Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

IIS7 Permission Settings

Posted on 2012-03-23
26
Medium Priority
?
597 Views
Last Modified: 2012-03-23
I set up IIS7 on a Windows 2008 R2 server and I think maybe I set up the permissions on a website incorrectly. When I use this code
    protected void Page_Load(object sender, EventArgs e)
    {
        string LoggedInUser = Environment.UserName;
        username.Text = LoggedInUser;
    }

Open in new window

I get back the user who IIS was authorized to log in as or something and NOT the currently logged in user to the web page. I'm very new to configuring IIS and I'm not sure what I did wrong. But I remember when I was creating that new website, that I had to put in a "log in as" or something somewhere. Where do I need to correct that so that I can get the currently logged in user's name?
0
Comment
Question by:Carla Romere
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 17
  • 9
26 Comments
 

Author Comment

by:Carla Romere
ID: 37757210
Ok I think it's in the ApplicationPool Identity field. What should that be set to to get the current logged in user? My choices under Built-in account are LocalService, LocalSystem, NetworkService and ApplicationPoolIdentity. I had set it up with a custom account.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757211
Try System.Web.HttpContext.Current.Request.LogonUserIdentity.Name
0
 

Author Comment

by:Carla Romere
ID: 37757215
That gives me: NT AUTHORITY\IUSR
What should the identity field be set to in the application pool for that website?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757237
Are you running it from a machine that's logged in to an AD network?  

Anonymous visitors (those outside your network) will show up as IUSR (the anonymous credentials).  

Internal users, or those otherwise authenticated to the network should show up with their AD user name.
0
 

Author Comment

by:Carla Romere
ID: 37757247
It is on a network with AD and on our old intranet server it worked, but I can't figure out what's different on this one. I'm convinced it has to do with the way I set it up but I'm not sure what needs to change. It should only allow people to log in who have a network account.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757264
Is anonymous access enabled on those pages of the web site?  If so, IIS won't use AD authentication (because it doesn't need to).
0
 

Author Comment

by:Carla Romere
ID: 37757266
Maybe it's under ASP Authentication. This is what I see there now. I think maybe that should be Windows Authentication enabled and All Users disabled maybe?
report-screenshot.png
0
 

Author Comment

by:Carla Romere
ID: 37757274
Make that Anonymous Authentication disabled instead of All Users.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757275
Yes, that's what I'm talking about.  Turn on the appropriate Windows authentication types and turn off Anonymous.
0
 

Author Comment

by:Carla Romere
ID: 37757283
Ok I'm doing that now - what is Extended Protection? It's set to Off and Enable kernel-mode authentication is checked... leave those defaults?
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757298
Yes, leave everything else default.
0
 

Author Comment

by:Carla Romere
ID: 37757305
Ok did that - now it's prompting me for a userid and password instead of using my windows logon credentials. It should just go to the page without that prompt.
0
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 2000 total points
ID: 37757307
Yes it should.  What did you enable?  Integrated Windows and Digest are what I recommend.
0
 

Author Comment

by:Carla Romere
ID: 37757309
Not only does it prompt me to log in it completely locks up IE???
0
 

Author Comment

by:Carla Romere
ID: 37757312
I enabled Windows Authentication. Everything else is disabled.
0
 

Author Comment

by:Carla Romere
ID: 37757316
I don't see Integrated Windows. I do see Digest though. I have Anonymous, ASP.NET impersonation, basic authentication, digest authentication, forms authentication and windows authentication.
0
 

Author Comment

by:Carla Romere
ID: 37757354
Ok getting closer. I enabled Digest and Windows and it gives me the correct logged in user, but still prompts me to log in and it shouldn't.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757356
Yes, sorry, Integrated Windows is what they used to call it.  Windows and Digest should be adequate for your systems and browsers.  Forms doesn't apply; and Basic passes the information in clear text so I'd avoid that.
0
 

Author Comment

by:Carla Romere
ID: 37757362
Ok Digest and Windows both under response type say "Challenge" - is that why it's prompting me to log in? if so, what do I need to change that to so that it just looks to see if I'm logged in to Windows and then just passes those credentials through to the website?
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757395
No.  That is to say, the OS should respond to the challenge (essentially passing your credentials for you).  You can't change those Response Type settings.

Do you have the proper Realm (domain) specified in Digest?  Frankly, it shouldn't be necessary, but...
0
 

Author Comment

by:Carla Romere
ID: 37757403
Well I tried putting sd_corp in there under Realm but it didn't seem to make any differenct. Does it need to be sd_corp.local or something?
0
 

Author Comment

by:Carla Romere
ID: 37757422
Every visit to that website is still prompting me to log in.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37757450
The name of the AD domain where the IIS server resides is all you should need (and technically you don't need that).

You're not working remotely or anything?  You're on the same network with the IIS server and the domain controller, etc?  I don't know why this isn't working properly for you.  I do the same thing with an administrative portion of my web site and I don't have any problems...
0
 

Author Comment

by:Carla Romere
ID: 37757597
I am working locally on the network. Our AD domain name is SD_CORP. I've tried several combinations and can't get it to log in automatically.
0
 

Author Comment

by:Carla Romere
ID: 37757793
Ok I finally got this working. Digest and Windows are both checked and under Windows advanced settings, set the Extended Protection to Accept and turned OFF Enable Kernel-mode. Then under Providers, I moved NTLM to the top of the list. Now it logs in automatically and I am able to get the currently logged in user's name.
0
 

Author Closing Comment

by:Carla Romere
ID: 37757795
Thanks for your help!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question