Network Credentials not passing in Authentication mode

[Steve]

All --

I've set up a directory where I simply want to know the person's name
when he comes into the directory. I've set up the following:

* Uncheck allow anon in IIS
* Uncheck basic authentication
* Check 'Use windows authentication'

My web.config file looks as follows:

<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>

</system.web>
</configuration>


However, I cannot get to the page -- there's no error being thrown.
It seems that it just ignores everything. Checking the IIS logs shows
that a 401 has been issued, but there's no message sent to the user.

The physical folder has 'Everyone' with read permissions. All I want
is the user's DOMAIN\name sent to me so I can do something with it,
but it doesn't seem it's being passed.

Any ideas?

[Ken Schaefer]

Are you using a pop-up window in your browser asking you for a
username/password?

Cheers
Ken

"Steve" <steve.cimino@ticketmaster.com> wrote in message
news:b74b67c3.0401260911.204e16ca@posting.google.c om...
: All --
:
: I've set up a directory where I simply want to know the person's name
: when he comes into the directory. I've set up the following:
:
: * Uncheck allow anon in IIS
: * Uncheck basic authentication
: * Check 'Use windows authentication'
:
: My web.config file looks as follows:
:
: <configuration>
: <system.web>
: <authentication mode="Windows" />
: <authorization>
: <allow users="*" />
: </authorization>
:
: </system.web>
: </configuration>
:
:
: However, I cannot get to the page -- there's no error being thrown.
: It seems that it just ignores everything. Checking the IIS logs shows
: that a 401 has been issued, but there's no message sent to the user.
:
: The physical folder has 'Everyone' with read permissions. All I want
: is the user's DOMAIN\name sent to me so I can do something with it,
: but it doesn't seem it's being passed.
:
: Any ideas?

[Steve]

Hi Ken, thanks for the reply.

No, I'm not using any basic authentication and prompting the user for
the name/password. I'm trying to grab what they've already logged
into the network with. This was a piece of cake in classic ASP, but
I'm still having difficulties getting this to work.

I also have under IIS the directory listed as an application, not as a
virtual directory. Is there any other information I can provide you?

Thanks --



"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<#joLnWH5DHA.1592@TK2MSFTNGP10.phx.gbl>...

> Are you using a pop-up window in your browser asking you for a
> username/password?
>
> Cheers
> Ken
>
> "Steve" <steve.cimino@ticketmaster.com> wrote in message
> news:b74b67c3.0401260911.204e16ca@posting.google.c om...
> : All --
> :
> : I've set up a directory where I simply want to know the person's name
> : when he comes into the directory. I've set up the following:
> :
> : * Uncheck allow anon in IIS
> : * Uncheck basic authentication
> : * Check 'Use windows authentication'
> :
> : My web.config file looks as follows:
> :
> : <configuration>
> : <system.web>
> : <authentication mode="Windows" />
> : <authorization>
> : <allow users="*" />
> : </authorization>
> :
> : </system.web>
> : </configuration>
> :
> :
> : However, I cannot get to the page -- there's no error being thrown.
> : It seems that it just ignores everything. Checking the IIS logs shows
> : that a 401 has been issued, but there's no message sent to the user.
> :
> : The physical folder has 'Everyone' with read permissions. All I want
> : is the user's DOMAIN\name sent to me so I can do something with it,
> : but it doesn't seem it's being passed.
> :
> : Any ideas?

[Shriop]

on my xp machine, using .net frmaework 1.0, I put Response.Write(
this.User.Identity.Name ); into the Page_Load method of an asp.net
page in its own web application. I used the exact same web.config as
you. I then went into IIS, did what you did, unchecked anon, unchecked
basic, checked NT. I then went to folder security, removed all users
and groups and made sure the permissions weren't propogating down from
its parent. I then added in the domain group "Everyone" with read
permissions. I can run the page just fine from another computer using
[url]http://computer_name/web_app_name/page.aspx[/url] syntax and it outputs what
you're looking for. if I remove that one setting, then I can't view
the page from the other computer. I also can't view the page if I use
an external ip for the http server. I also tried the exact same thing
on a w2k machine running .net framework 1.1, and got the same results.
I can't hardly come up with any settings you can do that prevent you
from seeing that page.

