ASP.NET Forms authentication requires Anonymous enabled - asp.net

I am working with an ASP.NET application that uses Forms Authentication. However, if I turn off all authentication methods except for Forms, I get
HTTP Error 401.2 - Unauthorized
when trying to browse any page. Enabling Anonymous authentication fixes it. What causes this behavior? Thanks!

By doing this you're only allowing users to visit pages (other than the login page) if they have logged into your site.
Direct from MSDN:
Forms authentication lets you authenticate users by using your own code and then maintain an authentication token in a cookie or in the page URL. Forms authentication participates in the ASP.NET page life cycle through the FormsAuthenticationModule class. You can access forms authentication information and capabilities through the FormsAuthentication class.
By setting a loginUrl in the web.config you're instructing your app that the login page is ok to visit for anonymous users. If the user tries to visit a page OTHER than the loginUrl then they will be redirected TO that loginUrl.
Quite often a site would use both anonymous as well as forms. Anonymous to allow visiting of public pages and the forms auth to hide the pages from those not logged into your website.
It's great to use (forms auth) if you're using the ASP.Net Membership and login controls alongside it, though if you don't plan on using these then you won't need to worry about Forms Authentication as you can build your own method of letting users gain access.
So all that's to say, if you want to lock it all down bar one page, then set a loginUrl in your web.config
<authentication mode="Forms">
  <forms name="myLogin" loginUrl="/Login.aspx">
  </forms>
</authentication>
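The following web.config is an added example, not code from the answer above, and it shows where the 401.2 actually comes from. IIS runs its own authentication stage before the request reaches ASP.NET; with every IIS method disabled there is nothing left that can accept the request, so IIS rejects it with 401.2 and the FormsAuthenticationModule never gets a chance to redirect to the login page. Forms authentication therefore needs IIS Anonymous enabled, and the lock-down is expressed as ASP.NET authorization rules instead. The forms name "myLogin" is taken from the answer; the Content folder and the requireSSL and timeout values are assumptions for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication is an ASP.NET module. It runs after the IIS
         authentication stage, it does not replace it. -->
    <authentication mode="Forms">
      <forms name="myLogin" loginUrl="~/Login.aspx" timeout="30"
             slidingExpiration="true" requireSSL="true" />
    </authentication>

    <!-- This is what locks the site down. Rules are evaluated top to bottom
         and the first match wins, so anonymous users ("?") are denied
         before everyone else ("*") is allowed. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- The page named in loginUrl is exempt from the deny rule automatically;
       the stylesheet and images it references are not, whenever managed
       modules run for static files (integrated pipeline with
       runAllManagedModulesForAllRequests="true"). Open them explicitly.
       "Content" is an assumed folder name. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS 7 and later, integrated pipeline: keep Anonymous on at the IIS
       layer so the request reaches ASP.NET at all, and turn the other IIS
       methods off so a Windows or Basic challenge never pre-empts the
       Forms redirect. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
        <basicAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The system.webServer authentication sections are locked at server level by default, so the last block is rejected with a configuration error until they are unlocked once on the server, for example with appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication (and the same for windowsAuthentication and basicAuthentication), or by setting the methods in IIS Manager instead of web.config.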

Part of the answer is here:
http://forums.iis.net/t/1159935.aspx/1
A more detailed explanation:
http://www.asp.net/learn/security/tutorial-02-cs.aspx
http://www.asp.net/learn/security/tutorial-03-cs.aspx


Sustainsys Saml2 start authentication for ASP.NET Web Forms Example

I found the information below to start auth for web forms from Anders Abel. I can't find any actual example code anywhere on how to use the HttpModule to start the auth redirect. Can someone provide some please? I have multiple idps, so I would need a way to specify one.
You should use the HttpModule with Web forms. To start authentication redirect the user to /Saml2/SignIn.
Or protect the entire application with automatic redirection by settings in web.config:
Authentication mode Forms with a login url of /Saml2/SignIn.
Set Authorization rules in web.config to disallow anonymous access to all pages.

You can download the code from github...
https://github.com/Sustainsys/Saml2
It is still there, but you need to go back a little bit in time to commit 62552e250cccd8a7663d9ce29b3239eae51ce498 to get the example.

ADFS SSO integration - aspx exceptions

We have implemented SSO on our web app and it's working fine. Users are redirected to the ADFS login before accessing our app and we accept the ADFS token and authenticate accordingly. We're happy.
The question is for some of the aspx pages, we don't require authentication. Is there a place to list those exceptions in the web.config (or other)?
Yes - you can use the location tag with allow / deny.
Refer: Setting authorization rules for a particular page or folder in web.config.
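An added example of the location approach (not the answer's own code). The site-wide rule denies anonymous users, which is what produces the 401 that the federation module turns into the redirect to ADFS; each exception is a location element that allows everyone for one path. The page and folder names (Health.aspx, Public, Public/Admin.aspx) are assumptions for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Site-wide: anonymous users are denied. With WIF's
         WSFederationAuthenticationModule the resulting 401 becomes the
         redirect to the ADFS sign-in page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception for a single page (assumed name). -->
  <location path="Health.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Exception for a whole folder of public pages and their assets
       (assumed name). -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- A page inside the public folder that must stay protected: the rules
       for the more specific path are evaluated before the folder's, so this
       deny matches an anonymous user first. -->
  <location path="Public/Admin.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things to check after adding exceptions: the ordering (a deny users="?" placed after an allow users="*" in the same list never fires, because the first matching rule wins), and how the ADFS redirect is triggered. The location entries only help when the redirect is driven by the authorization module's 401; an application that redirects to ADFS from its own code on every request has to exempt the same paths in that code.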

Cross Web Application Authentication Not Authenticating Unless Redirected From Second Site

I have 2 asp.net web applications using Forms Authentication set up to have cross application authentication. I have placed the following code in the webApp1 and webApp2 web.config files within the system.web tag.
<authentication mode="Forms">
  <forms timeout="11520" loginUrl="https://App1/logon.aspx" cookieless="AutoDetect" name=".ASPXFORMSAUTH"
         protection="All"
         path="/"
         domain="fsenet.companyname.net" />
</authentication>
<machineKey
  decryption="AES"
  validation="SHA1"
  decryptionKey="306C1FA852AB3B0115150DD8BA30821CDFD125538A0C606DACA53DBB3C3E0AD2"
  validationKey="61A8E04A146AFFAB81B6AD19654F99EA7370807F18F5002725DAB98B8EFD19C711337E26948E26D1D174B159973EA0BE8CC9CAA6AAF513BF84E44B2247792265" />
Scenario 1 Works: If I try to access a page on webApp2 and I'm unauthenticated it will redirect me back to the webApp1 logon page; I then log on and am redirected back to the page on webApp2. All works as expected when using this redirect method.
Scenario 2 Problem: If I log on using webApp1 and have a link on a page within webApp1 and try to navigate to a page within webApp2, I automatically get redirected back to the logon page. As I understand it I should already be authenticated to access the page on webApp2 and should not be asked to authenticate again.
I use this code to identify if I'm authenticated:
User.Identity.IsAuthenticated.ToString()
Scenario 2 shows False (the reason for the redirection) and Scenario 1 shows True.
Am I missing some setting that allows me to access the content on webApp2 after Authenticating with webApp1?
It is very important that you set FBA settings correctly for cross-application SSO. There are already blog posts covering such tricks, and I can see that you missed multiple steps, and then one app cannot get the authenticated info from another.
http://geekswithblogs.net/bjackett/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx
OK, what I was doing wrong was not accessing both sites with the same domain, e.g. while I was debugging I was logging in via
http://localhost/Site1
(localhost being the mistake) and then linking from there to http://domianname.net/Site2/Page1.aspx when I should have been accessing them both via http://domianname.net/Site1 and http://domianname.net/Site2/Page1.aspx (both with the domain), which allows the authentication cookie to be picked up from the correct location I believe.
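An added example, not the asker's posted configuration: the same two-application setup with the settings that have to be identical on both sides called out, and with the cookie hardened. The posted configuration uses cookieless="AutoDetect", which lets the authentication ticket travel in the URL whenever a client appears not to accept cookies; a ticket in the URL ends up in Referer headers, proxy logs and bookmarks, and UseCookies removes that path. The host fsenet.companyname.net is from the post; the /Site1/logon.aspx path, slidingExpiration, requireSSL, the HMACSHA256 choice and the key placeholders are assumptions.

```xml
<!-- system.web section, identical in webApp1 and webApp2 -->
<system.web>
  <authentication mode="Forms">
    <!-- name, path, domain, protection and the machineKey below are what make
         one application's ticket readable by the other; all of them must
         match exactly. loginUrl must also sit inside the cookie domain: a
         login at localhost answers with a Set-Cookie for domain
         fsenet.companyname.net, which the browser discards because it does
         not match the host the response came from. -->
    <forms name=".ASPXFORMSAUTH"
           loginUrl="https://fsenet.companyname.net/Site1/logon.aspx"
           domain="fsenet.companyname.net"
           path="/"
           protection="All"
           timeout="11520"
           slidingExpiration="true"
           cookieless="UseCookies"
           requireSSL="true" />
  </authentication>

  <!-- Without this an unauthenticated request is served rather than
       redirected; Forms authentication only issues tickets, it does not
       deny anything by itself. -->
  <authorization>
    <deny users="?" />
  </authorization>

  <!-- The forms cookie is HttpOnly regardless of this setting; this covers
       the other cookies the applications set. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />

  <!-- Generate a fresh pair (IIS Manager, Machine Key, Generate Keys) and
       paste the same values into both applications; the keys quoted in the
       question are now public and must not be reused. HMACSHA256 needs
       .NET 4 or later; on .NET 3.5 keep validation="SHA1". -->
  <machineKey validation="HMACSHA256"
              decryption="AES"
              validationKey="REPLACE-WITH-128-HEX-CHARS-SHARED-BY-BOTH-APPS"
              decryptionKey="REPLACE-WITH-64-HEX-CHARS-SHARED-BY-BOTH-APPS" />
</system.web>
```

A quick way to confirm the sharing works before touching application code: log on at Site1, then in the browser's cookie store check that .ASPXFORMSAUTH is stored for fsenet.companyname.net with path / and the Secure flag, and that the same cookie is sent on the first request to Site2. If it is stored for a different host, or not stored at all, the domain attribute and the host you logged in through do not agree.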

How do I create an Authentication Cookie in a custom MembershipProvider?

I'm trying to create a custom MembershipProvider and I was wondering how I would add my user information to the Authentication Cookie that ASP.NET uses. My goal is to get my authentication to work for both the website and the WCF service with ASP.NET Compatibility mode enabled.
You are using MembershipProvider in your application, so all you have to do is just use the inbuilt login control and set its provider property to the type of your MembershipProvider. FormsAuthentication will take care of creating authentication cookies for your users.
You need to specify the URL of your default page [where your users will go after successful login] and the URL of the login page which hosts the Login control. FormsAuthentication will check if the user is authenticated; if it finds the user is not logged in and your asp.net page demands authentication, then FormsAuthentication will redirect the user to the Login page specified in web.config's FormsAuthentication section.
That is how you leverage Providers in ASP.NET 2.0+, you need not do things explicitly, everything is configurable.
Here are some links for your reference, which will guide you through what you need.
http://msdn.microsoft.com/en-us/library/879kf95c.aspx
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/ctrlref/login/login.aspx
http://www.asp.net/learn/videos/video-7420.aspx
http://www.asp.net/learn/videos/video-148.aspx
http://www.asp.net/learn/videos/video-47.aspx
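An added example that ties the answer's two halves together, not code from the answer or from any ASP.NET sample: the web.config that registers a custom provider for the Login control, sets the login and default URLs the answer mentions, and switches on the ASP.NET compatibility mode the question refers to so the WCF service reads the same Forms cookie. The provider type MyApp.Security.CustomMembershipProvider and the assembly name MyApp are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Login page hosting the asp:Login control, and where to send users
         after a successful login. FormsAuthentication issues the cookie;
         the provider only has to answer ValidateUser(). -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx"
             cookieless="UseCookies" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Register the custom provider and make it the default so the Login
         control and Membership.* calls use it. The type name is assumed. -->
    <membership defaultProvider="CustomMembershipProvider">
      <providers>
        <clear />
        <add name="CustomMembershipProvider"
             type="MyApp.Security.CustomMembershipProvider, MyApp" />
      </providers>
    </membership>
  </system.web>

  <!-- ASP.NET compatibility mode: the .svc is hosted in the ASP.NET
       pipeline, so FormsAuthenticationModule runs for it and the service
       sees the logged-in user in HttpContext.Current.User. -->
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>
```

In Login.aspx the control is declared as asp:Login with MembershipProvider="CustomMembershipProvider", and the service class carries the AspNetCompatibilityRequirements attribute with RequirementsMode set to Allowed or Required. One consequence of putting the service behind the same deny rule: a client that does not present the cookie receives the 302 to Login.aspx rather than a SOAP fault, so service clients must log in first and attach the cookie to every call.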

Asp.net and windows authentication

My application needs to be designed so that an administrator can, via a web interface select if their users login via windows authentication or forms authentication.
This means I can't specify the authentication mode in the web.config i.e.:
<system.web>
<authentication mode="Windows"/>
</system.web>
How do I approach this?
Use Forms authentication mode, whereby the login form can determine the user and the preferred authentication method for that user. If the user can be windows authenticated, you don't need to present the login form, just set the user as authenticated and redirect accordingly.
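An added example of the mixed-mode layout the answer describes, not the answer's own code. The application stays in Forms mode, so the administrator's choice is ordinary application data rather than a web.config setting; Login.aspx reads that choice and either shows the form or sends the browser to one page where IIS itself demands Windows credentials. That page issues the Forms ticket from the Windows identity, after which both kinds of user look the same to the rest of the site. The page name WinLogin.aspx and the cookie name are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- The application as a whole uses Forms authentication. -->
    <authentication mode="Forms">
      <forms name=".MIXEDAUTH" loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Site-wide at the IIS layer: Anonymous on, so Forms requests reach
       ASP.NET; Windows off, so the site never challenges unprompted. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>

  <!-- The one page where IIS requires Windows credentials (assumed name).
       Login.aspx redirects here when the administrator selected Windows
       for the user. ASP.NET still treats the visitor as anonymous until
       the Forms ticket exists, so the page must be allowed explicitly. -->
  <location path="WinLogin.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

WinLogin.aspx itself only needs to take Request.LogonUserIdentity.Name, the account IIS authenticated with NTLM or Kerberos, and pass it to FormsAuthentication.RedirectFromLoginPage; from then on User.Identity comes from the Forms ticket exactly as for a password login. The IIS authentication sections have to be unlocked at server level before they can be set per location in web.config, and browsers only send Windows credentials silently to hosts in their intranet zone, otherwise the user sees a credential prompt.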
