Thursday, March 20, 2014

Why MVC 4 Intranet Applications Throw Access Denied!



The Task/Issue:


Let's assume that you are logged in to your company's domain. Your boss comes into your cube and asks you to create an intranet application for internal company use. She starts dictating the requirements, but before she completes the first sentence her cell phone rings and off she goes. You are the go-get-it type that she likes, so you start by firing up Visual Studio and creating an MVC 4 application based on the Intranet template. You hit F5 for a quick test. Unexpectedly you get an "Access is denied" page: IIS Express returns HTTP 401 (Unauthorized) before a single line of your code runs. That feels like a punch in the nose. If you, the developer, get access denied to your own little creation, nobody else will be able to access it either. Is MS pulling your leg or what?


The Questions:


Well, Windows Authentication is *disabled* by default in IIS Express for a new MVC application! More surprisingly, Anonymous Authentication is *enabled* by default! The Intranet template, on the other hand, generates a Web.config with `<authentication mode="Windows" />` and an authorization rule that denies anonymous users (`<deny users="?" />`). Put the two together and every request arrives at ASP.NET as an anonymous user, ASP.NET rejects it with a 401, and because no authentication scheme is enabled on the web server, the browser is never offered a WWW-Authenticate challenge it could answer with your domain credentials. Hence the access denied. This default is based on the understanding that the majority of developers who are creating intranet applications are not developing against an Active Directory server sitting somewhere on the company's premises or in a hosting cloud (I am *not* one of those... wonder if you are!). Isn't this a strange assumption? Why would one create an intranet app without an AD authentication service or a firewalled environment? And Anonymous Authentication buys you nothing here: the deny rule in Web.config already blocks anonymous users, so its only effect is that the unauthenticated request gets as far as ASP.NET and is rejected there, and it certainly doesn't let you, the developer, in. Nevertheless, using the approach in the following section, your application will authenticate against AD correctly.


The Fix:


Make sure the Intranet project is the active project by clicking its name in the Solution Explorer, then open the Properties window (View > Properties Window, or F4). Note the value of the "Windows Authentication" property. By default it is set to "Disabled"; set it to "Enabled". These two project properties do not touch your Web.config; they write a `<location>` entry for your project into the IIS Express applicationhost.config. Set "Anonymous Authentication" to "Disabled" as well, so that IIS Express challenges every request up front instead of relying on the deny rule in Web.config to turn anonymous requests away. Hit F5 and you will see that the access denied is gone; instead the top right corner of the page greets you with your domain account name ("Hello, DOMAIN\user!"). So you are in, and so will everybody else with a set of company credentials be able to log in to your app magically, without filling in a login form. One practitioner's check before you hand it over: when you deploy, make the same two changes on the IIS server that hosts the app (the site's Authentication feature: Windows Authentication enabled, Anonymous Authentication disabled), or the deployed app will throw exactly the same error as your dev box did. Well, almost "magically"...
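The configuration behind the fix, as an added example that is not from the original post or the template's own files. It shows the Web.config authorization rule the Intranet template generates next to the IIS Express site settings before and after the change; the project name "IntranetApp" and the file paths are assumptions.

```xml
<!-- Added example, not from the original post. Two separate files are shown;
     the project name "IntranetApp" is an assumption. -->

<!-- 1. Web.config as generated by the MVC 4 Intranet template.
     "?" means anonymous users: they are denied, so the app relies on the
     web server having already authenticated the caller. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- 2. IIS Express site settings, kept in
     %USERPROFILE%\Documents\IISExpress\config\applicationhost.config.
     The "Windows Authentication" / "Anonymous Authentication" project
     properties in Visual Studio edit this <location> block for you. -->

<!-- Default for a new project: every request is anonymous, Web.config
     denies it, and no WWW-Authenticate challenge is ever sent -> 401. -->
<location path="IntranetApp">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- Fixed: the server challenges with Negotiate (Kerberos, falling back
     to NTLM) and NTLM, and no longer accepts anonymous requests at all.
     The provider list is the IIS default, written out here to show the
     order in which the schemes are offered. -->
<location path="IntranetApp">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

A quick way to confirm the server side without involving the browser: request the site with a client that sends no credentials (for example `curl -I http://localhost:<port>/`). Before the fix the 401 response carries no `WWW-Authenticate` header; after it the response should list `Negotiate` and `NTLM`, which is what lets the browser complete the login silently. On a full IIS server the same element names live in the site's Authentication feature and in the server's applicationHost.config.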


IE Settings:


The behavior actually depends on two settings in IE. Firstly, http://localhost must be recognized as a Local intranet site, so add it to the Local intranet zone via Internet Options > Security > Local intranet > Sites > Advanced. Secondly, the User Authentication setting for the Local intranet zone should be "Automatic logon only in Intranet zone", which is the default; you can check it under Internet Options > Security > Local intranet > Custom level... > User Authentication > Logon. With both in place the "magic" is simply this: IE answers the server's Negotiate/NTLM challenge with the credentials of the logged-on Windows user, but only for sites in the Local intranet zone; a site in the Internet zone gets a username and password prompt instead. Two caveats for the deployed app. IE puts plain host names such as http://appserver/ in the Local intranet zone automatically, but a fully qualified name such as http://appserver.corp.example.com/ lands in the Internet zone unless it is listed, so either use the short name or push the URL to every company machine through the "Site to Zone Assignment List" Group Policy. And the silent logon is an IE behavior: Chrome on Windows honors the same zone settings, while Firefox needs the site added to its network.automatic-ntlm-auth.trusted-uris preference before it will send Windows credentials.