[Ken Schaefer]

Hi,

I would suggest that you enable Windows file-access-failure auditing on the
file in question. Then, attempt to browse the page from your web-browser.
You should see something logged in the event log indicating what user
account the server thinks is being used to attempt to access the page, and
then tweak your NTFS permissions appropriately.

Also, be aware that NTLM doesn't work through most proxy servers, and
Kerberos authentication doesn't work through most firewalls (those are the
two Integrated Authentication options), so if you're browsing from an
external site, keep that in mind.

Cheers
Ken


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Steve" <steve.cimino@ticketmaster.com> wrote in message
news:b74b67c3.0401270644.13972f16@posting.google.c om...
: Hi Ken, thanks for the reply.
:
: No, I'm not using any basic authentication and prompting the user for
: the name/password. I'm trying to grab what they've already logged
: into the network with. This was a piece of cake in classic ASP, but
: I'm still having difficulties getting this to work.
:
: I also have under IIS the directory listed as an application, not as a
: virtual directory. Is there any other information I can provide you?
:
: Thanks --
:
:
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:<#joLnWH5DHA.1592@TK2MSFTNGP10.phx.gbl>...
: > Are you using a pop-up window in your browser asking you for a
: > username/password?
: >
: > Cheers
: > Ken
: >
: > "Steve" <steve.cimino@ticketmaster.com> wrote in message
: > news:b74b67c3.0401260911.204e16ca@posting.google.c om...
: > : All --
: > :
: > : I've set up a directory where I simply want to know the person's name
: > : when he comes into the directory. I've set up the following:
: > :
: > : * Uncheck allow anon in IIS
: > : * Uncheck basic authentication
: > : * Check 'Use windows authentication'
: > :
: > : My web.config file looks as follows:
: > :
: > : <configuration>
: > : <system.web>
: > : <authentication mode="Windows" />
: > : <authorization>
: > : <allow users="*" />
: > : </authorization>
: > :
: > : </system.web>
: > : </configuration>
: > :
: > :
: > : However, I cannot get to the page -- there's no error being thrown.
: > : It seems that it just ignores everything. Checking the IIS logs shows
: > : that a 401 has been issued, but there's no message sent to the user.
: > :
: > : The physical folder has 'Everyone' with read permissions. All I want
: > : is the user's DOMAIN\name sent to me so I can do something with it,
: > : but it doesn't seem it's being passed.
: > :
: > : Any ideas?

[Steve]

Thanks for both of your suggestions....

I've even tried this from an IE5 browser (since use windows auth is
default) to see if that would go through, but no joy. I've double
checked my IE6 SP1 settings and I do have send windows auth through.

What I get in the IIS logs (after both of your suggestions) is

17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+CLR+1.0.3705)
-
17:43:23 127.0.0.1 GET /capex/user.aspx 401 4383 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+CLR+1.0.3705)
-
17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+CLR+1.0.3705)
-


Now the 401.4 is

Unauthorized: Authorization failed by a filter installed on the Web
server.

Thing is, it's my localhost webserver. Now I'd guess that the
"filter" it's referring to is the web.config log, no? I've even added
a location to the file... so now it looks like


<configuration>
<location path="CapEx">
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>

and have even tried <deny users="?">

An inspection of the system log file in Event Viewer says

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 1/28/2004
Time: 11:08:23 AM
User: NT AUTHORITY\SYSTEM
Computer: MYMACHINENAME
Description:
A trusted logon process has registered with the Local Security
Authority. This logon process will be trusted to submit logon
requests.

Logon Process Name: KSecDD

Does this information help any?

Thank you both for taking time to help me... it is much appreciated.






"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<OkuL$pU5DHA.1804@TK2MSFTNGP12.phx.gbl>...

