I have several web applications that I created for our intranet. I wanted to let users not worry about logging in, so these applications pull the current user when they get to the site. I used this code for this:
Dim userName As String = User.Identity.Name CurrentUser = userName.Substring(userName.IndexOf("\") + 1)
It works like a charm, there is no problem. The next step is to query Active Directory for this registered user to get various information. As I currently encoded it, it works like a charm on the devleopment side (typical because I don't run IIS).
The problem occurs when I publish it on my IIS server (Windows Server 2008 R2, running IIS 7.5). I get error messages pointing to a specific line in my code that Active Directory is requesting. The interesting part of these applications works great last week. They broke after my server administrator made the last batch of Windows updates (note, I run them using .Net Framework 4.0)
Before I had every installation of the application so that Windows authentication was turned on, other types of authentication were turned off. For providers, Negotiate is No. 1, NTLM is No. 2. For advanced settings, Enhanced Protection = Off And kernel mode authentication is enabled.
My web.config has the following set:
<customErrors mode="Off"/> <authentication mode="Windows" /> <authorization> <deny users="?"/> </authorization>
These were the settings that I had, and everything worked like a charm. Now, to make it work several times, I need to exchange providers, so NTLM is No. 1, and Negotiate is No. 2. Because of this, the user credentials are not transferred properly, and the AD request fails. This is the encoding that I use for the request:
Dim adSearchRoot As New DirectoryEntry("LDAP://DC=[DOMAIN],DC=com") Dim adSearch As New DirectorySearcher(adSearchRoot) adSearch.Filter = "(&(ObjectClass=User)(sAMAccountName=" & CurrentUser & "))" Dim searchResult As SearchResult = adSearch.FindOne()
Since the update, when you load the site using Negotiate, it does not work on this bottom line, because I do not have a username and password for DirectoryEntry. Even when I set the username / password, it still does not work 100%, as usual.
So my question is, what do I need to do so that the user accesses the site, can I find out his username and request the active directory without requiring a username / password in DirectoryEntry?
Is this a setting in IIS? Or do I need to transcode? Perhaps setting web.config? Do I need to return server updates and find out what caused the gap?
Thanks for the advice in advance. If you have questions that will help answer the question, let me know.
UPDATE
I tried, as suggested by Matt, adding the following clip to the web.config file:
<security> <authorization> <add accessType="Deny" users="?" /> </authorization> </security>
This did not work. I did some reading and then changed this section further:
<location path="Default Web Site/NameOfApp"> <system.webServer> <security> <authentication> <anonymousAuthentication enabled="false"/> <windowsAuthentication enabled="true"> <providers> <add value="Negotiate" /> <add value="NTLM" /> </providers> </windowsAuthentication> </authentication> <authorization> <add accessType="Deny" users="?" /> </authorization> </security> </system.webServer> </location>
In doing so, I also deleted the line that was higher in my web.config section. That didn't work either (fyi, it was a great link http://www.iis.net/ConfigReference/system.webServer/security/authentication )
Then I stumbled over this article: http://social.technet.microsoft.com/Forums/en/winserverDS/thread/7deba16b-295a-4887-98f9-9f291ed49871 , which seemed to be similar to the situation. This article eventually mentions "Double Hops", looking at it and trying a few things, this also did not solve my problem.
Next step
I am going to try a new implementation of IIS 7.5 on another Server 2008 R2 server system and, in fact, start from scratch to see if the problem recreates or not.
ANY new offers will be of great help.