I recently updated a legacy 4.5 C#.NET webforms app to use ADFS for authentication, but somehow it only works if I also have Windows authentication enabled in IIS. When I have windows auth enabled, after a user signs into our ADFS server, a Windows auth pop-up box shows up which requires the user to log in twice. That is not the result I wanted, so I turned off Windows authentication in the hopes that the second login would go away, but now after signing into ADFS, the user gets a 401 Unauthorized error.
If I have to keep Windows auth enabled for this legacy app to successfully login, is there something I should add to the code to prevent the Windows auth pop-up from presenting itself after a user logs into ADFS?
Startup.Auth.cs
using System.Configuration;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Sign the user in with the cookie middleware once WS-Federation has validated the ADFS token
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Redirect unauthenticated users to ADFS; realm and metadata URL come from appSettings
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });

        // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
        app.UseStageMarker(PipelineStage.Authenticate);
    }
}
Startup.cs
using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }
}
UPDATE: I just confirmed that my dev site works fine - meaning the Windows auth box DOES NOT show up after authenticating with ADFS. It has the same code, the same web.config, the same set up in IIS on the dev server compared to live, and the same setup on the ADFS server. The ONLY difference that I can see is that the live server is Windows Server 2019 Datacenter and the dev server is Windows Server 2012 R2.
Are there differences between these 2 servers that would make that Windows authentication box pop up after ADFS authentication? Could it be that the legacy app will only behave on a legacy server and not a newer one?
CodePudding user response:
I just found the answer I needed here: 401 Unauthorized: Access is denied due to invalid credentials
- Open IIS
- Select The Site
- Open Authentication
- Edit Anonymous Authentication
- Select Application Pool Identity
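The same five IIS Manager steps, scripted so they can be applied and verified on the live server (and compared against the dev box) without clicking through the UI. This is an added example and not the answerer's code; the site name is a placeholder, and the script assumes the WebAdministration module that ships with IIS. Setting anonymousAuthentication's userName to an empty string is how IIS expresses "Application Pool Identity"; the authentication sections are normally locked at the site level, so they are set from the server configuration with -Location rather than from the app's web.config. With anonymous access allowed at the IIS layer, the request reaches the OWIN pipeline and the WS-Federation middleware plus the web.config authorization rule decide who is challenged, which is why no second Windows prompt appears.

```powershell
# Added example (not from the original answer): apply the answer's IIS steps
# with the WebAdministration module, then read the result back to verify.
Import-Module WebAdministration

$site = 'Default Web Site'   # placeholder: replace with the legacy app's site name
$auth = 'system.webServer/security/authentication'

# "Edit Anonymous Authentication -> Application Pool Identity":
# an empty userName tells IIS to run anonymous requests as the app pool identity
# instead of the built-in IUSR account.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name userName -Value ''

# The question's goal is to stop the second (Windows) login prompt, so leave
# Windows Authentication off and let the OWIN WS-Federation middleware challenge.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $false

# Verify: anonymous on with an empty userName, Windows auth off.
$anon = Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter "$auth/anonymousAuthentication"
$win  = Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter "$auth/windowsAuthentication"

[pscustomobject]@{
    Site               = $site
    AnonymousEnabled   = $anon.enabled
    AnonymousUserName  = if ($anon.userName) { $anon.userName } else { '(application pool identity)' }
    WindowsAuthEnabled = $win.enabled
}
```

Run the verification part alone on both the 2019 and the 2012 R2 server to confirm the two sites really match; a non-empty AnonymousUserName (typically IUSR) on the live box is the difference the answer's steps remove. After switching to the application pool identity, make sure that identity (IIS AppPool\<pool name>, normally covered by the IIS_IUSRS group) has read access to the site's folder, otherwise the 401 turns into a 403.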