> Hi,
>
> I would suggest that you enable Windows file-access-failure auditing on the
> file in question. Then, attempt to browse the page from your web-browser.
> You should see something logged in the event log indicating what user
> account the server thinks is being used to attempt to access the page, and
> then tweak your NTFS permissions appropriately.
>
> Also, be aware that NTLM doesn't work through most proxy servers, and
> Kerberos authentication doesn't work through most firewalls (those are the
> two Integrated Authentication options), so if you're browsing from an
> external site, keep that in mind.
>
> Cheers
> Ken
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Steve" <steve.cimino@ticketmaster.com> wrote in message
> news:b74b67c3.0401270644.13972f16@posting.google.c om...
> : Hi Ken, thanks for the reply.
> :
> : No, I'm not using any basic authentication and prompting the user for
> : the name/password. I'm trying to grab what they've already logged
> : into the network with. This was a piece of cake in classic ASP, but
> : I'm still having difficulties getting this to work.
> :
> : I also have under IIS the directory listed as an application, not as a
> : virtual directory. Is there any other information I can provide you?
> :
> : Thanks --
> :
> :
> :
> : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:<#joLnWH5DHA.1592@TK2MSFTNGP10.phx.gbl>...
> : > Are you using a pop-up window in your browser asking you for a
> : > username/password?
> : >
> : > Cheers
> : > Ken
> : >
> : > "Steve" <steve.cimino@ticketmaster.com> wrote in message
> : > news:b74b67c3.0401260911.204e16ca@posting.google.c om...
> : > : All --
> : > :
> : > : I've set up a directory where I simply want to know the person's name
> : > : when he comes into the directory. I've set up the following:
> : > :
> : > : * Uncheck allow anon in IIS
> : > : * Uncheck basic authentication
> : > : * Check 'Use windows authentication'
> : > :
> : > : My web.config file looks as follows:
> : > :
> : > : <configuration>
> : > : <system.web>
> : > : <authentication mode="Windows" />
> : > : <authorization>
> : > : <allow users="*" />
> : > : </authorization>
> : > :
> : > : </system.web>
> : > : </configuration>
> : > :
> : > :
> : > : However, I cannot get to the page -- there's no error being thrown.
> : > : It seems that it just ignores everything. Checking the IIS logs shows
> : > : that a 401 has been issued, but there's no message sent to the user.
> : > :
> : > : The physical folder has 'Everyone' with read permissions. All I want
> : > : is the user's DOMAIN\name sent to me so I can do something with it,
> : > : but it doesn't seem it's being passed.
> : > :
> : > : Any ideas?

[Shriop]

23:20:36 127.0.0.1 GET /authtest/WebForm1.aspx 401
23:20:36 127.0.0.1 GET /authtest/WebForm1.aspx 200

that's what shows up in my logs when I make a request to my test page.
basically, the browser is making 2 requests. the first is sent without
nt auth, which the server rejects, and the second is the browser
coming back with the nt auth, which gets a 200 response. if you're not
seeing a 2nd request basically in the same second as the first
request, then your browser is not replying to the challenge. I haven't
dug too deep into what the server is sending back as a challenge, but
I think it lists the options that the browser can use to auth with the
server. your browser should either be immediately responding, or
popping up a window asking you for the logon.

here's the content of the 401 challenge my web server is sending back

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.1
Date: Wed, 28 Jan 2004 23:34:06 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 4431
WWW-Authenticate: Digest qop="auth", realm="DOMAIN_NAME_HERE",
nonce="bunch of gibberish like a nt token or something here"
Content-Type: text/html

....bunch of error html here...

you can check it versus what your server is sending back as a
challenge. just telnet to localhost on port 80 and type "GET
/capex/user.aspx HTTP/1.0" and hit enter twice, and you'll get the
response. you may have to turn up your line buffer to see it all.

[Ken Schaefer]

The filter referred to would be an ISAPI filter of some kind, not a
web.config issue.

