong>!<br />
    @Environment.UserDomainName
</div>

It is an MVC3 Web Application. The IIS Authentication switches are

Anonymous Authentication     Disabled
ASP.NET Impersonation        Disabled
Forms Authentication         Disabled
Windows Authentication       Enabled

Any other ideas or things I'm missing?

Brian

4 Answers

3

This article on MSDN illustrates how to set up an IIS 7 MVC3 intranet website: http://msdn.microsoft.com/en-us/library/gg703322(VS.98).aspx

The interesting piece that relates to you is most likely the last section on Impersonation. If you run your site as Windows Authentication but have Impersonation off you will be reading/executing the files for the website using the authenticated identity. That means each user who wants to access the site will need folder/file permissions.

To avoid that, use Windows Auth to allow users to authenticate but use Impersonation to use a single identity to access the folder/files.

AdamV
  • Yeah, I had seen that article and it kind of fixes the issue by making the site an application under the default website. I was hoping to have it as a standalone web app, but this is the only way I've been able to get it to work, although it caused some path issues that I still need to fix. Thanks. – Brian Feb 09 '12 at 13:57
  • Glad I can help! What kind of path issues? That sounds like an interesting issue. – AdamV Feb 09 '12 at 16:38
  • Running in debug, relative paths work fine, but the app gets confused when running on the server, so I changed to absolute paths just to get it to display static images. The intent is to launch web and desktop apps from the portal, and the paths for the desktop apps get messed up. The images I think I can fix with a virtual directory. The app paths I'm not sure. I'm using Process.Start to launch them. I may start another question for that when I dig out from under a different crisis. :-) – Brian Feb 09 '12 at 16:44
2

It seems that your Windows authentication works, since you are prompted for credentials when opening the page. You should put your credentials in there and it should take you to your web page. Or is the problem that you are not able to open your page after putting in correct credentials?

What I would try first is to change your application pool mode from Classic to Integrated (or vice versa).

Then, it looks like your machines are in some domain? In that case, check that you are putting in the right credentials. You should put <domain>\<your_username> as the username. Further, if that doesn't work, try adding and removing your machine from the domain and try again. There might be more ideas; let me know how this goes and, if possible, what the output of the command nltest.exe /SC_QUERY:domain_name is.

Aleksandar Vucetic
1

I am having the same problem. When creating a new application under the default website, things work fine. But when I create a new website and put the files under there, I can't seem to get this to work. I keep getting a login prompt. I am using the same application pool for my new site and have configured the directory permissions to allow full control to iis_isuser and others, since this is a dev machine.

James
1

You need to actually configure this in IIS to utilize Windows Authentication.

  1. Open up the IIS Manager
  2. Go to where your application resides in IIS
  3. In Content View double-click Authentication
  4. Enable Windows Authentication and disable Anonymous Authentication

If you are only doing this on the AppPool, the application settings will override this.

When you say:

I have verified that the windows authentication is enabled and anonymous authentication is disabled.

Where exactly did you set this? Not sure what OS you are running on the machine where you get prompted, but certain flavors of Windows don't support Windows Authentication (i.e. Windows 7 Home does not).

  • Windows authentication is set on the website. It is an office intranet and all the clients are running Windows 7 Pro. – Brian Feb 02 '12 at 13:27
  • Can you list all of the authentication switches and their settings for your website? Also, is this a website or a web application? –  Feb 02 '12 at 13:57
  • @Brian what OS is your server running? –  Feb 03 '12 at 23:21
  • @Brian and the users are on the same domain as the server? Not a workgroup, but a domain? –  Feb 06 '12 at 14:09
  • @Brian also what do you have set for Windows Auth Providers? You can find this in IIS, by going to Authentication on your application, clicking Windows Auth and "Providers...". –  Feb 06 '12 at 14:13
  • @Brian also in Windows Auth, Advanced Settings, ensure that **Enable kernel-mode authentication** is checked. –  Feb 06 '12 at 14:20
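
The settings the answers and comments above ask about (the authentication switches, the Windows Authentication providers, kernel-mode authentication, and the application pool's identity and pipeline mode) can be read in one pass instead of clicking through IIS Manager. The PowerShell below is an added example, not code from any of the posts; it assumes the WebAdministration module on the IIS server, and `Intranet` is a placeholder site name.

```powershell
# Added example: read-only audit of the IIS settings discussed in this thread.
# Run in an elevated session on the IIS server. 'Intranet' is a placeholder.
param([string]$SiteName = 'Intranet')

Import-Module WebAdministration

$path = "IIS:\Sites\$SiteName"
$auth = 'system.webServer/security/authentication'

# Read one attribute of a configuration section as it applies to the site.
# Some attributes come back wrapped in an object with .Value, others as a bare value.
function Get-SiteSetting([string]$Filter, [string]$Name) {
    $p = Get-WebConfigurationProperty -PSPath $path -Filter $Filter -Name $Name
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

# Providers are <add value="..."/> elements, listed in negotiation order.
$providers = @(Get-WebConfiguration -PSPath $path `
        -Filter "$auth/windowsAuthentication/providers/add" |
    ForEach-Object { $_.value })

$site = Get-Item $path
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"

$report = [pscustomobject]@{
    Site           = $SiteName
    AnonymousAuth  = Get-SiteSetting "$auth/anonymousAuthentication" 'enabled'
    WindowsAuth    = Get-SiteSetting "$auth/windowsAuthentication" 'enabled'
    KernelModeAuth = Get-SiteSetting "$auth/windowsAuthentication" 'useKernelMode'
    Providers      = $providers -join ', '
    AspNetAuthMode = Get-SiteSetting 'system.web/authentication' 'mode'
    Impersonation  = Get-SiteSetting 'system.web/identity' 'impersonate'
    AppPool        = $site.applicationPool
    PoolIdentity   = $pool.processModel.identityType
    PipelineMode   = $pool.managedPipelineMode
}
$report | Format-List

# Flag values that contradict the setup described in the question.
if ($report.AnonymousAuth)    { Write-Warning 'Anonymous Authentication is enabled.' }
if (-not $report.WindowsAuth) { Write-Warning 'Windows Authentication is disabled.' }
if ($providers.Count -eq 0)   { Write-Warning 'No Windows Authentication providers are listed.' }
if ("$($report.AspNetAuthMode)" -ne 'Windows') {
    Write-Warning 'web.config authentication mode is not Windows.'
}
```

Running it against both the working application under the default website and the standalone site gives two reports to compare line by line.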