If you’re using only Windows Authentication in you’re C# ASP .NET web application, there is no build in support for the user to “log out” or to “Sign in as Different User”, like in Microsoft Office SharePoint Server:
The only way to make this work “cross-browser” (Tested on IE5, IE5.5, IE6, IE7, IE8, FireFox 3.5.5, Google Chrome 3.0.195.33) is to send a 401 HttpResponse to force the browser to re-authenticate it self. Well there are numerous pages describing the fact you should send a 401 HttpResponse within the ASP .NET C# web application, but few give a complete example. This post describers the complete example of sending a 401 HttpResponse to force the browser to re-authenticate it self. In this example I use a IIS server in a domain called “MyDomain”, but this can be replaced by a IIS Server in a workgroup, then you should replace “MyDomain” with the name of the server, eg. “MyIISServer”
– In Microsoft Visual Studio 2008, create a new web application File > New > Project > Visual C# > Web > ASP .NET Web Application
– In Microsoft Visual Studio 2008, make sure you’re website project properties are set to: “Use Local IIS Web server”. Found in menu Project > MyWebSite Properties > Web
– Click on “Create Virtual Directory” to make sure the virtual directory exists in IIS.
– In the IIS 7 Manager, click on “MyWebSite” > “Features View” > “Authentication”
– Disable “Anonymous Authentication”
– Enable “Windows Authentication” (if not shown in Vista, Windows Server 2008 or Windows 7, install it via “Control Panel” > “Programs and Features” > “Turn Windows features on or off” > "Internet Information Services" > "World Wide Web Services" > "Security" > "Windows Authentication")
– Open the Web.config of you’re website in Microsoft Visual Studio 2008 and change the authentication mode to ”Windows” and set the users to allow and deny access.
<system.web> <authentication mode="Windows"/> <identity impersonate="false" /> <authorization> <allow users="MyDomain\User1,MyDomain\User2"/> <deny users="*"/> </authorization>
You should at least deny anonymous users by adding <deny users = “?” />. In this example all users are denied access, except for the users: MyDomain\User1 and MyDomain\User2.
– In Microsoft Visual Studio 2008 add 2 pages: Default.aspx and AccessDenied.aspx
– The Default.aspx should look like:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="MyWebsite.Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <title>Default page</title> </head> <body> <form id="mainForm" runat="server"> <div> <div><p>Hello <asp:Label ID="UserLabel" runat="server" Text="Label"></asp:Label></p></div> <div><asp:LinkButton ID="SignInAsADifferentUserLinkButton" runat="server" onclick="SignInAsADifferentUserLinkButton_Click">Sign in as a different user</asp:LinkButton></div> </div> </form> </body> </html>
– The Default.aspx.cs should look like:
using System; using System.Web; namespace MyWebsite {
public partial class Default : System.Web.UI.Page { /// <summary> /// Event fires on every page load /// </summary> /// <param name="sender"></param> /// <param name="e"></param> protected void Page_Load(object sender, EventArgs e) { // Show the current logged on user UserLabel.Text = Request.LogonUserIdentity.Name; // Make sure the browser does not cache this page this.DisablePageCaching(); } /// <summary> /// Event fires when user clicks on the "SignInAsADifferentUserLinkButton" /// </summary> /// <param name="sender"></param> /// <param name="e"></param> protected void SignInAsADifferentUserLinkButton_Click(object sender, EventArgs e) { // Redirect to the "log out" page cq "sign in as a different user" page Response.Redirect("AccessDenied.aspx"); } /// <summary> /// Make sure the browser does not cache this page /// </summary> public void DisablePageCaching() { Response.Expires = 0; Response.Cache.SetNoStore(); Response.AppendHeader("Pragma", "no-cache"); } }
}
– The AccessDenied.aspx should look like:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="AccessDenied.aspx.cs" Inherits="MyWebsite.AccessDenied" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <title>Untitled Page</title> </head> <body> <form id="form1" runat="server"> <div> </div> </form> </body> </html>
– The AccessDenied.aspx.cs should look like:
using System; using System.Web; namespace MyWebsite {
