locked
Simple Basic Auth RRS feed

  • Question

  • User1716836463 posted

    I'm trying to get Basic Auth setup in front of our Legacy MVC .Net app that is hosted in a Windows Server 2016 Docker Container.

    The issue is almost certainly more to do with how I'm setting up things in windows and in the web.config more so than anything to do with docker. I'm not a windows or IIS guy. So help is very much appreciated.

    So the instance is a base image of Windows Server 2016 in which I'm running these commands to setup IIS and users:

    Dockerfile

    FROM microsoft/aspnet:4.7.1-windowsservercore-ltsc2016
    ARG source
    
    
    WORKDIR /inetpub/wwwroot
    COPY ${source:-obj/Docker/publish} .
    
    # Install Url Rewrite
    ADD https://download.microsoft.com/download/C/9/E/C9E8180D-4E51-40A6-A9BF-776990D8BCA9/rewrite_amd64.msi /install/rewrite_amd64.msi
    RUN Start-Process msiexec.exe -ArgumentList '/i', 'c:\install\rewrite_amd64.msi', '/quiet', '/norestart' -NoNewWindow -Wait
    #RUN ["powershell", ". /Windows/System32/inetsrv/appcmd.exe set config 'Default Web Site' -section:system.webServer/security/authentication/basicAuthentication /enabled:'True' /commit:apphost"]
    #RUN $Acl = Get-Acl 'C:\inetpub\wwwroot'; $Ar = New-Object  system.security.accesscontrol.filesystemaccessrule('client','FullControl','Allow'); $Acl.SetAccessRule($Ar); Set-Acl 'C:\inetpub\wwwroot' $Acl
    
    
    #RUN New-LocalUser -Name 'client' -FullName 'Basic Auth User' -Description 'Basic Auth User' -Password (ConvertTo-SecureString 'NOTTELLING' -AsPlainText -Force)
    #RUN dism /online /enable-feature /featurename:IIS-BasicAuthentication
    
    RUN Import-Module ServerManager; Add-WindowsFeature Web-Basic-Auth
    RUN Net user client NOTELLING /add /fullname:"client" /expires:never
    RUN c:\\windows\\system32\\inetsrv\\appcmd.exe unlock config \"Default Web Site\" /section:system.webServer/security/authentication/anonymousAuthentication /commit:apphost
    RUN c:\\windows\\system32\\inetsrv\\appcmd.exe unlock config \"Default Web Site\" /section:system.webServer/security/authentication/windowsAuthentication /commit:apphost
    RUN c:\\windows\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\" /section:system.webServer/security/authentication/windowsAuthentication /enabled:\"False\" /commit:apphost
    RUN c:\\windows\\system32\\inetsrv\\appcmd.exe unlock config \"Default Web Site\" /section:system.webServer/security/authentication/basicAuthentication /commit:apphost
    RUN c:\\windows\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\" /section:system.webServer/security/authentication/basicAuthentication /enabled:\"True\" /commit:apphost

    And this is in my Web.Debug.config

    <security>
       <authentication>
          <anonymousAuthentication enabled="false" />
          <basicAuthentication enabled="true" />
       </authentication>
    </security>

    The result is that the browser indeed things build ok, but the browser opens to the site, with no Basic Auth prompt.

    I've also tried a few other things in the web.config that of netted out with successfully getting the BA prompt but when I enter the password for the 'client' user above... it gets rejected.

    What I'm trying to do here should be very straight forward. What works on native IIS will work on a dockerized version, I just don't even know what I'm doing with the native one. 

    Help appreciated!

    Tuesday, July 10, 2018 12:43 PM

All replies

  • User690216013 posted

    Your Dockerfile missed a line to disable anonymous authentication.

    Besides, IIS only processes web.config file. Web.Debug.config is usually a temp file during ASP.NET development, so changes to it as you showed won't take effect.

    Please find an ASP.NET/IIS guy in your team/company to help out, or open a support case via http://support.microsoft.com , as to move further I think more experience is required.

    Tuesday, July 10, 2018 7:05 PM
  • User121216299 posted

    Hi IDVB,

    1. Open Internet Information Services (IIS) Manager:

    2. In the Connections pane, expand the server name, expand Sites, and then click the site, application or Web service for which you want to enable basic authentication.
    3. Scroll to the Security section in the Home pane, and then double-click Authentication.
    4. In the Authentication pane, select Basic Authentication, and then, in the Actions pane, click Enable.
    5. In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.

    You can also use Appcmd to enable it.

    appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/basicAuthentication /enabled:"True" /commit:apphost

    For detailed information, you can refer link below.

    Basic Authentication <basicAuthentication>

    Regards

    Deepak

    Thursday, July 12, 2018 7:46 AM