Some resources (images) don't appear when I visit the main page after login (using form authentication)
However, setting the attribute of anonymous authentication to 'application pool id' in iis manager works
what windows account is used for form authentication in iis?
Only the login Page need anonymous authorization access. It sounds like you didn't set anonymous authentication correctly.
When we implement form authentication in IIS, Both form authentication and anonymous authentication are enabled side-by-side. Then we will create allow auth rule for all user and deny anonymous user in site level.
<authentication mode="Forms">
<forms name=".MyCookie" loginUrl="Login" protection="All" timeout="60" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Secondly, we need to create a authorization rule to allow anonymous access to login page.
<location path="Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
When you pass the form authentication, IIS will send a form authentication cookie with the username which is decided by your application. It can be a key in appsetting or a username from database.
1.
FormsAuthentication.SetAuthCookie(UserInfo.UserName, false, FormsAuthentication.FormsCookiePath);
2.
FormsAuthenticationTicket
3.
FormsAuthentication.RedirectFromLoginPage(UserInfo.UserName, false);
You need to make sure the auth_user and application pool identity have permission to access the image sources.
https://support.microsoft.com/en-us/help/301240/how-to-implement-forms-based-authentication-in-your-asp-net-applicatio
Related
I have a legacy multi tenancy WebForms app where users authenticate using forms authentication. We are migrating the auth system to IdentityServer4 but can't do it all at once, so we want to gradually introduce this to our tenants. This means we need to run the WebForms app with both Forms Auth and the new OpenIdConnect Auth at the same time.
My problem is that whenever I run HttpContext.Current.GetOwinContext().Authentication.Challenge(), I'm redirected to Login.aspx because of this:
<authentication mode="Forms">
<forms name="AuthCookieName" loginUrl="~/Login.aspx" timeout="60" protection="All" requireSSL="true" enableCrossAppRedirects="true" />
</authentication>
What I want is that whenever someone navigates to /OIDC.aspx, the challenge will redirect the user to IdentityServer as configured using OWIN. For all other requests, the existing Forms auth configuration can handle the authentication.
Is this at all possible?
I managed to prevent the unwanted redirect by setting the Response.SuppressFormsAuthenticationRedirect flag when invoking the authentication challenge, e.g.:
HttpContext.Current.Response.SuppressFormsAuthenticationRedirect = true;
HttpContext.Current.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties { RedirectUri = "/Home.aspx" });
HttpContext.Current.GetOwinContext().Authentication.Challenge() will do an authentication challenge against the default security scheme - in this case, yours is Forms Auth. You can pass in a string denoting what security scheme(s) to use in the challenge, like so HttpContext.Current.GetOwinContext().Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType)
OIDC uses Callback Url. This webform security restricts this url and redirects to login page. Allowing access to that call back url using location tag worked for me.
<authentication mode="Forms">
<forms loginUrl="default.aspx" name=".CLFORMSAUTH" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="authorization-code/callback">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
I wonder if it is possible for an official way or hack to retrieve the windows login of the user currently logged on a asp web page with option "allow anonymous users" ? Or using imported windows dll perhaps ?
I know that normally with the "deny anonymous users" I can easily retrieve the login windows. But for some special reason I would like to retrieve the windows login and accept anonymous users. So that if the windows login is a user in my database I redirects to another web page.
I have ckecked that: (but windowsLogin == always empty)
ASP- C#
string windowsLogin = System.Security.Principal.WindowsPrincipal.Current.Identity.Name;
string windowsLogin = System.Threading.Thread.CurrentPrincipal.Identity.Name;
string windowsLogin = System.Net.CredentialCache.DefaultCredentials.ToString();
string windowsLogin = Request.ServerVariables["LOGON_USER"].ToString();
Web.config
<authorization>
<deny users ="?" /><!-- Deny acces to anonymous users-->
<allow users ="*" /><!-- Allow acces to every users-->
</authorization>
<identity impersonate="true"/>
<authentication mode="Forms">
<forms loginUrl="./WebLogin.aspx" defaultUrl="./default.aspx" timeout="12" path="/" name=".ASPXFORMSAUTH" slidingExpiration="true" />
</authentication>
You'll need to allow anonymous users, it seems, and you might want to try Windows authentication.