public partial class AccessDenied : System.Web.UI.Page { private int _authenticationAttempts = 0; public int AuthenticationAttempts { get { if (!string.IsNullOrEmpty(string.Format("{0}", Session["AuthenticationAttempts"]))) { int.TryParse(Session["AuthenticationAttempts"].ToString(), out _authenticationAttempts); } return _authenticationAttempts; } set { _authenticationAttempts = value; Session["AuthenticationAttempts"] = _authenticationAttempts; } } private string _currentUser = string.Empty; public string CurrentUser { get { _currentUser = Request.LogonUserIdentity.Name; Session["CurrentUser"] = _currentUser; return _currentUser; } set { _currentUser = value; Session["CurrentUser"] = _currentUser; } } private string _previousUser = string.Empty; public string PreviousUser { get { _previousUser = string.Format("{0}", Session["PreviousUser"]); return _previousUser; } set { _previousUser = value; Session["PreviousUser"] = _previousUser; } } /// <summary> /// This event fires on every page load /// </summary> /// <param name="sender"></param> /// <param name="e"></param> protected void Page_Load(object sender, EventArgs e) { // Make sure the browser does not cache this page this.DisablePageCaching(); // Increase authentication attempts this.AuthenticationAttempts = this.AuthenticationAttempts + 1; if (this.AuthenticationAttempts == 1) { // Change previous user to current user this.PreviousUser = this.CurrentUser; // Send the first 401 response this.Send401(); } else { // When a browser is set to "automaticaly sign in with current credentials", we have to send two 401 responses to let the browser re-authenticate itself. // I don't know how to determine if a browser is set to "automaticaly sign in with current credentials", so two 401 responses are always send when the user // does not switch accounts. In Micrososft Office sharepoint the user has to supply the credentials 3 times, when the user does not switch accounts, // so it think this is not a problem. if (this.AuthenticationAttempts == 2 && this.CurrentUser.Equals(this.PreviousUser)) { // Send the second 401 response this.Send401(); } else { // Clear the session of the current user. This will clear all sessions objects including the "AuthenticationAttempts" Session.Abandon(); Session.Clear(); // Redirect back to the main page Response.Redirect("Default.aspx"); } } } /// <summary> /// Make sure the browser does not cache this page /// </summary> public void DisablePageCaching() { Response.Expires = 0; Response.Cache.SetNoStore(); Response.AppendHeader("Pragma", "no-cache"); } /// <summary> /// Send a 401 response /// </summary> public void Send401() { // Create a 401 response, the browser will show the log-in dialogbox, asking the user to supply new credentials,
// if browser is not set to "automaticaly sign in with current credentials" Response.Buffer = true; Response.StatusCode = 401; Response.StatusDescription = "Unauthorized"; // A authentication header must be supplied. This header can be changed to Negotiate when using keberos authentication Response.AddHeader("WWW-Authenticate", "NTLM"); // Send the 401 response Response.End(); } }
}
– Set the Default.aspx as Start Page and start debugging the website.
In IE depending on the setting Tools > Options > Security > Local intranet > Custom level… > User Authentication > Logon, the browser will show the windows logon dialog box.
If the site is not in the “Local Intranet Zone” you adjust the same setting on “Internet” and “Trusted Sites”
– Login to the website
– The website will show:
– Click on the “Sign in as a different user”, this will show the windows dialog box
– The windows dialog box will always appear, but when the user supplies the same credentials as the logged in user and IE security setting for “User Authentication” > “Logon” is set to “Prompt for user name and password”. The user will be asked to supply the credential 2 times.
– I think this is not a problem, because you want to sign in as a different user, so this will never occur.
– After supplying the correct credentials the new user is logged in.
By looking at the MSIL code of the Microsoft.SharePoint.ApplicationPages.dll, I guess this is the way Microsoft Sharepoint does it, using the _layouts\AccessDenied.aspx
you rock !!!!!!! (just like wix)
Thanks alot, your post was exactly what I needed. Thanks!
Hello, your post is very usefull. I need the exact same thing, logout from IIS with Windows Authentication, using Response 401.
Your example works perfectly integrated in my solution (when I say integrated I mean I created 2 extra aspx pages exactly like yours, in my solution).
