Authorization in Azure vs owin and web.config - asp.net

I have a C# app that is hosted on Azure. I have configured the app to use external authentication via a user's Microsoft account, which works ok. However, when I add the authorization node in the web.config file, which defines 'deny users="?"', it makes no difference - a user can seemingly browse the site whether they are logged in or not. They can log in with their MS account if they choose, and that works fine.
So looking into this, I discovered the authorization feature in Azure, which allows me to use Azure Active Directory and enforce authentication for the site via the Azure management portal, which also works fine. But now I don't have access to my role definitions.
So as I am now a little confused, my first question is, does anyone know why the authorization element in the web.config had no effect?
And secondly, am I right in thinking that the external auth provider in the application is totally separate and independent of the Azure authentication provider, and so is there an advantage to using one system over the other? OWIN can use roles, that's an advantage - is there an advantage to using Azure auth - apart from ease of switching on/off?
Relevant config sections:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="60" defaultUrl="~/" protection="All"/>
    </authentication>
    <authorization>
      <allow users="*"/>
      <deny users="?"/>
    </authorization>
  </system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>

You are mixing modes of Authorization. Since you are using OWIN and C#, I'll assume your app is an MVC app. You should read through the detailed articles and samples at Getting Started with Asp.Net Identity. The samples are easy to walk through and to deploy to Azure for testing different Authentication/Authorization methods.

Related

Confusion about impersonation, authentication, and authorization in web.config

I'm trying to retrieve the Windows login username for the current user in my ASP.NET website project.
My web.config file has the following items:
<identity impersonate="true"/>
<authentication mode="Forms">
  <forms name="app" path="/path" loginUrl="/path/login.aspx" protection="All" timeout="100" />
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*"/>
</authorization>
My understanding is that with this configuration I should be able to retrieve Domain\username from WindowsIdentity.GetCurrent().Name. However, this property returns NT AUTHORITY\IUSR which is the user for anonymous access. If I am not mistaken, I am denying anonymous access to the site in my authorization section. What am I missing?
Also of note:
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name also returns NT AUTHORITY\IUSR and Request.ServerVariables["LOGON_USER"] returns an empty string, which goes against the information found in this KB article http://support.microsoft.com/kb/306359
I am using .NET 4.0 and a Windows 7 development environment.
Some resources that led me to this point:
http://msdn.microsoft.com/en-us/library/ff647076.aspx
http://support.microsoft.com/kb/306158
http://forums.asp.net/t/1121780.aspx/1?Getting+a+users+DOMAIN+username+from+a+web+application
Thanks for your time.
Edit
It should be noted that I am locked into forms authentication (Windows authentication is not an option), as this is a multi-tenant site, and the majority of users will not be using this single sign-on feature.
If you're using forms authentication then impersonation is meaningless - it only works with Windows authentication. The same applies for Request.ServerVariables["LOGON_USER"].
The reason you're seeing IUSR_ is because that's the Windows account the web site is running as. Instead, you should use Page.CurrentUser (WebForms) or the User property (MVC Controllers), with no casting. This will return the Forms Auth username.

ASP.net quick and dirty authentication

I'm currently working on a page within one of my company's internet sites that is in response to some production issues we have. The page will be published with the rest of the web site to our DMZ; however, I'd like to set up some quick authentication so only users on our domain (assuming they access the site internally) can access the page. I'd like to use Windows authentication to do so.
Is there a quick way to accomplish this?
If I understand the question correctly, you want to enable security just on one page in your application - not the entire app.
Under IIS, you can manage the security settings on a page by page basis. In the IIS manager, pick the page, and change the security settings so that anonymous is off, and only Windows auth is accepted. You should get prompted for a login when you visit that page.
From Scott Gu's blog:
"To enable Windows Authentication within an ASP.NET Application, you should make sure that you have "Integrated Windows Authentication" (formerly called NTLM authentication) enabled within IIS for the application you are building. You should then add a web.config file to the root directory of your ASP.NET application that contains an <authentication> section which sets the mode to "Windows". You should also then add an <authorization> section to the same web.config file that denies access to "anonymous" users visiting the site. This will force ASP.NET to always authenticate the incoming browser user using Windows Authentication – and ensure that from within code on the server you can always access the username and Windows group membership of the incoming user. The below web.config file demonstrates how to configure both steps described above:"
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
EDIT:
You can apply the auth settings to just a path in this way:
<location path="mypath.axd">
  <system.web>
    <authorization>
      <allow roles="MyRole, AnotherRole" />
      <deny users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>
You can simply use Windows Authentication settings in IIS. Just turn off Anonymous Access in IIS and set your NTFS permissions on the Web folder to the users whom you want to have access to the site. Your IIS admin should be able to handle this quite easily.

MVC app suddenly requiring authorization for everything after Windows/IIS reinstall

I recently reinstalled Windows (on an SSD!) and I'm in the process of setting up IIS and all my web projects.
One of my MVC projects keeps asking for authentication on everything, including on resources like .css files and images. I'm using the default MVC template login with a custom provider that I'm using for dev purposes.
I've tried rolling back my web.config to before I moved the project file and re-set IIS, but that didn't make much of a difference -- aside from changing authentication mode from Windows to Forms.
Can you see anything wrong with my config?
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership defaultProvider="SuperSimpleMembershipProvider">
  <providers>
    <clear />
    <add name="SuperSimpleMembershipProvider" type="Website.Helpers.SuperSimpleMembershipProvider" />
  </providers>
</membership>
I don't have any <authorization> element or anything else related to login, since I'm doing everything via MVC.
Update: Tried <authorization><allow users="*"/></authorization>, still not working.
Have you checked the configuration settings in IIS for that particular website? There are authentication options there which will help.
Turns out I had to allow IUSR read access to the site folder, since that's the user that Anonymous Authentication allows.

How to deploy and secure an ASP.NET web app to be available to internal and outside users?

My company has several web applications written in ASP.NET. We need to make these applications available to Intranet users as well as authenticated external users. Most of the features are the same for the two groups, though there are some extra features available to the Internal users. The two different sets of users would use a slightly different security setup... our internal people will be authenticated using LDAP against Exchange, whereas the external users will have accounts in SQL Server.
What is the best approach for deploying our web apps? Should we deploy 2 copies to different servers, one configured for an Intranet and one for outside users? Or is there a better way to share the code between the 2 servers, yet have the flexibility to use different web.config settings for security?
This is what you are after: http://msdn.microsoft.com/en-us/library/ms972958.aspx
It is specifically about mixed windows and forms authentication.
You can secure folders by adding an additional web.config file to that folder:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
What this does is allows anyone with the role "admin" and denies every other user from accessing resources in the folder. There are lots of combinations and possibilities available. Note that the order of declaring permissions here is important. It is worth experimenting with so that you fully understand how this works.
Page-specific settings can be handled like this:
<location path="page.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
    </authorization>
  </system.web>
</location>
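The note above that rule order matters, and the first question's config (where `<allow users="*"/>` precedes `<deny users="?"/>`), both come down to the same evaluation rule: ASP.NET's UrlAuthorizationModule walks the rules top to bottom and the first match decides, so an `allow users="*"` placed first admits anonymous callers and the following `deny users="?"` is never reached. The following small emulator is an added example, not code from any of the posts or from ASP.NET itself; the three sample configs are constructed to mirror the ones on this page.

```python
# Added example: emulate ASP.NET UrlAuthorizationModule rule evaluation
# (first matching <allow>/<deny> wins) over small constructed configs.
import xml.etree.ElementTree as ET

def parse_rules(xml_text):
    """Return [(verb, users, roles)] in document order from an <authorization> element."""
    root = ET.fromstring(xml_text)
    section = root if root.tag == "authorization" else root.find(".//authorization")
    rules = []
    for el in section:
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
            roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
            rules.append((el.tag, users, roles))
    return rules

def is_allowed(xml_text, user=None, roles=()):
    """'*' matches everyone, '?' only anonymous callers, names/roles compare case-insensitively.
    If no rule matches, access is allowed (the machine-level default is <allow users="*"/>)."""
    anonymous = user is None
    user_roles = {r.lower() for r in roles}
    for verb, users, rule_roles in parse_rules(xml_text):
        user_hit = any(
            u == "*" or (u == "?" and anonymous)
            or (not anonymous and u.lower() == user.lower())
            for u in users)
        role_hit = not anonymous and any(r.lower() in user_roles for r in rule_roles)
        if user_hit or role_hit:
            return verb == "allow"   # first match decides
    return True

# Constructed samples. Order as in the first question: 'allow *' is hit first,
# so 'deny ?' is dead configuration and anonymous users get in.
AS_POSTED = '<authorization><allow users="*"/><deny users="?"/></authorization>'
# Same two rules with the deny first: anonymous callers are turned away.
DENY_FIRST = '<authorization><deny users="?"/><allow users="*"/></authorization>'
# Role-restricted folder as in the answer above: admins only, everyone else denied.
ADMIN_ONLY = '<authorization><allow roles="admin"/><deny users="*"/></authorization>'

if __name__ == "__main__":
    print(is_allowed(AS_POSTED))                                   # True (anonymous gets in)
    print(is_allowed(DENY_FIRST))                                  # False
    print(is_allowed(DENY_FIRST, user="alice"))                    # True
    print(is_allowed(ADMIN_ONLY, user="alice", roles=("admin",)))  # True
    print(is_allowed(ADMIN_ONLY, user="bob"))                      # False
```

The emulator only covers the `users` and `roles` attributes; it ignores `verbs` and the merging of rules from parent folders and `<location>` elements that real ASP.NET performs.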

How to set the forms authentication in asp .net 3.5?

When I copy my URL and paste in other browser, the page opens which should not happen. This shows lack of security. I want the forms authentication. How to do that?
If you set cookieless="true" (or UseDeviceProfile and browser has cookies disabled) in your web.config file, authentication information is appended to the URL and this url will be valid across other browsers. If you use cookies to identify users, then only the current browser will have the user authenticated.
You need to set this up in your web.config file:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
As described in this MSDN article.
Forms Authentication is not a newly added concept in asp.net 3.5. It is a tried and tested technique in existence since asp.net 1.0. There are lots of books and tutorials available to show you how to do this. The simplest way you can achieve this is using membership provider models such as SqlMembershipProvider. These models provide you with ready-made infrastructure which you can use for authentication.