5

I am trying to use Windows Authentication for ASP.NET Core MVC application. Following is the problem statement.

When application is run with IISExpress, it runs without any issues. But when it is configured as a site in IIS and run, it prompts for credentials and even after entering corrected credentials application shows error page with status 401.

Details: Application is a plain boiler plate ASP.NET Core MVC application with Windows Authentication enabled. I am experimenting to find a solution to use in the actual application.

Framework : .NET Core 2.2

Environment: Visual Studio 2019 on Windows Server 2019 machine with IIS 10.0

Following are the changes I made in the boiler plate application. Changes in Startup.cs file to use authentication.

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.Configure<IISOptions>(options =>
        {
            options.AutomaticAuthentication = true;
        });

        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}

Added following line of code in Configure method in Startup.cs file.

app.UseAuthentication();

Enabled windows authentication for debug in Project Properties and configured IIS hosting with OutProcess hosting model.

[Screen capture of Web project properties]

Configured application as a website in IIS with Windows Authentication enabled.

[Screen capture of IIS]

Things I have tried.

  1. Tried adding forwardWindowsAuthToken="true" in web.config file.
  2. Tried adding the site in Local Intranet sites in Internet options of browser. [Screen Capture of Local Intranet sites]
  3. Tried using UseIIS() in Program.cs for WebHostBuilder.

Suggestions from StackOverflow questions I tried.

Asp.Net core MVC application Windows Authentication in IIS

ASP.Net Core: keep windows authentication

Asp.Net Core Windows Authentication Not Working in IIS

If I enabled Windows Authentication on both IIS and on Application, the application prompts for credentials when browsed. Even after entering current credentials it does not go thru and re-prompts. After attempting 3 times the application shows error page with 401 error.

I believe configurations are correct if I application is prompting for credentials, but I am fail to understand why it is not accepting the user login even after providing corrected credentials.

Note : All the activities, development, debugging, hosting etc are happening on the same Windows 2019 server machine. And the machine is hosting a domain controller too and login is attempted with one of the valid domain users.

I am completely clueless right now and anything I try results in the same issue at the end. Feel free to ask if any more details required.

EDIT 1 ----------------------------------------------

I got little success with configuring my site on IIS with port 8081 and with not binding name.

enter image description here

This way when I browse http://localhost:8081 it logs the current user in without any problem. But when I configure it with any binding name such as sample.localapp.com it starts prompting for credentials but never accept it.

Thanks in advance.

Improve this question
10
  • 2
    support.microsoft.com/en-ca/help/926642/… Avoid the famous loopback check first. Commented Aug 2, 2020 at 14:33
  • I am not sure changing any registry will be possible for client's production server @LexLi. To give more context, the target application will be as intranet application used by the company employees only from inside the corporate network. So the expectation is to log in the employee with their current AD user. Commented Aug 3, 2020 at 2:10
  • "And the machine is hosting a domain controller" is never a good way to go. DC should be DC only, and all other roles like web server should be moved to another machine. You cannot test the web app on the same server either, due to issues like the famous loopback check. Launch browsers from other machines and see what happens. Commented Aug 3, 2020 at 5:16
  • You are right @LexLi. Since things are in Development/Test phase, everything is on the same machine. I didn't try hosting/browsing the application from other machine. I need to see how can I achieve that... as this is the only machine made available by client for dev/test. Commented Aug 3, 2020 at 5:31
  • Dev/test environment should mirror the production one, so using a single server only gives you more headaches than necessary. With virtualization solutions like Docker/Hyper-V, it is rather easy to spin out a bunch of test machine instances without much resource consumption. Commented Aug 3, 2020 at 6:42

4 Answers 4

Reset to default
2

I was having this same issue on Windows 10. The solution turned out to be detailed in first comment on the question described here

  1. Open RegEdit
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0 and create a new multi-string value called BackConnectionHostNames
  4. Double click BackConnectionHostNames and enter the DNS name of your local site.
  5. Reboot your computer.
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

It's also working Windows Server 2019. If you working on custom hostname written on host file, windows authentication only work after made this. Thank! you saved my day!
1

When you use a hostname (e.g., http://myapp.mydomain.com), Windows Auth tries Kerberos first. Kerberos requires that the hostname you’re using is registered as a Service Principal Name (SPN) for the application pool identity or computer account in Active Directory.

If the SPN isn’t set, or if loopback check blocks it, IIS falls back to NTLM — but NTLM fails in this cross-hostname scenario → hence the browser credential prompt.

The Fix

1. Register the SPN

If your site is accessed as http://myapp.mydomain.com, and the IIS App Pool runs under DOMAIN\MyAppPoolUser, run this on a domain controller:

setspn -S HTTP/myapp.mydomain.com DOMAIN\MyAppPoolUser
setspn -S HTTP/myapp DOMAIN\MyAppPoolUser

Then do an iisreset.

2. Loopback Check (for dev/testing on same server)

If you’re testing by browsing from the same server (http://myapp.mydomain.com from inside the server itself), Windows security blocks it (loopback check).
You can disable it only for that hostname:

New-ItemProperty `
   -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
   -Name BackConnectionHostNames `
   -Value myapp.mydomain.com `
   -PropertyType MultiString

  • Restart the server after this.

  • From Internet Options add http://myapp.mydomain.com to Local Intranet Zone (so Windows auth auto logon works). Otherwise, the browser will always pop up for credentials.

Improve this answer

Comments

0

Please add IIS_IUSRS to the publish folder or where your web application located

enter image description here

Improve this answer

Comments

0

Hello friend I know you put the answer in the question but I try to elaborate more:

Delete your binding name in c:\windows\system32\drivers\etc\host file and in IIS manager goes to your website right click it and choose Edit Bindings... option, edit your binding website clearing the Host Name: field, and you now can write in the browser url http://servername:port/

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.