I am creating a new MVC 4 app for a client that I had previously created ASP.Net 3.5 (VS 2008) apps for. I created a gateway app to launch several other ASP.Net 3.5 web apps, with the gateway app handling the login and the forms authentication ticket.
As long as all of the other web apps have the same settings for the forms authentication and machine key sections all other apps were able to use the forms auth objects to see if the user was authenticated.
I am now creating a new MVC 4 app using the same forms authentication settings in VS 2010 on an XP development box using IIS 5.x. (I have to do this) The problem is that the gateway app launches the MVC app fine with no login; however, if I add the Authorize attribute to initial controller the MVC app goes to the login and then the launch page as expected, however the link to the MVC app goes right back to the gateway login page.
Here are the web config sections
<authentication mode="Forms"> <forms
slidingExpiration="true"
timeout="3"
loginUrl="http://localhost/MYGateway/Login.aspx"
path="/"
name=".PGSA"
protection="All"
defaultUrl="http://localhost/MYGateway/home.aspx"
>
</forms>
<machineKey validationKey="C5123C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D29998CFEA50DD3D3799C77AF2B72F" validation="SHA1" decryption="3DES" />
Any help would be appreciated
Thanks,
Paul
I was finally able to get this solved, thanks to this question's second answer by James H Upgrading to ASP.NET 4.5/MVC 4 forms authentication fails
The trick is this
<system.web>
<machineKey compatibilityMode="Framework20SP2" />
</system.web>
Related
In our company, we have a large base of application built with Asp.net Web Forms 4.0 that use forms authentication as a single-sign-on authentication. Configured something like this:
<machineKey decryptionKey="..." validationKey="..." />
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="/url/to/login" />
</authentication>
Last times we are working on some projects that use Owin Cookie authentication. According to the searches I did, both methods are not compatible. However I found this post OWIN Self-Host CookieAuthentication & Legacy .NET 4.0 Application / FormsAuthenticationTicket in which I could have a possibility to get both of them working together, but I can't get entire code working very well. In fact I don't know how to develop the remainder codes.
I would ask you if anybody have some solution to this issue or a more simple way to do this?
I need to tell you I have no very much knowledge about the details of Microsoft Implementation of Forms Authentication.
I have never used Windows Authentication for ASP.NET MVC web applications before, but Forms Authentication. Recently, I have had an ASP.NET MVC 4 web application that requires a Windows Authentication implementation for users who are granted to log in my company web server. So, I have some questions regarding Windows Authentication. I am using Visual Studio 2012.
How does Windows Authentication work?
How do I implement Windows Authentication correctly in the web.config file?
How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?
For IIS 8.5 and MVC 4:
How does Windows Authentication work?
In this mode, User.Identity (as in HttpContext.Current.User.Identity) is populated by the underlying web server. This might be IIS Express in the link from #R Kumar demonstrated, or full blown IIS as in the video by #Thomas Benz.
Specifically, User.Identity is a WindowsIdentity object. E.g. the following cast will work:
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
How do I implement Windows Authentication correctly in the web.config file?
<system.web>
<authentication mode="Windows" />
...
How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?
First, change the ASP.NET authorization to exclude the current user. E.g.
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="yourdomain\someotheruser" />
<deny users="*" />
</authorization>
Second, enable Windows Authentication for your site using IIS Manager. It's under the 'Authentication' feature. And disable anonymous authentication.
Note that older explanation will suggest you make changes under element of your site's web.config. However, recent IIS implementations prevent this for security reasons.
Three, point your browser at the webpage. The browser should ask you to provide credentials, because the current user is not allowed access to the website. Provide the ones that are authorized for the site, and your MVC code should run.
Four, check the user identity. E.g.
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
I have done this with ASP.NET MVC 1.0. That was a relatively long time ago. I remember the IIS settings being confusing. I just did some checking, and it does not look like things have changed much to ASP.NET MVC 4.0 as far as attributes on the controllers.
For your questions:
How does it work? The following references pretty much sum things up pretty well. Authenticating Users with Windows Authentication (C#)
is NOT exactly right for ASP.NET MVC 4.0, but it has some background.
How to Create an Intranet Site Using ASP.NET MVC is for ASP.NET MVC 3.0.
I am too new to post more than two links, so you will have to search MSDN for "AuthorizeAttribute Class" for .NET Framework 4.
What settings for web.config? - I just remember changing one element, "authentication mode".
As far as testing, my Windows OS versions matched better, and my development machine was on the same Windows domain. But if I remember correctly, this just worked. YMMV, but one thing I do remember considering was implementing my own authorization. Maybe that is an avenue for your case, to roll your own, and then switch to Windows authentication in production. But I would suggest a couple of test iterations with a test server if you can set one up on the company domain.
I found out a helpful video that was very useful to me by showing step by step to implement and test Windows authentication for an ASP.NET MVC web site. So, I close this question.