The problem is that the same solution code put in my specific aspx pages don’t work as it should.
What I was able to find out when debugging is that the first Send401() [the one from if (this.AuthenticationAttempts == 1) ] call is not forcing the browser to display the login box. Because of this, it goes to the second Send401() [the one from if (this.AuthenticationAttempts == 2 && this.CurrentUser.Equals(this.PreviousUser)) ] and then it shows the login box.
Because of this strange behavior, the account are delayed with one login, and it is totally frustrating.
I will put my code here, maybe you have an idea, because I am out of solutions to try.
The page corresponding to your Default.aspx page is this:
public partial class LoginAfterLogout : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
// Make sure the browser does not cache this page
this.DisablePageCaching();
}
///
/// Event fires when user clicks on the “SignInAsADifferentUserLinkButton”
///
///
///
protected void SignInAsADifferentUserLinkButton_Click(object sender, EventArgs e)
{
// Redirect to the “log out” page cq “sign in as a different user” page
Response.Redirect(“AccessDenied.aspx”);
}
///
/// Make sure the browser does not cache this page
///
public void DisablePageCaching()
{
Response.Expires = 0;
Response.Cache.SetNoStore();
Response.AppendHeader(“Pragma”, “no-cache”);
}
}
The page corresponding to your AccessDenied.aspx is this:
public partial class AccessDenied : System.Web.UI.Page
{
private int _authenticationAttempts = 0;
public int AuthenticationAttempts
{
get
{
if (!string.IsNullOrEmpty(string.Format(“{0}”, Session[“AuthenticationAttempts”])))
{
int.TryParse(Session[“AuthenticationAttempts”].ToString(), out _authenticationAttempts);
}
return _authenticationAttempts;
}
set
{
_authenticationAttempts = value;
Session[“AuthenticationAttempts”] = _authenticationAttempts;
}
}
private string _currentUser = string.Empty;
public string CurrentUser
{
get
{
_currentUser = Request.LogonUserIdentity.Name;
Session[“CurrentUser”] = _currentUser;
return _currentUser;
}
set
{
_currentUser = value;
Session[“CurrentUser”] = _currentUser;
}
}
private string _previousUser = string.Empty;
public string PreviousUser
{
get
{
_previousUser = string.Format(“{0}”, Session[“PreviousUser”]);
return _previousUser;
}
set
{
_previousUser = value;
Session[“PreviousUser”] = _previousUser;
}
}
///
/// This event fires on every page load
///
///
///
protected void Page_Load(object sender, EventArgs e)
{
// Make sure the browser does not cache this page
this.DisablePageCaching();
// Increase authentication attempts
this.AuthenticationAttempts = this.AuthenticationAttempts + 1;
if (this.AuthenticationAttempts == 1)
{
// Change previous user to current user
this.PreviousUser = this.CurrentUser;
// Send the first 401 response
this.Send401();
}
else
{
// When a browser is set to “automaticaly sign in with current credentials”, we have to send two 401 responses to let the browser re-authenticate itself.
// I don’t know how to determine if a browser is set to “automaticaly sign in with current credentials”, so two 401 responses are always send when the user
// does not switch accounts. In Micrososft Office sharepoint the user has to supply the credentials 3 times, when the user does not switch accounts,
// so it think this is not a problem.
