IIS7 Permission Settings

I set up IIS7 on a Windows 2008 R2 server and I think maybe I set up the permissions on a website incorrectly. When I use this code
    protected void Page_Load(object sender, EventArgs e)
    {
        string LoggedInUser = Environment.UserName;
        username.Text = LoggedInUser;
    }

Open in new window

I get back the user who IIS was authorized to log in as or something and NOT the currently logged in user to the web page. I'm very new to configuring IIS and I'm not sure what I did wrong. But I remember when I was creating that new website, that I had to put in a "log in as" or something somewhere. Where do I need to correct that so that I can get the currently logged in user's name?
Carla RomereDirector of Information TechnologyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Carla RomereDirector of Information TechnologyAuthor Commented:
Ok I think it's in the ApplicationPool Identity field. What should that be set to to get the current logged in user? My choices under Built-in account are LocalService, LocalSystem, NetworkService and ApplicationPoolIdentity. I had set it up with a custom account.
0
Paul MacDonaldDirector, Information SystemsCommented:
Try System.Web.HttpContext.Current.Request.LogonUserIdentity.Name
0
Carla RomereDirector of Information TechnologyAuthor Commented:
That gives me: NT AUTHORITY\IUSR
What should the identity field be set to in the application pool for that website?
0
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Paul MacDonaldDirector, Information SystemsCommented:
Are you running it from a machine that's logged in to an AD network?  

Anonymous visitors (those outside your network) will show up as IUSR (the anonymous credentials).  

Internal users, or those otherwise authenticated to the network should show up with their AD user name.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
It is on a network with AD and on our old intranet server it worked, but I can't figure out what's different on this one. I'm convinced it has to do with the way I set it up but I'm not sure what needs to change. It should only allow people to log in who have a network account.
0
Paul MacDonaldDirector, Information SystemsCommented:
Is anonymous access enabled on those pages of the web site?  If so, IIS won't use AD authentication (because it doesn't need to).
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Maybe it's under ASP Authentication. This is what I see there now. I think maybe that should be Windows Authentication enabled and All Users disabled maybe?
report-screenshot.png
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Make that Anonymous Authentication disabled instead of All Users.
0
Paul MacDonaldDirector, Information SystemsCommented:
Yes, that's what I'm talking about.  Turn on the appropriate Windows authentication types and turn off Anonymous.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Ok I'm doing that now - what is Extended Protection? It's set to Off and Enable kernel-mode authentication is checked... leave those defaults?
0
Paul MacDonaldDirector, Information SystemsCommented:
Yes, leave everything else default.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Ok did that - now it's prompting me for a userid and password instead of using my windows logon credentials. It should just go to the page without that prompt.
0
Paul MacDonaldDirector, Information SystemsCommented:
Yes it should.  What did you enable?  Integrated Windows and Digest are what I recommend.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Carla RomereDirector of Information TechnologyAuthor Commented:
Not only does it prompt me to log in it completely locks up IE???
0
Carla RomereDirector of Information TechnologyAuthor Commented:
I enabled Windows Authentication. Everything else is disabled.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
I don't see Integrated Windows. I do see Digest though. I have Anonymous, ASP.NET impersonation, basic authentication, digest authentication, forms authentication and windows authentication.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Ok getting closer. I enabled Digest and Windows and it gives me the correct logged in user, but still prompts me to log in and it shouldn't.
0
Paul MacDonaldDirector, Information SystemsCommented:
Yes, sorry, Integrated Windows is what they used to call it.  Windows and Digest should be adequate for your systems and browsers.  Forms doesn't apply; and Basic passes the information in clear text so I'd avoid that.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Ok Digest and Windows both under response type say "Challenge" - is that why it's prompting me to log in? if so, what do I need to change that to so that it just looks to see if I'm logged in to Windows and then just passes those credentials through to the website?
0
Paul MacDonaldDirector, Information SystemsCommented:
No.  That is to say, the OS should respond to the challenge (essentially passing your credentials for you).  You can't change those Response Type settings.

Do you have the proper Realm (domain) specified in Digest?  Frankly, it shouldn't be necessary, but...
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Well I tried putting sd_corp in there under Realm but it didn't seem to make any differenct. Does it need to be sd_corp.local or something?
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Every visit to that website is still prompting me to log in.
0
Paul MacDonaldDirector, Information SystemsCommented:
The name of the AD domain where the IIS server resides is all you should need (and technically you don't need that).

You're not working remotely or anything?  You're on the same network with the IIS server and the domain controller, etc?  I don't know why this isn't working properly for you.  I do the same thing with an administrative portion of my web site and I don't have any problems...
0
Carla RomereDirector of Information TechnologyAuthor Commented:
I am working locally on the network. Our AD domain name is SD_CORP. I've tried several combinations and can't get it to log in automatically.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Ok I finally got this working. Digest and Windows are both checked and under Windows advanced settings, set the Extended Protection to Accept and turned OFF Enable Kernel-mode. Then under Providers, I moved NTLM to the top of the list. Now it logs in automatically and I am able to get the currently logged in user's name.
0
Carla RomereDirector of Information TechnologyAuthor Commented:
Thanks for your help!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.