Failed to get Windows Authentication to work through local IIS

So, I created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (for example, <authentication mode="windows"/>).

If I run the web application using the VS web server, everything looks fine: the page displays my domain and Windows username, and that's it. However, this also works in Opera and Safari, as well as in IE and FF, which suggests that it is not using Windows auth at all (since, as far as I know, it does not work in any browser except IE / FF).

The next step is to make it work through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. Then, in IIS, I create a site with a binding for www.mysite.mydomain, enable Windows authentication and disable anonymous authentication.

I configured IE and FF to enable Windows auth as follows:

IE

  • Add the URL to the Local intranet zone
  • Verify that Windows auth is enabled in Advanced settings

FF

Put 'www.mysite.mydomain' into the network.automatic-ntlm-auth.trusted-uris configuration setting.

But when I type www.mysite.mydomain in IE / FF, I get a login prompt. Interestingly, even when I enter my Windows login, it still fails and shows me the login prompt again.

We do not have Active Directory, but I understand that it should work fine with a local account.

I can’t think of anything else that I need to do. Any suggestions?

Edit: We recently switched to using Active Directory, and the problem remains.

Edit: when I cancel the login prompt, I get to the "IIS 7.5 Detailed Errors" page with the following information:

HTTP Error 401.2 - Unauthorized: You do not have permission to view this page due to invalid authentication headers.

+65
asp.net-mvc iis windows-authentication ntlm
Sep 12 '11 at 11:28
9 answers

For Windows authentication, you must whitelist the domain specified in the hosts file.

Copied from the link above for quick access:

  • Set the DisableStrictNameChecking registry entry to 1. For more information on how to do this, see Microsoft Knowledge Base Article 281308
  • Click "Start", select "Run," enter "regedit" and click "OK."
  • In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0
  • Right-click MSV1_0, select New, and select Multi-String Value.
  • Type BackConnectionHostNames and press Enter.
  • Right-click BackConnectionHostNames and select Modify.
  • In the Value field, enter the host name or host names for sites located on the local computer, and click OK.
  • Quit Registry Editor and restart the IISAdmin service.
+127
Oct 22 '12 at 18:31
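As an added example (not part of the answer above and not Microsoft's own script), here is the same registry change done from an elevated PowerShell prompt, merging the new name into whatever is already in the list instead of overwriting it. The host name www.mysite.mydomain comes from the question; the LanmanServer key is where KB 281308 puts DisableStrictNameChecking. The same Microsoft article also offers DisableLoopbackCheck as an alternative; that value switches the loopback check off for every name on the machine, while BackConnectionHostNames is a per-name allow list, so the script deliberately does not set it.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the answer or from Microsoft. Run on the IIS host.
# Assumption: the name(s) below are the ones in the hosts file and the IIS binding.
param(
    [string[]]$HostNames = @('www.mysite.mydomain')
)

$msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# BackConnectionHostNames is REG_MULTI_SZ: read what is there, add our names,
# de-duplicate, write back. Overwriting would silently drop names other apps need.
$current  = @()
$existing = Get-ItemProperty -Path $msv1 -Name BackConnectionHostNames -ErrorAction SilentlyContinue
if ($existing) { $current = @($existing.BackConnectionHostNames) }
$merged = @(($current + $HostNames) |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)
New-ItemProperty -Path $msv1 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# DisableStrictNameChecking lets the Server service answer to alias names (KB 281308).
New-ItemProperty -Path $srv -Name DisableStrictNameChecking `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Deliberately NOT setting HKLM:\...\Lsa\DisableLoopbackCheck: that disables the
# check for every name on the box instead of allow-listing the ones we need.

# The article says to restart IISAdmin; on IIS 7+ that service only exists when the
# IIS 6 management compatibility components are installed, so fall back to iisreset.
if (Get-Service -Name IISADMIN -ErrorAction SilentlyContinue) {
    Restart-Service -Name IISADMIN -Force
} else {
    iisreset | Out-Null
}

# Show the resulting list, then make one authenticated request from this machine
# for each name. A 401 here means the loopback fix did not take effect.
(Get-ItemProperty -Path $msv1 -Name BackConnectionHostNames).BackConnectionHostNames
foreach ($name in $HostNames) {
    try {
        $r = Invoke-WebRequest -Uri "http://$name/" -UseDefaultCredentials -UseBasicParsing
        '{0}: HTTP {1}' -f $name, $r.StatusCode
    } catch {
        '{0}: {1}' -f $name, $_.Exception.Message
    }
}
```

The final loop is the quickest check that the change worked: it has to be run on the IIS machine itself, because the loopback check only applies to connections that originate there; a request from another client would succeed or fail for unrelated reasons.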

Did you try to put the domain before the username?

 DOMAIN\username 

If you do not have a domain account, try specifying a username with the machine name:

 MYCOMPUTER\myusername 
+6
Sep 12 '11 at 19:06

I recently spent three days trying to solve the same problem, and it drove me crazy. It happened in a load-balanced installation, where one of the servers authenticated correctly and the other failed. Examining the problem, and finally resolving it, showed that it is not related to the load-balanced environment: it can happen to any server that uses Windows authentication and is called by a name different from the name Active Directory recognizes.

1. Enable Kerberos Logging

To properly diagnose your problem, you need to enable Kerberos logging on the computer hosting your IIS site. To do this, add the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters

Add a LogLevel registry value of type REG_DWORD with a value of 0x1.

Once logging is on, try to authenticate; the errors are logged in your Windows application log. You can ignore the KDC_ERR_PREAUTH_REQUIRED error (it is just part of the handshake), but if you get KDC_ERR_C_PRINCIPAL_UNKNOWN, it means that your AD controller does not recognize your server, and you need to follow the next steps.

2. KDC_ERR_C_PRINCIPAL_UNKNOWN

If you get KDC_ERR_C_PRINCIPAL_UNKNOWN, it means that the name "mysite.mydomain.com" differs from the name under which AD knows your computer, so it cannot issue a valid Kerberos ticket. In this case, you need to register a service principal name (SPN) for "www.mysite.mydomain" in AD.

Run this command on the AD controller; you will need domain administrator privileges:

 Setspn -A HTTP/mysite.mydomain YOUR_MACHINE_HOSTNAME 

3. Use a custom identity for the application pool

Finally, make the application pool run as a custom Active Directory account instead of NetworkService. This can be done in the advanced settings of your application pool.

and... voilà.

Notes: The problem may (unlikely) be that several SPNs are registered for the same computer, in which case you will need to run a command to remove the duplicate SPNs, but I doubt that is it. Also try adding another binding to your site (one without a host name), for example http://localhost:custom_port_number, and see whether authentication works. If it does, that is another sign that you are suffering from the same problem as I was.

+5
Oct 26
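An added example, not the answer's own commands: a script that enables the Kerberos logging from step 1, reproduces the failure, reads the KDC_ERR_* codes back out of the event log, and for step 2 checks whether an SPN already exists before registering one. It assumes the site name www.mysite.mydomain from the question and a hypothetical application pool account MYDOMAIN\svc-mysite. It reads the System log under the Microsoft-Windows-Security-Kerberos provider, which is where current Windows versions write these events (event ID 3, "A Kerberos error message was received").

```powershell
#Requires -RunAsAdministrator
# Added example, not commands from the answer. Run on the IIS host; setspn needs
# rights to write servicePrincipalName (typically Domain Admin, as the answer says).
param(
    [string]$SiteHost    = 'www.mysite.mydomain',   # assumption: name typed in the browser
    [string]$PoolAccount = 'MYDOMAIN\svc-mysite'     # assumption: hypothetical app pool account
)

$kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Step 1: LogLevel = 1 (REG_DWORD) turns on Kerberos client event logging.
New-ItemProperty -Path $kerb -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# Reproduce the failure once from this machine with the logged-on user's credentials.
try {
    $r = Invoke-WebRequest -Uri "http://$SiteHost/" -UseDefaultCredentials -UseBasicParsing
    'HTTP {0}' -f $r.StatusCode
} catch {
    'Request failed: {0}' -f $_.Exception.Message
}

# Pull the KDC_ERR_* codes out of the newest Kerberos events. PREAUTH_REQUIRED is
# normal; C_PRINCIPAL_UNKNOWN means no account in the KDC holds HTTP/$SiteHost.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
    -MaxEvents 25 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'KDC_ERR_[A-Z_]+') { '{0}  {1}' -f $_.TimeCreated, $Matches[0] }
    }

# Step 2: does the SPN exist anywhere in the forest? -Q prints "No such SPN found."
# when it does not, otherwise the DN of the account that holds it.
$spn    = "HTTP/$SiteHost"
$lookup = setspn -Q $spn
if ($lookup -match 'No such SPN found') {
    # -S refuses to create a duplicate; prefer it over the answer's -A.
    setspn -S $spn $PoolAccount
} else {
    $lookup
}

# Duplicate SPNs (the "unlikely" case in the notes) break Kerberos for that name:
setspn -X

# When you are done diagnosing, switch the logging off again:
#   Remove-ItemProperty -Path $kerb -Name LogLevel
```

One caveat when choosing the account for setspn: IIS 7 and later use kernel-mode authentication by default (useKernelMode="true" on the windowsAuthentication element), and in that mode the Kerberos ticket is decrypted with the machine account regardless of which account the application pool runs as. So if the pool runs as a custom domain account, either register the SPN on the computer account, or register it on the pool account and also set useAppPoolCredentials="true" for the site; an SPN on the pool account alone will not work with kernel-mode authentication.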

You should check whether Windows Authentication is installed and enabled. This may seem strange, but in IIS 7 you need to install and enable the various authentication methods. See http://support.microsoft.com/kb/942043/ for more information; the relevant section is quoted below.

Cause 1
The Web application is configured to use Integrated Windows authentication. However, Windows authentication is not enabled. Or, the Integrated Windows authentication module section of the ApplicationHost.config file or of the Web.config file is not valid. To resolve this issue, see Resolution 1.

Original
Usually, when you try to view an ASP.NET page hosted in IIS and receive a login prompt, this does not mean that your credentials were not received or that you did not authenticate. It means that the account your site runs as does not have the necessary rights on the files.

In IIS 6 and 7, you can easily change the user account your application pool runs as. Try changing the application pool identity to an account with broader access created specifically for this. Or, if you want to stick with an existing account (IUSR_? Network Service?), you can grant that account more permissions on the directory where your website is hosted.

This article is specifically intended for BizTalk, but contains almost no links to it and focuses on troubleshooting permissions in IIS and application pools: http://msdn.microsoft.com/en-us/library/aa954062.aspx

+4
Dec 21 '11 at 17:02

Why local IIS? Can you use local IIS Express?

If so, try this. Apparently, IIS Express has Windows authentication set to false by default.

Change

 <windowsAuthentication enabled="false"> 

to "true" in the applicationhost.config file (in the folder 'C:\Users\[Profile]\Documents\IISExpress\config'). This works for me.

+3
Oct. 25

To ensure that IIS uses Windows authentication, I think you should try disabling the other authentication methods. If anonymous authentication is enabled, Windows authentication will not work. You can also read this Microsoft support article, which details the requirements for IE and IIS.

+2
Dec 25 '11 at 10:26

I got this error when I activated Windows authentication. I wanted to authorize a user based on the Windows login, and there is no login page in my application.

I fixed the error by adding the following to my web.config file. Under the system.web tag, I changed authentication mode="None" to authentication mode="Forms".

Under the appSettings tag, I added add key="owin:AutomaticAppStartup" value="false".

0
Apr 14 '16 at 6:24

After reading Espen Burud's answer, I solved my problem by changing web.config in the root:

 <allow users="*" /> 

at

 <deny users="?" /> 

The page that requires Windows authentication is not in the root directory but in a subdirectory with its own web.config containing deny users="?", but that did not make Windows authentication work. Apparently, you need to deny anonymous users at the root for this to work.

The IIS configuration has anonymous authentication enabled; that did not matter. After the above change to web.config, Windows authentication worked.

0
Jun 19 '19 at 13:57

For .NET Core 2.2 running on IIS, I had problems with 401.2 Unauthorized when I checked Enable Windows Authentication in my application. It was an extremely simple test website that did nothing except try to get Windows authentication working. I finally got authorization to work, and here is what you need:

In Startup ConfigureServices:

 services.AddAuthentication(IISDefaults.AuthenticationScheme); 

Open the project Properties, click Debug on the left, and make sure that Enable Windows Authentication is checked.


But here is the kicker that I forgot... Configure your system so that Windows Authentication is installed in IIS. This was never configured on my machine, and no matter what I did, I always got a 401 Unauthorized error. After installing it (Win 10, IIS v10.0.18362.1), I now get a login prompt. That is not exactly what I need at the moment, but at least it is not an Unauthorized error. Good luck, and hopefully this helps.


0
Sep 06 '19 at 14:45
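An added example, not code from any of the answers above, that checks in one pass the things several of them say to verify: that the Windows Authentication module is actually installed (the KB 942043 answer and the last, .NET Core answer), that it is enabled and anonymous authentication is disabled on the site (the answer about disabling the other methods), what system.web/authentication and the allow/deny rules resolve to (the web.config answers), and which account the application pool runs as and what NTFS rights it has on the site folder (the permissions answer). It assumes the IIS site is named mysite and targets full IIS, not IIS Express, whose applicationhost.config is edited by hand as the IIS Express answer shows.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from any answer. Run on the IIS host (full IIS, not IIS
# Express). Assumption: the site is called 'mysite' in IIS Manager.
param([string]$SiteName = 'mysite')

Import-Module WebAdministration
$site = "IIS:\Sites\$SiteName"
$auth = 'system.webServer/security/authentication'

# 1. Is the module even installed? (Get-WindowsOptionalFeature needs Windows 8/2012+;
#    on older systems look at the output of: dism /online /get-features)
$feat = Get-WindowsOptionalFeature -Online -FeatureName IIS-WindowsAuthentication
'IIS-WindowsAuthentication feature : {0}' -f $feat.State              # want Enabled

# 2. Effective site settings: Windows on, Anonymous off, which providers are offered,
#    and the kernel-mode flags that decide which account decrypts Kerberos tickets.
$win  = Get-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication"   -Name enabled
$anon = Get-WebConfigurationProperty -PSPath $site -Filter "$auth/anonymousAuthentication" -Name enabled
$kern = Get-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication"   -Name useKernelMode
$apc  = Get-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication"   -Name useAppPoolCredentials
'windowsAuthentication enabled     : {0}' -f $win.Value               # want True
'anonymousAuthentication enabled   : {0}' -f $anon.Value              # want False
'useKernelMode / useAppPoolCredentials : {0} / {1}' -f $kern.Value, $apc.Value
$providers = Get-WebConfiguration -PSPath $site -Filter "$auth/windowsAuthentication/providers/add" |
    ForEach-Object { $_.value }
'providers                         : {0}' -f ($providers -join ', ')  # e.g. Negotiate, NTLM

# 3. ASP.NET side: <authentication mode> and the allow/deny rules the web.config answers edit.
$mode = (Get-WebConfiguration -PSPath $site -Filter 'system.web/authentication').mode
'system.web authentication mode    : {0}' -f $mode                    # want Windows
Get-WebConfiguration -PSPath $site -Filter 'system.web/authorization/*' |
    ForEach-Object { '  <{0} users="{1}" roles="{2}" />' -f $_.ElementTagName, $_.users, $_.roles }

# 4. Which account runs the pool, and can it read the site folder? A 401 that survives
#    correct credentials is often an NTFS problem for this account.
$poolName = (Get-Item $site).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$identity = switch ("$($pool.processModel.identityType)") {
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
}
$path = [Environment]::ExpandEnvironmentVariables((Get-Item $site).physicalPath)
'app pool {0} runs as {1}; site path {2}' -f $poolName, $identity, $path
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -in @($identity, 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users') } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Read the output top to bottom: a feature state other than Enabled reproduces the last answer's 401.2 no matter what the site says; Windows off or Anonymous on reproduces the earlier answers; an authentication mode other than Windows, or an allow users="*" at the root with no deny users="?", explains the web.config answers; and a pool identity with no read entry in the ACL is the case the permissions answer describes.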