if (this.AuthenticationAttempts == 2 && this.CurrentUser.Equals(this.PreviousUser))
{
// Send the second 401 response
this.Send401();
}
else
{
// Clear the session of the current user. This will clear all sessions objects including the “AuthenticationAttempts”
Session.Abandon();
Session.Clear();
// Redirect back to the main page
Response.Redirect(“Default.aspx”, true);
}
}
}
///
/// Make sure the browser does not cache this page
///
public void DisablePageCaching()
{
Response.Expires = 0;
Response.Cache.SetNoStore();
Response.AppendHeader(“Pragma”, “no-cache”);
}
///
/// Send a 401 response
///
public void Send401()
{
// Create a 401 response, the browser will show the log-in dialogbox, asking the user to supply new credentials, // if browser is not set to “automaticaly sign in with current credentials”
Response.Clear();
Response.Buffer = true;
Response.StatusCode = 401;
Response.StatusDescription = “Unauthorized”;
// A authentication header must be supplied. This header can be changed to Negotiate when using keberos authentication
Response.AddHeader(“WWW-Authenticate”, “NTLM”);
// Send the 401 response
Response.End();
}
}
The page after successful login is called Default.aspx(confusing maybe):
public partial class Default : System.Web.UI.Page
{
#region Constants
///
/// The text/xml content type
///
public const string TEXT_XML_CONTENT_TYPE = “text/xml”;
///
/// The text/html content type
///
public const string TEXT_HTML_CONTENT_TYPE = “text/html”;
///
/// The json content type
///
public const string APPLICATION_JSON_CONTENT_TYPE = “application/json”;
#endregion
#region Private members
///
/// The session manager.
///
private SessionManager sm = null;
///
/// The authenticated user.
///
private UserDetails authenticatedUser = null;
///
/// The log4net instance
///
private log4net.ILog log = null;
#endregion
///
/// Method used to handle the request made by the ajax client
///
///
///
/// The ajax caller should have a url parameter called method
protected void Page_Load(object sender, EventArgs e)
{
Response.Expires = 0;
Response.Cache.SetNoStore();
Response.AppendHeader(“Pragma”, “no-cache”);
sm = Session[“SESSION_MANAGER”] as SessionManager;
authenticatedUser = sm.GetUserDetails();
log = sm.GetLogger();
string method = Request[“method”];
if (method != null)
{
string clientReponse = null;
try
{
clientReponse = GetType().InvokeMember(
method,
System.Reflection.BindingFlags.InvokeMethod,
null,
this,
null) as string;
log.WriteLog(Log4netExtensions.LogTypes.Info, “Method ” + method + ” Called”);
}
catch (Exception ex)
{
log.WriteLog(Log4netExtensions.LogTypes.Error, “The Following Exception Occured: ” + ex.ToString());
}
finally
{
// in a very limited number of cases (e.g. Upload) we are forced to return something else than text/xml responses
if (“html” == Request[“contentType”])
{
Response.ContentType = TEXT_HTML_CONTENT_TYPE;
}
else
{
if (sm.ResponseType == ResponseType.XML)
{
Response.ContentType = TEXT_XML_CONTENT_TYPE;
}
else if (sm.ResponseType == ResponseType.JSON)
{
Response.ContentType = APPLICATION_JSON_CONTENT_TYPE;
}
else
{
throw new Exception(“Unknown client-server comunication protocol.”);
}
}
Response.Write(clientReponse);
Response.End();
}
}
}
}
The only difference noticeable is that I use 3 aspx pages, and you use only 2, realizing a loop between them.
Thanks in advance and I hope you will answer this. I am available on bugheanurazvan@gmail.com if you need more details.
Thanks a lot for this article!!!
Definitely a good article. Saved me a lot of time. “Few complete examples” is precisely this one. I have not found any other. I was looking for this for several hours.
Many thanks!
I’ve tried your technique for a Silverlight application and it works but I have a strange behavior. I use a WCF Web service in my application. And if I do two async calls on my page, the switch user does not work well. Most of the time it will keep the previous user. If I keep refreshing the page, it wil randomly display the previous or the new user. Do you have any idea what could cause this behavior?
Thanks
Well that’s a pretty strange behavior, but I did not test the code with Silverlight and WCF, only with ASP .NET.
I suspect it has something to do with the asynchronous calls to the WCF service and the session of the user not being cleared.
Ok I did some changes and found interesting stuff. In the AccessDenied.aspx file, when I was doing the Response.Redirect to my aspx page hosting the Silverlight Application, it never releoded the page, I had a break point and it was skipping it. If User Server.Transfer instead, it works, excepts that the URL on top is still poiting to AccessDenied.aspx
Also I changed the place where the user identification comes from, it’s now done in the aspx hosting my Silverlight Application, this works all the time and fixes the weird issue I had before when I was getting user from the server side hosting the WCF service.
