Last post Mar 19, 2019 08:51 AM by PatriceSc
Mar 14, 2019 03:02 PM|BlakQueen|LINK
I'm not sure which forum this should go to so here it is.
I'm using VS 2017, vb.net, framework 4.5, Windows 10, IIS V10.0.17763.1
All authentication is set to WindowsAuthentication, all others are disabled.
In our domain, I have 2 Active Directory accounts, my main account and one for testing. We are trying to upgrade our web apps to VS 2017. "HttpContext.Current.User.Identity.Name" was not working, but changing it to "HttpContext.Current.Request.LogonUserIdentity.Name" finally gave me users. Now I get an array with both my user accounts in it like this: "A00001@MYDOM T00001@mydom".
I can split it to get only the user I need, however, every other function (for example "HttpContext.Current.Request.LogonUserIdentity.Groups") fails because the user of 'LogonUserIdentity' is an array, not a single value, and I can't figure out how to make it only recognize the first user, A00001@MYDOM. I will also have to make it recognize the second user when testing.
How can I specify which user to get when a single user has multiple AD accounts? Is it even possible?
Mar 14, 2019 03:39 PM|mgebhard|LINK
Windows authentication is NOT enabled or Anonymous is enabled if the following is empty.
This construct will always return something; the anonymous account, impersonation, or windows depending. So you do not want to use this construct.
Mar 14, 2019 03:50 PM|PatriceSc|LINK
HttpContext.Current.User.Identity.Name should ALWAYS work. If blank, check User.Identity.IsAuthenticated which is likely false.
HttpContext.Current.Request.LogonUserIdentity likely returns the account under which your code runs, which may or may not be what you want depending on the site configuration. Maybe it returns multiple names when you impersonate user B from a process running under A? Never saw that until now (but as I said I'm using User.Identity.Name instead).
Mar 14, 2019 05:35 PM|BlakQueen|LINK
Perhaps read the question more carefully, it does NOT return blank, it returns TWO values instead of one.
Mar 14, 2019 05:45 PM|PatriceSc|LINK
You just said that "it doesn't work". My understanding is that you changed that to HttpContext.Current.Request.LogonUserIdentity.Name which returns two values.
I'm saying I would go back to using HttpContext.Current.User.Identity.Name and check why it doesn't work (I assume it is blank because the user is not authenticated).
Mar 14, 2019 06:35 PM|BlakQueen|LINK
These are my settings, they are correct:
ASP.NET Impersonation: disabled
In the Web.config file: <authentication mode="Windows" />
In the applicationhost.config:
<anonymousAuthentication enabled="false" userName="" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<windowsAuthentication enabled="true" overrideModeDefault="Allow">
<add value="Negotiate" />
<add value="NTLM" />
HttpContext.Current.User.Identity.Name returns blank and User.Identity.IsAuthenticated is false, obviously because user is blank.
HttpContext.Current.Request.LogonUserIdentity.Name returns "A00001@MYDOM T00001@MYDOM", note that is 2 values, the A00001 is my actual AD account, the T value is my testing AD account. HttpContext.Current.Request.LogonUserIdentity.IsAuthenticated is of course false because it cannot process an ARRAY.
When I converted the web app to framework 4.5, HttpContext.Current.User.Identity.Name returned blank, and after extensive research, I finally found the suggestion to use instead Request.LogonUserIdentity.Name, which did work, just too many values returned.
Mar 15, 2019 12:23 PM|PatriceSc|LINK
What if you test with something such as :
<deny users="?" />
I'm positive that I always used User.Identity.Name which always worked perfectly fine for us regardless of which authentication method is used. "Windows authentication" is a bit special as it is triggered only when really needed so I suspect it could be still not triggered if for example file permissions are wide open.
Is this the same domain for both, or have you done a domain migration? I never heard about this behavior (i.e. having two names) but anyway you should IMHO fix the issue you have with User.Identity.Name rather than trying to use LogonUserIdentity.
Ah, you really get firstname.lastname@example.org? According to https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.name?view=netframework-4.7.2 it is supposed to return DOMAIN\SamAccountName (and this is what I have when using User.Identity.Name and Windows authentication, it is always domain\username rather than user@domain).
Really User.Identity.Name should ALWAYS work and this is the only thing I'm using...
Edit: at worst create a new site in VS, enable Windows authentication and I expect you'll see that User.Identity.Name returns the expected name (all other methods as well but this is because the code currently runs under your name which is often but not necessarily always the same as the browser side authenticated user).
Mar 18, 2019 08:26 PM|BlakQueen|LINK
I tried <deny users="?">, that sent me directly to an error page, can't run the site at all.
I've always used User.Identity.Name as well, it only stopped working when I tried to migrate to VS 2017, I found a suggestion to use LogonUserIdentity, and it seemed to work, but as you say it returns the wrong format for both my accounts, it should indeed be domain\user like user.identity.name would, and I need that format to make the other functions work as well.
I also tried creating a new site from scratch but user.identity.name still returns null. I've tried so many different things now my site is totally SNAFU. I'll have to nuke it and start converting again with a fresh copy. I'll keep you posted.
Mar 19, 2019 02:34 AM|Nan Yu|LINK
Do you have any other config at another application level that overrides the Windows authentication setting? That is quite strange, as HttpContext.Current.User.Identity.Name should work:
Scenario : Windows Authentication in IIS, impersonation off.
Mar 19, 2019 08:51 AM|PatriceSc|LINK
As long as User.Identity.IsAuthenticated is false, it means that authentication doesn't happen for some reason. Are you using https://quycao.wordpress.com/2016/04/12/change-individual-authentication-to-windows-authentication-mode-in-asp-net-mvc/ to enable "Windows authentication"?
According to https://stackoverflow.com/questions/17043140/windows-authentication-doesnt-works-when-i-run-project-from-visual-studio one had to change settings at the application.config file level (maybe if you have an explicit option here it overrides whatever is declared at the web.config file level).
I would make it work first on my local machine (I assume it is joined to a domain?)
Edit: not sure which error you have but it seems to confirm that an anonymous user can't access the site (and so you are really not authenticated and no authentication at all is done).
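Added example, not part of any post in this thread: a VB.NET diagnostic handler that shows side by side the identities the posters compare (User.Identity, Request.LogonUserIdentity, the executing account) together with the IIS AUTH_TYPE and LOGON_USER server variables. The class name WhoAmIHandler is hypothetical, and the handler is assumed to be registered in the application being tested.

```vbnet
Imports System.Security.Principal
Imports System.Text
Imports System.Web

' Added diagnostic, not from the thread. WhoAmIHandler is a hypothetical name.
Public Class WhoAmIHandler
    Implements IHttpHandler

    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property

    Public Sub ProcessRequest(context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' Identity details are sensitive: answer only requests made on the server itself.
        If Not context.Request.IsLocal Then
            context.Response.StatusCode = 404
            Return
        End If

        Dim sb As New StringBuilder()

        ' 1. Principal set by the authentication stage for this request.
        Dim user As IPrincipal = context.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            sb.AppendLine("User.Identity: not authenticated")
        Else
            sb.AppendLine("User.Identity.Name: " & user.Identity.Name)
            sb.AppendLine("User.Identity.AuthenticationType: " & user.Identity.AuthenticationType)
        End If

        ' 2. What IIS recorded: both are empty when the request was not authenticated.
        sb.AppendLine("AUTH_TYPE: [" & context.Request.ServerVariables("AUTH_TYPE") & "]")
        sb.AppendLine("LOGON_USER: [" & context.Request.ServerVariables("LOGON_USER") & "]")

        ' 3. Windows token attached to the request.
        Dim logon As WindowsIdentity = context.Request.LogonUserIdentity
        sb.AppendLine("LogonUserIdentity.Name: " & logon.Name)
        sb.AppendLine("LogonUserIdentity.IsAuthenticated: " & logon.IsAuthenticated.ToString())

        ' 4. Account the code is executing as (app pool identity unless impersonating).
        Using proc As WindowsIdentity = WindowsIdentity.GetCurrent()
            sb.AppendLine("Executing as: " & proc.Name)
        End Using

        context.Response.ContentType = "text/plain"
        context.Response.Write(sb.ToString())
    End Sub
End Class
```

An empty AUTH_TYPE together with an unauthenticated User.Identity means the request was never challenged, so the place to look is the authentication and authorization configuration rather than the identity API being called.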