ASP.NET authorize by page - asp.net

I have these settings in my web.config file. Only two authorization tags. One to deny anonymous users and another for the register page so anyone can access it. How can I achieve that?
<configuration>
<system.web>
<authorization>
<deny users="?"/>
<!--Deny access to unauthorized users-->
</authorization>
...
</system.web>
<location path="Account/Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
These settings above give me the following error when I click on the Register button.
Access is denied.
Description: An error occurred while accessing the resources required
to serve this request. The server may not be configured for access to
the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
The login page is accessible. I have a user in the web.config to test and it works fine. I can login and access all pages. But how can I make register page accessible?

You are right @Seyed Morteza Mousavi, my problem was in the register link!
The default looked like this when I created the site.
<asp:HyperLink runat="server" ID="RegisterHyperLink" ViewStateMode="Disabled">Register</asp:HyperLink> if you don't have an account.
I changed it to be this.
<asp:LinkButton runat="server" ID="lnkRegister" PostBackUrl="~/Account/Register.aspx" CausesValidation="false">Register</asp:LinkButton> if you don't have an account.
It works now. I don't know why the default one doesn't work, but I don't care anymore. Also, the Register link in the Site.Master next to the Login link does not work. It keeps redirecting to the Login page! Again, not sure why. But this is OK for now.

Related

How to set startup page in IIS

I have an ASP.NET web application. I want to allow only authenticated users into this application. Any anonymous user should get an access denied error or should get redirected to the login page. So I added the “authorization” element in the config file to deny all anonymous users. I excluded the login.aspx page so anonymous users can access it.
<system.web>
<authentication mode="None" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
NOTE: This application uses Azure AD for authentication; that's why you see authentication mode="None". When a user accesses the login page it just redirects the user to the Azure site for authentication. And this authentication piece is working fine.
Questions
1. Consider my application is hosted in local IIS. Since only login.aspx is excluded from authorization, if I type http://localhost I get an access denied error. I have to explicitly type http://localhost/login.aspx to log in. How do I change this so that when I type http://localhost IIS will redirect to http://localhost/login.aspx? (I have already tried setting login.aspx as the first page under Default Document in IIS.)
2. What configuration do I need so that if an anonymous user tries to access any resource under http://localhost he gets redirected to http://localhost/login.aspx? (This would also take care of the first question.)
Add your startup page name in the Default Document option, like the Snagit screenshot below:
Open IIS (Internet Information Services) Manager
Select “Default Document”
Add your file path to be the homepage

How to stop users from accessing my web application folders and files by typing url in address bar?

I am using my own authentication method with cookies and username/password verification from the database, but when I debug my application I can access any folder and any image, PDF, etc. file by directly typing its URL without logging in. So I want all such unauthorized access to folders and files to be redirected to the default.aspx page.
please help me.
Try this,
<location path="[subdir1]">
<system.web>
<authorization>
<deny users ="?" />
<allow users ="*" />
</authorization>
</system.web>
</location>
Change [subdir1] to the folder you want to protect. For more info see here.
Try these:
Use ASP.NET authentication; for more info go here.
Use the global.asax BeginRequest event and do your custom check for a valid user there; for more info go here.

ASP.NET Redirects to Login After Automatic Account Creation...Why?

I have a create_account.aspx page with a CreateUserWizard control on it. It has the LoginCreatedUser property set to true.
Once the account has been created and some further wiring up has occurred in CreateUserWizard_CreatedUser I do the following:
Response.Redirect("~/dashboard/default.aspx")
The individual is then redirected to the login.aspx page as if they are not authenticated? Why?
I have a suspicion that it may be related to the fact that default.aspx is in a sub-directory in which I have a web.config file stating,
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Any thoughts?
You might want to try setting the CreateUserWizard ContinueDestinationPageUrl property to the required URL, i.e. ContinueDestinationPageUrl="~/dashboard/default.aspx".
It can be done programmatically as well.

IIS7 Authorization Rules / Config - Prompting Perpetually

I am trying to secure an application in IIS7 using .NET Authorization Rules.
By default, the web server allows all users access (which is inherited).
I have added, just for this one application directory, a deny all users command, as well as an allow command for specific users.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="myusername" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
I have Windows Authentication enabled, and I can verify that without the deny line my REMOTE_USER is MYDOMAIN\myusername.
However, when I try to deny all users, I am prompted with the typical Windows domain username/password box. If I enter the username and password, the prompt comes back up again 3 times until finally presenting me with a failure message. (I have also tried to no avail)
Looking in the event viewer, it appears as if my login using the username and password is successful in the audit ... and to further that point, my account is not being locked out (which it would be if I were failing to log in over and over). So it's as if I am logging in, but the configuration is not seeing what I entered as matching my login.
Below is the message I see (even when connecting from the server using localhost):
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:
http://www.iis.net/ConfigReference/system.webServer/security/authorization
The confusion occurs because in IIS7 there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For that, you must make sure it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules".
Another note worth mentioning, if you put the following config in place:
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="unknownname" />
<add accessType="Allow" users="knownname" />
</authorization>
</security>
</system.webServer>
</configuration>
This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.
Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
Configure Basic Authentication in IIS 8 on Windows Server 2012
01-Authentication-Add Features
02-Authentication-Server Roles
03-Authentication-Server Management
04-Authentication-Set Password for user
05-Authentication-Authentication in IIS setup
Could you change your code as below?
<deny users="*" />
<allow users="myusername" />
I spent 4 hours trying to set this up (to use a domain role) :). The final solution was to use the domain name in the role too:
<system.web>
<authorization>
<allow roles="DOMAINNAME\rolename" />
<deny users="*" />
</authorization>
</system.web>

Add authentication to subfolders without creating a web application

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.
Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).
Is there any way to secure the new section of the site while at the same time utilize the already existing resources?
In your web.config file in the root of your site, if you add:
<location path="relativePathToDir">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This is working for me using FormsAuthentication; the user gets redirected to the default login page if not authenticated.
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single authentication mode for one application.
Different applications CANNOT share resources among them.
Scenario
Let's say the home page should not prompt a login dialog. It should let users pass through regardless of their login. However, in the same application, in a different folder presumably, another page needs to check user permission against a database table using the user's network login ID. By default IE treats any web site with only a hostname as Intranet. With its default intranet setting, it will not prompt the login dialog and will pass the user's login and password to the application if Windows Authentication is used. However, the tricky part is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.
The only way not to prompt the login dialog for an Internet site using Windows Authentication is to also turn on Anonymous Authentication in IIS. However, you will lose the ability to capture the login info because Anonymous has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to override the parent authorization in a location element in web.config.
1. In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2. Add the following to Web.config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Remove the application, then add this to the top-level web.config:
<configuration>
<system.web>
<!-- applies application wide -->
</system.web>
<location path="securedirectory" allowOverride="false">
<system.web>
<!-- applies only to the path specified -->
</system.web>
</location>
</configuration>
MSDN Reference
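Several of the threads above hinge on the same two facts about ASP.NET URL authorization: rules in <system.web><authorization> are checked in document order and the first rule that matches the caller wins (so <deny users="*"/> placed before an <allow> denies everyone), and rules from a <location path="..."> or a subfolder web.config are consulted before the parent's rules (which is why <deny users="?"/> at the root plus <allow users="*"/> in a location for Register.aspx lets anonymous users reach only that page). The following Python model is an added example, not code from any of the posts or from ASP.NET itself; it assumes the simplified evaluation just described ("*" = everyone, "?" = anonymous, longest matching path prefix first, inherited default allow when nothing matches) and parses a constructed web.config that combines the page's patterns.

```python
"""Model of ASP.NET URL authorization rule evaluation (added example, not ASP.NET code).

Assumption: <allow>/<deny> rules are evaluated in document order, first match wins,
rules of the most specific path (a <location> or subfolder) come before the parent's,
and the machine-level default <allow users="*"/> applies when nothing matches.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Rule:
    allow: bool                   # True for <allow>, False for <deny>
    users: Tuple[str, ...] = ()   # "*" = everyone, "?" = anonymous, else a user name
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Principal:
    name: Optional[str]           # None models an unauthenticated (anonymous) request
    roles: Tuple[str, ...] = ()


def _split(attr: Optional[str]) -> Tuple[str, ...]:
    # users/roles attributes are comma-separated lists
    return tuple(v.strip() for v in (attr or "").split(",") if v.strip())


def parse_rules(authorization_el: ET.Element) -> List[Rule]:
    """Turn the children of an <authorization> element into Rule objects, in order."""
    return [Rule(el.tag == "allow", _split(el.get("users")), _split(el.get("roles")))
            for el in authorization_el if el.tag in ("allow", "deny")]


def load_config(web_config_xml: str) -> Dict[str, List[Rule]]:
    """Map a virtual-path prefix to its ordered rules: "/" for the root <system.web>
    block and "/<path>" for every <location path="..."> element."""
    root = ET.fromstring(web_config_xml)
    config: Dict[str, List[Rule]] = {}
    auth = root.find("system.web/authorization")
    if auth is not None:
        config["/"] = parse_rules(auth)
    for loc in root.findall("location"):
        auth = loc.find("system.web/authorization")
        if auth is not None:
            config["/" + loc.get("path", "").strip("/")] = parse_rules(auth)
    return config


def rule_matches(rule: Rule, who: Principal) -> bool:
    for u in rule.users:
        if u == "*" or (u == "?" and who.name is None):
            return True
        if who.name is not None and u.lower() == who.name.lower():
            return True
    return any(r.lower() == have.lower() for r in rule.roles for have in who.roles)


def is_authorized(config: Dict[str, List[Rule]], path: str, who: Principal) -> bool:
    """First matching rule wins; the most specific path prefix is consulted first."""
    lowered = path.lower()
    applicable = [p for p in config
                  if lowered == p.lower() or lowered.startswith(p.rstrip("/").lower() + "/")]
    applicable.sort(key=len, reverse=True)   # longest (most specific) prefix first
    for prefix in applicable:
        for rule in config[prefix]:
            if rule_matches(rule, who):
                return rule.allow
    return True   # nothing matched: inherited machine-level <allow users="*"/>


# Constructed web.config combining the patterns discussed on the page.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="Account/Register.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="secured">
    <system.web><authorization>
      <allow roles="DOMAINNAME\\admins"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

# Constructed ordering mistake: <deny users="*"/> matches everyone before the
# named user ever reaches the <allow> rule, so myusername is denied too.
MISORDERED_WEB_CONFIG = """<configuration>
  <system.web><authorization>
    <deny users="*"/>
    <allow users="myusername"/>
  </authorization></system.web>
</configuration>"""


def demo() -> Dict[str, bool]:
    cfg = load_config(SAMPLE_WEB_CONFIG)
    anon, alice = Principal(None), Principal("alice")
    admin = Principal("DOMAINNAME\\bob", roles=("DOMAINNAME\\admins",))
    return {
        "anon_default": is_authorized(cfg, "/Default.aspx", anon),            # False
        "anon_register": is_authorized(cfg, "/Account/Register.aspx", anon),  # True
        "alice_default": is_authorized(cfg, "/Default.aspx", alice),          # True
        "alice_secured": is_authorized(cfg, "/secured/report.aspx", alice),   # False
        "admin_secured": is_authorized(cfg, "/secured/report.aspx", admin),   # True
        "misordered": is_authorized(load_config(MISORDERED_WEB_CONFIG),
                                    "/Default.aspx", Principal("myusername")),  # False
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Running the script prints one line per check; the "misordered" case is the one the IIS7 thread trips over, and the "anon_register" case is the first thread's intended outcome, which shows that the original web.config there was already correct and the 401.2 came from the link, not the rules. The model ignores the verbs attribute and the system.webServer URL authorization rules, which have their own semantics.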