I have a parent website (developed like 5 years ago), say (sky), which I host in IIS7/IIS7.5 and have configured to use Forms authentication and anonymous authentication. Its web.config has the following entries:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" timeout="480" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="~/Home" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<location path="cloud">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now I have a child website (developed 2 days ago), say (cloud), which I host under sky and have configured to use Windows authentication and anonymous authentication. Its own web.config has the following entries:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="false" />
When I access sky/, I end up on the login form, which is expected. I enter the username/pass and I can browse the parent website absolutely fine.
Unfortunately, when I access sky/cloud/, a username/password prompt box shows up, I enter the correct creds, but it does not authenticate and I cannot browse the child website. It repeatedly throws the creds box.
I switched the priority of authentication provider to do NTLM first over Negotiate on cloud, still no luck.
Why does the new site need to be under the parent site? Gotta blame branding here :(
Any ideas on getting this working would be appreciated.
Related
What are all the ways we can redirect to a page in case of denial of access based on roles?
I am able to get the role-based authorization working, but the page is always redirected to the login page when one particular role is not authorized. Please help.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Login.aspx"
defaultUrl="Unauthorizedaccess.aspx" protection="All" path="/"
requireSSL="false"
cookieless="UseUri" domain=""
enableCrossAppRedirects="false" slidingExpiration="true" timeout="2880"></forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
<location path="ABC.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
I am not sure where I need to specify where to redirect in case of access denial. The default URL I specified does not seem to be working.
I am trying to use Forms Authentication for the first time. This is what I have in my web.config:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="Login" slidingExpiration="true" timeout="30" path="/">
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
The website I am working on doesn't actually need any authentication because the page should be accessible without logging in. So that's why I'm allowing all users. I am very new to this so there's probably something obvious I'm doing wrong, but all pages seem to redirect to Login.aspx, even though I'm allowing all users.
All help is very much appreciated. Thanks.
UPDATE:
As one answer directed, I changed the code to the below (changed * to ?) but I still have the same problem:
<authorization>
<allow users="?" />
</authorization>
The asterisk stands for any authenticated user, which does not include anonymous users. Use a question mark to allow anonymous users:
<allow users="?" />
I came to this page having the same problem, and see that 5 years later this has never been properly answered. You needed to specify the following in web.config:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Meaning that you deny access to all anonymous users, and allow access to all authenticated users.
I have this section in my web.config to deny anonymous users access to elmah.axd. Is it possible to make an exception and add credentials for an admin user to allow that user to access the protected web page? I would like to display the browser authentication dialog and ask the user for credentials before accessing the elmah.axd URL.
<location path="elmah.axd">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Here is how to do it.
http://www.xoc.net/works/tips/forms-authentication.asp
By the way, browser authentication forms are usually used in intranets with Windows authentication, and not forms authentication.
Yes:
Add this to <system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="Login.aspx"
protection="All"
timeout="30"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="Login.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
It will redirect anonymous users to Login.aspx
I have the following ASP.NET Forms Authentication configuration:
<system.web>
<authentication mode="Forms">
<forms name="MembershipCookie"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
slidingExpiration="true"
enableCrossAppRedirects="true"
path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If a user is accessing Home.aspx, it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx.
If a user accesses Home.aspx then the second rule will be applied, i.e.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The point to note here is: * tells that any authorized user (having any or no role assigned) could access the page, but ? tells that an unauthorized user could not access the page.
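The rule evaluation asked about in the Home.aspx question, as an added example that is not part of the original posts: a simplified Python model of the documented ASP.NET URL-authorization order (most specific configuration first, first matching rule wins, `?` matches anonymous requests, `*` matches every user). Roles, verbs and child web.config files are left out, and `rules_in`, `merged_rules` and `is_allowed` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed input: the authorization parts of the Home.aspx web.config above.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="Home.aspx">
    <system.web>
      <authorization><allow users="*" /></authorization>
    </system.web>
  </location>
</configuration>
"""
# Root (machine-level) web.config default: everyone is allowed.
MACHINE_DEFAULT = [("allow", ["*"])]

def rules_in(parent):
    """[(action, [user patterns])] from parent/system.web/authorization."""
    auth = parent.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def merged_rules(config_xml, url_path):
    """Rules in evaluation order: most specific <location> first, then site."""
    root = ET.fromstring(config_xml)
    target = url_path.strip("/").lower()          # IIS paths ignore case
    hits = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if target == prefix or target.startswith(prefix + "/"):
            hits.append((len(prefix), loc))
    hits.sort(key=lambda h: h[0], reverse=True)
    rules = [r for _, loc in hits for r in rules_in(loc)]
    return rules + rules_in(root) + MACHINE_DEFAULT

def is_allowed(config_xml, url_path, user=None):
    """First matching rule decides; user=None is an anonymous request."""
    for action, patterns in merged_rules(config_xml, url_path):
        for p in patterns:
            if p == "*" or (p == "?" and user is None) or \
               (user is not None and p.lower() == user.lower()):
                return action == "allow"
    return False
```

With the question's configuration, an anonymous request for home.aspx hits the location-level allow first, while any other page falls through to the site-level deny and is sent to the login page.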
I'm learning how to use the asp authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want the Default page to be accessible to everyone (so, without authentication) and "Test/Default.aspx" to be private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="Empresas">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This way, when I access the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" to "deny users=*", then I can't access it even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to make some pages private?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users