MVC5 vs Windows Authentication in IIS 7.5: unable to login

Question

I'm trying to secure Asp.Net MVC5 application to use Windows authentication.

I have mostly followed this article: http://msdn.microsoft.com/en-us/library/gg703322%28v=vs.98%29.aspx

And when I go to pages, I'm presented with login/username textboxes:

I type correct username/password and I'm asked for the same details again. And again and again. I've tried to do add machine name before the login ( local machine does not have a domain), but no luck.

In web.config I have:

<authentication mode="Windows" />

In IIS 7.5 I have the following for the authentication:

Controller action I request looks like this:

public partial class HomeController : BaseController
{
    private readonly IMediator mediator;

    public HomeController(IMediator mediator)
    {
        this.mediator = mediator;
    }

    public virtual ActionResult Index()
    {
        var model = mediator.Request(new MenuModelQuery());
        return View(model);
    }

If I turn off any authentication (enable anonymous) - everything works fine. I have tried playing with different user for Application Pool for the web-site - no change. I have added [AllowAnonymous] attribute to the controller action - no change. I have tried [Authorize(User="trailmax")] - no change in the behaviour.

Fiddler shows that authenticate header is passed every time when I put username/password in:

Request:

GET http://reporting.dev/ HTTP/1.1
Host: reporting.dev
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate TlRMTVNTUAABblahblahblahblah=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Response:

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAA_some_long_stringkLP9zgEAAAAA
Date: Fri, 20 Dec 2013 18:44:50 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication

I'm out of ideas. Can you suggest anything?

Answer 1

I have found the source of the problem - hosts file. Every time I do web-site development, I create a record in hosts file, so it is slightly more user friendly.

As soon as I have tried accessing the site via http://localhost:81 windows authentication worked fine and took in the password from the first attempt.

Don't know why exactly this did not work via domain name via hosts. But I can guess that IIS got confused with site domain-name and local workgroup/domain name. Some sort of security feature.

Answer 2

Since you request the integrated authentication, the login prompt means that it doesn't work. My guess is that Chrome just doesn't support it and by the look of the login prompt I suspect you are using Chrome.

Either switch to IE and make sure you are in the domain or if you want to stick with Chrome and still see the login prompt, enable the Basic Authentication and disable the Windows authentication.