windows-authentication interview questions
Top windows-authentication frequently asked interview questions
I am using windows authentication without impersonation on my company's intranet website with IIS7.
Under IIS7, what account is used to access the folder which contains my web app using these settings?
Would it be IIS_IUSRS? Or NETWORK SERVICE? Or another I don't know about?
Source: (StackOverflow)
I'm running MVC3 and a windows auth web application. When I deploy to IIS6 it runs great until I hit a page that requires authentication. It then is auto-redirecting to /Account/Login when I have no trace of that in my application and my web.config is configured to windows auth.
Any ideas?
Here is my entire web.config file: http://pastie.org/1568510
Source: (StackOverflow)
I am trying to use the ASP.NET Web API Self-Host option with Windows authentication so I can determine the logged on user and ultimately accept or reject the user based on their identity. Here is my console application code:
using System;
using System.Web.Http;
using System.Web.Http.SelfHost;
namespace SelfHost
{
class Program
{
static void Main(string[] args)
{
var config = new HttpSelfHostConfiguration("http://myComputerName:8080");
config.UseWindowsAuthentication = true;
config.Routes.MapHttpRoute(
"API Default", "api/{controller}/{id}",
new { id = RouteParameter.Optional });
using (HttpSelfHostServer server = new HttpSelfHostServer(config))
{
server.OpenAsync().Wait();
Console.WriteLine("Press Enter to quit.");
Console.ReadLine();
}
}
}
}
Here is the controller:
[Authorize]
public class HelloController : ApiController
{
public string Get()
{
// This next line throws an null reference exception if the Authorize
// attribute is commented out.
string userName = Request.GetUserPrincipal().Identity.Name;
return "Hello " + userName;
}
}
Edit - I added the Authorize attribute, and the debugger shows that the code inside the Get action method is never invoked. The following HTML is returned:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type></HEAD>
<BODY></BODY></HTML>
If the Authorize attribute is commented out, Request.GetUserPrincipal().Identity.Name
throws a null reference exception since Request.GetUserPrincipal()
yields null.
Source: (StackOverflow)
How to implement Windows Authentication in a ServiceStack project build on ASP.NET MVC4?
I started with a global Request-Filter added in the AppHost
:
private void ConfigureAuth(Funq.Container container)
{
this.RequestFilters.Add((httpReq, httpResp, requestDto) =>
{
var user = HttpContext.Current.User.Identity;
if (!user.IsAuthenticated ||
!user.Name.Contains(_myTestUser)) //todo: check username here in database (custom logic) if it has access to the application
httpResp.ReturnAuthRequired();
});
}
This opens up a login dialog, which if entered correctly (username exists and valid password is entered and also the myTestUser
is set to this), results in a successful response.
If anything is wrong, the login dialog is shown again. -- Thats sounds ok to me.
But after retyping the correct user in that second login window, it stops working. The dialog opens again, if like its again incorrect. No breakpoint is hit inside the filter function.
Any idea what might cause this?
Thats what i added in the web.config:
<authentication mode="Windows"/>
<authorization>
<deny users="?" /> <!--only allow authenticated users-->
</authorization>
I want to completely lock up the website and enable access to specified windows users in the database only with their specific permissions (roles). I need to implement custom logic to access the "list of users and roles".
Maybe there is an other way to do this in MVC4/ ASP.NET?
Source: (StackOverflow)
I'm using jQuery to call a .Net web service like this:
var service_url = "https://mysite.com/myservice.asmx"
$.ajax({
type: "GET",
url: service_url,
dataType: "xml",
data: "ParamId=" + FormId.value,
processData: false,
error: function(XMLHttpRequest, textStatus, errorThrown) { ajaxError(XMLHttpRequest, textStatus, errorThrown); },
success: function(xml) { DoSomething(xml); }
});
Now I want to wrap "https://mysite.com/myservice.asmx" in Windows Authentication. How can I pass credentials to the service using jQuery/javascript?
Ideally I'd like to use the current user's credentials but if needed I can use 1 master credential for all service calls.
Source: (StackOverflow)
I have a SQL Server 2005 named instance using Windows Authentication with domain groups serving as logins. The domain structures are as follows:
Forest1 Forest2
/ \ |
Domain1 Domain2 Domain3
Objects are organized in the following domains:
Forest1.Domain1
Forest1.Domain2
- SQL Server Instance
- Domain Local Groups (serving as Logins)
Forest2.Domain3
All my users exist in Domain1
and Domain3
but the SQL Server box exists in Domain2
. As such, my logins are domain groups in Domain2
. When a user in Domain1
is added to a domain local group in Domain2
and attempts to connect using TCP/IP protocol to the SQL Server instance, he receives the following error message:
Cannot connect to <instance>. Login failed for user 'Domain1\userName'. (Microsoft SQL Server, Error: 18456)
Other things I've tried:
If I add the user as a login
explicitly, he can connect.