The article is very interesting, I made the example step by step and it works great. I wonder how to integrate this example in sharepoint so that when I click “log in as different user” logging my custom work. Many thanks in advance!!
Hello
I also finally found the solution in this article. I wonder if someone knows now if there is a possibility to return back to the current logged user. I would like to provide a logout function, which would lead back to the original logged user (the same user with the windows logon on the machine).
Thanks a lot for this excelent article.
Hi,
What will happen if click cancel button during signing in as a different user?
I wrote a ASP.NET web application. Its IIS authentication types are set to enable both anonymous and windows integrated authentication. Its ASP.NET authentication type is set to Windows in web.config.
The pages which need user domain identity return 401 status code back to ask user do IIS windows integrated authentication. Here are the codes:
string user = Request.ServerVariables[“LOGON_USER”];
if (string.IsNullOrEmpty(user)) {
Response.Expires = 0;
Response.Cache.SetNoStore();
Response.AppendHeader(“Pragma”, “no-cache”);
Response.Buffer = true;
Response.StatusCode = 401;
Response.StatusDescription = “Unauthorized”;
Response.AddHeader(“WWW-Authenticate”, “NTLM”);
Response.End();
} else{
// Continue to use authenticated domain account
}
And it works well when I input right domain credentials. However, if I only click cancel button for several times in pop-up credential required dialog box, the following message is saw:
XML Parsing Error: no element found
Location: http://localhost/WebServer/Login.aspx
Line Number 1, Column 1:
What I want is it redirects to one specified page when click cancel button. I tried to change static custom error html page for 401 error in its IIS properties dialog. But It did not work.
Could you please give any suggestions?
Thank you SO much for this example. I just can’t understand why google didn’t choose this artice with my queries.
First example that worked exactly as I wanted.
And thanks also, to Matthew T on the asp.net forum for guiding me to this article! Great!
Hi Roel.
I know that it’s been a while since you posted this article, but I’m wondering:
Is there a way to use this solution while the “Automatic logon only in Intranet zone” is set in Internet Explorer?
I need to support single signon (no prompt) the first time the user enters the site, but still allowing the user to change credentials like given in this example.
Apparently the example works, but when integrated in my solution, the application switches from previous to current user randomly when changing pages (after logging in as different user).
Thanks in advance.
Hello Roel,
Excellent example and it works as advertised. However, like Anders, I am trying to implement this with Automatic Logon in Intranet zone. I get a strange behavior where the current user randomly switches back and forth between the previous user and new user. There appears to be no rhyme or reason to the switches. I am using Asp.Net 4.0 with IIS 7. Any ideas on where to look to correct this issue?
Thanks,
Brian
I’m in Brian and Anders boat. I click to login as a different user and that works. However, if I hit refresh over and over… it switched back and forth between current user and previous user.
Hi,
Thanks for the solution for the ‘Sign in as Different User’ when using Windows Authentication.
But I’ve detected the same behavior reported by Brian, Anders and Paul… User data appears somewhat ‘confused’ when I hit refresh or navigate through my app, changing between previous and current user…
Interesting is that I’ve only detected this while using IE8. In Firefox 3.6 it has never happened (until today).
Do you know the reason behind this and some workaround that we can use?
Thanks
Hi have also had a similar problem reported by Brian, Anders and Paul and Nuno using this ‘Sign in as Different User’ approached.
One workaround I have is to switch to basic authentication (on IIS6 on our 2003 server anyway). Though I know this isn’t a great workaround, were using SSL anyway.
Hello,
I also have experienced the same issue as Andy, Brian, Anders, Paul and Nuno. It seems to have disappeared since I changed this:
// Redirect back to the main page
Response.Redirect(“Default.aspx”);
to this:
// Redirect back to the main page
Response.Redirect(“Default.aspx”, true);
I have the same problems like Pete, Andy and others, username is changing randomly. Well, using Petes code didn’t help.
Any ideas?
Hey, Guys…
Roel, an excelent article, saved me tons of time.
I was experiencing the same problem as Björn, Pete and others. And I figured out what happens: before the redirect to the default.aspx the user is correct. But, when the default.aspx loads the user is wrong. At this moment, if you press CTRL+F5 in your browser you will note the user is right again.
