Reputation: 3392
ASP.NET MVC 5: App Pool, Windows Authentication and Active Directory
Background:
I have an MVC 5/C# app that interfaces an outside API. It uses the Active Directory users' Principal Context for authorization. The app checks if the UserPrincipal.Current has their Un/Pw combo stored in the Db to be used for any operations later on the external API.
public bool IsUserSetup()
{
try
{
// find currently logged in user
var user = UserPrincipal.Current; // <- ERRS HERE -----
// check if this user exists in Db with creds
if (user != null)
{
var u = _userProfileRepository.GetUserProfileByUserSID(user.Sid.ToString());
if (u != null
&& !string.IsNullOrEmpty(u.RallyUsername)
&& !string.IsNullOrEmpty(u.RallyPassword)
&& u.IsActive // <-- make sure this person is an active user
)
{
return true;
}
}
}
catch (Exception ex)
{
string exMessage = ex.Message;
//throw ex;
}
return false;
}
- I understand that
UserPrincipal.Currentwill return the App Pool's identity by default. - I also understand setting Impersonate to True IIS will use the current user's context as in:
<system.web> <identity impersonate="true"/>...
However, if I turn Impersonation on (true), then I get this:
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
So, I change the app pool to use 'classic'(Which I don't think is the answer or path I should take), and I get this error:
The page you are requesting cannot be served because of the ISAPI and CGI Restriction list settings on the Web server.
Obviously, this works great in IIS Express, it sees me (domain\username) just fine. But when I switch it to IIS or deploy it to an actual web server, I get these problems.
I need to get the current user/principal so I can store their SID and credentials to the external API in the Db. Then upon using the site/app, it auto-magically uses their creds to do work in the API as needed.
What do I need to do to either:
- setup IIS to allow impersonation to work
- adjust my code to do the same
Upvotes: 3
Views: 1670
Answers (1)
Reputation: 40928
From here, use option 2, which is:
<system.webServer>
<!--When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config-->
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
Upvotes: 1
Related Questions
- How do you handle multiple submit buttons in ASP.NET MVC Framework?
- Compile Views in ASP.NET MVC
- How do you create a dropdownlist from an enum in ASP.NET MVC?
- Validate a username and password against Active Directory?
- ASP.NET MVC - Set custom IIdentity or IPrincipal
- Can an ASP.NET MVC controller return an Image?
- File Upload ASP.NET MVC 3.0
- ASP.NET force file access as pool identity when using windows authentication
- How can I get my webapp's base URL in ASP.NET MVC?
- ASP.NET with Active Directory: User Credentials