I am honestly at the end of my rope on this. I don't know what else to try. The best way to describe this in 30 seconds or less: It's as if the application starts to process the request, and about 3/4 of the way through, decides 'oh, I should authenticate'. It does, but decides to throw an authentication error anyway, as if it was part way to that point before it decided it needed to authenticate. Because given enough F5's, it eventually does work properly.
When I go to the site, my expectation is that I should not even be prompted for security, but at minimum, I will get the standard Windows popup asking for userid/password. The reason I don't think I should be prompted is that I.E. should properly pass Kerberos authentication credentials. It does to other applications.
In reality, I get this popup maybe 50% of the time. Sometimes it does, sometimes it throws me directly to 'login.aspx' (yes, even though it's an MVC app, for whatever reason, Microsoft's infinite wisdom is to send me there).
Sometimes doing a page refresh enough times will eventually work, but not always.
My view puts my ADS account printed at the top, so I am 100% sure it's picking it up pretty much every time. Even when that is there, I sometimes (but not always) get denied from my page, but then sometimes doing a refresh works.
I have tried Firefox 28.0, I.E. 10, Chrome 20 (with the Kerberos fix). Nothing works nor fails consistently.
I'm open to ideas, but I've tried dozens of ideas. I'm out of ideas. This seems like programmer 101, but I've got nearly 30 years of experience in programming and I can't get this to work.
Here is my environment:
In a company with ADS security, everything is in one domain. My development machine (Windows 7) is logged into the same ADS that the Web Server is. Everything is intranet. This should make I.E. pass Kerberos authentication to my app without an issue, but it doesn't.
First off, and foremost, I know this is not a problem with ADS, because we have dozens of applications that work correctly. I just happen to be doing the first MVC application.
Web Server (I am an administrator) is Windows 2008 R2 SP1. This was created just for my testing. It would be impossible that there is a virus on here, but I won't say it's impossible that there could be a configuration issue. I know for certain 'Windows Authentication' is turned on in server config.
IIS 7, ASP.NET 4.5, all updates applied
My website takes all defaults except for Authentication. 'anonymous' is disabled. 'Windows authentication' is enabled. I have only 'NTLM' in providers. I removed 'negotiate' in an attempt to resolve this issue, but I had the issue with 'negotiate' in there. Other than this, everything is default.
My website is in a folder on this server. Out of desperation I set 'everyone' to full authority (in an effort to rule out some kind of Windows 8 security issue).
My application is the simplest of all. I created a default MVC 4 application. I have one controller (home) and 4 views (see below). 'Index' should allow anyone to access. 'KittPage' should allow only me. 'LhamonPage' should allow only my boss. 'Managers' should not allow anyone, since that role is not defined in our ADS; this is more done to be sure that no one can access this page without that role.
In web config, I have:
    <authentication mode="Windows"/>
    <authorization>
        <deny users="?" />
    </authorization>
My controller: (I replaced my domain with ****** for security purposes)
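    using System.Web.Mvc;

    namespace WB.SecurityTesting.Controllers
    {
        [HandleError]
        public class HomeController : Controller
        {
            // No [Authorize] attribute: any authenticated user may view this
            // (anonymous users are denied by <deny users="?" /> in web.config).
            public ActionResult Index()
            {
                return View();
            }

            // Restricted to members of the "Managers" role.
            [Authorize(Roles = "Managers")]
            public ActionResult Managers()
            {
                return View();
            }

            // Restricted to a single named domain account.
            [Authorize(Users = "*****\\brianki")]
            public ActionResult KittPage()
            {
                return View();
            }

            // Restricted to a single named domain account.
            [Authorize(Users = "*****\\brianlh")]
            public ActionResult LhamonPage()
            {
                return View();
            }
        }
    }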