Asp.Net ViewState behind CDN - asp.net

I have an Asp.Net app running under IIS with two backend servers with Loadbalancing + machinekey configured. Once I've activated a CDN (Varnish with caching disabled), I'm redirected to login page every time I navigate between pages.
I believe that the postbacks are cached somewhere and the app logs don't help.
I've seen similar answers like here, but none of them suggested a solution.
Any idea how to track this down without changing the App config?
On the browser, this is what I see:
https://example.com/
302 redirection to https://example.com/login.aspx?ReturnUrl=%2f
successful login redirects to https://example.com/accueil.aspx with some errors (see attached)
selecting https://example.com/pages/module.aspx?PAGEID=-00000001 returns a 302 redirection to login page https://example.com/login.aspx?ReturnUrl=%2fpages%2faccueil.aspx%3fMSG%3dIdentification+obligatoire
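One way to track this down without touching the app config is to capture the response head of the same request twice, once directly from a backend and once through the CDN, and compare them. The following is an added example, not part of the original post: the header samples are constructed, and it assumes the default Forms Authentication cookie name `.ASPXAUTH` and Varnish's standard `Age` and `X-Varnish` response headers.

```python
# Constructed samples: the login POST's response head, captured directly from
# one backend and again through the CDN (e.g. with curl -i or Fiddler).
# .ASPXAUTH is assumed to be the Forms Authentication cookie (the default name).
ORIGIN_SAMPLE = """
HTTP/1.1 302 Found
Location: /accueil.aspx
Cache-Control: private
Set-Cookie: .ASPXAUTH=CONSTRUCTED; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=CONSTRUCTED; path=/; HttpOnly
"""
CDN_SAMPLE = """
HTTP/1.1 302 Found
Location: /accueil.aspx
Age: 0
X-Varnish: 32770
Set-Cookie: ASP.NET_SessionId=CONSTRUCTED; path=/; HttpOnly
"""

def parse_head(raw):
    """Return (status_code, [(lowercased header name, value), ...])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    pairs = (l.partition(":") for l in lines[1:])
    return int(lines[0].split()[1]), [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def cookie_names(headers):
    """Names of all cookies the response sets."""
    return {v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"}

def cached_hit(headers):
    """Varnish cache hit: Age > 0, or two transaction IDs in X-Varnish."""
    h = dict(headers)
    return int(h.get("age") or 0) > 0 or len(h.get("x-varnish", "").split()) == 2

def compare(origin_raw, cdn_raw):
    """List the differences that would explain a lost login behind the CDN."""
    (o_status, o_h), (c_status, c_h) = parse_head(origin_raw), parse_head(cdn_raw)
    findings = [f"Set-Cookie {n} present at origin, missing via CDN"
                for n in sorted(cookie_names(o_h) - cookie_names(c_h))]
    if cached_hit(c_h):
        findings.append("CDN answered from cache (Age > 0 or two X-Varnish IDs)")
        if cookie_names(c_h):
            findings.append("cached response carries Set-Cookie")
    if o_status != c_status:
        findings.append(f"status differs: origin {o_status}, CDN {c_status}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(ORIGIN_SAMPLE, CDN_SAMPLE)))
```

A finding that the authentication cookie is missing via the CDN points at header stripping in the proxy layer, while a cache hit on an authenticated response points at the caching rules.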

Related

Website does not automatically redirect to adfs log in

I am trying to set up a company website to use an adfs log in system, using the instructions found on https://www.linkedin.com/pulse/how-implement-sso-aspnet-mvc-application-adfs-tuomas-kesti, but my site does not redirect to the adfs page, and instead loads the home page of the site as if nothing happened. Looking at the network page in inspect element shows that the site never calls or redirects to the adfs page.
In my web.config file, the realm and reply values are set up to the main site, with the issuer value being the adfs site and follows the same format of "https://sts.domain.com/adfs/ls/". The adfs site is up and running with and the thumbprint from its certificate is added in the tag. passiveRedirectEnabled is set to true in the tag.
I'm not sure what the problem is, and looking it up online doesn't find me any results. If anyone has an idea on why my site isn't automatically redirecting, that would be appreciated.
Yes, it seems that the code in your tutorial doesn't redirect automatically when no JWT is available. I.e. the last code sample should contain an 'else' that responds with a redirect to the ADFS login page.
Have a look at these samples for Azure AD:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples
I found them very helpful and they can (mostly) be used with a standalone ADFS as well. Most of all, they cover all sorts of solution architectures and framework versions.

Forcing a site to SSL (via IIS) causes WebResource.axd loading issues

We have forced the LIVE site to use SSL (for authentication reasons) and now the site won't get past the Login page.
The Login page displays fine, but after entering Username/Password and hitting Login, the page reloads.
Looking at the Developer Tools in Chrome reveals a 404 error loading
https://myapplication.com/login.aspx/WebResource.axd
Research on internet suggests a web.config setting - but I can't find what setting to use.
The site works absolutely fine when not in SSL mode - and has been working for a while until forcing IIS to run site over SSL at all times.
Any ideas?
Check that you have bindings on 443 for all the URIs possible. For example, you have myapplication.com. You probably have a binding on 80 to that URI, but what about 443? What about www.myapplication.com on 80 and 443? IIS will only respond if told to. It will not infer URLs from the application that it should serve up. You have to specifically allow them on all ports.

How can I set the default page for https requests?

We have a website which has a Virtual Directory containing the secure portion of the website.
If users come to http://www.mydomain.com, they should get directed to default.aspx of the main site, but if they go to https://www.mydomain.com, they should go to default.aspx of the virtual directory.
The default page for the main site works fine, as does the secure page if I navigate to it using the full name, however I can't figure out how to set the default page for https traffic that doesn't specify a specific page.
http://www.mydomain.com - Works
https://www.mydomain.com - Page Not Found
https://www.mydomain.com/myvirtualdirectory - Page Not Found
https://www.mydomain.com/myvirtualdirectory/default.aspx - Works
What do I need to do to make links 2 and 3 load the default page shown in 4?
My website is running on IIS 6.0 in Windows Server 2003
Overall, this is an anti-pattern as you state the entire behavior of the site changes based on the port. I am not stating definitively you are doing this, but consider the following:
If you are redirecting due to a user needing to see other things, you can make conditional controls that display only when in HTTPS. The same can be done for authenticated and authorized versus not.
If you are redirecting because an HTTP user needs to log in, the more consistent pattern is to have them click a log in button. And, you can force HTTPS at this point without breaking the pattern.
If you really need to redirect for some reason, there are a couple of ways of handling this:
In IIS
HTTP Handlers
URL Rewrite - requires the URL Rewrite bits for IIS 7
I imagine there are some other ways to solve this.
I finally figured out my issue. In my case, it turns out the problem was an old URL Rewrite rule I wasn't aware of that was transferring all https traffic that didn't have a file name specified to index.php, which of course didn't exist.
I found this out by viewing the IIS error logs, which was telling me the 404 was being caused by index.php

Anonymous Authentication in IIS over https does not fire a postback

I recently decided to change from using Windows Authentication for my internal web applications to Forms Authentication. I've not used the latter very much and one site explained you have to enable both Forms and Anonymous for this to work. The idea is to verify user passwords against an active directory then grant them access accordingly. I had this working just fine locally and when publishing to IIS 7.5 it still worked. It was just a basic Visual Studio project that would redirect to our homepage.
The problems arose when I tried accessing this same project securely with https, I included the full domain and it would load the new login page but when I clicked login it would do nothing. Since then I've scoured the web and found numerous mentions of this and that and tried many of them to no avail.
It was only later I created a blank project with a single button and one line of the code on the page to see if a post back had fired. After publishing I only enabled Anonymous Authentication in IIS and browsing to this basic test app using http when you clicked the button, false on the page changed to true - indicating a post back. Yet with https it just remains false. I think this may be why the active directory login wasn't working as it too had Anonymous enabled.
I'm still pretty new at the secure side of things but with the details passing over I have to use a secure connection just for the login then it can redirect to the usual applications we use internally.
I'd appreciate any thoughts you may have regarding this.
Thanks!
We use this configuration (anonymous IIS access, forms authentication, and https) successfully all of the time.
There are three things that you should do to track this issue down:
1) Verify that there are no javascript errors in the page that break the button (i.e. a javascript file not being delivered to the page)
2) Check the windows event logs for exceptions from asp.net/iis.
3) Install and run fiddler, select Fiddler Options... from the Tools menu, click on the HTTPS tab and ensure all of the checkboxes are checked, then run your website and look at the requests and responses, particularly when you press the button.

Redirecting to a page using IIS6

I have a .net 2.0 site and I redirected users to a
login page when they hit the site. (I think the default.aspx page)
But I can't remember how I did it.
I am now wanting to upgrade to an asp.net mvc app
but the redirect is still there to a nonexistent page.
Any ideas how to find the redirect?
Malcolm
Use WireShark Network Analyzer or Fiddler to find out what type of Redirect you have and the location that's redirecting.
You can then use IIS management console to see if there are any redirects in the site or virtual directory properties.
And finally check the source of the script that handles the request for Response.Redirect() or Server.Transfer().