Cheers
Ken

"Steve" <steve.cimino@ticketmaster.com> wrote in message
news:b74b67c3.0401281159.17d8c0ae@posting.google.c om...
: Thanks for both of your suggestions....
:
: I've even tried this from an IE5 browser (since use windows auth is
: default) to see if that would go through, but no joy. I've double
: checked my IE6 SP1 settings and I do have send windows auth through.
:
: What I get in the IIS logs (after both of your suggestions) is
:
: 17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
:
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+C
LR+1.0.3705)
: -
: 17:43:23 127.0.0.1 GET /capex/user.aspx 401 4383 0
:
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+C
LR+1.0.3705)
: -
: 17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
:
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+C
LR+1.0.3705)
: -
:
:
: Now the 401.4 is
:
: Unauthorized: Authorization failed by a filter installed on the Web
: server.
:
: Thing is, it's my localhost webserver. Now I'd guess that the
: "filter" it's referring to is the web.config log, no? I've even added
: a location to the file... so now it looks like
:
:
: <configuration>
: <location path="CapEx">
: <system.web>
: <authentication mode="Windows" />
: <authorization>
: <allow users="*" />
: </authorization>
: </system.web>
: </location>
: </configuration>
:
: and have even tried <deny users="?">
:
: An inspection of the system log file in Event Viewer says
:
: Event Type: Success Audit
: Event Source: Security
: Event Category: System Event
: Event ID: 515
: Date: 1/28/2004
: Time: 11:08:23 AM
: User: NT AUTHORITY\SYSTEM
: Computer: MYMACHINENAME
: Description:
: A trusted logon process has registered with the Local Security
: Authority. This logon process will be trusted to submit logon
: requests.
:
: Logon Process Name: KSecDD
:
: Does this information help any?
:
: Thank you both for taking time to help me... it is much appreciated.
:
:
:
:
:
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:<OkuL$pU5DHA.1804@TK2MSFTNGP12.phx.gbl>...
: > Hi,
: >
: > I would suggest that you enable Windows file-access-failure auditing on
the
: > file in question. Then, attempt to browse the page from your
web-browser.
: > You should see something logged in the event log indicating what user
: > account the server thinks is being used to attempt to access the page,
and
: > then tweak your NTFS permissions appropriately.
: >
: > Also, be aware that NTLM doesn't work through most proxy servers, and
: > Kerberos authentication doesn't work through most firewalls (those are
the
: > two Integrated Authentication options), so if you're browsing from an
: > external site, keep that in mind.
: >
: > Cheers
: > Ken
: >
: >
: > --
: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: > "Steve" <steve.cimino@ticketmaster.com> wrote in message
: > news:b74b67c3.0401270644.13972f16@posting.google.c om...
: > : Hi Ken, thanks for the reply.
: > :
: > : No, I'm not using any basic authentication and prompting the user for
: > : the name/password. I'm trying to grab what they've already logged
: > : into the network with. This was a piece of cake in classic ASP, but
: > : I'm still having difficulties getting this to work.
: > :
: > : I also have under IIS the directory listed as an application, not as a
: > : virtual directory. Is there any other information I can provide you?
: > :
: > : Thanks --
: > :
: > :
: > :
: > : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: > news:<#joLnWH5DHA.1592@TK2MSFTNGP10.phx.gbl>...
: > : > Are you using a pop-up window in your browser asking you for a
: > : > username/password?
: > : >
: > : > Cheers
: > : > Ken
: > : >
: > : > "Steve" <steve.cimino@ticketmaster.com> wrote in message
: > : > news:b74b67c3.0401260911.204e16ca@posting.google.c om...
: > : > : All --
: > : > :
: > : > : I've set up a directory where I simply want to know the person's
name
: > : > : when he comes into the directory. I've set up the following:
: > : > :
: > : > : * Uncheck allow anon in IIS
: > : > : * Uncheck basic authentication
: > : > : * Check 'Use windows authentication'
: > : > :
: > : > : My web.config file looks as follows:
: > : > :
: > : > : <configuration>
: > : > : <system.web>
: > : > : <authentication mode="Windows" />
: > : > : <authorization>
: > : > : <allow users="*" />
: > : > : </authorization>
: > : > :
: > : > : </system.web>
: > : > : </configuration>
: > : > :
: > : > :
: > : > : However, I cannot get to the page -- there's no error being
thrown.
: > : > : It seems that it just ignores everything. Checking the IIS logs
shows
: > : > : that a 401 has been issued, but there's no message sent to the
user.
: > : > :
: > : > : The physical folder has 'Everyone' with read permissions. All I
want
: > : > : is the user's DOMAIN\name sent to me so I can do something with
it,
: > : > : but it doesn't seem it's being passed.
: > : > :
: > : > : Any ideas?

[Steve]

Interesting...

Now telnet-ing into port 80 does actually return me a 401 -- Access
Denied. (even though I set up use NTLM in telnet).

However, through the browser, nothing comes back to the browser AT
ALL. If I didn't send the 'second of the hour' to the screen, I
wouldn't have known anything isn't happening.

