Windows Authentication and Windows Server ASP.NET

On Fri, 4 Feb 2005 05:55:07 -0800, "Chris" <Ch***@discussions.microsoft.com> wrote:

¤ I'm building a web app in C# for use on a company intranet. I want to
¤ restrict access to only authenticated users on the domain. There is plenty
¤ of documentation on this subject except for one issue that I've come across.
¤
¤ When running this on IIS installed on my Windows XP deveopment system, any
¤ authenticated user on the domain can access the page and using the Security
¤ object I can identify them.
¤
¤ However, when running the app on a Windows 2000 Server, users are always
¤ asked for their username and password. I cannot figure out how to get the
¤ information automatically handled by the server.
¤
¤ I've gone through all of the recommended settings for IIS and the web.config
¤ file and cannot get rid of this prompt. Is this normal or expected? Any
¤ help would be appreciated.

If you have the web application set up for Windows Integrated Authentication only, and you're still
getting a login dialog, it would appear that there is an attempt to access a secured resource to
which the user does not have access.

You could create a very simple web app that just displays "Hello World" in order verify whether the
security issue is specific to the application or a resource the application is using.
Paul ~~~ pc******@ameritech.net
Microsoft MVP (Visual Basic)

Currently, I'm running a simple test page that displays the
"User.Identity.Name" information only. Still puzzled...

"Paul Clement" wrote:

On Fri, 4 Feb 2005 05:55:07 -0800, "Chris" <Ch***@discussions.microsoft.com> wrote:

¤ I'm building a web app in C# for use on a company intranet. I want to
¤ restrict access to only authenticated users on the domain. There is plenty
¤ of documentation on this subject except for one issue that I've come across.
¤
¤ When running this on IIS installed on my Windows XP deveopment system, any
¤ authenticated user on the domain can access the page and using the Security
¤ object I can identify them.
¤
¤ However, when running the app on a Windows 2000 Server, users are always
¤ asked for their username and password. I cannot figure out how to get the
¤ information automatically handled by the server.
¤
¤ I've gone through all of the recommended settings for IIS and the web.config
¤ file and cannot get rid of this prompt. Is this normal or expected? Any
¤ help would be appreciated.

If you have the web application set up for Windows Integrated Authentication only, and you're still
getting a login dialog, it would appear that there is an attempt to access a secured resource to
which the user does not have access.

You could create a very simple web app that just displays "Hello World" in order verify whether the
security issue is specific to the application or a resource the application is using.
Paul ~~~ pc******@ameritech.net
Microsoft MVP (Visual Basic)

Using a fully qualified domain name or ip address in a url will always force
a prompt if authentication is required.

NTLM authentication is only done automatically if a "simple" name is used.
(e.g. http://myserver as opposed to http://myserver.mycompany.com or
http://192.168.1.100 )

"Chris" <Ch***@discussions.microsoft.com> wrote in message
news:57**********************************@microsof t.com...

I'm building a web app in C# for use on a company intranet. I want to
restrict access to only authenticated users on the domain. There is
plenty
of documentation on this subject except for one issue that I've come
across.

When running this on IIS installed on my Windows XP deveopment system, any
authenticated user on the domain can access the page and using the
Security
object I can identify them.

However, when running the app on a Windows 2000 Server, users are always
asked for their username and password. I cannot figure out how to get the
information automatically handled by the server.

I've gone through all of the recommended settings for IIS and the
web.config
file and cannot get rid of this prompt. Is this normal or expected? Any
help would be appreciated.

In order for this box to be bypassed you must either use a direct computer
name or add the fully qualified domain path to your trusted sites list. NTLM
will only execute transparently when these conditions are met.

Typically developers are confused by this result because in tests you would
refer to your http:\\localhost which is always a trusted site. It is an
annoyance but it is the only solution to transparent security measure using
NTLM.

"Chris" wrote:

I'm building a web app in C# for use on a company intranet. I want to
restrict access to only authenticated users on the domain. There is plenty
of documentation on this subject except for one issue that I've come across.

When running this on IIS installed on my Windows XP deveopment system, any
authenticated user on the domain can access the page and using the Security
object I can identify them.

However, when running the app on a Windows 2000 Server, users are always
asked for their username and password. I cannot figure out how to get the
information automatically handled by the server.

I've gone through all of the recommended settings for IIS and the web.config
file and cannot get rid of this prompt. Is this normal or expected? Any
help would be appreciated.