I am trying to set up an ASP.NET MVC site to use LDAP. I feel like I have everything set up right, but Membership.ValidateUser keeps returning false when I am expecting it to return true. I've read some documentation, like for example this one on AD membership, but one thing I want to make sure I completely understand as I am troubleshooting is this:
Is the defaultProvider attribute value something specific provided by Microsoft? Or is it just an arbitrary name, and we can call it anything?
This is my current web.config setup:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://dc1.dc2.dc3.dc4/DC=dc1,DC=dc2,DC=dc3,DC=dc4" /
</connectionStrings>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<clear />
<add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
</providers>
</membership>
Related
I'm having a problem with a Glimpse installation in a Sitecore 8.1 environment. I'm trying to create a simple Glimpse Security Policy which would check if the current user is a Sitecore admin.
if (!Sitecore.Context.User.IsAdministrator)
{
return RuntimePolicy.Off;
}
This is functionally the same as the example given in the sample code that Glimpse provides on installation through NuGet, which is,
var httpContext = policyContext.GetHttpContext();
if (!httpContext.User.IsInRole("Administrator"))
{
return RuntimePolicy.Off;
}
The problem is that when this code is hit, and the request is directed at glimpse.axd, the user is always reset to extranet\Anonymous. Sitecore always sets an anonymous user when there is none. Any requests that are not to the glimpse handler pass the check and set RuntimePolicy.On.
I have the following in the web.config
<modules runAllManagedModulesForAllRequests="true">
<remove name="WebDAVModule"/>
<add type="Sitecore.Web.RewriteModule, Sitecore.Kernel" name="SitecoreRewriteModule"/>
<add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode"/>
<add type="Sitecore.Nexus.Web.HttpModule,Sitecore.Nexus" name="SitecoreHttpModule"/>
<add type="Sitecore.Resources.Media.UploadWatcher, Sitecore.Kernel" name="SitecoreUploadWatcher"/>
<add type="Sitecore.IO.XslWatcher, Sitecore.Kernel" name="SitecoreXslWatcher"/>
<add type="Sitecore.IO.LayoutWatcher, Sitecore.Kernel" name="SitecoreLayoutWatcher"/>
<add type="Sitecore.Configuration.ConfigWatcher, Sitecore.Kernel" name="SitecoreConfigWatcher"/>
<remove name="Session"/>
<add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition=""/>
<add type="Sitecore.Analytics.RobotDetection.Media.MediaRequestSessionModule, Sitecore.Analytics.RobotDetection" name="MediaRequestSessionModule"/>
<add type="Sitecore.Web.HttpModule,Sitecore.Kernel" name="SitecoreHttpModuleExtensions"/>
<add name="SitecoreAntiCSRF" type="Sitecore.Security.AntiCsrf.SitecoreAntiCsrfModule, Sitecore.Security.AntiCsrf"/>
</modules>
The question is, why are the requests that are meant for /glimpse.axd not passing along the same authentication cookies as requests to the rest of the site?
I'm working on a website in ASP.NET and unfortunately I have to use MySql to store the site's data.
I'm really struggling to get MySql work with the CreateUserWizard functionality, and I'm just losing it.
Until I defined custom properties in the Web.Config, everything was fine, and I actually managed to register some fake users. Then I wanted to add some other properties, like address, gender, and so on. I added those properties in the Web.Config like this:
Web.Config
<profile enabled="true" defaultProvider="MySqlProfileProvider">
<providers>
<clear/>
<add name="MySqlProfileProvider" autogenerateschema="True" type="MySql.Web.Profile.MySQLProfileProvider, MySql.Web, Version=6.8.3.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D" conectionStringName="connMySql" applicationName="/"/>
</providers>
<properties>
<add name="Nome" type="string"/>
<add name="Cognome" type="string"/>
<add name="Sesso" type="string"/>
<add name="DataNascita" type="datetime"/>
<add name="Indirizzo" type="string"/>
<add name="Citta" type="string"/>
<add name="Provincia" type="string"/>
<add name="CAP" type="int"/>
</properties>
</profile>
Please note that my Connection String is correct, since I used it in other parts of my Web.Config and runs just fine.