I’ve made a quick search about this behavior but I didn’t find anything. I solved the problem removing the Session.Abandon() call and setting my new user session data before the Response.Redirect(“default.aspx”).
I hope it helps!
Heverson pls post your code. I still have problem with switching users (when i refresh or go to other page it always switch between users).
Hi,
It works perfectly!
One question, how to clear the password? I need the user to key in the password again
Thanks
This is exactly what I have been looking for, thank you very much for providing a total working example of how to prompt for a new user login prompt, worked perfect, thanks again.
Having the same problem as Björn, Pete and others with switching users randomly. I’ve been able to track down what’s causing it but not been able to solve it. I had it working in a separate solution but when I added it to my current web site the user kept changing back and forth randomly.
It turns out that if the site have referenced more than one CSS file this happens, if I remove the CSS files it works correctly or if I combine all the CSS files into one it also works.
I’m clueless, tried all sorts of things.
Found the solution, no more randomly switching between new and old user. Had to add another aspx page between Default.aspx and AccessDenied.aspx called ClearAuthenticationCache.aspx and it looks like this:
$(document).ready(function () {
document.execCommand(‘ClearAuthenticationCache’, false);
parent.location.href = “AccessDenied.aspx”;
});
You are a genious mannn!!!!!!!!!
Very Very usefull!!!
Twitted on my account: http://twitter.com/#!/AndreaRegoli
TNX
Thanks! Very usefull atricle! 🙂
The only thing – I had to disable caching in IIS – it seemed to make strange behavior – user was switching from user1 to user 2 and back after relogon and hitting F5 in IE
Hi Roel,
i had a request from a customer to come up with a solution for switching the user account. After a quick search on bing I found your solution. But I’ve needed something more “deployable” and modified your code to run without sessions and work as an HTTP Handler. I’ve credited you on the codeplex page. Let me know if you are not fine with it.
http://signinas.codeplex.com/
Ciao Marco
http://marcoscheel.de
Good job, it’s fine by me.
As Neil mentioned, this works perfectly,
however, is there a way to clear the password field if clicking log on as different user again?
Thanks
Works great. I was getting strange behaviour at first where it would only work the first time I tried switching. I added _authenticationAttempts = 0; to the final else just before the redirect to “Default.aspx”.
Apparently the page was being cached for some reason… but that fixed it.
Clicking after “Sign in as a different user”, windows dialog box shows up. If I click “cancel” that dialog box, it shows to Accessdenied.aspx page. It suppose to show IIS access denied page.
I have two users, both in the Administrators group. When I first login, the call to HttpContext.Current.User.IsInRole(“Administrators”) returns true. However, after changing user, this call returns false. Is anyone else experiencing this behavior or does anyone have a solution?
Thanks
This has been the most helpful site I’ve seen in my entire time on the project I’ve been working on. I was searching this error all morning and everything I was reading was saying that you can’t log out of Windows Authentication. I knew it had to be possible, and you have shown that it is. Your code worked great. I used it in my web application and replaced the Log Out button that the Site.Master page comes with with the “Sign in as a different user” button and it worked really well. This way the user can switch to a different user from any page. Thank you so much! I’ll be able to use this in many future projects that I already have planned.
Thank you. It works well. I implemented this in MVC. Initially my style-sheets were breaking, but when in published on server, it worked well. Good Job.
Thank you. I need to implement the same for MVC. Prateek, please provide the source code?
Great solution….Thanks
I also need the same for MVC.
Pratek or Varsha, could you provide me the code?
Don’t want to reinvent the wheel 😉
Thx
Thanks! Great article.
However, Is there any way to clear the password field if user clicks on “Sign as Different User”??
Because In my application, i am trying to use this functionality for login again to the appilication from logout page. If credentials are stored there is no use of prompting the dialog again. Is there any code fix for clearing the old credentials?
How we do this in AngularJS?
I’ve been working with this in a webforms site. I notice that the Send401() method throws and exception at Response.End() which I read is by design. My problem is that if I enter bad credentials the login just disappears as if it took them.
What is the expected behavior when bad credentials are entered?