ASP.NET MVC Windows authentication - users are logged in as different users

We have an ASP.NET MVC web application hosted in IIS with Windows authentication enabled (we use Active Directory to authenticate users).

At some point (in production), users were logged in to the system as different users. Login normally happens when the user logs on to their laptop / PC in the organization, so the website is expected to always show the user registered on that PC / laptop - these are their identifiers.

For IIS, we save session state in SQL Server, and we use sessions through HttpContext.Session in the application.

I need some guidance on how I can track down the source of the problem. Is there a tool, or what code can I share with you that might help?

Thanks!

+5
2 answers

Make sure that:

  • You have "Integrated Windows Authentication" (formerly called NTLM authentication) in IIS for the application you are using.

  • Then you should add a web.config file to the root directory of your ASP.NET application, containing the <authentication> section that sets the mode to "Windows".

  • Then you should add the <authorization> section to the same web.config file, which denies access to the "anonymous" users who visited the site. This will force ASP.NET to always authenticate the incoming browser user using Windows authentication - and make sure that from within the code on the server you can always access the username and membership of the Windows group for the incoming user.

The web.config file below shows how to configure both of the steps described above:

    <configuration>
      <system.web>
        <authentication mode="Windows" />
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>
+2

Troubleshooting ...

To view the error, I would make sure that you show the current user HttpContext.Current.User.Identity.Name; on every page. Refresh the page and verify that the user has not changed. Go to other pages and do the same. Clear all cookies and the state of the application in the browser, close the browser, then reopen the browser and return to the site. You still need to log in as the same user on every page and in every browser session. If this is intermittent, you may need to repeat this several times to reproduce the error.

Does this happen when running local IIS Express on developer machines? Does this ever happen in other environments (test, staging) where the code is used? If not, how is production different?

Is there a proxy between users and the production web server? Or even some of the users, for example, if they log in via VPN?

+2
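One way to automate the per-page identity check and the proxy question from the answer above, as an added example that is not code from either answer: a global MVC action filter that logs the Windows identity, session ID and proxy headers for each request, and flags a session that is presented by a different authenticated user than the one it was first bound to. The class name `IdentityAuditFilter`, the session key `__SessionOwner` and the use of `System.Diagnostics.Trace` as the log sink are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web.Mvc;

// Added example. Register once in Application_Start:
//   GlobalFilters.Filters.Add(new IdentityAuditFilter());
public class IdentityAuditFilter : ActionFilterAttribute
{
    // Hypothetical session key: pins a session to the first authenticated user seen on it.
    private const string OwnerKey = "__SessionOwner";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        var identity = http.User != null ? http.User.Identity : null;
        bool authenticated = identity != null && identity.IsAuthenticated;
        string current = authenticated ? identity.Name : "(anonymous)";
        string authType = authenticated ? identity.AuthenticationType : "";
        string sessionId = http.Session != null ? http.Session.SessionID : "(no session)";

        // Headers commonly added by proxies; non-empty values show that an
        // intermediary sits between this client and IIS.
        string via = http.Request.Headers["Via"] ?? "";
        string forwardedFor = http.Request.Headers["X-Forwarded-For"] ?? "";

        Trace.TraceInformation(
            "identity-audit user={0} auth={1} session={2} ip={3} via={4} xff={5} url={6}",
            current, authType, sessionId, http.Request.UserHostAddress,
            via, forwardedFor, http.Request.RawUrl);

        if (authenticated && http.Session != null)
        {
            var owner = http.Session[OwnerKey] as string;
            if (owner == null)
            {
                http.Session[OwnerKey] = current; // first authenticated request on this session
            }
            else if (!string.Equals(owner, current, StringComparison.OrdinalIgnoreCase))
            {
                // The session cookie arrived with a different Windows identity than the
                // one that created the session: record it and discard the session data.
                Trace.TraceWarning(
                    "identity-audit MISMATCH session={0} owner={1} current={2} via={3} xff={4}",
                    sessionId, owner, current, via, forwardedFor);
                http.Session.Clear();   // remove the other user's data for this request
                http.Session.Abandon(); // end the session when the request completes
            }
        }
        base.OnActionExecuting(filterContext);
    }
}
```

Mismatch warnings that always carry a `Via` or `X-Forwarded-For` value point at an intermediary; warnings with neither point back at how the application stores user data in the session.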

Source: https://habr.com/ru/post/1274729/