Later on, in my sign up page, I wrote this code (after validating the input, of course), to update the created user.
register.aspx.cs
protected void wizard1_CreatedUser(object sender, EventArgs e)
{
ProfileCommon p = (ProfileCommon)ProfileCommon.Create(wizard1.UserName, true);
p.Nome = ((TextBox)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("Nome")).Text;
p.Cognome = ((TextBox)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("Cognome")).Text;
p.Sesso = ((DropDownList)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("Sesso")).SelectedValue;
p.DataNascita = System.Convert.ToDateTime(((TextBox)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("DataNascita")).Text);
p.Indirizzo = ((TextBox)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("Indirizzo")).Text;
p.Citta = ((TextBox)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("Citta")).Text;
p.Provincia = ((TextBox)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("Provincia")).Text;
p.CAP = System.Convert.ToInt32(((TextBox)wizard1.CreateUserStep.ContentTemplateContainer.FindControl("CAP")).Text);
p.Save();
}
All the controls are well positioned into the .aspx page.
So, when I run the page, I can see the form and type the data in. Then my code validates the input, and if it's all correct, it creates the user and gets into the wizard1_CreatedUser function, where it stops at the p.Nome = ... part, which actually is the first instruction that makes use of the MySqlProfileProvider.
It just says Host 'Hostname' is not allowed to connect to this MySQL server BUT MySqlRoleProvider and MySqlMembershipProvider work just fine. In fact, the user is created, but my custom profile data aren't, since the code stops there.
I'm using a DB User with all the privileges.
I'm probably missing something, but I don't really know what.
Thank you.
Turns out that I needed to enable Full Trust.
Also, some files were mispositioned (they were not in the very root of the website).
Up to now, I can create Custom Membership Provider and Custom Role Provider, but I have problem with Custom Profile Provider. After looking at some demo, I've found out that they use web.config to define the schema for the Profile. For example, in the tag <profile>:
<properties>
<add name="AddressName"/>
<add name="AddressStreet"/>
<add name="AddressCity"/>
<add name="AddressState"/>
<add name="AddressZipCode"/>
<add name="AddressCountry"/>
</properties>
To access that field, they use Profile.AddressName, Profile.AddressStreet, etc...
My question is: is that the only way to define the profile schema? If I want to use my UserProfile table in my database, what should I do? I need the way to read I write the data.
Thanks for your help.
Probably not much of use to the original poster, but it looks like you can do as described in this blog post. The gist is that you let the generated profile class inherit your own class which in turn inherits from ProfileBase, and finally override ProfileProvider:
<profile inherits="Acme.MyApplication.ProfileCommon,MyApplication" defaultProvider="EfTableProfileProvider">
<providers>
<clear />
<add name="EfTableProfileProvider" type="Acme.MyApplication.EfTableProfileProvider,Facade" connectionStringName="ApplicationServices" applicationName="/MyApplication"/>
</providers>
</profile>
I've created an MVC 4 app and for the first time I am trying to use membership.
I have a sql database where I have created the membership tables and using "ASP.NET Configuration" I have selected my providers, added roles and a user.
When I try to login using the login page, I get the error;
To call this method, the "Membership.Provider" property must be an
instance of "ExtendedMembershipProvider".
I am not using azure nor am i using NuGet.
My config file looks like;
<membership defaultProvider="SqlMembershipProvider">
<providers>
<add connectionStringName="ApplicationServices" name="SqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="SqlRoleProvider">
<providers>
<add connectionStringName="ApplicationServices" name="SqlRoleProvider"
type="System.Web.Security.SqlRoleProvider" />
</providers>
</roleManager>
That's all that was added for me.
My account controller has the following attribute but removing it makes no difference.
[InitializeSimpleMembership]
and it fails on this line;
if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
What do I need to do to be able to log users in?
You set SqlMembershipProvider in config but trying to use SimpleMembershipProvider
Pick one and cofigure your app accordingly.
If you set up db against SimpleMembersip (most frequently one table with UserId, Username and other fields), then change your config as follows and make sure InitializeSimpleMembershipFilter looks for userId, username fields as they are set up in your table:
<membership defaultProvider="SimpleMembershipProvider">
<providers>
<clear/>
<add name="SimpleMembershipProvider" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
</providers>
</membership>
<roleManager defaultProvider=“SimpleRoleProvider“>
<providers>
<add name=“SimpleRoleProvider“ type=“WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData“/>
</providers>
</roleManager>
Otherwise, to set up SqlMembershipProvider you may refer to the bottom of this page: http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.aspx
I've implemented a challenge-response scheme as an Ajax handler.