If I add a Domain1
global group of
which the user is a member as a login
explicitly, he can connect.
If I add a Domain1
global group of
which the user is a member as a
member of the Domain2
domain local
group used as a login, he cannot
connect.
EDIT: If I add the Domain2
domain local group to the Demote Desktop Users group on the Domain2
server hosting the SQL Server instance, the Domain1
user can successfully connect to the server - I can also connect to the instance locally as the Domain1
user (just not remotely).
EDIT: If I add the Domain2
domain local group to a local server group and create a SQL Server login for that local server group, the Domain1
user still cannot connect to the instance remotely.
EDIT: If I change the connection network protocol to "Named Pipes", the Domain1
user can successfully connect remotely.
From what I understand (referencing these TechNet articles: Group Scope and Nesting Groups), the domain group MUST be a domain local group in order to include users from both Domain1
and Domain3
.
How can I use a domain group as a SQL Server login using Windows authentication such that the domain group can contain users from both Domain1
and Domain3
and users can connect remotely via TCP/IP?
MORE NOTES
- The service account for the SQL Server named instance is a user account in
Domain1
- SPN's have been added for the service account (including server name and alias names)
UPDATE
Changing the SQL Service instance service account to be in Domain2
seems to have resolved the issue. I'll investigate further and post back my findings!
Source: (StackOverflow)
I am currently trying to run SQL Server Management Studio 2008 as a user who is on a different domain. I noticed in other threads that running the following command from a batch script will do this however it doesn't seem to work for me.
runas /netonly /user:DOMAIN\USER "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"
I am asked for my password, the Login screen appears however the Windows Authentication username and password are still incorrectly the currently logged in impersonated user on the local Domain. Attempting to connect to the database on the other domain is unsuccessful regardless.
This seems to work for most people, the kicker for me is that this domain exists over a VPN connection. I am not able to view the VPN domain network computers in My Network Places, and thus I cannot Add Users in Control Panel.
My OS is Vista Business unfortunately, I cannot help this.
Any ideas would be appreciated.
Source: (StackOverflow)
I've created a simple (asmx) web service which returns a DataSet.
I've added the webservice to my Excel 2007 workbook using the Data -> From Web button and I'm able to view / refresh the data.
The problem comes when I need to secure the web service: I've turned on Windows authentication for the web service and the request uses SSL.
Unfortunately, the user's logged on windows credentials aren't used by Excel when trying to refresh the data - the refresh fails.
If I click on Data -> Connections -> Properties -> Definition -> Edit Query, only then am I prompted for my windows credentials and does the refresh then succeed.... not a problem for me, but not something I want every user of this spreadsheet to have to do... any ideas how to make the prompt come up when the refresh is attempted instead of having it fail??
Thanks!!
Update Answers so far are to do with SharePoint and Excel Services (neither of which are any use to me)... and one link for which "The following procedure does not apply to data that is retrieved from a text file or a Web query"... I just want a person with a copy of excel on his desktop machine to be able to update from a password-protected web service... is that so hard Microsoft??
Another Update Still no answers accepted - because no answers so far have provided a working solution ( Nice googling though - thanks guys ;-) )
Source: (StackOverflow)
I recently had a nasty issue getting Windows Authentication to work on a local instance of IIS 7.5 (Windows 7 Pro) to an ASP.net 4.0 site. I followed the basic steps.
IIS Authentication
- Disable Anonymous Authentication
- Enable Windows Authentication
Edit web.config
<authentication mode="Windows" />
This did a nice job of enabling Windows Authentication but every attempt to login was rejected and ultimately returned a 401.1 error. This is where the problem started. There appear to be many reasons for this that are well documented around the web including here on Stack Overflow.
I'd tried:
- Editing IIS Authentication 'Advanced settings' for Windows Authentication to disable Extended Protection and Kernel-mode authentication
- Editing IIS Authentication 'Providers' to move NTLM above Negotiate.
- Editing IIS .NET Authorization Rules to explicity Allow users (and various other combinations).
- Various IIS command line scripts and tweaks.
- Various config tweaks in web.config file.
