application with basic authentication works on local host but get unauthorized user after publish on IIS

0
votes

i have a legacy web API written in MVC 4 web API,it has basic authentication, when i test it,it works on localhost using POSTMAN, when i publish on iis i get 401 - Unauthorized: Access is denied due to invalid credentials.i have enabled the basic authentication for this API on iis server but still I get the same error,should i change something on iis or in my code?

Web Api Config:

   config.Filters.Add(new BasicAuthenticationAttribute());
   // config.Filters.Add(new AuthorizeAttribute());      
    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );


    // Uncomment the following line of code to enable query support for actions with an IQueryable or IQueryable<T> return type.
    // To avoid processing unexpected or malicious queries, use the validation settings on QueryableAttribute to validate incoming queries.
    // For more information, visit http://go.microsoft.com/fwlink/?LinkId=279712.
    //config.EnableQuerySupport();

    // To disable tracing in your application, please comment out or remove the following line of code
    // For more information, refer to: http://www.asp.net/web-api

    config.EnableSystemDiagnosticsTracing()

Authentication class:

     public class BasicAuthenticationAttribute: AuthorizationFilterAttribute
    {
   public override void OnAuthorization(HttpActionContext actionContext)
    {
 var authHeader = actionContext.Request.Headers.Authorization;

 if (authHeader != null)
 {
    var authenticationToken = actionContext.Request.Headers.Authorization.Parameter;
    var decodedAuthenticationToken = Encoding.UTF8.GetString(Convert.FromBase64String(authenticationToken));
    var usernamePasswordArray = decodedAuthenticationToken.Split(':');
    var userName = usernamePasswordArray[0];
    var password = usernamePasswordArray[1];

    // Replace this with your own system of security / means of validating credentials
    var isValid = userName == "rene" && password == "2019";

    if (isValid)
    {
        var principal = new GenericPrincipal(new GenericIdentity(userName), null);
        Thread.CurrentPrincipal = principal;

        actionContext.Response =
           actionContext.Request.CreateResponse(HttpStatusCode.OK,
              "User " + userName + " successfully authenticated");

        base.OnAuthorization(actionContext); 
    }
    else
    {
        HandleUnathorized(actionContext); 
    }
 }
1
asp.net-mvc-4iisasp.net-web-api
I suggest you could check you have enabled other auth mode like windows auth or else in the IIS manamgent console firstly. If you don't enable it, I suggest you could try to use remote debug to remote debug the OnAuthorization method to find userName and password value to make sure it is right. Details ,you could refer to this article.Brando Zhang
i enabled that but still does not workingmortezasol
Have you checked if there is other auth mode in your IIS server? You mean you have enabled the windows auth? Have tried to remote debug your web application?Brando Zhang

1 Answers

1
votes

I've had similar issue when deploying to IIS and it can be difficult to identify the main cause of the issue. What i would recommend is checking if the application is throwing an error which is probably the cause of your error.

You can try the following:

  • Make sure all dependencies Exist and are configured on the IIS Server.(.Net framework 3.5 .Net framework 4.5 etc)
  • Event viewer for errors or failed authentications.
  • Windowslog/Application (Shows errors if one exits).
  • Windowslog/Security for failed auth attempts
  • Check IIS log files (C:\inetpub\logs\LogFiles). you might find a clue to the error.

I hope this might help you as it has done to me in the past. In worst case scenario try to set up a VM with a fresh IIS and deploy there. And then Cross-check.