I would like to be able to detect, from ASP.NET code, whether IIS currently has "Windows Authentication" "available".
Starting from my application installed and currently running under "Anonymous Access", I want to detect:
- "Windows Authentication" component has actually been installed in IIS (e.g. some IIS7 have it not installed by default); and...
- "Windows Authentication" is actually "Enabled" on my virtual root/location.
I want this information to let the Administrator know whether he needs to take action in IIS before he actually attempts to switch it on on my application.
(Hence, for example, I think IIS7: How to define that windows authentication is turned on? does not help me, as that is looking at whether it is already on for my application; I want to know whether it is installed/can be turned on.)
My "solution" would need to work (or at least not "fail") with versions of IIS prior to 7 as well as 7 itself, so if there are differences there I need to know. Thanks.
My answer is based on @Paul Stovell's minimum requirements (that it only needs to work for IIS 7). When WindowsAuthentication is installed, the applicationHost.config file will have the following entry in the <globalModules> section:
<add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />
Using Microsoft.Web.Administration.dll, which can be found in %windir%\System32\inetsrv\, one can check for the existence of the WindowsAuthenticationModule with the following code:
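// Requires: using System.Linq; using Microsoft.Web.Administration;
Configuration config = new ServerManager().GetApplicationHostConfiguration();
ConfigurationSection globalModulesConfig = config.GetSection("system.webServer/globalModules");
ConfigurationElementCollection globalModulesCollection = globalModulesConfig.GetCollection();
// True when the WindowsAuthenticationModule entry is present in <globalModules>.
bool installed = globalModulesCollection.FirstOrDefault(a => a.GetAttribute("name").Value.Equals("WindowsAuthenticationModule")) != null;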
Since the applicationHost.config file resides in %windir%\System32\inetsrv\config, the application making this query requires elevated privileges.
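The two conditions from the question (module installed, and enabled on a given location) can be checked together. The following is an added example, not code from any of the answers; it assumes IIS 7 or later, and the class name `WindowsAuthProbe`, the `State` enum and the location path "Default Web Site/MyApp" are hypothetical names chosen for illustration.

```csharp
using System;
using System.Linq;
using Microsoft.Web.Administration; // %windir%\System32\inetsrv\Microsoft.Web.Administration.dll

public static class WindowsAuthProbe
{
    public enum State { Unknown, NotInstalled, InstalledButDisabled, Enabled }

    // locationPath is "site name/virtual path"; the value used in Main is a sample.
    public static State Check(string locationPath)
    {
        try
        {
            using (ServerManager serverManager = new ServerManager())
            {
                Configuration config = serverManager.GetApplicationHostConfiguration();

                // 1. Installed: the native module is registered in <globalModules>.
                bool installed = config.GetSection("system.webServer/globalModules")
                    .GetCollection()
                    .Any(e => string.Equals((string)e["name"], "WindowsAuthenticationModule",
                                            StringComparison.OrdinalIgnoreCase));
                if (!installed) return State.NotInstalled;

                // 2. Enabled: value of the 'enabled' attribute at this location,
                //    as stored in applicationHost.config (including <location> tags).
                ConfigurationSection winAuth = config.GetSection(
                    "system.webServer/security/authentication/windowsAuthentication",
                    locationPath);
                return (bool)winAuth["enabled"] ? State.Enabled : State.InstalledButDisabled;
            }
        }
        catch (UnauthorizedAccessException)
        {
            // applicationHost.config cannot be read without elevated privileges,
            // so report "cannot tell" rather than "not installed".
            return State.Unknown;
        }
    }

    public static void Main()
    {
        Console.WriteLine(Check("Default Web Site/MyApp"));
    }
}
```

This reads applicationHost.config only; if the windowsAuthentication section has been unlocked and set in the application's web.config, read it through `ServerManager.GetWebConfiguration(siteName, virtualPath)` instead.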
On the default aspx page check if the user is set to a type of WindowsPrincipal. If Windows authentication is not enabled then the type will be different.
Also for Windows authentication to work, the browser should be configured for the NTLM handshake.
Will add some code later!
When Windows Authentication is enabled, IIS returns this HTTP header in the response:
WWW-Authenticate: NTLM
It's possible to send a testing HTTP request with a WebClient, wait for it and check the header presence.
This isn't an answer so much as just an idea to point you in a possible direction.
A web application is normally isolated to itself and runs under least privilege so I don't think you can see global settings like this from an application's ASP code.
I would guess that you would want to look at the WMI classes. You can query them using ADO or the WMI objects. You may need to impersonate higher credentials to call it though.
See this post
TechNet Article
The following checks web.config/IIS settings I believe. You could add more checks at each instantiation to see if the config sections are defined, etc.
// Requires: using System.Web.Configuration;
System.Configuration.Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
SystemWebSectionGroup configSection = (SystemWebSectionGroup)config.GetSectionGroup("system.web");
AuthenticationSection auth = configSection.Authentication;
// auth.Mode is the <authentication mode="..."> value from web.config.
if (auth.Mode == AuthenticationMode.Forms) { }
else if (auth.Mode == AuthenticationMode.Windows) { }