I created deployment package of my site when I try to use it I get the following error:
The length of the query string for this request exceeds the configured maxQueryStringLength value.
and the adress bar looks like this.this doens't happen in visual studio
http://localhost/MyServer/Login.aspx?ReturnUrl=%2fMyServer%2fLogin.aspx%3fReturnUrl%3d%252fMyServer%252fLogin.aspx%253fReturnUrl%253d%25252fMyServer%25252fLogin.aspx%25253fReturnUrl%25253d%2525252fMyServer%2525252fLogin.aspx%2525253fReturnUrl%2525253d%252525252fMyServer%252525252fLogin.aspx%252525253fReturnUrl%252525253d%25252525252fMyServer%25252525252fLogin.aspx%25252525253fReturnUrl%25252525253d%2525252525252fMyServer%2525252525252fLogin.aspx%2525252525253fReturnUrl%2525252525253d%252525252525252fMyServer%252525252525252fLogin.aspx%252525252525253fReturnUrl%252525252525253d%25252525252525252fMyServer%25252525252525252fLogin.aspx%25252525252525253fReturnUrl%25252525252525253d%2525252525252525252fMyServer%2525252525252525252fLogin.aspx%2525252525252525253fReturnUrl%2525252525252525253d%252525252525252525252fMyServer%252525252525252525252fLogin.aspx%252525252525252525253fReturnUrl%252525252525252525253d%25252525252525252525252fMyServer%25252525252525252525252fLogin.aspx%25252525252525252525253fReturnUrl%25252525252525252525253d%2525252525252525252525252fMyServer%2525252525252525252525252fLogin.aspx%2525252525252525252525253fReturnUrl%2525252525252525252525253d%252525252525252525252525252fMyServer%252525252525252525252525252fLogin.aspx%252525252525252525252525253fReturnUrl%252525252525252525252525253d%25252525252525252525252525252fMyServer%25252525252525252525252525252fLogin.aspx%25252525252525252525252525253fReturnUrl%25252525252525252525252525253d%2525252525252525252525252525252fMyServer%2525252525252525252525252525252fLogin.aspx%2525252525252525252525252525253fReturnUrl%2525252525252525252525252525253d%252525252525252525252525252525252fMyServer%252525252525252525252525252525252fLogin.aspx%252525252525252525252525252525253fReturnUrl%252525252525252525252525252525253d%25252525252525252525252525252525252fMyServer%25252525252525252525252525252525252fLogin.aspx%25252525252525252525252525252525253fReturnUrl%25252525252525252525252525252525253d%2525252525252525252525252525252525252fMyServer%2525252525252525252525252525252525252f
Seems that you have circular navigation. Please give code of page load event of login.aspx and the 2nd page which you are accessing.
Just a hunch: it might be that your login page is not accessible for anonymous users. So it redirects to the login page, that in turn redirects to the login page.
Have a look at the web.config to set the proper access rights.
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
It looks like your solution in Visual Studio has been built from one of the templates that has some sort of forms - based authentication built in. I'm pretty sure that you can disable this in the web.config.
Related
I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.
I have added a web application to an existing site. The existing site uses basic authentication over https, but the new web application is running in a subfolder where I disabled basic authentication and enabled anonymous authentication (which is disabled for the rest of the site).
So a straight html page works as expected, you can access it without credentials. You can even see it yourself here: https://csssreg.fhcrc.org/physicianSurvey/faq.html
But I placed the new application's aspx page in this folder and I get the 401.2, as you can see here: https://csssreg.fhcrc.org/physicianSurvey/physicianPathologySurvey.aspx
I've been wracking my brain and straining my fingers googling this issue, but nothing solid has turned up. Does anyone have any suggestions as to how I can allow anonymous access to the aspx page? Any help would be greatly appreciated.
This:
<authorization>
<allow users="*" />
</authorization>
Grant access to any authenticated user.
To grant anonymous access you need to use
<authorization>
<allow users="?" />
</authorization>
It turns out there was an error in the global.asax that was causing the page to be redirected to a default error page, and that page was the 401 culprit. Go figure! But thanks to both commenter for at least helping me change my perspective just enough to get the thing.
I have a website that I've recently set up with asp.net forms authentication. It is authenticating through Active Directory. On the website are two folders which I've made public using location tags in the root web.config file, like this:
<location path="FolderA">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="FolderB">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
FolderA contains a PHP application that uses jQuery's ajax function to get json data from a controller which resides within FolderA.
FolderB contains a ClickOnce application (an Outlook add-in).
I am able to navigate to both of those folders in all current browsers without getting prompted to log in. If I go to other non-public areas of the site, I am prompted to log in. That's exactly the way I want it.
But I have a few users on IE9 who have experienced failure when they hit a view in FolderA that tries to get the json data. The users, of course, aren't prompted to log in, but the data never loads, and there is an error message in the dev console saying access denied. Oddly, I am not able to duplicate this behavior with IE9 on my machine.
Additionally, when I try to install the ClickOnce application, it downloads and installs successfully, but when Outlook tries to load the add-in I get a message saying that authentication with the application failed. It used to work fine; the only thing that has changed is that I added forms authentication to the site. I've tried designating the folder as an application in IIS with anonymous authentication, but no luck.
I'm running IIS7, and the site is using .Net Framework 2.0.
I'm having trouble understanding this behavior, and I was hoping someone could give me guidance on how to address it. I'm pretty much at a loss and the users are getting restless.
I have just noticed a problem accessing a CSS file using forms authentication from an ASP.NET application.
Until I have logged in, then any styles I have set in my login page are not used, as IIS seems to be preventing the login page from accessing this file.
Is there an easy solution for this?
Place the css file in a publicly accessible folder. This will require a change in your web.config that will look something like this:
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Granted, this shouldn't be how you setup the permissions in the first place. The css folder ought always to be publicly accessible.
My CSS didn't display in the login page as well.
I noticed that Anonymous Access was using the IUSR account not the IIS_IUSRS account so I just added IUSR to the website folder and everything got back to normal.
When using a gridview and not logged into a asp.net website, the java scrpit does not appear to work.
If I am logged in as a user, any pages with gridviews work fine.
The only error I'm getting when checking the javascript with Firebug is
'ReferenceError: DES_ValOnSubmit is not defined.'
This is a reference to a Peter Blum javascript function, but have no idea why it would fail for anonymous users, and it does for logged in users.
Thanks for any help.
I'm not sure what your authentication scheme might be, but if you are using the authorization tags in the web.config file, you might need to make an explicit exception for your javascript if you are denying the anonymous user to sections of your web site. Something like this:
<location path="MyScriptFolder/MyPeterBlumJS.js">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You can also just set the path to "MyScriptFolder" to allow all users access to your javascript as needed.