I have successfully set up a test area on my website which is authenticated using forms auth on IIS 8. I am using this in integrated mode with ASP.NET, which as I understand it should mean that with the correct web.config file I am able to make the server use the ASP.NET auth on everything, not just URLs. If I try to navigate to a page that I haven't entered the credentials for, it returns an error 403, which is what I expect. However, if I put in the exact path of a file stored on the site, it downloads the file without the need for credentials to be provided. Here is my current top-level web.config:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false">
    </compilation>
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" loginUrl="default.aspx" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="staff/test/test">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
The area /staff/test/test has a Word document in it. If I type www.website.com/staff/test/test/test.doc into my browser it downloads the file.
What should I change to secure that file?
Thanks for your replies. In the end it turned out to be the security permissions on the root of the website. The code I originally pasted here worked fine; I had the server\users group with read permissions, whereas I only needed IIS_IUSRS to have read permissions.
Thanks again
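As an added check (example code written for this page, not from the question or the reply above): in IIS integrated mode the managed modules that enforce forms authentication and URL authorization are, by default, registered in applicationHost.config with preCondition="managedHandler", so they never run for a static file such as a .doc; the request goes straight to the static-file handler with no authentication at all. The two ways to change that are to re-register the modules without the precondition (which is what removing and re-adding them in the question's web.config does) or to set runAllManagedModulesForAllRequests="true" on <modules>. The script below reads a web.config and reports whether each of the two modules will run for static files. The three configs embedded in it are constructed for illustration, and it assumes that a module the site's web.config does not declare keeps the IIS default registration with the managedHandler precondition.

```python
"""Check whether a web.config wires FormsAuthentication and UrlAuthorization
so that they also run for static files (IIS 7+ integrated mode).

Added example, not code from the question or the reply. Assumption: a
module that the site's web.config does not declare keeps the default
applicationHost.config registration, which carries
preCondition="managedHandler" and therefore skips static files.
"""
import xml.etree.ElementTree as ET

# Managed modules that must run for *every* request, keyed by CLR type
# (the "name" attribute is whatever the author chose, so match on type).
AUTH_MODULE_TYPES = {
    "System.Web.Security.FormsAuthenticationModule": "forms_authentication",
    "System.Web.Security.UrlAuthorizationModule": "url_authorization",
}


def _child(element, tag):
    """Direct-child lookup by tag (avoids ElementPath quirks with dotted names)."""
    if element is None:
        return None
    for node in element:
        if node.tag == tag:
            return node
    return None


def static_file_coverage(web_config_xml: str) -> dict:
    """Return {module_label: True if that module runs for static files}."""
    root = ET.fromstring(web_config_xml)
    modules = _child(_child(root, "system.webServer"), "modules")
    coverage = {label: False for label in AUTH_MODULE_TYPES.values()}
    if modules is None:
        return coverage  # nothing overridden: applicationHost defaults apply

    run_all = modules.get("runAllManagedModulesForAllRequests", "false").lower() == "true"
    if run_all:
        # IIS ignores the managedHandler precondition for every managed module.
        return {label: True for label in coverage}

    for add in modules.findall("add"):
        type_name = (add.get("type") or "").split(",")[0].strip()
        label = AUTH_MODULE_TYPES.get(type_name)
        if label is None:
            continue
        preconditions = {p.strip().lower() for p in (add.get("preCondition") or "").split(",")}
        coverage[label] = "managedhandler" not in preconditions
    return coverage


# Constructed configs for illustration (no XML declaration, so leading
# whitespace is harmless).
QUESTION_STYLE_CONFIG = """
<configuration>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
  </system.webServer>
</configuration>
"""

DEFAULT_PRECONDITION_CONFIG = """
<configuration>
  <system.webServer>
    <modules>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"
           preCondition="managedHandler" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""

RUN_ALL_CONFIG = """
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in [("question style", QUESTION_STYLE_CONFIG),
                      ("default precondition", DEFAULT_PRECONDITION_CONFIG),
                      ("runAllManagedModulesForAllRequests", RUN_ALL_CONFIG)]:
        print(name, static_file_coverage(cfg))
```

The live counterpart of this check is to request the document with no authentication cookie: with the modules running for all requests, forms authentication answers with a 302 to the loginUrl, whereas a 200 with the file body means the request never passed through them. Two things the script does not model: a <remove> with no matching <add> unloads the module entirely, and NTFS permissions on the content directory are enforced by the static-file handler independently of any ASP.NET module.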
I have developed a simple ASP.NET MVC 4 application using Windows Authentication to run on our company's local network. It works fine when deployed on IIS. But if I run the application through Visual Studio, I get error message
Here is what my Web.config file looks like:
<system.web>
  <authentication mode="Windows" />
  <roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
    </providers>
  </roleManager>
  <compilation debug="true" targetFramework="4.5" />
  <httpRuntime maxUrlLength="32767" maxQueryStringLength="32767" targetFramework="4.5" />
</system.web>
<system.webServer>
  <modules>
    <!--<remove name="FormsAuthenticationModule" />-->
  </modules>
  <security>
    <requestFiltering>
      <requestLimits maxUrl="32767" maxQueryString="32767" />
    </requestFiltering>
  </security>
</system.webServer>
For debugging, the application is configured to run using "Local IIS Web Server" with the "Use IIS Express" option checked in the application's Properties -> Web tab.
It turns out to be that I had to Enable Windows Authentication, Disable Anonymous Authentication in the Development Server Properties of my Project.
You need to add this to your project's Web.config:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="1" />
  </authentication>
</system.web>
Where /Account/Login is your login action on the controller.
Make sure your Directory Browsing is enabled.
See this link for adding user in IIS.
I have placed a C# web app on our IIS server, creating an application for it. I then changed the "Authentication" type to Windows authentication for the site and also in the XML tags in my web.config file. Now, when I navigate to the site, it asks me for the login username and password, but then does not authenticate, asking over and over for my credentials. In the browser login popup, I am typing
Domain\Username
Password.
How can I see why it will not authenticate, or find out what is wrong? I have done everything in the articles I have found, but cannot find the issue. It is as if the server does not authenticate, yet I can remote desktop to it with the same credentials, so it is on the domain.
Here is my web.config file snippet with the settings:
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="false"/>
  <authorization>
    <allow users="*"/>
    <deny users="?"/>
  </authorization>
</system.web>
enable="true" />
I also added the same configuration to the applicationHost file on the IIS server. The entry is below:
<location path="TaxFormerWebApp">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" useKernelMode="true">
          <extendedProtection tokenChecking="None" />
          <providers>
            <clear />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
      <requestFiltering>
        <fileExtensions applyToWebDAV="false" />
        <verbs applyToWebDAV="false" />
        <hiddenSegments applyToWebDAV="false" />
      </requestFiltering>
    </security>
  </system.webServer>
</location>
I have set up member folders in C# ASP.NET WebForms before to only allow certain users and to redirect if the user is not authenticated. I am wondering whether this is possible, and how I would implement it: authenticate based on whether a Session variable is present (filled with a value), and do not authenticate if the Session is null.
I was hoping that something like this would be possible, similar to how you can set permissions in web.config for an entire folder.
It can be done with the help of standard ASP.NET features. I will try to advise one possible solution for it. First you need to set up "web form authentication" (ASP.NET Authentication); you should modify your web.config.
<system.web>
  <authentication mode="Forms">
    <forms name="Custom" loginUrl="/login.aspx" />
  </authentication>
</system.web>
Then you also need to specify the member locations in the web.config (ASP.NET Authorization).
<location path="folders/memberN">
  <system.web>
    <authorization>
      <allow roles="memberN"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
This will allow all users in group "memberN" to work under "folders/memberN" path.
Next we need to add membership and role providers to your web.config. Here the membership and role providers are configured on top of the SQL Server provider.
<configuration>
  <connectionStrings>
    <add name="SqlServices"
         connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
  </connectionStrings>
  <system.web>
    <roleManager defaultProvider="SqlProvider"
                 enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".ASPROLES"
                 cookieTimeout="30"
                 cookiePath="/">
      <providers>
        <!-- applicationName must be the same for the role and membership providers,
             otherwise users and roles are stored under different application scopes -->
        <add name="SqlProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="SqlServices"
             applicationName="/" />
      </providers>
    </roleManager>
    <membership defaultProvider="SqlProvider"
                userIsOnlineTimeWindow="20">
      <providers>
        <remove name="AspNetSqlProvider" />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SqlServices"
             applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>
Finally we need to create the special tables in the database (more details).
%WINDOWS%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -S <server> -E -d <database> -A all
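Because the rules in <authorization> are evaluated top to bottom and the first match wins, their order matters as much as the rules themselves: the <allow users="*"/> followed by <deny users="?"/> in the Windows-authentication question above lets anonymous requests through, while <deny users="?"/> first blocks them, and the <allow roles="memberN"/> followed by <deny users="*"/> in this answer admits only that role. The following model of how UrlAuthorizationModule evaluates rules is an added example, not code from either post; the Principal type and the rule sets it evaluates are constructed for illustration. It reproduces the documented semantics: "*" matches everyone, "?" matches only unauthenticated requests, verbs filter by HTTP method, rules from a <location> or a subdirectory web.config are checked before inherited ones, and a request that matches no rule is allowed (the machine-level default).

```python
"""Model of how ASP.NET's UrlAuthorizationModule evaluates <authorization> rules.

Added example (not code from any of the posts above). Principal and the
embedded rule sets are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Principal:
    name: Optional[str]                # None means anonymous (not authenticated)
    roles: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    users: List[str]
    roles: List[str]
    verbs: List[str]


def _split(value: Optional[str]) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def parse_rules(authorization_xml: str) -> List[Rule]:
    """Parse one <authorization> element into its ordered allow/deny rules."""
    root = ET.fromstring(authorization_xml)
    return [Rule(el.tag, _split(el.get("users")), _split(el.get("roles")), _split(el.get("verbs")))
            for el in root if el.tag in ("allow", "deny")]


def rule_matches(rule: Rule, principal: Principal, verb: str) -> bool:
    if rule.verbs and verb.upper() not in {v.upper() for v in rule.verbs}:
        return False
    for user in rule.users:
        if user == "*":                                   # everyone, anonymous included
            return True
        if user == "?" and principal.name is None:        # anonymous only
            return True
        if principal.name is not None and user.lower() == principal.name.lower():
            return True
    principal_roles = {r.lower() for r in principal.roles}
    return any(role.lower() in principal_roles for role in rule.roles)


def is_authorized(rule_sets: List[List[Rule]], principal: Principal, verb: str = "GET") -> bool:
    """rule_sets: most specific first (a <location> or subdirectory web.config),
    then the parent's rules. The first matching rule decides; no match means allow."""
    for rules in rule_sets:
        for rule in rules:
            if rule_matches(rule, principal, verb):
                return rule.action == "allow"
    return True


# Constructed rule sets mirroring the configs discussed above.
ALLOW_ALL_THEN_DENY_ANON = '<authorization><allow users="*"/><deny users="?"/></authorization>'
DENY_ANON_THEN_ALLOW_ALL = '<authorization><deny users="?"/><allow users="*"/></authorization>'
MEMBER_FOLDER = '<authorization><allow roles="memberN"/><deny users="*"/></authorization>'
ROOT_ALLOW_ALL = '<authorization><allow users="*"/></authorization>'
LOCATION_DENY_ANON = '<authorization><deny users="?"/></authorization>'


def demo() -> dict:
    anonymous = Principal(None)
    member = Principal("alice", {"memberN"})
    outsider = Principal("bob")
    location_then_root = [parse_rules(LOCATION_DENY_ANON), parse_rules(ROOT_ALLOW_ALL)]
    return {
        "allow*_then_deny?_anonymous": is_authorized([parse_rules(ALLOW_ALL_THEN_DENY_ANON)], anonymous),
        "deny?_then_allow*_anonymous": is_authorized([parse_rules(DENY_ANON_THEN_ALLOW_ALL)], anonymous),
        "member_folder_member": is_authorized([parse_rules(MEMBER_FOLDER)], member),
        "member_folder_outsider": is_authorized([parse_rules(MEMBER_FOLDER)], outsider),
        # <location> rules are evaluated before the root's <allow users="*"/>.
        "location_deny_anonymous": is_authorized(location_then_root, anonymous),
        "location_deny_authenticated": is_authorized(location_then_root, outsider),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The first two cases are the point: with <allow users="*"/> ahead of <deny users="?"/>, the deny rule is never reached for anyone, so the deny must come first. The same first-match logic is why a <location> block can tighten a permissive root: its rules are consulted before the inherited ones.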
We use Windows Authentication with a session timeout of 20 seconds. After 20 seconds, the session expires and the user is redirected to the sessionExpired page. The problem is this: when the user uses IE, closes the browser and logs in again using Windows Authentication, a new session is not created for the same user. The old session remains present, and the user is redirected to the sessionExpired page again.
What am I missing? What could be the problem?
Update:
My configuration file is as follows:
<system.web>
  <roleManager enabled="false"/>
  <authentication mode="Windows" />
  <identity impersonate="true" />
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
  <sessionState timeout="20"/>
  <membership defaultProvider="MyADMembershipProvider">
    <providers>
      <add name="MyADMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString"
           connectionUsername="userName"
           connectionPassword="password"/>
    </providers>
  </membership>
</system.web>
In my previous question here I was experiencing difficulties with authenticating web services. With the use of the WcfRestContrib library which I found here I was able to solve this issue. I built a small test application and the authentication works like a charm.
But while I'm implementing this in the web application where I want to use the web service authentication part, I keep getting the problem that the Forms Authentication used in the web application keeps redirecting me to the login page.
I've got the following configuration part in the web.config of my web application. This is the application from which I'm trying to call the service by its URL:
http://website.localhost/Services/Info.svc/account
The web.config for website.localhost contains the following parts:
<location path="Services">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<system.serviceModel>
  <extensions>
    <behaviorExtensions>
      <add name="webAuthentication" type="WcfRestContrib.ServiceModel.Configuration.WebAuthentication.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
      <add name="errorHandler" type="WcfRestContrib.ServiceModel.Configuration.ErrorHandler.BehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
      <add name="webErrorHandler" type="WcfRestContrib.ServiceModel.Configuration.WebErrorHandler.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
    </behaviorExtensions>
  </extensions>
  <behaviors>
    <serviceBehaviors>
      <behavior name="Rest">
        <webAuthentication requireSecureTransport="false" authenticationHandlerType="WcfRestContrib.ServiceModel.Dispatcher.WebBasicAuthenticationHandler, WcfRestContrib" usernamePasswordValidatorType="CMS.Backend.Services.SecurityValidator, CMS.Backend" source="CMS.Backend"/>
        <errorHandler errorHandlerType="WcfRestContrib.ServiceModel.Web.WebErrorHandler, WcfRestContrib"/>
        <webErrorHandler returnRawException="true" logHandlerType="CMS.Backend.Services.LogHandler, CMS.Backend" unhandledErrorMessage="An error has occurred processing your request. Please contact technical support for further assistance."/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>
I'm excluding the Services directory from authentication by giving all anonymous users access; this is the part causing problems, I think.
My service (Info) contains the following attributes:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceConfiguration("Rest", true)]
public class Info : IInfo
{
    // Some foo happens
}
The web.config of the service contains this:
<system.web>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>
Whenever I try the above URL to make a call to the service I'm being redirected to the login page of the website at http://website.localhost/Logon. How can I prevent this from happening? As far as I know the web.config should be correct.
--THE FINAL SOLUTION--
I modified the web.config to look like this:
<system.web>
  <!-- site config -->
</system.web>
<location inheritInChildApplications="false">
  <system.web>
    <authentication mode="Forms">
      <forms name="AllPages" loginUrl="~/Logon/" timeout="360" enableCrossAppRedirects="false" />
    </authentication>
  </system.web>
</location>
I also removed this rule from the web.config, which I had added at an earlier stage. Apparently it conflicted with the added location tag and the web.config in the service itself:
<location path="Services">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
You should prevent inheritance of the settings that are specified in the associated configuration section, which are otherwise inherited by applications that reside in a subdirectory of the relevant application.
Try to put your site's "system.web" section into a "location" section:
<location inheritInChildApplications="false">
  <system.web>
    <!-- your site system.web settings -->
  </system.web>
</location>
Hope it is helpful.