Exception in IIS when using windows authentication #650
Comments
+1 for that. It works great running behind IIS Express, but as soon as I try to publish to IIS, everything breaks. It just ends up with a 500 error on the /Account/ExternalLogin?provider=Negotiate URL. |
Looks like you need to configure WebListener. This means not using Kestrel and not using IIS. WebListener is its own web server. Here are some critical details that seem to be working for me: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/weblistener . |
Both WebListener and Kestrel + IIS Integration work. |
Any chance of some direction on getting this working with Kestrel + IIS Integration? That would be helpful. As noted, it seems to work fine under IIS Express, but will not work when deployed to IIS. Even just a pointer to some MS article or source that might be useful would be helpful. When run under Kestrel + IIS Express and it does work, it still presents a 500 Error Page momentarily, then seems to refresh and the credential is set. Quite odd behavior - I've never seen a 500 error refresh itself. |
IIRC our samples/quickstarts were even updated to show how to do this. Do those not work for you? |
For what it's worth, here is what I have done that works:
Then you can either run with Kestrel behind IIS (as normal), or you can just "dotnet run http://localhost:8080" and it will run and start listening there directly using the WebListener server. Your IIRC samples all work perfectly on IIS Express, but do not work on production IIS. What I've been following is the Host project in the IdentityServer4 source. It seems to be the only one with everything. When I publish it to my local IIS, I get this error. |
huh, ok. we'll double check it tomorrow. |
I was able to repro. It's an app identity permissions issue as far as I can tell. I opened an issue here: aspnet/KestrelHttpServer#1288. If I can find a workaround here in IdentityServer, but fundamentally that call should work in ASP.NET Core. |
Looks like this was already reported: aspnet/IISIntegration#231 |
As for a workaround, we could use "Windows" as the provider name -- this is really just used to look up the user's IdP in the identity management system, and it prolly doesn't care if NTLM or Negotiate is used. Really it just cares that the user is a Windows user. |
done on dev |
Excellent! Thanks for getting to the bottom of it quickly. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Hi,
IdentityServer4 released version 1.0.
Can someone reopen #38, support for Windows authentication?
Thanks.