Develop Reference

How to set up file download that requires authentication in ASP.NET?

Do I have to create an API for token authentication or is there another way I can create some kind of login that would allow me to download a .csv file? I need a status code of 200 on successful authentication, otherwise the request should return a 401 status code and the file should not be downloaded. Does anyone have any advice on how I can achieve this? Ideally it should be as simple as possible to implement.

I have two suggestions about this.
You can put all download resources in the same folder, and the folder
will have a url pointing to it whether it is inside the application
or as an independent application. In the structure tree on the left
side of IISManager. As long as you select the folder and enable
authentication and disable Anonymous Authentication in the
Authentication module, any request to access the folder will be
required to verify identity.
WIthout setting on IIS, you can use filters of Web Api.
Authentication filters let you set an authentication scheme for
individual controllers or actions.
[Authorize] // Require authenticated requests.
public class HomeController : ApiController
{
public IHttpActionResult Get() { . . . }
[IdentityBasicAuthentication] // Enable Basic authentication for this action.
public IHttpActionResult Post() { . . . }
}

SignalR WinAuth does not Work

I have a problem in SignalR connection with Win Auth. When I enable anonymous in IIS Authorize settings, it works but sometimes it gives HTTP 403 Forbidden error. After I researched, I found that I need to disable Anonymous Connections. But when disable and enable the windowsAuth in IIS then there is always HTTP 401.2 UnAuthorized error. How I can connect with WinAuth? For my project I need to use WinAuth.
Not1 : I am using Silverlight 5.
Not2 : I have already tried possible solutions on StackOverflow but none of them worked.
So why cant I use WinAuth? It is enabled everywhere in config files, in IIS settings as well as in my web.config.
I spent 2 days but still I could not find a solution. If you need more information just write a comment. I am not sure what else information I can share. I dont want to put here lots of unnecessary texts.
EDIT:
When I use this code, i.e if I enter the username and password explicitly then it works. Internet Explorer first uses Anonymous Authentication and then it fails then it uses NetworkCredentials directly. This is the code
hubConnection = new HubConnection("URL");
hub = hubConnection.CreateHubProxy("HUBNAME");
hubConnection.Credentials = new System.Net.NetworkCredential("ID", "PASSWORD");
(The ones with capital letters are specific to my app.)
So how can I get Windows Credentials for my Silverlight App? DefaultCredentials does not work for silverlight.

Have you added authorization to your hub?
[Authorize(Roles = "Admin")]
public class AdminAuthHub : Hub
{
}

ASP.NET mvc 3 Anonymous Authorization not working

I have a strange issue that of course only occurs on our production box. It works on our test server and on my box.
I have an ASP.NET MVC 3 controller that is serving exposing a RESTful API. I have enabled anonymous users to call these service with the code shown below. Calling these methods via GET works just fine (using WebRequest). However, when trying to POST data (using HttpClient) it fails with a 401 error.
This web service is hosted within another IIS site which uses Windows Auth. But I configured this directory to allow Anonymous and disabled windows auth. It lives in /Areas/Services under the main site.
I have configured IIS to allow Anonymous authentication and even enabled it in the web.config. However, when I try to POST data to this controller, I get back "401 - Unauthorized: Access is denied due to invalid credentials". I don't want any credentials! Again, GET on this same controller works fine anonymously.
This seems to be a configuration issue (since it works in QA) but I do not know any other things to configure. I have been configuring IIS websites for anonymous/windows/forms auth for 10 years but have never run into anything like this before.
Here is the code that allows MVC 3 to serve these methods up to anyone:
[AuthorizeAnonymous]
public class LtWebsiteController : Controller
{
...
}
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
public class AuthorizeAnonymousAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (!(filterContext.Controller is LtWebsiteController))
base.OnAuthorization(filterContext);
}
}
This is driving me nuts! Please help.

You are likely missing HTTP headers for NTLM authentication. I would configure HttpClient to send the right credentials as part of the request.
HttpClientHandler handler = new HttpClientHandler()
{
UseDefaultCredentials = true
};
HttpClient client = new HttpClient(handler);
It's confusing since you are enabling anonymous authentication. But, with Windows Authentication the request needs to have proper headers. A 401 tells me the server flat out rejects the HTTP request.
http://www.asp.net/web-api/overview/security/integrated-windows-authentication

DotNetOpenAuth AspNet request status_update permission

I am using DotNetOpenAuth.AspNet for Facebook authentication. And everything works well.
However, I have to change app permissions so when a user logins I should request status_update permission. I've changed Permissions in Facebook app configuration, but I didn't get updated Login Window in my application.
Also I tried to handle OAuthWebSecurity.RegisterFacebookClient method call with passing extra data scope attribute, but without any access.
Does someone know how to request additional Facebook permissions using DotNetOpenAuth.AspNet?
EDIT:
When I try to do post I got this error:
(OAuthException - #200) (#200) The user hasn't authorized the application to perform this action
And this is what I get when I try to login to my app:
There is no status_update permission.
Thanks.

At this point you can't. Deep in the innards of DotNetOpenAuth.AspNet there is a class called FacebookClient. Within class is a method which is called "GetServiceLoginUrl".
This method in version 4.3.0 hardcodes the scope to "email".
If you go to the Nuget prerelease repository however, and get the prelease version 4.3.1 from there, the FacebookClient class comes with an additional parameter in the constructor - scope. You can add the permissions in there, and it will add them to the request url.
The pre-release package source is http://teamcity.dotnetopenauth.net:82/guestAuth/app/nuget/v1/FeedService.svc/
new FacebookClient(appId, secret, new[] {"email","manage_pages"});
and you should be good to go.

Windows Authentication - Getting current user name

In my MVC application I want to render a table in a cshtml file, if the current log in user is some x person. I am using windows authentication and I have made the following changes in web.config file.
<authentication mode="Windows">
</authentication>
And in my controller when I am trying to access the current user name I am not getting any user name. I am trying the following:
ViewBag.LogInUserName = Request.RequestContext.HttpContext.User.Identity.Name;
This above line was working before. But I don't know whats wrong now. Also I have hosted my application on IIS now.

Take a look at the web project's properties, in particular:
Anonymous Authentication - Set to "Disabled"
Windows Authentication - Set to "Enabled"
By default these are set to the opposite of what you're probably looking for.
(Image sourced from MSDN)

You need to put the [Authorize] attribute on your controller.
You can use User.Identity.Name in your controllers.
[Authorize]
public class YourController : Controller
{
public ActionResult SomeAction()
{
var userName = User.Identity.Name;
}
}

A little bit late, but this may serve others in the future.
I had the same problem once after deploying my site to a new IIS server, and the anonymous authentication was enabled, so make sure that anonymous authentication is disabled and it should work.