HttpContext.Current.Request.LogonUserIdentity.Name returns more than one user

  • Question

  • User-684597927 posted

    I'm not sure which forum this should go to so here it is.

    I'm using VS 2017, vb.net, framework 4.5, Windows 10, IIS V10.0.17763.1

    All authentication is set to WindowsAuthentication, all others are disabled.

    In our domain, I have 2 Active Directory accounts, my main account and one for testing. We are trying to upgrade our web apps to VS 2017. "HttpContext.Current.User.Identity.Name" was not working, but changing it to "HttpContext.Current.Request.LogonUserIdentity.Name" finally gave me users. Now I get an array with both my user accounts in it like this: "A00001@MYDOM T00001@mydom". I can split it to get only the user I need; however, every other function (for example "HttpContext.Current.Request.LogonUserIdentity.Groups") fails because the user of 'LogonUserIdentity' is an array, not a single value, and I can't figure out how to make it only recognize the first user, A00001@MYDOM. I will also have to make it recognize the second user when testing.

    How can I specify which user to get when a single user has multiple AD accounts? Is it even possible?

    Thursday, March 14, 2019 3:02 PM

All replies

  • User475983607 posted

    Windows authentication is NOT enabled, or Anonymous is enabled, if the following is empty.

    HttpContext.Current.User.Identity.Name

    This construct will always return something: the anonymous account, impersonation, or Windows, depending. So you do not want to use this construct.

    HttpContext.Current.Request.LogonUserIdentity.Name

    Thursday, March 14, 2019 3:39 PM
  • User753101303 posted

    Hi,

    HttpContext.Current.User.Identity.Name should ALWAYS work. If blank, check User.Identity.IsAuthenticated which is likely false.

    HttpContext.Current.Request.LogonUserIdentity likely returns the account under which your code runs, which may or may not be what you want depending on the site configuration. Maybe it returns multiple names when you impersonate user B from a process running under A? Never saw that until now (but as I said I'm using User.Identity.Name instead).

    Thursday, March 14, 2019 3:50 PM
  • User-684597927 posted

    Perhaps read the question more carefully, it does NOT return blank, it returns TWO values instead of one.

    Thursday, March 14, 2019 5:35 PM
  • User753101303 posted

    You just said that "it doesn't work". My understanding is that you changed that to HttpContext.Current.Request.LogonUserIdentity.Name which returns two values.

    I'm telling you I would go back to using HttpContext.Current.User.Identity.Name and check why it doesn't work (I assume it is blank because the user is not authenticated).

    Thursday, March 14, 2019 5:45 PM
  • User-684597927 posted

    These are my settings, they are correct:

    IIS:
    Anonymous: disabled
    Basic: disabled
    Windows: enabled
    Digest: disabled
    Forms: disabled
    ASP.NET Impersonation: disabled

    In the Web.config file:

    <authentication mode="Windows" />

    In the applicationhost.config:

    <authentication>
        <anonymousAuthentication enabled="false" userName="" />
        <basicAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="false">
        </iisClientCertificateMappingAuthentication>
        <windowsAuthentication enabled="true" overrideModeDefault="Allow">
            <providers>
                <add value="Negotiate" />
                <add value="NTLM" />
            </providers>
        </windowsAuthentication>
    </authentication>

    HttpContext.Current.User.Identity.Name returns blank and User.Identity.IsAuthenticated is false, obviously because the user is blank.

    HttpContext.Current.Request.LogonUserIdentity.Name returns "A00001@MYDOM  T00001@MYDOM"; note that those are 2 values, the A00001 is my actual AD account, the T value is my testing AD account. HttpContext.Current.Request.LogonUserIdentity.IsAuthenticated is of course false because it cannot process an ARRAY.

    When I converted the web app to framework 4.5, HttpContext.Current.User.Identity.Name returned blank, and after extensive research, I finally found the suggestion to use instead Request.LogonUserIdentity.Name, which did work, just too many values returned.

    Thursday, March 14, 2019 6:35 PM
  • User753101303 posted

    Hi,

    What if you test with something such as :

    <configuration>
       <system.web>
          <authorization>
              <deny users="?" />
          </authorization>
       </system.web>
    </configuration>

    I'm positive that I always used User.Identity.Name, which always worked perfectly fine for us regardless of which authentication method is used. "Windows authentication" is a bit special as it is triggered only when really needed, so I suspect it could still not be triggered if, for example, file permissions are wide open.

    Is this the same domain for both, or have you done a domain migration? I never heard about this behavior (i.e. having two names), but anyway you should IMHO fix the issue you have with User.Identity.Name rather than trying to use LogonUserIdentity.

    Ah, you really get name@domain.com? According to https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.name?view=netframework-4.7.2 it is supposed to return DOMAIN\SamAccountName (and this is what I have when using User.Identity.Name and Windows authentication; it is always domain\username rather than user@domain).

    Really, User.Identity.Name should ALWAYS work and this is the only thing I'm using...

    Edit: at worst, create a new site in VS, enable Windows authentication, and I expect you'll see that User.Identity.Name returns the expected name (all other methods as well, but this is because the code currently runs under your name, which is often but not necessarily always the same as the browser-side authenticated user).

    Friday, March 15, 2019 12:23 PM
  • User-684597927 posted

    I tried <deny users="?">; that sent me directly to an error page, can't run the site at all.

    I've always used User.Identity.Name as well; it only stopped working when I tried to migrate to VS 2017. I found a suggestion to use LogonUserIdentity, and it seemed to work, but as you say it returns the wrong format for both my accounts. It should indeed be domain\user like user.identity.name would, and I need that format to make the other functions work as well.

    I also tried creating a new site from scratch but user.identity.name still returns null. I've tried so many different things now my site is totally SNAFU. I'll have to nuke it and start converting again with a fresh copy. I'll keep you posted.

    Monday, March 18, 2019 8:26 PM
  • User1724605321 posted

    Hi BlakQueen,

    Do you have any other config at another application level that overrides the Windows authentication setting? That is quite strange, as HttpContext.Current.User.Identity.Name should work:

     Scenario : Windows Authentication in IIS, impersonation off.

    HttpContext.Current.Request.LogonUserIdentity.Name MYDOMAIN\USER1
    HttpContext.Current.Request.IsAuthenticated True
    HttpContext.Current.User.Identity.Name MYDOMAIN\USER1
    System.Environment.UserName ASPNET
    Security.Principal.WindowsIdentity.GetCurrent().Name COMPUTER1\ASPNET

    Best Regards,

    Nan Yu

    Tuesday, March 19, 2019 2:34 AM
  • User753101303 posted

    Until you have User.Identity.IsAuthenticated being false, it means that authentication doesn't happen for some reason. You are using https://quycao.wordpress.com/2016/04/12/change-individual-authentication-to-windows-authentication-mode-in-asp-net-mvc/ to enable "Windows authentication"?

    According to https://stackoverflow.com/questions/17043140/windows-authentication-doesnt-works-when-i-run-project-from-visual-studio one had to change settings at the application.config file level (maybe if you have an explicit option here it overrides whatever is declared at the web.config file level).

    I would make it work first on my local machine (I assume it is joined to a domain?).

    Edit: not sure which error you have but it seems to confirm that an anonymous user can't access the site (and so you are really not authenticated and no authentication at all is done).

    Tuesday, March 19, 2019 8:51 AM
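As an added example (not code from the thread or from the poster's project), a VB.NET helper that combines the advice above: gate on User.Identity.IsAuthenticated before reading any name, accept only a single DOMAIN\user or user@domain value (never a whitespace-separated pair like the one reported), and report the same identities Nan Yu's scenario lists side by side. The module and function names are assumed.

```vb
Imports System
Imports System.Security.Principal
Imports System.Text.RegularExpressions
Imports System.Web

' Added diagnostic helper, not from the thread; module and function names are assumed.
Public Module WhoAmI

    ' Accepts "DOMAIN\user" or "user@domain" and returns (domain, user).
    ' Returns Nothing for anything else, including the whitespace-separated pair
    ' of names reported in the thread, so callers never split such a value by hand.
    Public Function ParseAccountName(name As String) As Tuple(Of String, String)
        If String.IsNullOrWhiteSpace(name) Then Return Nothing
        Dim s = name.Trim()
        If Regex.IsMatch(s, "\s") Then Return Nothing
        Dim back = s.IndexOf("\"c)
        If back > 0 AndAlso back < s.Length - 1 Then
            Return Tuple.Create(s.Substring(0, back), s.Substring(back + 1))
        End If
        Dim at = s.IndexOf("@"c)
        If at > 0 AndAlso at < s.Length - 1 Then
            Return Tuple.Create(s.Substring(at + 1), s.Substring(0, at))
        End If
        Return Nothing
    End Function

    ' Reports the identities the thread compares, but only after User.Identity
    ' says the request is authenticated; a blank name with IsAuthenticated = False
    ' means Windows authentication never ran and nothing else should be trusted.
    Public Function Describe(context As HttpContext) As String
        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then
            Throw New HttpException(401, "Not authenticated; check the IIS and web.config Windows authentication settings.")
        End If
        Dim id As IIdentity = context.User.Identity
        Dim parsed = ParseAccountName(id.Name)
        If parsed Is Nothing Then
            Throw New HttpException(500, "Unexpected identity format: " & id.Name)
        End If
        Dim sb As New System.Text.StringBuilder()
        sb.AppendLine("User.Identity.Name: " & id.Name & " (" & id.AuthenticationType & ")")
        sb.AppendLine("Domain\user: " & parsed.Item1 & "\" & parsed.Item2)
        sb.AppendLine("Request.LogonUserIdentity.Name: " & context.Request.LogonUserIdentity.Name)
        sb.AppendLine("WindowsIdentity.GetCurrent().Name: " & WindowsIdentity.GetCurrent().Name)
        Return sb.ToString()
    End Function
End Module
```

Call `Response.Write(WhoAmI.Describe(HttpContext.Current))` from any page of the site; a 401 from the helper confirms the authentication problem User753101303 describes, while a 500 with the two-name string points at the LogonUserIdentity symptom from the original question.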