I've set up a directory where I simply want to know the person's name
when he comes into the directory. I've set up the following:
* Uncheck allow anon in IIS
* Uncheck basic authentication
* Check 'Use windows authentication'
My web.config file looks as follows:
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
However, I cannot get to the page -- there's no error being thrown.
It seems that it just ignores everything. Checking the IIS logs shows
that a 401 has been issued, but there's no message sent to the user.
The physical folder has 'Everyone' with read permissions. All I want
is the user's DOMAIN\name sent to me so I can do something with it,
but it doesn't seem it's being passed.
Any ideas?
Cheers
Ken
"Steve" <steve....@ticketmaster.com> wrote in message
news:b74b67c3.04012...@posting.google.com...
: All --
No, I'm not using any basic authentication and prompting the user for
the name/password. I'm trying to grab what they've already logged
into the network with. This was a piece of cake in classic ASP, but
I'm still having difficulties getting this to work.
I also have under IIS the directory listed as an application, not as a
virtual directory. Is there any other information I can provide you?
Thanks --
"Ken Schaefer" <kenR...@THISadOpenStatic.com> wrote in message news:<#joLnWH5...@TK2MSFTNGP10.phx.gbl>...
I would suggest that you enable Windows file-access-failure auditing on the
file in question. Then, attempt to browse the page from your web-browser.
You should see something logged in the event log indicating what user
account the server thinks is being used to attempt to access the page, and
then tweak your NTFS permissions appropriately.
Also, be aware that NTLM doesn't work through most proxy servers, and
Kerberos authentication doesn't work through most firewalls (those are the
two Integrated Authentication options), so if you're browsing from an
external site, keep that in mind.
Cheers
Ken
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Steve" <steve....@ticketmaster.com> wrote in message
news:b74b67c3.04012...@posting.google.com...
: Hi Ken, thanks for the reply.
I've even tried this from an IE5 browser (since use windows auth is
default) to see if that would go through, but no joy. I've double
checked my IE6 SP1 settings and I do have send windows auth through.
What I get in the IIS logs (after both of your suggestions) is
17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
-
17:43:23 127.0.0.1 GET /capex/user.aspx 401 4383 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
-
17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
-
Now the 401.4 is
Unauthorized: Authorization failed by a filter installed on the Web
server.
Thing is, it's my localhost webserver. Now I'd guess that the
"filter" it's referring to is the web.config log, no? I've even added
a location to the file... so now it looks like
<configuration>
  <location path="CapEx">
    <system.web>
      <authentication mode="Windows" />
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
and have even tried <deny users="?">
An inspection of the system log file in Event Viewer says
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 1/28/2004
Time: 11:08:23 AM
User: NT AUTHORITY\SYSTEM
Computer: MYMACHINENAME
Description:
A trusted logon process has registered with the Local Security
Authority. This logon process will be trusted to submit logon
requests.
Logon Process Name: KSecDD
Does this information help any?
Thank you both for taking time to help me... it is much appreciated.
"Ken Schaefer" <kenR...@THISadOpenStatic.com> wrote in message news:<OkuL$pU5DH...@TK2MSFTNGP12.phx.gbl>...
that's what shows up in my logs when I make a request to my test page.
basically, the browser is making 2 requests. the first is sent without
nt auth, which the server rejects, and the second is the browser
coming back with the nt auth, which gets a 200 response. if you're not
seeing a 2nd request basically in the same second as the first
request, then your browser is not replying to the challenge. I haven't
dug too deep into what the server is sending back as a challenge, but
I think it lists the options that the browser can use to auth with the
server. your browser should either be immediately responding, or
popping up a window asking you for the logon.
here's the content of the 401 challenge my web server is sending back
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.1
Date: Wed, 28 Jan 2004 23:34:06 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 4431
WWW-Authenticate: Digest qop="auth", realm="DOMAIN_NAME_HERE",
nonce="bunch of gibberish like a nt token or something here"
Content-Type: text/html
...bunch of error html here...
you can check it versus what your server is sending back as a
challenge. just telnet to localhost on port 80 and type "GET
/capex/user.aspx HTTP/1.0" and hit enter twice, and you'll get the
response. you may have to turn up your line buffer to see it all.
Cheers
Ken
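The reasoning in the reply above (a lone 401 means the client never answered the challenge; a 401 followed by a 200 in the same second means the handshake completed), run over log lines as an added Python example that is not part of the original thread. The field order is read off the log lines quoted in the thread and is an assumption; the sample lines are constructed, /test/page.aspx is hypothetical, and the verdict names are this example's own.

```python
from collections import defaultdict

# Constructed sample modelled on the log lines quoted in the thread, one request
# per line. Assumed field order: time, client IP, method, URI, status, bytes,
# time-taken, user agent, trailing field. /test/page.aspx is hypothetical.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)"
SAMPLE_LOG = f"""\
17:04:27 127.0.0.1 GET /capex/user.aspx 401 4625 0 - -
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4383 0 {UA} -
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4644 0 {UA} -
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4383 0 {UA} -
17:08:33 127.0.0.1 GET /capex/user.aspx 200 448 0 {UA} -
17:09:10 127.0.0.1 GET /test/page.aspx 401 4431 0 {UA} -
17:09:10 127.0.0.1 GET /test/page.aspx 200 512 0 {UA} -
"""

def parse_line(line):
    """Return (group key, status) for one log line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 8 or not parts[4].isdigit():
        return None
    time, ip, _method, uri, status, agent = *parts[:5], parts[7]
    # Same second, client, URI and agent = one attempt to load the page.
    return (time, ip, uri, agent), int(status)

def classify(statuses):
    """Name what happened to one client's burst of requests for one URI."""
    if 401 not in statuses:
        return "no_challenge"           # served without any 401
    after = statuses[statuses.index(401) + 1:]
    if not after:
        return "challenge_unanswered"   # lone 401: client never retried
    if any(200 <= s < 400 for s in after):
        return "authenticated"          # retry with credentials was accepted
    return "rejected_after_retry"       # client retried, server kept refusing

def handshake_report(log_text):
    """Group log lines into attempts and classify each, in log order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            groups[parsed[0]].append(parsed[1])
    return {key: classify(statuses) for key, statuses in groups.items()}

if __name__ == "__main__":
    for (time, ip, uri, agent), verdict in handshake_report(SAMPLE_LOG).items():
        print(time, ip, uri, agent[:12], verdict)
```

A "rejected_after_retry" verdict points at the server side (account, NTFS permissions, auditing as suggested earlier in the thread) rather than at a browser that is not replying.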
"Steve" <steve....@ticketmaster.com> wrote in message
news:b74b67c3.04012...@posting.google.com...
: Thanks for both of your suggestions....
:
: I've even tried this from an IE5 browser (since use windows auth is
: default) to see if that would go through, but no joy. I've double
: checked my IE6 SP1 settings and I do have send windows auth through.
:
: What I get in the IIS logs (after both of your suggestions) is
:
: 17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
: -
: 17:43:23 127.0.0.1 GET /capex/user.aspx 401 4383 0
: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
: -
: 17:43:23 127.0.0.1 GET /capex/user.aspx 401 4644 10
: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
: -
Now telnet-ing into port 80 does actually return me a 401 -- Access
Denied. (even though I set up use NTLM in telnet).
However, through the browser, nothing comes back to the browser AT
ALL. If I didn't send the 'second of the hour' to the screen, I
wouldn't have known anything isn't happening.
This is telnet:
17:04:27 127.0.0.1 GET /capex/user.aspx 401 4625 0 - -
This is IE 6 SP 1
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4383 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
-
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4644 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
-
17:04:55 127.0.0.1 GET /capex/user.aspx 401 4383 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
-
As you said, it looks like it is making 3 requests, but the 401 is not
sent to the browser. Now if I turn on 'allow anon', I get what's
expected:
17:08:33 127.0.0.1 GET /capex/user.aspx 200 448 0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
-
So is it the browser messing up?
Thanks for all your help, it is appreciated.
Perhaps when you install Visual Studio .Net it installs something like
that behind the scenes?
Thanks for your patience as well.
Dunno... maybe something got corrupted? When I installed VS.Net on
Monday, it asked for the Windows Component CD -- even though I had the
1.1 libs already installed. Maybe something happened behind the
scenes.
Thanks again for your help and dedication to this... it is much
appreciated.
Steve
shr...@yahoo.com (Shriop) wrote in message news:<7c6b8c80.04012...@posting.google.com>...
Didn't know that changing the title in a reply made a new post.
So thanks Ken and Shriop.
steve....@ticketmaster.com (Steve) wrote in message news:<b74b67c3.04013...@posting.google.com>...