- Even some file system permissions tweaks.
But all to no avail, the dreaded 401.1 remained.
This really is a case of "can't see the wood for the trees". None of the solutions I managed to find (call it a case of bad search parameters if you will) worked for me so I thought it worth posting this question to, hopefully, provide a clear answer that's easier to find for anyone suffering the same issue.
Source: (StackOverflow)
I have an ASP.NET Web API service that runs on a web server with Windows Authentication enabled.
I have a client site built on MVC4 that runs in a different site on the same web server that uses the HttpClient to pull data from the service. This client site runs with identity impersonation enabled and also uses windows authentication.
The web server is Windows Server 2008 R2 with IIS 7.5.
The challenge I am having is getting the HttpClient to pass the current windows user as part of its authentication process. I have configured the HttpClient in this manner:
var clientHandler = new HttpClientHandler();
clientHandler.UseDefaultCredentials = true;
clientHandler.PreAuthenticate = true;
clientHandler.ClientCertificateOptions = ClientCertificateOption.Automatic;
var httpClient = new HttpClient(clientHandler);
My understanding is that running the site with identity impersonation enabled and then building the client in this manner should result in the client authenticating to the service using the impersonated identity of the currently logged in user.
This is not happening. In fact, the client doesn't seem to be authenticating at all.
The service is configured to use windows authentication and this seems to work perfectly. I can go to http://server/api/shippers in my web browser and be prompted for windows authentication, once entered I receive the data requested.
In the IIS logs I see the API requests being received with no authentication and receiving a 401 challenge response.
Documentation on this one seems to be sparse.
I need some insight into what could be wrong or another way to use windows authentication with this application.
Thank You,
Craig
Source: (StackOverflow)
After trying to enable owin & AspNet Identity to my Web Api project (in VS 2013 + .Net 4.5.1) I get the following error in each valid or unvalid(request to none exist controller) requests :
<Error>
<Message>An error has occurred.</Message>
<ExceptionMessage>
No OWIN authentication manager is associated with the request.
</ExceptionMessage>
<ExceptionType>System.InvalidOperationException</ExceptionType>
<StackTrace>
at System.Web.Http.Owin.PassiveAuthenticationMessageHandler.SuppressDefaultAuthenticationChallenges(HttpRequestMessage request) at System.Web.Http.Owin.PassiveAuthenticationMessageHandler.<SendAsync>d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() at System.Web.Http.HttpServer.<SendAsync>d__0.MoveNext()
</StackTrace>
</Error>
As I checked in debug mode, no exception is handled too! Also I realized that Configuration
in Startup
class is never called (indeed never caught by the debugger). here is the code for startup :
[assembly: OwinStartup(typeof(bloob.bloob.Startup))]
namespace bloob.bloob
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
ConfigureAuth(app);
}
}
}
Source: (StackOverflow)
I am working on an C# and ASP.Net application, that uses Windows Authentication.
i.e. in Web.config:
<system.web>
<authentication mode="Windows" />
</system.web>
I want to get details for the current user (full name, email address, etc) from Active Directory.
I can get their pre Windows 2000 user login name (eg: SOMEDOMAIN\someuser
) by using
string username = HttpContext.Current.Request.ServerVariables["AUTH_USER"];
I've worked out the LDAP query for the user, using their current login name (not their pre Windows 2000 user login name):
DirectorySearcher adSearch = new DirectorySearcher(
"(userprincipalname=someuser@somedomain.com.au)");
SearchResult adSearchResult = adSearch.FindOne();
However, I don't know how to either search AD for the user using their pre W2K login name, or get their login name in the 'someuser@somedomain.com.au' format.
Any ideas?
Source: (StackOverflow)
How do you logout when using Windows authentication in ASP.NET like this web.config?
<authentication mode="Windows" />
I've already tried the following unsuccessfully. It redirects, but does not log out the user.
void logoutButton_Click(object sender, EventArgs e) {
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
ViewState.Clear();
FormsAuthentication.SignOut();
Response.Redirect("/");
}
Background Info:
I have to use Windows authentication because I need to impersonate the identity using Active Directory to gain access to local files. And I cannot impersonate using Forms authentication because the HttpContext.Current.User.Identity
won't be a WindowsIdentity
.
http://stackoverflow.com/questions/1066275/impersonate-using-forms-authentication
Source: (StackOverflow)
Short version:
For IIS 7.5 web applications with Windows Authentication does the end
user need to have Read file access?
