I have installed an ASP.NET 4 Web Forms app on a remote Win2K8R2 virtual machine. I cannot remotely deploy anything to this box, so I shipped a VS2012 Web Deployment Package which I installed locally. I installed the IIS Recommended Configuration through WebPI 4.6.
I started out using the Default Application Pool (mine will be the only web app on IIS) in Integrated Pipeline mode with LocalSystem identity. This is the exact same configuration that I successfully have used for other web apps on a Win2K8 VM and a Win2K8 physical box.
I am using Forms/Anonymous Authentication. The Account directory Authorization is configured this way:
My application Authorization is configured like this:
UPDATE:
My application Authentication is configured like this:
My Membership Provider is configured like this:
<membership defaultProvider="ActsMembershipProvider">
<providers>
<clear />
<add connectionStringName= [myString]
name= [providerName]
type= [assemblyName].[providerName] />
</providers>
</membership>
My Forms Auth is configured like this:
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="~/Account/Login.aspx" defaultUrl="~/" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
UPDATED: After searching SO, here's what I have tried:
Re-registering ASP.NET with IIS. (aspnet_regiis -ir)
With IUSR as Anonymous Authentication user, granted full web app directory rights to IUSR.
Switched App Pool identity to NetworkService and granted app directory rights to NETWORKSERVICE.
Switched Anonymous Authentication user from IUSR to my server username (xxxx/s_usr_acts, as shown in previous screenshots) and gave s_usr_acts full rights to web app directories.
aspnet_regiis at the app level.
I can reach my Login page, but I keep getting the 401.2 error when I try to log in. Anything else I can check or try?
Additional Info:
UPDATE: I have this same application successfully configured on a Rackspace Win2k8 production box and an in-house Win2k8 VM.
I am authenticating via the ASP.NET Membership Provider.
I am running EF5 against Oracle's Data Provider.
UPDATE2: When I ran my Web Deployment Package from root of the C: drive on our client's server, I encountered the 401.2. However, when I ran it from the Desktop, I no longer encountered the 401.2, and "progressed" to Oracle connection errors. I have this as an answer because my findings addressed the specific problem, although I don't consider this canonical in any way. I am still hoping for something closer to a canonical answer.
I had the same problem and I solved it when changing Anonymous Authentication Credentials at IIS Authentication panel. When I selected "Aplication pool Identity" the error dissapeared. I don't know why this is the solution. Although I don't know what is the origin of this mistake neither, because I only wanted to update my web application copying the files from the deploy folder except the web.config file.
Now, after putting out fire, i'll investigate why it happens. For the moment i think that can help somebody.
Related
I am very new to Azure and have deployed a .net application to an Azure web Service over FTP and am getting the below error in the web config at the top line of the section below:
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.
<authentication mode="Forms">
<forms loginUrl="~/Account/Logout" defaultUrl="~/Home" timeout="120" slidingExpiration="true"/>
</authentication>
I have searched online and problem seems to generally come when there are multiple web configs, which isnt the case here. Is there something specific I need to configure in Azure? The application runs fine on local web server.
For additional information the application is in a sub directory in the root and I have added a virtual application in the Azure app portal for the root directory of the application.
I have a web application that allows the users to access the pages if their Windows login name to the domain is in the web config's app settings.
For example:
Logged on username: SampleDomain\SampleUser
on Web.config:
<appSettings>
<add key=AuthorizedUsers value="SampleUser,SampleBooger" />
</appSettings>
<authentication mode="Windows"/>
*successful scenario: SampleUser should be able to browse the website.
I was able to do it successfully during development (locally on my machine), but when I deployed it to a server then I try to browse it from my local machine, the Windows login that it gets is NT AUTHORITY\NETWORK SERVICE so it redirects to my customized error page. I, SampleUser, am in the AuthorizedUsers. I should be able to browse it.
Please help me.
Thank you very much.
You need to use ASP.NET impersonation feature.
When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
Such behavior can be configured in web config using the following code:
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
More info: http://msdn.microsoft.com/en-us/library/xh507fc5%28v=vs.100%29.aspx
I'm trying to use IIS 7 management API but stuck with a security issue. My application is regular ASP.NET site running on .NET 4 (integrated pipeline). The machine is Windows 7 x64 (the app pool is default, running under ApplicationPoolIdentity, x64). The site uses the following settings:
<identity impersonate="true" />
<authentication mode="Windows" />
<customErrors mode="Off" />
<authorization>
<deny users="?" />
</authorization>
My site tries to read other site's details via IIS management API (at localhost). I'm logged in as a member of local Administrators. In IE i try to open my page but get this:
Site 'mysite' at 'myhost' is unknown.System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value()
at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property)
at Microsoft.Web.Administration.Site.get_State()
I don't understand why. I'm damn sure the code runs in impersonation context of my account (can see this is debugger watching System.Threading.Thread.CurrentPrincipal). What am i doing wrong?
p.s.
UAC is on, but i believe that's not important.
Checked NTFS permissions on C:\Windows\system32\inetsrv\config folder - full access for Administrators.
UAC is indeed the root of all evil. Impersonation behavior is broken when it's on. Something is really over-complicated here :(
When UAC is enabled and the current security context is impersonated, the principal reports he's not a member of local Administrators group. But he is. It has something to do with interactive/non-interactive sessions.
Try set temp directory into web.config to folder with full permissions.
<compilation tempDirectory="c:\temp" ... ></compilation>
I have setup an ASP.NET MVC3 website using Windows Authentication and am getting a 401.1. The error code is 0x8009030e on the 401 page. Users should be able to access the site using their domain credentials.
I don't get the error if I logon to the machine and hit the website via localhost (http://localhost/mysite). However, even logged onto the server, if I hit the website through the server name (ie http://machinename.com/mysite) I still get the error.
The website uses it's own .net 4.0 app pool and using integrated mode. The site is configured for Windows Authentication only in the config.
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
...and in IIS. I don't have extended properties configured, and have enabled kernel-mode authentication (both are the default). I've tried toggling "IIS Manager Permissions" without any luck.
Any ideas?
I had to do two things to get this working properly:
Make the app pool use "Classic" instead of "Integrated" mode. After making, the change I was getting a 403.x error.
I solved the 403.x error by granting (Read/Execute) NTFS permissions to the "Domain Users" group.
I hope this is not to paradoxal, but I don't know how this should be done...
I have a VS2008 ASP.NET MVC Project with the following Web.Config entry:
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
This makes the visitor logon automatically with their DOMAIN\username login which they used to logon to Windows. (Right?)
This works with my development server (http://localhost:xxxx), but not with my IIS server (http://localhost). Probably because the development server is 'started' by my local user (which has ActiveDirectory read-rights on the domain) and because IIS is 'started' by the IUSR_WORKSTATION user which does not. (Right?)
If all of the above is true, how can I impersonate the IIS user (for instance to my own username) to solely authenticate the current user with the Windows login name? (like the example below)?
Or should the IUSR_WORKSTATION user be granted ActiveDirectory? read-rights (not preferred as I will be switching servers / IUSR_ users a lot)
<identity impersonate="true" userName="DOMAIN\myuser" password="mypass"/>
<authentication mode="Windows">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>
<identity impersonate="false"/>
Windows authentication is poorly named (IMO). It's not using Windows as the authentication, but rather it delegates the authentication process to IIS. So you need to configure IIS's authentication, which then flows down to ASP.NET
How you do this depends on your version of IIS, in IIS7 expand out the tree and click your web site, then click Authentication and enable Windows Authentication