I am running an ASP.NET (VB) 4.6.1 Web Forms application. I am using Windows Authentication (<authentication mode="Windows" />).
The scenario is to allow any authenticated Windows user to the landing page. Any user in the “Check Admins” active directory security group should get access to any of the pages in the Admin sub-folder.
The root web.config has:
<authorization>
<deny users="?" />
</authorization>
The Admin web.config has:
<authorization>
<allow roles="domain\Check Admins" />
<deny users="*" />
</authorization>
On the landing page, I enumerate through all the roles the user has with:
test &= "<br/><h3>You have the following roles:</h3>"
For Each r In Roles.GetRolesForUser()
test &= r & "<br/>"
Next
I’ve gone through several settings and web.config changes (most outlined below). I can get it to work as expected on my dev PC but cannot get it to work when deployed to the test server running Windows 2008 R2 and IIS 7.5. I can get the site to come up sometimes, but only if I go to http://localhost. It doesn’t come up when I use the fully qualified name: http://test.mysite.net
Here are the changes & settings I’ve tried:
When running without impersonation:
Dev Machine:
All works as expected.
When deployed to the server with IIS Settings
IIS 7.5 Server (http://localhost):
IIS 7.5 Server (FQDN: http://Test.mysite.net): Never-ending security challenge
Changing IIS Settings on the server
Both server sites return HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
Adding <identity impersonate="true"/>
on dev machine:
HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
Most likely causes: • system.web/identity@impersonate is set to true.
Adding
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
with the impersonate above gives:
Dev Machine: (Same as first run)
IIS 7.5 Server (localhost):
IIS 7.5 Server (FQDN: http://Test.mysite.net): Never-ending security challenge
I’ve spent several hours combing through the posts here and elsewhere on Google. I don’t know if this is a .Net 4.5+ thing or if I just missed something. How can I get it to properly read the roles and authenticate to the folders?
And why when I try to get to the page using the full URL does it completely fail authentication?
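For reference, here is a complete root web.config that expresses the policy described in the question in one file. This is an added example, not the original poster's configuration: it assumes the Admin pages live in a folder named "Admin" directly under the site root and that the group name is "domain\Check Admins", both taken from the question. It adds one element the question does not show, the roleManager section, because Roles.GetRolesForUser() reads from the Role Manager provider and throws a ProviderException ("Role Manager feature has not been enabled") when that feature is off; the built-in AspNetWindowsTokenRoleProvider returns the Active Directory groups present in the user's Windows logon token. URL authorization (the allow/deny rules) does not need Role Manager or impersonation; it checks the WindowsPrincipal that IIS Windows Authentication already establishes.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (not the original poster's file).
     Assumes: Admin pages are in the "Admin" sub-folder of the site root,
     and the AD security group is "domain\Check Admins". -->
<configuration>
  <system.web>
    <compilation targetFramework="4.6.1" />
    <httpRuntime targetFramework="4.6.1" />

    <!-- IIS Windows Authentication (Negotiate/NTLM) supplies the WindowsPrincipal.
         No <identity impersonate="true"/> is required for URL authorization,
         so the Integrated-mode 500.24 error does not arise. -->
    <authentication mode="Windows" />

    <!-- Roles.GetRolesForUser() depends on Role Manager being enabled.
         AspNetWindowsTokenRoleProvider is registered in machine.config and
         enumerates the groups in the caller's Windows token as "DOMAIN\Group". -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

    <!-- Site-wide rule: anonymous users ("?") are denied; any authenticated
         Windows user may reach the landing page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Equivalent of the question's Admin/web.config, written as a <location>
       element so the whole policy is visible in one file. Rules are evaluated
       top to bottom and the first match wins, so the allow must precede the deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="domain\Check Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, the role list printed by the landing-page loop should match the groups reported by running whoami /groups in the same user's session; an empty list on the server but not on the dev machine points at the web server being unable to reach the domain controller to expand the token's groups rather than at the web.config.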
For 90% of this, it turns out the Active Directory server had an expired certificate, so it refused to authenticate requests from the web server. Strangely, it did authenticate all the users signing in to the Windows accounts on the PCs. I'm posting this in case anyone else comes across a similar problem. Though, I still can't figure out why on the server itself, navigating to the full URL still does not authenticate, but going to localhost works just fine.