Receiving login prompt using integrated windows authentication

Casey picture Casey · Mar 23, 2011 · Viewed 291.5k times · Source

I have a .NET 3.5 application running under IIS 7 on Windows 2003 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other security types disabled and my application web.config file authentication/authorization is set up as:

<system.web>
    <compilation debug="true" strict="false" explicit="true" targetFramework="3.5" />
    <authenticationmode="Windows"/>
    <authorization>
    <deny users = "?" />
    </authorization>
</system.web>

With this setup, I'm expecting behind the scene verification of the Windows user to allow access and deny anonymous users. However, what I'm getting is a Windows login pop-up when I try to access the site.

I have been troubleshooting this issue for a few days now and cannot figure out the problem. Based on posts with similar problems, I confirmed my URL does not include any periods, double checked that my IE settings are set to Enable Integrated Windows Authentication, and also added my URL to my intranet sites, but still getting the pop-up.

To troubleshoot it further, I enabled Anonymous Authentication in IIS and modified my web.config file to which lets me right in and then added Response.Write(System.Security.Principal.WindowsIdentifity.getcurrent().user.name.toString()) to try to see what user is being used in the authentication. The result I'm getting is IIS APPPOOL\myapp which is obviously the IIS application pool for my application.

I really appreciate any help anyone can provide so that I'm still using only windows authentication but don't get the pop-up and the windows authentication is performed against the actual Windows user.

Thanks.


Additional note after troubleshooting further:

Just noticed that when the login fails and the Windows login prompt displays again, it is showing the username that attempted to login as "SERVERNAME"\"USERNAME" which led me to believe it was trying to validate the user against the server vs. the domain. To confirm this, I created a local user account directly on the app server with the same username and password as the network domain user and tried to login again. The result was that I received the login prompt again but when I entered the username and password this time, I was able to successfully login. The network user and app server are on the same domain so really not sure why IIS authentication is pointing to the local app server accounts and not to the domain accounts. I realize this is an IIS question at this point so posting on forums.iis.net as well but appreciate any advice anyone may have since have been troubleshooting this for days.

Answer

jp2code picture jp2code · Jan 7, 2015

I have a Windows 2008 server that I'm working on, so my answer is not completely the same as what the OP has on a Windows 2003 server.

Here is what I did (recording this here so I can find it later).

I was having this same issue:

login prompt

In my Web.config file, I had this section:

<system.web>
    <authentication mode="Windows" />
    <authorization>
        <allow users="*" />
        <deny users="?" />
    </authorization>
</system.web>

Under IIS, all of these seems to be solved under the Authentication icon.

  1. Edit Permissions: Make sure your ASP.NET account has permission. Mine was not originally added.

ASP.NET permission

Now go into the features of Authentication:

Authentication Features

Enable Anonymous Authentication with the IUSR:

Anonymous Authentication

Enable Windows Authentication, then Right-Click to set the Providers.

NTLM needs to be FIRST!

Windows Authentication

Next, check that under Advanced Settings... the Extended Protection is Accept and Enable Kernel-mode authentication is CHECKED:

Advanced Settings

Once I did this, I went back to my web application, clicked the Browse link, and logged in without having to provide my credentials again.

I hope this proves beneficial to many of you, and I hope it is useful for me later as well.