I have an asp.net intranet application using windows authentication. I created the application years ago with VS 2005, and the windows authentication bit was working perfectly. My web.config has the following (inside configuration -> system.web element):

    <authentication mode="Windows" />
    <authorization>
     <deny users="?"/>
    </authorization>

I test this in Firefox to confirm that the credentials are required, and indeed I'm prompted for my network credentials when first accessing the site, and I'm denied if they are invalid.

However, when I try to access HttpContext.Current.User.Identity, the object has empty strings for Name and AuthenticationType, and Authenticated = false. I thought I might need to enable the WindowsTokenRoleProvider after looking around the interwebs, and this did not change anything.

    <roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false">
      <providers>
        <clear/>
        <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider"/>
      </providers>
    </roleManager>

Two things I've done since the last time I've seen it work are upgrade the project to VS 2008 through the conversion wizard, and I also put it down for several months while my co-workers may have worked on it here or there. I was pretty sure that the only thing that affects my User.Identity are the values in the web.config mentioned above, but apparently I'm doing something wrong. Anyone else encounter a similar issue or see something I'm doing wrong? Thanks.

+1  A: 

I believe you need to make sure that anonymous access is turned off in IIS for the site/virtual.

DancesWithBamboo
I have anonymous access turned off (unchecked) and integrated windows authentication selected in IIS as well.
Rich
A: 

Some ideas:

On the site configuration, pull up the 'ASP.NET Configuration Settings' dialog. On the 'Authentication' tab, is the 'Authentication mode' set to 'Windows'? On the 'Application' tab, did 'Local impersonation' get set? (I think it should be unchecked.)

Did your server get dropped off the domain? Did the user running the app pool change? Did domain policies change, preventing the server from impersonating the user for purposes of auth checks (not delegation)?

Have you tried re-installing the asp.net extensions for your site? (This is a big topic in itself.)

You could check the HttpContext.SkipAuthorization flag programmatically.

Marsh Ray
+1  A: 

Try adding to get the behavior you want? When impersonation isn't turned on, a lot still happens under the name of NETWORK SERVICES or the ASPNET user.

And here is a Hanselman blog post that has the other crazy idea that came to mind:

MatthewMartin
Can you (or someone who has enough rep to edit) try to create a shorter link from that long url
Sander Rijken
A: 

Have you tried adding identity impersonation:

    <identity impersonate="true" />

to the web.config?

Dan Diplo
A: 

Where do you check for this user? In the request cycle there are some events fired before the authorization takes place.

If you are testing on Vista, Windows 7 or Windows Server 2008 there can be other differences, because the ASP.Net and IIS pipeline are integrated on IIS 7's default configuration.

Bert Huijben
I'm being required to log in before any code gets executed, so my credentials are being passed. My checks for the user have been in Page_Load, and remember...this worked fine until recently. This is being tested on my Vista development machine as well as two different servers both running Server 2003. Thanks.
Rich
+3  A: 

Make sure your <httpModules> section hasn't been cleared. Your machine's web.config file should include a snippet like this:

    <httpModules>
        <!-- ... -->
        <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
        <!-- ... -->
        <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
        <!-- ... -->
    </httpModules>

The important element here is WindowsAuthentication. Make sure that it's in your %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.config file. Also, make certain that both your own web site and any web.config file that appears in a "parent" site or folder do not have a <clear/> tag in its <httpModules> section. Without the WindowsAuthentication module, it doesn't matter if the browser forces you to log in or not... ASP.NET will never actually set the User property without this module included.

Ordering of httpModules is also significant, and in particular I believe the WindowsAuthentication module needs to appear before the AnonymousIdentification one.

Andrew Arnott
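
One way to check the `<clear/>` and module-order points from the answer above, as an added example (not code from the thread or from ASP.NET): it applies `<add>`, `<remove>` and `<clear/>` from a chain of config files, outermost first, and reports whether WindowsAuthentication survives. The config strings are constructed samples, `effective_modules` and `audit` are hypothetical names, and `<location>` blocks and XML namespaces are assumed absent.

```python
import xml.etree.ElementTree as ET

# Constructed samples, outermost config first (machine-level, then the application).
MACHINE = """<configuration><system.web><httpModules>
  <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
  <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
</httpModules></system.web></configuration>"""

APP_CLEARED = """<configuration><system.web><httpModules>
  <clear/>
  <add name="CustomLogging" type="Example.LoggingModule" />
</httpModules></system.web></configuration>"""

APP_OK = """<configuration><system.web><httpModules>
  <add name="CustomLogging" type="Example.LoggingModule" />
</httpModules></system.web></configuration>"""

def effective_modules(config_chain):
    """Apply <add>/<remove>/<clear> from each config in order; return module names."""
    modules = []
    for xml_text in config_chain:
        section = ET.fromstring(xml_text).find("system.web/httpModules")
        if section is None:
            continue
        for el in section:
            name = el.get("name")
            if el.tag == "clear":
                modules = []
            elif el.tag == "remove":
                modules = [m for m in modules if m != name]
            elif el.tag == "add" and name not in modules:  # duplicates ignored here
                modules.append(name)
    return modules

def audit(config_chain):
    """Return findings; an empty list means WindowsAuthentication is in place."""
    mods = effective_modules(config_chain)
    if "WindowsAuthentication" not in mods:
        return ["WindowsAuthentication module missing (cleared or removed)"]
    # Ordering rule as stated (tentatively) in the answer above.
    if ("AnonymousIdentification" in mods and
            mods.index("AnonymousIdentification") < mods.index("WindowsAuthentication")):
        return ["AnonymousIdentification is listed before WindowsAuthentication"]
    return []

if __name__ == "__main__":
    print(audit([MACHINE, APP_CLEARED]), audit([MACHINE, APP_OK]))
```

On a real server the chain would be the framework's CONFIG\Web.config followed by each web.config from the site root down to the application folder.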