I have written an asp.net application that only hosts a series of web services (.asmx) .
I would like to be able to use a custom basic authentication mechanism to authenticate requests.
I have found this article that describes how to do that :
I have written a HttpModule as It said and I have added it in my web.Config. No authentication scheme is set in web.config (no authentication tag) and also there's no authorization tag in web.config.
The problem is this module never hit no matter if I enable basic authentication in IIS or disable it (and enable anonymous access).
The question is what am I doing wrong or missing ?
UPDATE :
config file :
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<httpModules>
<add name="BasicAuthHttpModule" type="WebServiceWrapper.BasicAuthHttpModule, WebServiceWrapper"/>
</httpModules>
</system.web>
Related
I have a simple MVC web api 2 IIS hosted application which I want to enable windows authentication (initially not using Owin). I am running this on my development machine and running as local IIS.
So, from what I could find, I need to add the following to the web.config
1: to the following section the authentication mode="Windows"
<system.web>
<compilation debug="true" targetFramework="4.5.1"/>
<httpRuntime targetFramework="4.5.1"/>
<authentication mode="Windows" />
</system.web>
2: Then add the following
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
When I add the above and run the application (in debug from Dev studio), I get the following error
HTTP Error 500.19 - Internal Server Error
Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
and then it specifically points to this web config entry
Config Source:
37: <authentication>
38: <windowsAuthentication enabled="true"/>
39: </authentication>
Anyone have any ideas why I would be getting this?
Also, I noticed when I switch to IIS express, that in the project properties, the Windows Authentication is set to disabled, and grayed out so I cannot set it here either.
Thanks in advance for any help!
If you read applicationHost.config, you will see that authentication related sections are locked down and cannot be overridden in web.config,
<section name="windowsAuthentication" overrideModeDefault="Deny" />
Thus, you need to specify that in applicationHost.config, instead of web.config. Both IIS and IIS Express have such restriction.
Server Error in '/educational/timecalculator' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
This website was working before but was moved over to IIS and now getting this error. The webpage will run locally but not remotely. Perhaps the .NET framework isn't 4.5 on IIS?
This is my Web.config file in asp.net
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<system.web>
<customErrors mode="Off" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
</configuration>
In IIS verify that the Application Pool for the website is set to use the correct .NET Framework.
I developed an ASP.NET web application that is installed on a "live" IIS 7.5. The web app uses http sessions to pass parameters between pages for logged in users. This works great on my development machine (tested with local IIS in VS2010 IDE), but when this web app is uploaded to a client's IIS and they start using it (Google Chrome and IE browsers), at some random moments the session variables seem to disappear. My first guess was to increase the session timeout setting via web.config file by adding this line:
<configuration>
<system.web>
<sessionState timeout="20"></sessionState>
</system.web>
</configuration>
But that doesn't seem to fix the issue. So it made me wonder, what other settings are there concerning sessions? Something like an internal folder that keeps a cache of all sessions that gets overflown on an actual IIS? Any ideas?
EDIT: Following #wy__'s suggestion, I modified the web.config file and started seeing the same issue on my dev machine. Here's the whole system.web section as I have it now:
<system.web>
<compilation targetFramework="4.0" debug="false"/>
<pages validateRequest="false"/>
<httpRuntime requestValidationMode="2.0" executionTimeout="110" maxRequestLength="262144"/>
<sessionState timeout="20" cookieless="true" regenerateExpiredSessionId="true"></sessionState>
</system.web>
I also checked and there's only one w3wp.exe process running.
By default, the session uses cookies to track user sessions. If you are not sure whether users turn them off or not, you can configuring cookieless session.
i.e.
<configuration>
<system.web>
<sessionState cookieless="true" regenerateExpiredSessionId="true" />
</system.web>
</configuration>
I'm working on a website that has been coded by someone else. The application contains three layers. A website, a web service and a library. The Web service is up for other application to call methods and everything. The website is used by workers to performs queries and everything.
The problem is : The website use the web service that use the library instead of going directly to the library. I want to remove the web service usage and use the library straight away instead. Unfortunately, the library isn't able to connect an external server when called directly from the web site.
The web service used the impersonate method in his web config like so :
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<compilation defaultLanguage="c#" debug="true" />
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Windows" />
<identity
impersonate="true"
userName="USERNAME_HERE"
password="PASSWORD_HERE" />
<sessionState
mode="InProc"
stateConnectionString="tcpip=10.96.8.37:42424"
sqlConnectionString="data source=10.96.8.37;Trusted_Connection=yes"
cookieless="false"
timeout="20" />
</system.web>
When the web service use the library, the library identity turns out to be the username specified in the web.config. But when I call it from the website directly the user turns out to be : MY_COMPUTER\ASPNET
How can I sucessfully impersonate within the library itself?
Thanks!
EDIT
Ok, I thought of adding the impersonate piece of code in the website's web.config instead. It turned out that the library used the correct user but the request takes forever and never end. Do you know what could be wrong?
At first glance, you could use these entries in the web.config of your transactional website.
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Windows" />
<identity
impersonate="true"
userName="USERNAME_HERE"
password="PASSWORD_HERE" />
However you want to be really sure this is the right thing to do before you do it.
Security is a big thorny problem that can turn around and bite you in the ass pretty hard. Whichever user you use here should be single purpose. It should have exactly the permissions you need and no more.
Why can't you give the MY_COMPUTER\ASPNET user permissions on the external server?
There are ways to impersonate for a short time which will probably solve your problem more cleanly. I will let someone who actually knows that answer tell you what it is though.
I have created a blank asp.net website consisting of a blank default.aspx page, its .cs file, a login.aspx page and its .cs and a web.config. I'm looking to test .net authentication as seen in here on the MSDN site. I've copied everything as shown in the article. I set up the site in IIS6 now when I go to the site I get the runtime error with the:
"To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off"."
message. when I add the customErrors mode="On" tag to the web.config I still get this error like its not looking at the web.config. I've triple checked IIS and its definitely looking at the right site folder. Here's my web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<customErrors mode="On"/>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
<compilation debug="false" targetFramework="4.0" />
</system.web>
</configuration>
I usually set sites up through CMS installations. This is the first time I've done one from a blank site in visual studio. Is there more you need to add to web.config?
set
<customErrors mode="Off"/>
to see the actual error.
You need to set
Not "On" to see the actual error with stacktrace.