This is telnet:

17:04:27 127.0.0.1 GET /capex/user.aspx 401 4625 0 - -

This is IE 6 SP 1

17:04:55 127.0.0.1 GET /capex/user.aspx 401 4383 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+CLR+1.0.3705)
-
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4644 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+CLR+1.0.3705)
-
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4383 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+CLR+1.0.3705)
-

As you said, it looks like it is making 3 requests, but the 401 is not
sent to the browser. Now if I turn on 'allow anon', I get what's
expected:

17:08:33 127.0.0.1 GET /capex/user.aspx 200 448 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CL R+1.1.4322;+.NET+CLR+1.0.3705)
-


So is it the browser messing up?

Thanks for all your help, it is appreciated.

[Steve]

However with a localhost setup, I should have full permissions, and I
haven't installed any filters.

Perhaps when you install Visual Studio .Net it installs something like
that behind the scenes?

Thanks for your patience as well.

[Shriop]

in IE, go to tools, internet options, advanced, and uncheck "show
friendly HTTP error messages. you might then be able to actually get
the 401 error message in your browser. I doubt it's something that IE
is actually doing wrong. it sounds more like a network problem. are
you sure that you're logging on to your computer as a network user,
like when you go to log on, it is showing your domain in the log on to
drop down box? can you browse to other computers on the domain? to
access other people's computers on the domain, you should see them
under "My Network Places", entire network, microsoft windows network,
domain name, and then the computer. Are you trying to view the web
page from inside Visual Studio using the debug feature or anything
odd, or are you just opening a browser and typing in the localhost
url?

[Steve]

Out of a hunch, I just uninstalled IIS and then reinstalled it, then
registerd the .Net libraries and voila, everything is now working.

Dunno... maybe something got corrupted? When I installed VS.Net on
Monday, it asked for the Windows Component CD -- even though I had the
1.1 libs already installed. Maybe something happened behind the
scenes.

Thanks again for your help and dedication to this... it is much
appreciated.

Steve




[email]shriop@yahoo.com[/email] (Shriop) wrote in message news:<7c6b8c80.0401291509.1eb27c8b@posting.google. com>...

> in IE, go to tools, internet options, advanced, and uncheck "show
> friendly HTTP error messages. you might then be able to actually get
> the 401 error message in your browser. I doubt it's something that IE
> is actually doing wrong. it sounds more like a network problem. are
> you sure that you're logging on to your computer as a network user,
> like when you go to log on, it is showing your domain in the log on to
> drop down box? can you browse to other computers on the domain? to
> access other people's computers on the domain, you should see them
> under "My Network Places", entire network, microsoft windows network,
> domain name, and then the computer. Are you trying to view the web
> page from inside Visual Studio using the debug feature or anything
> odd, or are you just opening a browser and typing in the localhost
> url?

[Steve]

Ugh... this was supposed to be attached to this thread.

[url]http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=7c6b8c80.0401291509.1eb27c8b%40posting.g oogle.com&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26group%3Dmicrosoft.public.dotnet.framework.aspn et.security[/url]


Didn't know that changing the title in a reply made a new post.

So thanks Ken and Shriop.


[email]steve.cimino@ticketmaster.com[/email] (Steve) wrote in message news:<b74b67c3.0401300951.541fe9e7@posting.google. com>...

> Out of a hunch, I just uninstalled IIS and then reinstalled it, then
> registerd the .Net libraries and voila, everything is now working.
>
> Dunno... maybe something got corrupted? When I installed VS.Net on
> Monday, it asked for the Windows Component CD -- even though I had the
> 1.1 libs already installed. Maybe something happened behind the
> scenes.
>
> Thanks again for your help and dedication to this... it is much
> appreciated.
>
> Steve
>
>
>
>
> [email]shriop@yahoo.com[/email] (Shriop) wrote in message news:<7c6b8c80.0401291509.1eb27c8b@posting.google. com>...

> > in IE, go to tools, internet options, advanced, and uncheck "show
> > friendly HTTP error messages. you might then be able to actually get
> > the 401 error message in your browser. I doubt it's something that IE
> > is actually doing wrong. it sounds more like a network problem. are
> > you sure that you're logging on to your computer as a network user,
> > like when you go to log on, it is showing your domain in the log on to
> > drop down box? can you browse to other computers on the domain? to
> > access other people's computers on the domain, you should see them
> > under "My Network Places", entire network, microsoft windows network,
> > domain name, and then the computer. Are you trying to view the web
> > page from inside Visual Studio using the debug feature or anything
> > odd, or are you just opening a browser and typing in the localhost
> > url?