Long version:
I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp
, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:
When connecting e.g. to http://appserver/MyApp
I'm prompted for windows credentials but after entering them I'm repeatedly prompted. After several re-entering credentials I'm shown a 401 error page saying "401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity but even when entering the username & password it's still denying access.
Giving Read & Execute permissions to the end users of the app solves this problem, but I don't think this should be necessary at all.
In the windows Application Event Log there's a message "File authorization failed for the request" along with Thread account name: NT AUTHORITY\NETWORK SERVICE and User: [the correct workstation users's domain account]. This suggests that the file access is being performed with the User's identity, not the AppPool identity of Network Service. Sure enough if I grant the end user Read & Execute permission (I didn't try Read only) to the application's directory then everything works correctly: when the user browses to the site they're authenticated automatically, not prompted, and the web site correctly recognizes their identity! Therefore my workaround solution is to give Read & Execute permission to Everybody on the application directory...but this is not an ideal solution.
This seems very strange. I've never needed to do this before in IIS 7.5, so far as I recall, and definitely never needed to in IIS 6 or IIS 7. Is this a new IIS7.5 thing? The documentation says that Impersonation is turned off by default. I added a element to the web.config to be sure, removed file permissions other than Network Service, but the problem remained.
Any thoughts? Is it normal for Windows Authenticated sites on IIS 7.5 for end users to need file permissions on the web server files?
Some relevant details:
- Network Service
has Full Control file permissions to the app folder.
- When connecting from the server itself I was prompted for credentials
but after entering them i'm authenticated and the application works
correctly including displaying my windows login and connecting and
retrieving data from the db. I later determined that it was prompting
for credentials because
http://localhost
was in the trusted sites
and therefore not recognised as the Intranet Zone and thus not
passing identity through. I also determined that it was working as
this user identity because it's an admin user who has file
permissions.
- The web server is running Windows Server 2008 R2 / IIS
7.5. It didn't have IIS on it until I installed it. I installed the default features as well as Windows Authentication, ASP.NET, and
possibly a couple of other items. A separate WCF app I installed that
uses IIS, anonymous authentication & .net 2.0 is working fine on
that web server.
- The app install process is a manual copy of files,
creation of IIS App Pools & web apps, updating connection strings,
etc.
- I checked the IE security settings. It was recognizing the
server as in the Intranet zone and had the option 'Automatic logon
only in Intranet zone' selected. Also on Advanced Settings the
'Enable Integrated Windows Authentication' option was checked.
- After
installing IIS I ran
aspnet_regiis -i
for .net 2.0 and
aspnet_regiis -iru
for .net 4.0.
- Anonymous authentication is
disabled for my app and Windows Authentication enabled.
- The app is
running on ASP.NET v4 but there's another app I installed
experiencing the same issue running ASP.NET v2.
- The app is running
with Identity = Network Service and in 32-bit mode.
- Database
connection string includes
Trusted Connection=True
and database
permissions are granted to the web server account [domain]\[server]$
e.g. DGM\MyServer$
.
- In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. I tried reordering so NTLM is first.
- In the Windows Security Event Log there
were a series of Microsoft Windows security auditing events: Logon
and Logoff. They indicated that the Logon was successful and was
displaying the User Id of the workstation user. This are from when
I'm connecting from another workstation and receive a 401
Unauthorized after several attempts.
I see someone has had this problem reported here but with no solution. Originally I posted in the ASP and then the IIS forums with no answers so far.
Update:
This msdn article says
When Windows authentication is enabled but impersonation is disabled, ASP.NET performs file access checks in the file authorization module using the credentials that are sent from the browser (my emphasis). Impersonation does not need to be enabled, because the FileAuthorizationModule module ensures that the requesting user is allowed read access or write access to the resource, depending on the request verb (for example, GET or POST) before executing the request. This behavior applies to any requests that enter managed code. In earlier versions of ASP.NET, accessing files based on URIs such as "Default.aspx" triggered the access check. In ASP.NET MVC applications, where access to resources is typically performed using extensionless URLs, this check typically does not apply, because there is not a physical file to check. In that case, the FileAuthorizationModule class falls back to checking access-control lists (ACLs) for the folder.
This does suggest that the end user needs permissions to the files (in the case of .aspx) or the folder (for MVC) ... although still this seems slightly tucked away and non-definitive. This article about App Pools says they're used as the identity for securing resources, which contradicts the idea of needing to grant privileges to end users. Unless the rules are different for App Pools and NETWORK SERVICE, which could be the case but would be surprising.
Source: (StackOverflow)