Windows Authentication Does not work on IIS with ASP.NET Core

T

3

4

I am trying to use Windows Authentication for ASP.NET Core MVC application. Following is the problem statement.

When application is run with IISExpress, it runs without any issues. But when it is configured as a site in IIS and run, it prompts for credentials and even after entering corrected credentials application shows error page with status 401.

Details: Application is a plain boiler plate ASP.NET Core MVC application with Windows Authentication enabled. I am experimenting to find a solution to use in the actual application.

Framework : .NET Core 2.2

Environment: Visual Studio 2019 on Windows Server 2019 machine with IIS 10.0

Following are the changes I made in the boiler plate application. Changes in Startup.cs file to use authentication.

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.Configure<IISOptions>(options =>
        {
            options.AutomaticAuthentication = true;
        });

        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}

Added following line of code in Configure method in Startup.cs file.

app.UseAuthentication();

Enabled windows authentication for debug in Project Properties and configured IIS hosting with OutProcess hosting model.

Configured application as a website in IIS with Windows Authentication enabled.

Things I have tried.

Tried adding forwardWindowsAuthToken="true" in web.config file.
Tried adding the site in Local Intranet sites in Internet options of browser.
Tried using UseIIS() in Program.cs for WebHostBuilder.

Suggestions from StackOverflow questions I tried.

Asp.Net core MVC application Windows Authentication in IIS

ASP.Net Core: keep windows authentication

Asp.Net Core Windows Authentication Not Working in IIS

If I enabled Windows Authentication on both IIS and on Application, the application prompts for credentials when browsed. Even after entering current credentials it does not go thru and re-prompts. After attempting 3 times the application shows error page with 401 error.

I believe configurations are correct if I application is prompting for credentials, but I am fail to understand why it is not accepting the user login even after providing corrected credentials.

Note : All the activities, development, debugging, hosting etc are happening on the same Windows 2019 server machine. And the machine is hosting a domain controller too and login is attempted with one of the valid domain users.

I am completely clueless right now and anything I try results in the same issue at the end. Feel free to ask if any more details required.

EDIT 1 ----------------------------------------------

I got little success with configuring my site on IIS with port 8081 and with not binding name.

This way when I browse http://localhost:8081 it logs the current user in without any problem. But when I configure it with any binding name such as sample.localapp.com it starts prompting for credentials but never accept it.

Thanks in advance.

Triaxial answered 2/8, 2020 at 7:42 Comment(10)

support.microsoft.com/en-ca/help/926642/… Avoid the famous loopback check first. – Thereunder 2/8, 2020 at 14:33

I am not sure changing any registry will be possible for client's production server @LexLi. To give more context, the target application will be as intranet application used by the company employees only from inside the corporate network. So the expectation is to log in the employee with their current AD user. – Triaxial 3/8, 2020 at 2:10

"And the machine is hosting a domain controller" is never a good way to go. DC should be DC only, and all other roles like web server should be moved to another machine. You cannot test the web app on the same server either, due to issues like the famous loopback check. Launch browsers from other machines and see what happens. – Thereunder 3/8, 2020 at 5:16

You are right @LexLi. Since things are in Development/Test phase, everything is on the same machine. I didn't try hosting/browsing the application from other machine. I need to see how can I achieve that... as this is the only machine made available by client for dev/test. – Triaxial 3/8, 2020 at 5:31

Dev/test environment should mirror the production one, so using a single server only gives you more headaches than necessary. With virtualization solutions like Docker/Hyper-V, it is rather easy to spin out a bunch of test machine instances without much resource consumption. – Thereunder 3/8, 2020 at 6:42

try to check the iis log for the sub status code. add [Authorize(Roles ="Employees")] attribute. try to login with the domain/username at the time of login. – Bianchi 3/8, 2020 at 7:18

@JalpaPanchal Thank you for the input. Unfortunately I am not able to debug the application coz it is not reaching my code at all. It is stuck a the IIS level only. – Triaxial 3/8, 2020 at 7:27

@ChetanRanpariya check the iis log which is located at %SystemDrive%\inetpub\logs\LogFiles. support.microsoft.com/en-us/help/943891/… – Bianchi 3/8, 2020 at 7:52

@LexLi... I tried replicating the things on real corp network machine which is connected to corporate newtork and authenticates used against AD. But that didn't change the result. It still prompts for login and shows 401 error after rejecting correct user credentials.. – Triaxial 3/8, 2020 at 12:4

Hello @Chetan. I faced to the same issue. Did you find the way out? – Gorlovka 25/12, 2021 at 19:17

H

2

I was having this same issue on Windows 10. The solution turned out to be detailed in first comment on the question described here

Open RegEdit
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0 and create a new multi-string value called BackConnectionHostNames
Double click BackConnectionHostNames and enter the DNS name of your local site.
Reboot your computer.

Hemitrope answered 18/5, 2022 at 14:43 Comment(1)

It's also working Windows Server 2019. If you working on custom hostname written on host file, windows authentication only work after made this. Thank! you saved my day! – Guan 6/6, 2024 at 15:48

S

0

Please add IIS_IUSRS to the publish folder or where your web application located

Stairway answered 3/8, 2020 at 21:38 Comment(0)

S

0

Hello friend I know you put the answer in the question but I try to elaborate more:

Delete your binding name in c:\windows\system32\drivers\etc\host file and in IIS manager goes to your website right click it and choose Edit Bindings... option, edit your binding website clearing the Host Name: field, and you now can write in the browser url http://servername:port/

Sentience answered 21/8, 2021 at 16:39 Comment(0)

Recommended topics

Hot tags