ASP.NET site with Anonymous authentication - asp.net

I have am asp.net 3.5 web site with a asmx web service and a test aspx page (the page tests the web service using javascript).
I need to run this site with anonymous authentication, so I setup the site in IIS as such.
Now, if I am trying to open the test page in the browser, I get 401.3-Unauthorized error.
Any ideas what should I do to fix it? Do I have to give read access for the physical file to Anonymous Login?

Also, what version of IIS are you using? Also if you are using the IIS mgr and you check anonymous authentication, you need to give it a valid username and password, have you done this?

A 403 can mean several things. It can mean you don't have authentication correctly configured, or it can mean that the ASP.NET worker process does not have rights to access the pages (the security is set to only allow you to access them, for instance). There are other scenarios as well, but these are the two most common.

Related

ASP.Net MVC IIS6 and ACL Errors

I have an asp.net mvc 3 app installed on IIS6 and I am getting ACL errors (401.3 errors) when trying to access it. It is running as a virtual app under the default web. I have gone through what I believe are the correct security setting on the respective folders.
I have given the Network Service and in IUSER_ users access to the root folder of the default web. I have also given access to the microsoft.net, temp and system32 folders under c:\windows.
I still get the 401.3 error. When I set the app to use both anonymous and windows authentication I get prompted for credentials. Entering the credentials allows me to access the app. This means that there is some file/folder that needs permissions.
So I used FileMon to see what was going on. I hit the site and get the ACL error but I see no ACCESS DENIED errors in FileMon nor so I see any reference to the site itself. It is like I never made a request. (Yes I cleared my cache).
I am tapped out on what to do next. Any suggestions on where to look to determine what resources needs permissions?
Thanks in advance!
In order for MVC to work on IIS6, you need to do some configuration changes in IIS. Specifically, you should tell IIS to handle all request, in order to ensure that the .NET routing engine kicks in.
http://haacked.com/archive/2010/12/21/asp-net-mvc-3-extensionless-urls-on-iis-6.aspx/
This is one of the best tutorials on getting MVC to work with IIS6.

IIS 7.5 and asp.net ; How secure the login page

I would like to apply a basic 2nd level of security by adding some form of web folder password protection, so that we only allow users with the global username and password to be able to access the logon page, where we are using forms based authentication.
I am not sure whether this is done from the IIS Manager (Windows 7) or by editing a web.config file ?
If you google for "Forms Authentication IIS", first item returned is this:
http://msdn.microsoft.com/en-us/library/ff647070.aspx
This does a good cover of the issue.
If you need to apply that to a particular folder, use location and authorization in web.config as below:
http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
I have been in the same situation. Given that you can't enable forms authentication and basic/windows authentication at the same time in IIS we ended up using Helicon Ape and .htaccess files for the digest based authentication and configured the web app itself to use forms authentication. It works well so far. We needed this because of client requirements. I wouldn't really recommend this in practice. It's fairly annoying for users having to log in twice.

anonymous authentication on iis7 LOGON_USER is empty

I have a application on iis7 using anonymous authentication. I want to retrieve the LOGON_USER from the server variables. It is currently empty. Microsoft suggests how to populate the values of serer variables in this post.
But that is for iis5 & 6. How to do it in IIS7?
Actual problem I am trying to solve is: the application is for intranet and internet users and is a sitecore application running on iis7. If I use windows authentication, I get the domain and username and I can bypass login for intranet users, but for external users, i need to have anonymous authentication also. Having both together will not populate values in the server variables. Have been going through many posts. Also this which says to use Forms and windows authentication.
Not able to solve it properly.
Any help is appreciated.Thanks!!!
In order to track a user profile, the user will need an ASP.Net profile created.
There is programming involved to associate a Sitecore DMS/OMS visitor profile with an actual Asp.net profile. If you want to continue to track Sitecore user profile, you would have to use the Tracker.Visitor.ExternalUser and not iis to determine the current visitor on the internet site.

Make web site to be seen to known password

I don't have much experience with ASP.NET and IIS -
But I created some simple web site and i put it on IIS server -
I want to make the access to be only for those users, who are know the access password.
How can I do it ?
You can easily do this with Forms Authentication in asp.net. Take a look at some information on the web about this.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
http://www.codeproject.com/KB/aspnet/ASPDOTNETauthentication.aspx
http://msdn.microsoft.com/en-us/library/7t6b43z4.aspx
It is pretty easy to get this working, most of the work is in the web.config and it gives you a lot of control about what pages are secure and what pages are not.

Is it possible to have both Forms Authentication and Windows Authentication in an ASP.NET site?

I have a site where the vast majority of the content will be secured using Forms Authentication. However there is one sub folder that will be used internally by the administrative staff. I would like to secure this folder using Windows Authentication. Is that possible? Would I have to make the admin folder a virtual directory?
CLARIFICATION: There is no need for the administrative staff to access the main site. They are really two separate sites/apps. Regular users will access the main application via Forms Authentication (and never access the admin folder). And admin users will access the admin application via Windows Authentication (and never access the main site).
Thanks,
Corey
Yes, it's possible but you have to build a custom membership provider or an interface to allow for it. It is not possible to specify individual authentication methods on sub-folders unless they are in completely separate projects/application domains.
One method to accomplish this would be to use an LDAP membership provider and change the ldap connection based on the username (if there is a discernible method of doing this).
One other method would be to provide a separate website that uses the Windows authentication to perform the login and then constructs a custom cookie for the user and transfers them back to the original website identifying the individual as a member of the administrative staff.
Then the folder could be secured using the <location> elements in the web.config.
If I was going to build a site with Mixed authentication, I would setup the site to use webforms. I would then setup a virtual application inside of this application that consisted of the same forms auth web.config information but set to use Windows Auth.
On the login page of the windows auth site after you validate their credentials I would then manually call FormsAuthentication to create the auth token. At this point you can then redirect the user to the Forms Auth site and they should be logged in (as long as all the forms auth cookie information is the same for both sites, this might also include needing to setup the same machine keys for both applications).
I haven't done this specifically but this should definitely be a viable (and probably one of the most optimal) solutions.
It may be as simple as right-clicking on the admin folder in Windows Explorer and setting the rights in the Security tab.
Put the administration site in its own application - by right clicking on the folder in IIS manager and and choose convert to application.
Once that's done you can adjust the authentication method on the application by highlighting the application folder in IIS manager and then choosing authentication and adjusting them (or you can do it the hard way via web.config if you can't remote into the machine).

Resources