Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

why does IIS ignore web.config when it comes to <authentication mode="Windows"/>?

Tags:

I'm using IIS and trying to deploy a web application that needs authentication mode="Windows".

However on every machine I try this on, simply deploying the web app doesn't work. The web.config says

<authentication mode="Windows">

but under the IIS manager it says

Windows Authentication Disabled

So I save a backup of my web.config, then I use IIS to enable windows authentication. After I do that, my application works fine but the web.config file is unchanged.

I have to automatically create a new instance of this web app for each client. Requiring an IT guy to manually go to each webapp and turn on this feature is a non-starter. I need the web.config file to work, or I need to know what config file I have to change to make it work. I've spent days trying to get this sorted without success.

Any help is much appreciated.

like image 420
Jason Henriksen Avatar asked Apr 20 '11 23:04

Jason Henriksen


People also ask

How does Windows Authentication work in IIS?

Authentication: The client generates and hashes a response and sends it to the IIS server. The server receives the challenge-hashed response and compares it to what it knows to be the appropriate response. If the received response matches the expected response, the user is successfully authenticated to the server.

How do I enable Windows Authentication in Web config?

On the taskbar, click Start, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off. Expand Internet Information Services, then World Wide Web Services, then Security. Select Windows Authentication, and then click OK.

How do I change authentication mode in IIS?

In the Authentication pane, select Anonymous Authentication, and then click Edit... in the Actions pane. In the Edit Anonymous Authentication Credentials dialog box, do one of the following: Select Application pool identity to use the identity set for the application pool, and then click OK.


1 Answers

I'm presuming that you are authenticating users against some windows user accounts? I am also presuming that you want the browser to pop up the username and password challenge?

There are two different things at work here.

The <authentication mode="Windows"/> setting in web.config is just telling ASP.NET to construct an identity based on credentials supplied by IIS rather than by Forms Authentication (or another provider). It is not a setting controlled by IIS and IIS has no visibility of this setting. Also changing this setting in web.config will not change the authentication settings for IIS.

When you change the Windows Authentication settings in IIS MMC you are altering a setting in the IIS6 metabase or if you're using IIS7 the system.webServer/security/authentication section (in your web.config or possibly in applicationHost.config depending on how the setting was altered).

So unless you (you know this):

  • remove anonymous authentication from the site in IIS MMC, or remove NTFS permissions for the anonymous account on the sites files and folders

  • specify Windows Authentication in IIS MMC

You won't get the username and password challenge in the browser regardless of the setting in system.web/authentication.

like image 77
Kev Avatar answered Sep 26 '22 09:09

Kev