For some reason it stopped working after working fine for a couple months.
Investigating the issue showed that Context.Session[KEY] had lost its value between the challenge and the response calls.
I put Session_Start and Session_End (and a few other) methods in Global.asax.cs with some logging there and I see a new Session_Start event being fired with the same session ID and there was no Session_End event
Question is: why does IIS lose the session values?
Update: I tried switching to SQLServer sessions but there was no change in behavior. On rare occasions sessions work as intended, not sure why. I tried all "session losing variables" troubleshooting guides I could find to no effect
UPDATE 2: I narrowed down the issue to a missing session cookie, but modifying my.browsers config didn't resolve the issue after several attempts. When I call the ajax handler from a browser the session cookie "ASP.NetSessionId" shows up as expected. I changed the cookie name in IIS settings for both the site and the server to "SessionId" but I kept seeing ASP.NET, even after restarting the server. I would still like to give the bounty to someone who has an idea what's going on. In the meanwhile I worked around this problem by setting a session cookie in code.
Pseudo code for Login.ashx:
string login = GetParameter("login", context);
string passhash = GetParameter("pass", context);
string challenge = "" + Context.Session["CHALLENGE"];
if (!string.IsNullOrEmpty(challenge))
{
// this is the 'response' part
string challengeResponse = Crypto.GetChallengeResponse(Challenge, UserFromDB.PassHash);
if (challengeResponse == passhash)
{
// Great success, challenge matches the response
Log.I("Success");
return "SUCCESS";
}
else
{
Log.W("Failed to respond");
return "FAILED TO RESPOND";
}
}
else
{
// if passed login or session-stored challenge are empty - issue a new challenge
challenge = "Challenge: "+ Crypto.GetRandomToken();
Context.Session["CHALLENGE"] = challenge;
Log.I("Sent Challenge"); // this is what's in the log below
return challenge;
}
Here's the log, Session started appears with each call, Session.Keys.Count stays 0 even though Session["CHALLENGE"] should have been set:
// This is the challenge request:
[] **Session started**: sr4m4o11tckwc21kjryxp22i Keys: 0 AppDomain: /LM/W3SVC/1/ROOT-4-130081332618313933 #44
[] Processing: <sv> **MYWEBSITE/ajax/Login.ashx** SID=sr4m4o11tckwc21kjryxp22i
[] Sent Challenge #Login.ashx.cs-80
// this is the response, note that there's another Session started with the same id
// and the session didn't keep the value ["CHALLENGE"], there are no session-end events either
[] **Session started**: sr4m4o11tckwc21kjryxp22i Keys: 0 AppDomain: /LM/W3SVC/1/ROOT-4-130081332625333945 #93
[] Processing: <sv> **MYWEBSITE/ajax/Login.ashx?login=MYLOGIN&pass=RuhQr1vjKg_CDFw3JoSYTsiW0V0L9K6k6==**
[] Sent Challenge #Login.ashx.cs-80 >Session: sr4m4o11tckwc21kjryxp22i
web config, sanitized
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=4.4.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</configSections>
<appSettings>
<add key="IncludeStackTraceInErrors" value="false" />
</appSettings>
<connectionStrings>
<add name="ApplicationServices" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient" />
<add name="MYConnection" connectionString="metadata=res://*…. and a bunch of other stuff that works" providerName="System.Data.EntityClient" />
</connectionStrings>
<system.web>
<compilation targetFramework="4.5">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>
</compilation>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>
</profile>
<roleManager enabled="false">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<pages controlRenderingCompatibilityVersion="4.0" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
</entityFramework>
</configuration>
What is the default value for Idle Time-out ? If the app pool times out your session goes bye bye
See Application Pool (Advanced Settings) -> Idle Time-out
I think it defaults to five minutes.
See this link for advice on setting the idle timeout
You could also experience your issue if your running as a webgarden when it's not needed; look at Maximum Worker Processes, try setting it to 1 and retest
I can see you are using handler for that purpose which would always return null.
You need to implement IReadOnlySessionState.
Check out http://www.hanselman.com/blog/GettingSessionStateInHttpHandlersASHXFiles.aspx
Add IRequiresSessionState to your handler implimentation
ex
public class handler_name:IHttpHandler, IRequiresSessionState