
I have an MVC 4 web application that uses Windows Authentication. I deploy that app to a real web server with IIS 7. The Windows Authentication function works well with Internet Explorer (IE), Firefox (FF), and Safari, but it does not work with Chrome; I am using Chrome version 27.

Here, "works" means that when a user opens a browser (IE, FF, or Safari) and browses to the web application site, he/she is first prompted to provide valid credentials in a dialog box. Then, if his/her credentials are valid, the user is allowed to view the web site pages. "Does not work with Chrome" means Chrome always lets users browse the web pages right away, without seeing the credential dialog box and without prompting them to enter credentials as IE, FF or Safari do! That is the issue I do not know how to solve, although I tried clearing the cookies and caches for my Chrome browser and shutting down and opening Chrome again. I know the "clear cookies" action for Chrome is not supposed to matter, because Windows Authentication mode in IIS has nothing to do with cookies like Forms Authentication mode does.

The very first time I tested my web application with Chrome, right after deploying the web application to the server, Chrome did prompt me to input credentials in the dialog box, but from the second time on, Chrome does not prompt me any more.

Please let me know what I should do to stop Chrome browser from letting users bypass the credential prompt dialog box. Thank you in advance.

I followed the 2 steps below to make my MVC web application work with IE, FF and Safari:

1. In the web configuration (web.config) file of my MVC 4 web application (Intranet Template), I specify the Windows Authentication function as:

```xml
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
```

2. On the real web server, in IIS version 7, I open my MVC web site application node and head to its Authentication node to enable Windows Authentication and disable Anonymous Authentication.

Thomas.Benz

2 Answers

Take a look at Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute.

You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute ...

Quote:

> MVC uses routes and does not map URLs to physical file locations like WebForms, PHP and traditional web servers. Therefore using web.config will definitely open a security hole in your site.
>
> The product team will have a communication if this changes in the future, but for now it is without exception the rule.

Examples:

Start with the default ASP.Net MVC project (internet/intranet).

Edit the web.config adding:

```xml
<location path="Home">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```

Run the project; by default you will use the Default route /Home/Index and you see content, simply bypassing the web.config with no changes to the default template. Why? Because the ASP.Net pipeline is comparing the URL requested to the location specified in the web.config. However, after the Authorization Event has been executed in the pipeline, the routing takes place (Default routing or custom routing) and allows access to the supposedly restricted area.

Additionally, any MVC Redirect() will also bypass the same security measures, as again the routing takes place after the Authorization Pipeline Event.

Erik Philips
  • If I use the Authorize attribute and want anyone who is authenticated (meaning he provides valid credentials or a Windows network account to access the web server), how can I implement the code for the Authorize attribute? – Thomas.Benz Jun 22 '13 at 21:21
  • [How to Create an Intranet Site Using ASP.NET MVC - with windows authentication](http://msdn.microsoft.com/en-us/library/gg703322(v=vs.98).aspx). I would highly recommend AGAINST using impersonation. – Erik Philips Jun 22 '13 at 21:34
  • The security hole with Chrome still persists although I tried to decorate my test controller's actions with the [Authorize] attribute as in Forms Authentication; Chrome still ignores the logon prompt dialog and lets users see web pages! How can I solve that security hole with Chrome? – Thomas.Benz Jun 24 '13 at 19:08
  • Either the page is being cached by Chrome, Chrome is configured (not sure how) to automatically log into the website as [Luke mentioned](http://stackoverflow.com/a/17245184/209259), or your website is actually delivering HTML it's not supposed to (you can test by looking at the Network tab in Chrome tools). – Erik Philips Jun 24 '13 at 19:10
  • If Chrome causes that security issue, it is impossible to go to all users' computers to "disable Auto Logon User Authentication for Google Chrome". I have no control over the user's browser! – Thomas.Benz Jun 25 '13 at 15:36
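The supported approach this answer describes, written out as an added example (not code from the question, the answer, or the linked article): AuthorizeAttribute registered as a global filter so that every action is denied to anonymous callers, [AllowAnonymous] as the explicit opt-out for the few public actions, and a role-restricted controller for content that needs more than a valid Windows identity. The class and role names (FilterConfig, HomeController, ReportsController, DOMAIN\ReportViewers) are assumed for illustration.

```csharp
// Added example, not code from the question or the answer. Names such as
// FilterConfig, HomeController, ReportsController and the Windows group
// DOMAIN\ReportViewers are assumed for illustration.
using System.Web.Mvc;

namespace IntranetApp
{
    // App_Start/FilterConfig.cs
    // A global AuthorizeAttribute denies every action to unauthenticated
    // callers unless the action or controller opts out with [AllowAnonymous].
    // Unlike a <location> block in web.config, an MVC filter runs after
    // routing, so /Home/Index, /home/index, a custom route and the target of
    // a RedirectToAction() are all covered the same way.
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new AuthorizeAttribute()); // same intent as <deny users="?" />, enforced per action
        }
    }

    public class HomeController : Controller
    {
        // Protected by the global filter: only an authenticated Windows
        // identity reaches this action. With Windows Authentication in IIS,
        // User.Identity.Name is the DOMAIN\user that IIS authenticated.
        public ActionResult Index()
        {
            ViewBag.User = User.Identity.Name;
            ViewBag.IsAuthenticated = User.Identity.IsAuthenticated; // expected true here
            return View();
        }

        // Explicit opt-out for content that must stay public (for example a
        // health/status endpoint). Anything not marked this way stays protected.
        [AllowAnonymous]
        public ActionResult Status()
        {
            return Content("ok");
        }
    }

    // Role-restricted controller: authentication alone is not enough, the
    // Windows user must also be a member of the named group. Under Windows
    // Authentication the role names are Windows groups (DOMAIN\GroupName).
    [Authorize(Roles = @"DOMAIN\ReportViewers")]
    public class ReportsController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

The default MVC 4 template already calls FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) from Global.asax, so adding the filter is the only change. What the attribute does and does not do matters for the Chrome question: an anonymous request gets a 401, IIS turns that into a Negotiate/NTLM challenge, and whether the browser shows a credential dialog or silently answers with the logged-on user's credentials is the browser's decision (the intranet-zone behaviour the other answer points at). So the check is not "did a dialog appear" but, in the Network tab, whether the first response is 401 and the retried request carries an Authorization header, and, in the action, whether User.Identity.IsAuthenticated is true for the identity you expect.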

You need to add the site to your local intranet zone. We do this via group policy.

See How to enable Auto Logon User Authentication for Google Chrome

Not loved