I have an MVC 4 web application that uses Windows Authentication. I deploy that app to a real web server with IIS 7. The Windows Authentication function works well with Internet Explorer (IE), Firefox (FF), and Safari, but it does not work with Chrome; I am using Chrome version 27.
Here, "works" means that when a user opens a browser (IE, FF, or Safari) and browses to the web application site, he/she is first prompted to provide valid credentials in a dialog box. Then, if his/her credentials are valid, the user is allowed to view the web site pages.
"Does not work with Chrome" means Chrome always lets users browse the web pages right away without seeing the credential dialog box and without prompting them to enter credentials in the dialog box as IE, FF or Safari does! That is the security hole issue with Chrome I do not know how to solve, although I tried to clear cookies and caches for my Chrome browser and shut down and open Chrome again. I know the "cookie clear" action for Chrome is not supposed to do anything, because Windows Authentication mode in IIS has nothing to do with cookies like Forms Authentication mode does.
The very first time I tested my web application with Chrome, right after deploying the web application to the server, Chrome did prompt me to input credentials in the dialog box, but from the second time on, Chrome does not prompt me any more; it lets me as a user bypass the credential dialog to see my MVC web application pages.
My question:
Please let me know what I should do to stop the Chrome browser from letting users bypass the credential prompt dialog box. Users should be prompted to provide their credentials before they can see my web pages. Thank you in advance.
I followed the 3 steps below to make my MVC web application work with IE, FF and Safari, but my application fails with Chrome as mentioned above.
#1
In the web configuration (web.config) file of my MVC 4 web application (Intranet Template), I specify the Windows Authentication function as:
<authentication mode="Windows" />
<authorization>
    <deny users="?" />
</authorization>
#2
On the real web server, in IIS version 7, I open my MVC web site application node and head to its Authentication node to enable Windows Authentication, and disable Anonymous Authentication.
#3
I have decorated some actions of a tested controller with the [Authorize] attribute.
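
An added example, not part of the original post: a Python check that a web.config carries the two settings from step #1, taking into account that ASP.NET URL authorization applies the first rule that matches. The sample documents and the function name `audit_web_config` are constructed for illustration; the `<system.web>` wrapper is assumed, rules restricted with a `verbs` attribute are not modelled, and the IIS-level settings from step #2 are outside what this file check can see.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from step #1 inside the <system.web>
# element that a complete web.config places it in (assumed wrapper).
SAMPLE_OK = """<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web></configuration>"""

# Constructed counter-example: the allow rule comes first and matches
# everyone, so the deny rule after it never applies to anonymous users.
SAMPLE_BAD = """<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow users="*" />
    <deny users="?" />
  </authorization>
</system.web></configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section"]
    auth = web.find("authentication")
    mode = auth.get("mode") if auth is not None else None
    if mode != "Windows":
        findings.append("authentication mode is not explicitly 'Windows'")
    # Rules are evaluated top to bottom and the first match wins.
    # "?" is the anonymous user, "*" is every user (anonymous included).
    verdict = None
    rules = web.find("authorization")
    for rule in (rules if rules is not None else []):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            verdict = rule.tag
            break
    if verdict != "deny":
        findings.append("anonymous users are not denied by the first matching rule")
    return findings


if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_web_config(doc))
```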