Tuesday, 10 February 2015

Debugging a Visual Studio Web Application that uses Windows Authentication

In many companies, web applications are developed that use Windows Authentication to validate their users. These are not just internal-facing applications either, as many companies have customer or extranet systems that use Windows Authentication.

Debugging a web application in Visual Studio that uses Windows Authentication can be problematic without making changes to how it is set up for debugging, and how your browser is configured.

The Set-Up

In order to debug a web application that uses Windows Authentication, you will firstly need to configure your project to use IIS Express, and this is done by setting properties in the Web section of the project's properties page:

Here you need to select Use IIS Express and click the Configure Virtual Directory button, as shown above.

The next step is to select the UI project for your web application (if there are multiple projects in the solution) in the solution explorer window, and press F4 to bring up the properties window:

In the properties window, ensure that Windows Authentication is set to Enabled.

That's it for the Visual Studio changes required, and these are fairly straightforward. The next step is to configure Internet Explorer, even if IE is not your choice of browser to debug with.

The reason we need to configure IE is to stop the automatic passing of credentials to your web application when being debugged. This is particularly important if you need to log on as different users during the debugging process.

In Internet Explorer:

1. Open the Internet Options Dialog
2. Select the Security tab
3. Select the Local Intranet zone
4. Click on the Sites button

This will display another dialog, and you will need to untick the Automatically detect intranet network box. Once this is unticked, click OK and OK again.

The Gotcha

There is a potential gotcha when debugging an application that uses Windows Authentication, and it's all to do with the User Account Control feature in Windows.

Both IIS and IIS Express use an applicationhost.config file that contains server-wide configuration information. With IIS Express, every user owns their own copy of applicationhost.config, which means the user can add sites, remove sites, configure virtual directories, and so on without special privileges.

IIS Express looks for an applicationhost.config file in the user’s Documents folder (for example, %userprofile%\Documents\IISExpress\config on Windows 7). 

It is important to note that IIS Express runs in the context of the logged-in user, and this causes a problem with Windows UAC, as UAC may require you to permit the applicationhost.config file to be opened, even if you are logged on as a user who is a member of the administrators group on your development machine.

If you encounter errors when debugging your application, such as CSS files or JS files not loading and returning an access denied error, you may need to follow these steps:

1. Rename or delete the applicationhost.config file
2. Open up your solution in Visual Studio

This should fire an IIS Express dialog window from within Visual Studio, which will create a new copy of applicationhost.config. Once this is created, you should be able to debug as normal, and have all files loaded correctly in your web application.
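The following PowerShell script is an added example, not part of the original post. It reports the owner of the per-user applicationhost.config and the authentication settings it contains, and renames the file (rather than deleting it) only when asked. The `-Reset` switch name is hypothetical, the path follows the Documents location given above, and PowerShell 3.0 or later is assumed.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Reset)   # -Reset is a hypothetical switch name chosen for this example

# Per-user IIS Express config, resolved through the Documents known folder
$docs       = [Environment]::GetFolderPath('MyDocuments')
$configPath = Join-Path $docs 'IISExpress\config\applicationhost.config'
if (-not (Test-Path -LiteralPath $configPath)) {
    Write-Warning "Not found: $configPath"
    return
}

# Show the file owner next to the current user for comparison
$owner = (Get-Acl -LiteralPath $configPath).Owner
$me    = "$([Environment]::UserDomainName)\$([Environment]::UserName)"
Write-Host "File owner: $owner   Current user: $me"

# List anonymous/Windows authentication settings, server-wide and per <location>
[xml]$config = Get-Content -LiteralPath $configPath -Raw
foreach ($auth in $config.SelectNodes('//system.webServer/security/authentication')) {
    # authentication -> security -> system.webServer -> location or configuration
    $container = $auth.ParentNode.ParentNode.ParentNode
    $scope = if ($container.LocalName -eq 'location') {
        "location '$($container.GetAttribute('path'))'"
    } else {
        'server default'
    }
    foreach ($name in 'anonymousAuthentication', 'windowsAuthentication') {
        $node = $auth.SelectSingleNode($name)
        [pscustomobject]@{
            Scope   = $scope
            Setting = $name
            Enabled = if ($node) { $node.GetAttribute('enabled') } else { '(not set)' }
        }
    }
}

# Step 1 of the fix: rename instead of delete, so the old settings can be recovered
if ($Reset -and $PSCmdlet.ShouldProcess($configPath, 'Rename so a new copy is created')) {
    $backup = "applicationhost.config.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Rename-Item -LiteralPath $configPath -NewName $backup
    Write-Host "Renamed to $backup. Reopen the solution in Visual Studio to create a fresh copy."
}
```

Run it without arguments from a normal, non-elevated prompt to inspect the file; add `-Reset -WhatIf` to preview the rename before performing it.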

To work around the gotcha, you could always turn off UAC or run Visual Studio as an Administrator; however, neither of these is recommended, for security reasons!
