Asp.net randomly stops obeying forms authentication whitelist - c#

The problem
Last month we moved our asp.net website farm from Server 2008 R2 to Server 2012 R2 and upgraded to asp.net 4.5. We are using cookied forms authentication to prevent unauthorized access to the website.
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
We have certain assets and pages (ex: sign in page) that are whitelisted in the web.config:
<location path="signin">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Over the last few months we've been noticing that IIS/Asp.net randomly stops obeying the whitelist and assumes everything needs to be authenticated. All requests to the site on that server will be redirected to the signin page, which then throws a 500 error. No whitelisted assets can be retrieved.
There are then 2 errors in the event viewer that we can see when IIS is messed up. The first:
Exception type: NullReferenceException
Exception message: Object reference not set to an instance of an object.
at System.Web.PipelineModuleStepContainer.GetNextEvent(RequestNotification notification, Boolean isPostEvent, Int32 eventIndex)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
This second one doesn't show up all the time:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
The IIS process will be working fine for hours, then all of a sudden start doing this weirdness. As soon as we recycle the app pool, or even just modify the web.config, the site starts working again.
Things we've tried
Honestly we are quite stumped. This wasn't happening on our old servers, and we've made quite a few changes to our site since then, but nothing related to authentication.
We are in a webfarm and we define our machine key inside of our web.config.
<machineKey validationKey="XXX" decryptionKey="XXX" validation="SHA1" decryption="AES" />
We are targeting asp.net 4.5
<httpRuntime targetFramework="4.5" executionTimeout="120" maxQueryStringLength="4096" minFreeThreads="72" minLocalRequestFreeThreads="88" maxRequestLength="32768" />
We recreated the application pool within IIS.
Not sure if it matters but we use IIS Shared Config and shared certificates.
The issue is happening on all of the web servers in the farm, not just one.
We reinstalled the OS on one of the servers yesterday... so we'll see if that fixes anything.
It doesn't seem to be tied to memory usage. Sometimes IIS is only using 4 GB, sometimes 6 GB.
It doesn't seem to be tied to a certain page execution that we can tell.
I've run debug diag against a memory dump and there aren't any threads that are running long nor crazy memory usage.
Yeah, we are stumped. Any help is appreciated.
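The whitelist the question relies on (a site-wide deny for anonymous users, a <location> override for the sign-in page) works because ASP.NET evaluates authorization rules first-match, checking <location> rules before the site-wide ones. The following is an added example, not code from the question or any answer: it models that evaluation for a constructed web.config fragment, handling only the users="*" and users="?" forms and ignoring the roles and verbs attributes.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment mirroring the question's setup (not copied from it).
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?" /><allow users="*" /></authorization></system.web>
  <location path="signin">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def _rules(auth):
    """Yield (verb, [users]) pairs in document order; roles/verbs attributes are ignored."""
    for rule in auth:
        if rule.tag in ("allow", "deny"):
            yield rule.tag, [u.strip() for u in rule.get("users", "").split(",") if u.strip()]

def _matches(users, user):
    """'*' matches every request, '?' only anonymous ones, anything else a user name."""
    return any(u == "*" or (u == "?" and user is None)
               or (user is not None and u.lower() == user.lower()) for u in users)

def _covers(location_path, request_path):
    """A <location path="x"> applies to x itself and everything beneath it."""
    lp, rp = location_path.strip("/").lower(), request_path.strip("/").lower()
    return rp == lp or rp.startswith(lp + "/")

def is_allowed(config_xml, request_path, user=None):
    """Return True if `user` (None = anonymous) may reach `request_path`.
    First matching rule wins; <location> rules are consulted before the site-wide
    ones, most specific location first, then ASP.NET's implicit <allow users="*" />.
    """
    root = ET.fromstring(config_xml)
    locs = [l for l in root.findall("location") if _covers(l.get("path", ""), request_path)]
    locs.sort(key=lambda l: len(l.get("path", "")), reverse=True)
    ordered = []
    for scope in locs + [root]:
        auth = scope.find("system.web/authorization")
        if auth is not None:
            ordered.extend(_rules(auth))
    for verb, users in ordered:
        if _matches(users, user):
            return verb == "allow"
    return True  # ASP.NET's implicit trailing <allow users="*" />

if __name__ == "__main__":
    print(is_allowed(WEB_CONFIG, "/signin"))        # True: whitelisted for anonymous
    print(is_allowed(WEB_CONFIG, "/default.aspx"))  # False: site-wide deny users="?"
```

Running the same evaluation against the real web.config of an affected server is a quick way to confirm the configured rules still say what the symptom suggests they do not.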

I had a similar experience, changing IIS to allow anonymous authentication solved it for me. In your case, I would recommend 2 things:
Try enabling Anonymous Authentication in IIS (visit http://technet.microsoft.com/en-us/library/cc770966%28v=ws.10%29.aspx to see how)
Modify your code as shown below:
<location path="signin">
  <system.web>
    <authorization>
      <allow users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
I hope this helps

I'll answer my own question with what we did to solve the issue, even though we never did find the root cause. We noticed that the server would start ignoring the whitelist rules when it got too heavy under load. Not much load, maybe 40% utilization over the course of 5 minutes. After that it would start ignoring things.
The simple solution for us was to throw more hardware at the issue. We are running 6 webservers instead of 3. We haven't seen the whitelist issue since then. So honestly... we have no idea what's up.

While I can't say exactly what the issue is, I can share a similar experience.
We had a site that used forms authentication and also assumed it was failing and forcing everyone to authenticate. What we discovered was that the website was crashing and IIS was returning the default website instead. It took us a while to figure out. You might want to check to make sure you're not looking at a similar situation.

Can you show your Authentication node from your web.config?
It should be something like this:
<authentication mode="Forms">
  <forms name="Logon" loginUrl="~/Logon.aspx" protection="All" timeout="60" defaultUrl="~/Default.aspx" />
</authentication>
Are you using the ASP.NET session state server? If so, check that the ASP.NET State Service is started.

Error with Custom Role Provider: The login is from an untrusted domain and cannot be used with Windows authentication

Having deployed the latest build of a C# MVC app to a test server, this is the error I'm getting.
This all works fine when run locally in VS2013.
I'm using a custom provider and I'm pretty sure this worked ok before.
The relevant part of web.config looks like this:
<system.web>
  <authorization>
    <allow users="*" />
  </authorization>
  <authentication mode="Windows" />
  <roleManager defaultProvider="MyRoleProvider" enabled="true">
    <providers>
      <clear />
      <add name="MyRoleProvider" type="CWC_Service_Plan.Security.MyRoleProvider" />
    </providers>
  </roleManager>
  <compilation debug="true" targetFramework="4.5.1" />
  <httpRuntime targetFramework="4.5.1" />
</system.web>
The Authorisation config in IIS looks like this:
Enabling anonymous access makes no difference.
Having trudged through the answers in SO without finding the solution I'm aware that there is a lot out there on this, but I haven't yet found anything that can resolve this issue. For example, the problem is not a database security issue, the password for the site identity user has not expired, etc.
Does anyone have any suggestions on how to proceed? I'll supply additional details as requested.
And thanks for the help!
[Edit]
When the site is browsed locally (on the server) the error is mildly more helpful:
This would still suggest a problem connecting to the database as the User.IsInRole function checks the database for role membership, but I'm sure this is ok.
[Edit2]
Looking through the Windows logs shows the following error:
SSPI handshake failed with error code 0x8009030c, state 14 while
establishing a connection with integrated security; the connection has
been closed. Reason: AcceptSecurityContext failed. The Windows error
code indicates the cause of failure. The logon attempt failed
[CLIENT: 10.184.23.141]
What does that mean in English, apart from "Login failed"?
[Edit3]
Apparently this could mean that no Service Principal Name has been set up for the service user.
https://technet.microsoft.com/en-us/library/bb735885.aspx
Am currently investigating this angle...
I never found an entirely satisfactory answer to this.
In the end I switched to using SQL Authentication for the database access, thus removing the problem, so more of a work-around than a fix really.

ASP.NET Forms Authentication always redirecting back to Login page

I have a problem with an incredibly simple website using simple Forms authentication.
I have a single page Default.aspx and a Login.aspx.
Default.aspx is protected by <deny users="?" />
The Login.aspx calls
FormsAuthentication.RedirectFromLoginPage( tbUserName.Text, chPersist.Checked );
I used Fiddler to check if the redirect works. It does. But the Default page always redirects back to the Login page (HTTP/1.1 302 Found).
The cookie is created as expected and Fiddler tells me it's there. But it just won't load the default page.
I tried so many combinations, but the only thing that makes the default page load "successfully" is when I turn off the deny="?" rule in IIS/web.config. But then all users can get to the page, which is not what I want.
Web.config on the server and my machine:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" defaultUrl="Default.aspx" cookieless="UseCookies" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
Ironically all this is working great in any case when I debug the site in Visual Studio, but upon deployment it does not work. The web.config is deployed with the site.
I have no idea why this still isn't working.
Anyone?
Try recycling the application pool and then restarting the IIS server.
This can be one solution for you.
If you have the following line of code in your web.config file remove it.
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
  </modules>
</system.webServer>
You could check that IIS has activated Forms Authentication for that site. If this is disabled, it might result in odd behaviour when trying to authenticate via form.

ASP.NET Forms Authentication - Too many redirects

I have an ASP.NET 4.5 webforms site and trying to setup forms authentication. I have an Account folder with a Login.aspx page within. The main web.config contains the following:
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880"/>
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
When I browse to the site, it appropriately redirects to Account/Login.aspx and then throws a browser error indicating "Too Many Redirects". I am at a loss as to what could be wrong or where to go to troubleshoot next. Any assistance would be appreciated.
Please check whether somewhere on your page, or somewhere global, you redirect to the same page you are already on; that causes this endless loop.
e.g. Response.Redirect("Login.aspx");
I have seen this before and the issue was resolved by clearing cookies and browser history.
Check that your ASP.NET State Service is running. Starting this service resolved this problem for me.
Having an older version of the .Net Framework Runtime than is used by the application would also be the cause of this type of error.

ASP.NET web app sessions issue

I developed an ASP.NET web application that is installed on a "live" IIS 7.5. The web app uses http sessions to pass parameters between pages for logged in users. This works great on my development machine (tested with local IIS in VS2010 IDE), but when this web app is uploaded to a client's IIS and they start using it (Google Chrome and IE browsers), at some random moments the session variables seem to disappear. My first guess was to increase the session timeout setting via web.config file by adding this line:
<configuration>
  <system.web>
    <sessionState timeout="20"></sessionState>
  </system.web>
</configuration>
But that doesn't seem to fix the issue. So it made me wonder, what other settings are there concerning sessions? Something like an internal folder that keeps a cache of all sessions that overflows on an actual IIS? Any ideas?
EDIT: Following #wy__'s suggestion, I modified the web.config file and started seeing the same issue on my dev machine. Here's the whole system.web section as I have it now:
<system.web>
  <compilation targetFramework="4.0" debug="false"/>
  <pages validateRequest="false"/>
  <httpRuntime requestValidationMode="2.0" executionTimeout="110" maxRequestLength="262144"/>
  <sessionState timeout="20" cookieless="true" regenerateExpiredSessionId="true"></sessionState>
</system.web>
I also checked and there's only one w3wp.exe process running.
By default, the session uses cookies to track user sessions. If you are not sure whether users turn them off or not, you can configure cookieless sessions.
i.e.
<configuration>
  <system.web>
    <sessionState cookieless="true" regenerateExpiredSessionId="true" />
  </system.web>
</configuration>

c# library impersonate problem

I'm working on a website that has been coded by someone else. The application contains three layers: a website, a web service and a library. The web service is up for other applications to call methods and everything. The website is used by workers to perform queries and everything.
The problem is: the website uses the web service, which uses the library, instead of going directly to the library. I want to remove the web service usage and use the library straight away instead. Unfortunately, the library isn't able to connect to an external server when called directly from the website.
The web service used the impersonate method in its web.config, like so:
<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
    <authorization>
      <allow users="*" />
    </authorization>
    <authentication mode="Windows" />
    <identity
      impersonate="true"
      userName="USERNAME_HERE"
      password="PASSWORD_HERE" />
    <sessionState
      mode="InProc"
      stateConnectionString="tcpip=10.96.8.37:42424"
      sqlConnectionString="data source=10.96.8.37;Trusted_Connection=yes"
      cookieless="false"
      timeout="20" />
  </system.web>
When the web service uses the library, the library identity turns out to be the username specified in the web.config. But when I call it from the website directly the user turns out to be MY_COMPUTER\ASPNET.
How can I successfully impersonate within the library itself?
Thanks!
EDIT
Ok, I thought of adding the impersonate piece of code in the website's web.config instead. It turned out that the library used the correct user, but the request takes forever and never ends. Do you know what could be wrong?
At first glance, you could use these entries in the web.config of your transactional website.
<authorization>
  <allow users="*" />
</authorization>
<authentication mode="Windows" />
<identity
  impersonate="true"
  userName="USERNAME_HERE"
  password="PASSWORD_HERE" />
However you want to be really sure this is the right thing to do before you do it.
Security is a big thorny problem that can turn around and bite you in the ass pretty hard. Whichever user you use here should be single purpose. It should have exactly the permissions you need and no more.
Why can't you give the MY_COMPUTER\ASPNET user permissions on the external server?
There are ways to impersonate for a short time which will probably solve your problem more cleanly. I will let someone who actually knows that answer tell you what it is though.