Request.Server variables blank for classic ASP

[how2trainyourdragon]

We are running a classic ASP app, and the upgrade to IIS 8.5 caused our Request.Server variables to be blank:
AUTH_USER
LOGON_USER

Windows Auth is the default authentication type, and server admin has verified all other options are disabled like Anonymous Authentication

Anything else we should be trying?
I saw this in another forum, but not sure how to use:
Response.Write(User.Identity.Name.ToString())

...the above line with User.Identity breaks our ASP page.

Tried both:
<% WindowsIdentity.GetCurrent().Name %>
<% HttpContext.Current.User.Identity.Name %>

...and it breaks the page.

 

[GriffMG]

These are .net rather than classic

<% WindowsIdentity.GetCurrent().Name %>
<% HttpContext.Current.User.Identity.Name %>

The problem you have is that your server is using an anonymous authentication, so it doesn't
have an ID or login to tell you about.

You might find something in the web.config that you could change, I *think* it is something like this:

   <system.webServer>
      <security>
         <authentication>
            <anonymousAuthentication enabled="false" />   <!--This line you need-->
            <basicAuthentication enabled="true" />
            <windowsAuthentication enabled="true" />
          </authentication>
      </security>
   </system.webServer>

I am not convinced it will work though as that will probably be locked at the parent level.

Regards

Griff
Keep [Smile]ing

There are 10 kinds of people in the world, those who understand binary and those who don't.

I'm trying to cut down on the use of shrieks (exclamation marks), I'm told they are !good for you. ​

 

[how2trainyourdragon]

Our admin states we're on Windows Auth.
Is there a way to write back to the page showing the site is still using anonymous?

The web.config file is:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<tracing>
<traceFailedRequests>
<remove path="*.asp" />
<add path="*.asp">
<traceAreas>
<add provider="ASP" verbosity="Verbose" />
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="ISAPI Extension" verbosity="Verbose" />
<add provider="

http://WWW Server"

areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="500" />
</add>
</traceFailedRequests>
</tracing>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>

 

[GriffMG]

I think if AUTH_USER and LOGON_USER are coming back blank, that means it is accepting anonymous access.

Regards

Griff
Keep [Smile]ing

There are 10 kinds of people in the world, those who understand binary and those who don't.

I'm trying to cut down on the use of shrieks (exclamation marks), I'm told they are !good for you. ​

 

[how2trainyourdragon]

Admin says it's set to Windows..."everything else is disabled".
Anything we can run to prove it's running anonymous?

Admin is only one that can log in to IIS, so we're relying on what he's saying.

 

[GriffMG]

I think if AUTH_USER and LOGON_USER are coming back blank, that means it is accepting anonymous access.

Set up another server yourself and see. You can do it on a PC...

A little more digging gave me this:

https://social.msdn.microsoft.com/F...er-blank-site-not-anonymous?forum=aspsecurity

Regards

Griff
Keep [Smile]ing

There are 10 kinds of people in the world, those who understand binary and those who don't.

I'm trying to cut down on the use of shrieks (exclamation marks), I'm told they are !good for you. ​

 

[how2trainyourdragon]

Thanks for the link. We saw that one last week too, and I highlighted to our admin the disabling Anonymous Auth. He said it's disabled:

Jesus tapdancing **** 7 years later and this was the only place I could find an answer to this infuriating question! Many thanks, tad_n, for bothering to post this. Disabling Anonymous Authentication was the trick. IIS 8.5 now.​

I did try via Edge & Firefox browser >> New InPrivate Window / New Private Window, and no credential prompt.
Would that further support anonymous authentication is on for some reason?

 

[GriffMG]

Sometimes you have to wait 7 years for a penny to drop... send your admin the link? Probably won't help.

Regards

Griff
Keep [Smile]ing

There are 10 kinds of people in the world, those who understand binary and those who don't.

I'm trying to cut down on the use of shrieks (exclamation marks), I'm told they are !good for you. ​

 

[how2trainyourdragon]

LOL...yeah, already did...and copy/highlighted that last forum reply.

 

[GriffMG]

He/she will probably be grumpy bumps by now then.



Regards

Griff
Keep [Smile]ing

There are 10 kinds of people in the world, those who understand binary and those who don't.

I'm trying to cut down on the use of shrieks (exclamation marks), I'm told they are !good for you. ​

 

[how2trainyourdragon]

If we hit site in private browser tab and no prompt for credentials >> looks like anonymous is still allowed in some way.
IIS anonymous is disabled...see attachment.

 

[how2trainyourdragon]

Admin set authentication property on main/root site and that seemed to fix the issue.

 

[GriffMG]

Penny dropped a lot sooner than 7 years then

Regards

Griff
Keep [Smile]ing

There are 10 kinds of people in the world, those who understand binary and those who don't.

I'm trying to cut down on the use of shrieks (exclamation marks), I'm told they are !good for you. ​