Video from a very kind poster:
How to implement windows authentication in ASP.NET MVC 3 ( Model view controller) application?
I have several web applications running on an Windows Server 2003 with IIS 6.0.
The applications are running under Asp.net 2.0.
Recently I have installed a MVC 3 Web application which is in it's nature asp.net 4 based. The forms ticket is not recocnized in this new application.
I have the same machineKey settings in the machine.config files of the different asp.net versions that have been created using this link: http://aspnetresources.com/tools/machineKey
The configuration in the login web application is like this:
<authentication mode="Forms">
<forms name=".WEBAUTH"
loginUrl="login.aspx"
protection="None"
slidingExpiration="true"
enableCrossAppRedirects="false"
timeout="43200"
path="/" />
</authentication>
And accordingly the configuration of the mvc app is:
<authentication mode="Forms">
<forms name=".WEBAUTH"
loginUrl="http://path2theloginapp/login.aspx"
protection="None"
slidingExpiration="true"
enableCrossAppRedirects="false"
timeout="43200"
path="/" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
The login works, but the mvc application always redirects back to the login page.
Now if i change the asp.net Version of the login web application in IIS configuration to asp.net 4.0, it works. But then all the other applications running on asp.net 2 no more works.
Has anybody solved formsbased authentication in a similar situation?
I had to go the long way and opened a support case with Microsoft.
As it turned out, the relevant security updates from Microsoft Security Bulletin MS11-100 were missing:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.
Choose your operatingsystem and install the updates for .Net 2.0 and 4.0.
This updates fixed forms-based authentication without reconfiguration of the involved web applications.
It's one of the breaking changes in ASP.NET 4.0:
Default Hashing Algorithm Is Now HMACSHA256
ASP.NET uses both encryption and hashing algorithms to help secure
data such as forms authentication cookies and view state. By default,
ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on
cookies and view state. Earlier versions of ASP.NET used the older
HMACSHA1 algorithm.
Your applications might be affected if you run mixed ASP.NET
2.0/ASP.NET 4 environments where data such as forms authentication cookies must work across.NET Framework versions. To configure an
ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the
following setting in the Web.config file:
<machineKey validation="SHA1" />
I have several web applications running on an Windows Server 2003 with IIS 6.0.
The applications are running under Asp.net 2.0.
Recently I have installed a MVC 3 Web application which is in it's nature asp.net 4 based. The forms ticket is not recocnized in this new application.
I have the same machineKey settings in the machine.config files of the different asp.net versions that have been created using this link: http://aspnetresources.com/tools/machineKey
The configuration in the login web application is like this:
<authentication mode="Forms">
<forms name=".WEBAUTH"
loginUrl="login.aspx"
protection="None"
slidingExpiration="true"
enableCrossAppRedirects="false"
timeout="43200"
path="/" />
</authentication>
And accordingly the configuration of the mvc app is:
<authentication mode="Forms">
<forms name=".WEBAUTH"
loginUrl="http://path2theloginapp/login.aspx"
protection="None"
slidingExpiration="true"
enableCrossAppRedirects="false"
timeout="43200"
path="/" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
The login works, but the mvc application always redirects back to the login page.
Now if i change the asp.net Version of the login web application in IIS configuration to asp.net 4.0, it works. But then all the other applications running on asp.net 2 no more works.
Has anybody solved formsbased authentication in a similar situation?
I had to go the long way and opened a support case with Microsoft.
As it turned out, the relevant security updates from Microsoft Security Bulletin MS11-100 were missing:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.
Choose your operatingsystem and install the updates for .Net 2.0 and 4.0.
This updates fixed forms-based authentication without reconfiguration of the involved web applications.
It's one of the breaking changes in ASP.NET 4.0:
Default Hashing Algorithm Is Now HMACSHA256
ASP.NET uses both encryption and hashing algorithms to help secure
data such as forms authentication cookies and view state. By default,
ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on
cookies and view state. Earlier versions of ASP.NET used the older
HMACSHA1 algorithm.
Your applications might be affected if you run mixed ASP.NET
2.0/ASP.NET 4 environments where data such as forms authentication cookies must work across.NET Framework versions. To configure an
ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the
following setting in the Web.config file:
<machineKey validation="SHA1" />
I setup a test website on my IIS 7.5, I created a Web Application project in VisualStudio and set up a web site in a new application pool in Classic Pipeline Mode.
I have this line in C:\Windows\System32\drivers\etc\hosts:
192.168.50.142 dev.mybigdomain.org.uk
Now if I access my website with http://localhost/testHello/Default.aspx it works fine,
but when I try http://dev.mybigdomain.org.uk/testHello/Default.aspx I get a "Windows security" window asking for authentication, but if enter "administrator" and password it does not recognise them and just asks again.
How can I disable the authentication?
Have you try to change the web.config authentication mode to Forms or None?
<system.web>
...
<authentication mode="Forms">
instead of
<system.web>
...
<authentication mode="Windows">