I've a strange issue with a .NET 4.0 website published on IIS6.
It implements the Forms Authentication, and in my Web.Config I've something like:
<authentication mode="Forms">
<forms loginUrl="~/login.aspx" timeout="2880" name="AUTH_TOKEN" />
</authentication>
<authorization>
<allow roles="__AUTHUSER__" />
<deny users="*" />
</authorization>
And I've the Default.aspx set as the default document in the website.
If I try to access the www.site/default.aspx it redirects me to the www.site/login.aspx?ReturnUrl=%2fDefault.aspx
And it is fine.
The problem is that if I try to access www.site/default.aspx?ReturnUrl= it gives me a 401.2 error page: not authorized.
It so happens that this is a rebuild of an intranet application and many users actually (for some reason) have the www.site/default.aspx?ReturnUrl= URL saved in their bookmarks... so I need to get it to work.
Any ideas?
Related
I have the following setup in my Web.Config:
<authentication mode="Forms">
<forms loginUrl="Landing/Login.aspx" defaultUrl="~/Member/Dashboard.aspx">
<credentials passwordFormat="SHA1"></credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
This correctly redirects when testing on localhost, but when published to Azure, logging in just redirects to http://mysite.azurewebsites.net/ and not http://mysite.azurewebsites.net/Member/Dashboard.aspx as described in the Web.Config. Interestingly enough, however, trying to navigate to a page without logging in correctly redirects to the defined loginUrl="Landing/Login.aspx". Should I be using the FQDN in this case for the defaultUrl? Is forms authentication not set up on the IIS of my Azure server? Please advise.
I have an ASP.NET WebForms application that was installed on IIS6 and working fine for quite some time. We are attempting to move that application to an IIS7 site, and the forms authentication is not working.
I am NOT using the Microsoft out of the box login control.
I am redirected properly to the login page. When I enter the credentials, the logging indicates that the credentials were correct. The code then redirects to the ReturnUrl query string value as expected. The cookie appears to be correctly created in the browser.
However, when the browser GETs the ReturnUrl, it redirects again to the login page.
web.config entry for the protected page:
<location path="HomeScreen.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow roles="trm_members" />
<allow roles="trm_clients" />
<deny users="*" />
</authorization>
</system.web>
</location>
web.config entry for authentication:
<authentication mode="Forms">
<forms name=".ASPNETAUTH" loginUrl="Account-Registration/Account-Login.aspx" protection="None" timeout="30" />
</authentication>
I am using FormsAuthentication in my current web application with ASP.NET 4.5. I have placed a check on the Login page, if (User.Identity.IsAuthenticated){ }, to redirect to the main page, but strangely, without even logging in, I am getting User.Identity.IsAuthenticated = true. I do not understand why it is giving true.
Web.Config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" name=".ASPNETAUTH" defaultUrl="~/Account/Welcome.aspx" protection="All" timeout="30" path="/"></forms>
</authentication>
Thanks
Ravi Mittal
If this is published in IIS, you need to disable anonymous access via IIS (you can see how to do that on this page).
It would also help to make sure the <authorization> section of your web.config has something like this:
<authorization>
<deny users="?"/>
</authorization>
This will block "unauthorized" users from your app.
We are getting a null reference exception from the following line in IIS 7.5:
if (!User.Identity.IsAuthenticated)
We are using forms authentication and also have anonymous authentication enabled. This works just fine in IIS 7. Following is our configuration in web.config:
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/Auth/Login" defaultUrl="/" timeout="600" path="/" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<identity impersonate="true" />
The forms authentication option also doesn't show up under the IIS site authentication configuration for this site. The only options I see there are Anonymous Authentication and ASP.NET Impersonation.
So, maybe it is not reading from Web.config for some reason? Any help is greatly appreciated.
This is fixed. I saw that the site didn't have references to FormsAuthentication and AnonymousIdentificationModule. I ran aspnet_regiis -i for ASP.NET 4.0 and now the site works fine.
I have the following ASP.NET Forms Authentication configuration:
<system.web>
<authentication mode="Forms">
<forms name="MembershipCookie"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
slidingExpiration="true"
enableCrossAppRedirects="true"
path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
If an anonymous user visits the site and requests home.aspx, should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow-up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If a user is accessing Home.aspx, it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx.
If a user accesses Home.aspx then the second rule will be applied, i.e.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The point to note here is: * tells that any authorized user (having any or no role assigned) could access the page, but ? tells that an unauthorized user could not access the page.
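Added example (not part of any post above, and not ASP.NET's own code): a simplified Python model of URL authorization rule evaluation, run against the rules quoted on this page for Home.aspx and HomeScreen.aspx. It assumes that rules from the most specific scope (a location element) are checked before inherited ones and that the first matching rule decides; the users alice and bob are constructed.

```python
# Added example: simplified model of ASP.NET URL authorization.
# Assumption: most specific scope is checked first, first match decides.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str = ""                      # empty name = anonymous request
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    users: tuple = ()
    roles: tuple = ()

    def matches(self, user):
        if "*" in self.users:           # every user, anonymous included
            return True
        if "?" in self.users and not user.name:     # anonymous users only
            return True
        return any(r in user.roles for r in self.roles)

def is_allowed(user, *scopes):
    """scopes: rule lists ordered from most specific to least specific."""
    for rules in scopes:
        for rule in rules:
            if rule.matches(user):
                return rule.action == "allow"
    return True     # root default in machine-level config: <allow users="*" />

# Rules transcribed from the web.config fragments quoted on this page.
SITE = [Rule("deny", users=("?",))]
HOME_LOCATION = [Rule("allow", users=("*",))]
HOMESCREEN = [Rule("deny", users=("?",)), Rule("allow", roles=("trm_members",)),
              Rule("allow", roles=("trm_clients",)), Rule("deny", users=("*",))]

def access_table():
    anon = User()                                   # constructed sample users
    member = User("alice", frozenset({"trm_members"}))
    no_role = User("bob")
    return {
        "anon Home.aspx": is_allowed(anon, HOME_LOCATION, SITE),
        "anon Other.aspx": is_allowed(anon, SITE),
        "member HomeScreen.aspx": is_allowed(member, HOMESCREEN),
        "no-role HomeScreen.aspx": is_allowed(no_role, HOMESCREEN),
    }

if __name__ == "__main__":
    for request, allowed in access_table().items():
        print(request, "->", "allowed" if allowed else "denied")
```

The last row shows that an authenticated user whose principal carries no matching role is still stopped by the trailing deny users="*" rule, so a valid login cookie alone is not enough for a role-protected page.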