We have asp.net mvc web application, hosted in IIS with Windows authentication enabled (we are using active directory to authenticate users).
At some point (in production), users found themselves logged in as different users. The login is usually done when a user logs in to their laptop/PC in the organization, so the website is expected to always show the user logged in to the PC/laptop, because that is their identity.
For IIS, we are storing session state in SQL Server, and we are maintaining sessions using HttpContext.Session in the application.
I need some guidance on how I can track down the source of the issue. Is there a tool, or what code can I share with you that might help?
Thanks!
When you enable Windows authentication, your web server becomes responsible for authenticating users. Typically, there are two different types of web servers that you use when creating and deploying an ASP.NET MVC application.
In a Windows environment, after a user authenticates, the authenticating application can impersonate that user's impersonation. Impersonation is implemented on a thread-by-thread basis. The primary purpose of impersonation is to trigger access checks against a client's identity.
By default MVC apps use Form Authentication and Simple Membership, so you need to make it "false" to run Windows Authentication. Select the project name in Solution Explorer and then in the Property Explorer, click to enable Windows Authentication.
For . Start Visual Studio and select Create a new project. In the Create a new project dialog, select ASP.NET Core Web App (or Web API) > Next. In the Configure your new project dialog, enter Project name > Next. In the Additional Information dialog, select Authentication Type as Windows.
Make sure that:
1. You have “Integrated Windows Authentication” (formerly called NTLM authentication) enabled within IIS for the application you are using.
2. You should then add a web.config file to the root directory of your ASP.NET application that contains an <authentication> section which sets the mode to “Windows”.
3. Add an <authorization> section to the same web.config file that denies access to “anonymous” users visiting the site. This will force ASP.NET to always authenticate the incoming browser user using Windows Authentication – and ensure that from within code on the server you can always access the username and Windows group membership of the incoming user.
The web.config file below demonstrates how to configure both steps described above:
<configuration>
  <system.web>
    <!-- Let IIS/Windows authenticate the caller -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" means anonymous users: deny them so every request carries a Windows identity -->
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Troubleshooting ideas...
To see the error, I would make sure you are showing the current user (HttpContext.Current.User.Identity.Name) on each page. Refresh the page and make sure the user doesn't change. Go to other pages and do the same. Clear all cookies and application state in the browser, close the browser, then re-open the browser and go back to the site. You should still be logged in as the same user on every page and in every browser session. If this is intermittent, you may have to repeat this a few times to reproduce the error.
Does this ever happen when running local IIS Express on developer machines? Does it ever happen in other environments (test, staging) where the code is deployed? If not, what is different about production?
Is there a proxy server between the users and the production web server? Or even some of the users, like if they come in through VPN?
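To make the check above systematic instead of eyeballing each page, here is an added diagnostic action filter for ASP.NET MVC 5 (example code, not from the answer or the asker's project): it logs the Windows identity, the session ID and the proxy-related headers of every request, warns when a session ID that was first seen with one identity arrives with another, and exposes the identity to every view. The filter class name, the "audit-marker" session key and the ViewBag.AuditUser property are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Diagnostics;
using System.Web.Mvc;

// Hypothetical diagnostic filter (not from the original answer): correlates the
// authenticated Windows identity with the ASP.NET session ID on every MVC request.
// Register it globally in FilterConfig: filters.Add(new IdentitySessionAuditFilter());
public class IdentitySessionAuditFilter : ActionFilterAttribute
{
    // Assumes a single worker process; in a web garden or farm persist this map elsewhere.
    private static readonly ConcurrentDictionary<string, string> FirstIdentityBySession =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        var identity = http.User != null ? http.User.Identity : null;
        var user = identity != null && identity.IsAuthenticated ? identity.Name : "(anonymous)";

        // ASP.NET issues a fresh SessionID on every request until something is stored in
        // the session, so store a marker to make the ID stable and comparable across requests.
        var session = http.Session;
        if (session != null && session["audit-marker"] == null)
            session["audit-marker"] = DateTime.UtcNow;
        var sessionId = session != null ? session.SessionID : "(no session)";

        // Proxy indicators help answer "is there a proxy or VPN between the user and IIS?"
        var request = http.Request;
        var via = request.Headers["Via"] ?? "(none)";
        var forwardedFor = request.Headers["X-Forwarded-For"] ?? "(none)";

        Trace.TraceInformation(
            "auth-audit user={0} session={1} remote={2} via={3} xff={4} path={5}",
            user, sessionId, request.UserHostAddress, via, forwardedFor, request.RawUrl);

        // The symptom from the question: one session ID now carries another user's identity.
        var firstUser = FirstIdentityBySession.GetOrAdd(sessionId, user);
        if (!string.Equals(firstUser, user, StringComparison.OrdinalIgnoreCase))
        {
            Trace.TraceWarning(
                "auth-audit MISMATCH session={0} first-seen-as={1} now={2} remote={3}",
                sessionId, firstUser, user, request.UserHostAddress);
        }

        // Expose the identity so every view can render it, as suggested above.
        filterContext.Controller.ViewBag.AuditUser = user;
    }
}
```

Point the Trace output at a file or ETW listener in web.config and compare the MISMATCH entries against the session-state rows in SQL Server and the IIS logs for the same timestamps; a mismatch on a request that also shows a Via or X-Forwarded-For header points at the proxy path rather than at the application.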