Windows Authentication prompts for username/password

9
votes

I am trying to deploy an application in a client network, with AD/domain controller.

My application is a simple asp.net c# application, using windows authentication.

I am using win2003.

Basically, using VS2008, create a new website, hosted on IIS6.0. Only 2 changes. 1. On IIS Directory security for the application, enabled "Integrated Security".
Note: anonymous is also enabled.

Only one change to the skeleton code generated. Add below to the page_load method of default.aspx

using System.Security.Principal;
...
protected void Page_Load(object sender, EventArgs e)
{
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    Response.Write("<B>Windows Identity Check</B><br>");
    Response.Write("Name: " + id.Name + "<br>");
    Response.Write("<BR>");
    Response.Write("User.Identity: " + User.Identity.Name);
    Response.Write("<BR>");
}

Output of browsing to the page: Windows Identity Check- Name: NT AUTHORITY\NETWORK SERVICE User.Identity:

The User.Identity.Name does not output the current username.

As discussed in this article http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx

I added:

<authorization>
    <deny users="?"/>
</authorization>

From what i userstand is that, when this is added, I can get the current users, username from User.Identity.Name.

However, once I added the above, the browser now prompts me for a username and password. Once I enter it, I am able to use User.Identity.Name to get the username. However I do not want the username/password pop up to appear. I want the application to authenticate the user based on their network credentials.

Am I missing something?

7
asp.netwindowssecurityauthentication
What browser did you test with? Only IE will pass the Windows username/password authentication. - Robert C. Barth
That's not necessarily true - FireFox supports Windows Integrated Authentication. - Christopher G. Lewis
Yeah, Firefox has no problem with this it just doesn't treat local hostnames as trusted/intranet zone by default like IE does - but it sure can be configured to. There's even an existing ADM template somewhere for FF I think for the lazy sysadmins to use. - Oskar Duveborn
Here's the check list btw: support.microsoft.com/kb/258063/en-us - not sure but having anonymous auth enabled in IIS as well might be a problem? - Oskar Duveborn

7 Answers

3
votes

Check that internet explorer knows the site is part of local intranet zone. Also, under the settings for intranet zone check that automatic logon is enabled.

3
votes

Your configuration in IIS is incorrect - turn off anonymous access, then integrated authentication will kick in, assuming you've also set it in your web.config via

<configuration>
    <system.web>
        <authentication mode="Windows" />
    </system.web>
</configuration>
1
votes

You do not want to change any configuration in we.config file. In IS server manager in site Authentication, only enable Windows authentication and disable other authentications. enter image description here

Windows Authentication need your =windows credentials to authenticate user. That's the reason to prompt the login. To avoid that you need to set your site IP or domain as trustful intranet site in your client browser. For that;

1)Go to Browser settings -> Open proxy settings -> Security -> Local Intranet -> Sites -> Advanced

2)Then add your site domain or IP address enter image description here

Now see whether your issue is ok after clear browser caching.

This work for me. :)

Check this also Receiving login prompt using integrated windows authentication

0
votes

What URL is your site using, and what's the IE zone? If your app is running outside of the LocalIntranet zone, passthrough authentication is blocked, always prompting for User/Password.

0
votes

Is "Enable Windows Integrated Authentication" selected in IE's Internet Options?

Do both the IUSR_ and username you're entering have Read and Execute permissions to the directory where the application is hosted?

Does the application's directory reside on the IIS server, or is it located on a share, where Windows share permissions would come into play?

0
votes

I think you can not control it from server app, it is browser function to pass the credentials, in IE you may recommend your users to check "enable Windows integrated authentication" in internet options->advanced

0
votes

You do not want to change any configuration in we.config file. In IS server manager in site Authentication, only enable Windows authentication and disable other authentications. enter image description here

Windows Authentication need your =windows credentials to authenticate user. That's the reason to prompt the login. To avoid that you need to set your site IP or domain as trustful intranet site in your client browser. For that;

1)Go to Browser settings -> Open proxy settings -> Security -> Local Intranet -> Sites -> Advanced

2)Then add your site domain or IP address enter image description here

Now see whether your issue is ok after clear browser caching.

This work for me. :)