<authorization>
<allow users ="*" /><!-- Allow acces to every user and do not deny anonymous -->
</authorization>
<authentication mode="Windows" />
It seems ServerVariables have been depreciated for C# in some instances.
If so, you'll need to do it this way:
string login = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
If you really want to use ServerVariables, keep in mind they are CaSe Sensitive in C#. The correct casing is almost always UPPER, and here is the list of them:
List of ServerVariables
ASP.NET: I have created a website with login authentication. Before the user can visit any of the pages in it he needs to login first. How do I prompt the user to login first before he can view any of the contents of the website?
The Examining ASP.NET's Membership, Roles, and Profile series is a good starting point. It covers all the security part of ASP.NET and your required stuff, Login before visiting the page via LoginUrl as your login page. starting doing this How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
Some setting to be made in web.config and then handle of these things on code behind.
<forms name=".ASPXAUTH" loginUrl="login.aspx"
defaultUrl="default.aspx" protection="All" timeout="30" path="/"
requireSSL="false" slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
Add the following element under the element in the Web.config file. This allows all authenticated users to access your Web site.
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>`
code behind
if (Membership.ValidateUser(username, password))
{
// User has supplied valid credentials
// In the following method call, the second Boolean parameter
// determines whether a persistent authentication cookie
// is created.
FormsAuthentication.RedirectFromLoginPage(username, rememberMeIsChecked);
}
Reference:
Starting ASP.NET Forms Authentication
ASP.NET Authentication
Explained: Forms Authentication in ASP.NET 2.0
Try to do this in your web.config
If we want to deny access to anonymous users, configure the Authorization section in the following manner,
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
For more info look here
This is huge subject to cover on posting code example here so I would recommend following steps.
Use asp.net mvc3, learn how membership provider work, customize it if to fit your needs, user role provider to assign users to specific groups which you will use to protect specific area of site.
Create roles and assign them to user and after that you can secure pages using decorated [Authorize] attributes or secure for selected users like this
[Authorize(Roles = "Admin, Super User")]
Use your web.config in configuration system.web section to indicate what membership and role provider is used in app.
This is short info, but I hope that you have concise mental picture now.
I would like my asp .net web application to only allow users belonging to DomainName\Domain Users to access the site. Right now I have "Anonymous access" disabled and "Windows Integrated Security" enabled on IIS. I also have the following code in my web config:
<authentication mode="Windows" />
<authorization>
<allow roles="DomainName\Domain Users" />
<deny users="*" />
</authorization>
When I attempt to access the website it prompts me for the username and password to connect to webserver.example.com. I am a member of the domain users group but it does not allow me access. What am I doing wrong either in the syntax or in my IIS settings?
Is Anonymous Authentication Disabled in IIS ? Only Integrated Windows Auth should be enabled on the web application.
EDIT from comments:
I see you have Anonymous disabled. Try adding <identity impersonate="true" /> within <system.web> and see if your behavior changes.
I have a web application and I want to provide anonymous access to a couple of the web services in it so that we can access the web services from computers without a windows login on our network.
I've tried the stuff here Disable authentication on subfolder(s) of an ASP.NET app using windows authentication. I've done this:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
...
<location path="Tests/QService.asmx">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
These both "work" in that they allow access to the web service for anonymous users. However, it seems that IIS still sends an authorization challange because when I access the service from a browser I get a box to enter my username and password. If I hit cancel I get access to the page anonymously. However, some of our clients don't handle this well and just fail because of the 401 return code.
Is there a way to completely disable the windows authentication on that single location such that IIS will not try and establish a windows authentication?
You need to disable Windows Authentication on the Virtual Directory for that single location. Then you shouldn't be challenged.