ASP.Net WindowsTokenRoleProvider not matching Domain Groups - asp.net

I am trying to use the default ASPNetWindowsToken provider to authorize users in an application where I am using Windows impersonation to log users in. If I add an IsInRole check to the code-behind of the page in the page load, I can see the user is in the proper roles, but when I add the authorization to the web.config, I am getting 401 unauthorized errors. Not sure if I am missing something or not, but any help you can give would be appreciated. Below is my web.config.
<system.web>
  <compilation debug="true" targetFramework="4.0" />
  <customErrors mode="Off" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite" />
  <profile>
    <providers>
      <clear />
      <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
    </providers>
  </profile>
  <authentication mode="Windows" />
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
  <authorization>
    <deny users="?" />
    <allow roles="DOMAIN\Group" />
  </authorization>
</system.web>

Related

IIS7 Authorization rules with custom role provider not working

Can someone please tell me why my IIS subdirectory authorization rules are not working?
I suspect it's something to do with using a custom membership and role provider.
All users, anonymous AND users who are logged in get a 401.2 Unauthorized error for all files in the /users subdirectory.
I'm trying to restrict access to static files and asp.net pages in a subdirectory. I used the Authorization Rules button in IIS7 manager.
In /users it has created a web.config file with this section:
<system.webServer>
  <security>
    <authorization>
      <remove users="*" roles="" verbs="" />
      <add accessType="Deny" users="?" />
      <add accessType="Allow" roles="auth_users" />
    </authorization>
  </security>
</system.webServer>
In the web.config of the site root are these custom role and membership settings. The membership and role providers are working fine - users are added to the role, it's just the authorization rules that aren't working.
<roleManager enabled="true" defaultProvider="MyRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider" applicationName="MyUsersApp" />
  </providers>
</roleManager>
<membership defaultProvider="MyMembershipProvider">
  <providers>
    <remove name="AspNetSqlMembershipProvider" />
    <add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider" applicationName="MyUsersApp" />
  </providers>
</membership>
Still playing with this, it looks promising.. but I'm thinking there's probably a more elegant solution out there.
<location path="users">
  <system.web>
    <authorization>
      <allow roles="auth_users" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
      <add name="JS" path="*.js" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
      <!--More static file types...-->
    </handlers>
  </system.webServer>
</location>

Configuration values for ASP.Net project

I have been assigned to a new ASP.Net MVC 4.0 project. Traditionally, we used to add configuration values when the testing team raised new issues (e.g. globalization, maxQueryStringLength, machineKey). For this project, I am planning to take a new route. I am planning to add all the frequently used configuration values upfront. I created the following config values. What are the other most frequently used / common config values that are needed in an ASP.Net project?
system.web
<system.web>
  <!--Culture-->
  <globalization culture="en-US" uiCulture="en" />
  <!--Remove Custom Errors Mode in Production-->
  <customErrors mode="Off"/>
  <!--Impersonate-->
  <identity impersonate="true"/>
  <!--Session Mode and Timeout-->
  <sessionState mode="InProc" timeout="60" />
  <!--maxQueryStringLength-->
  <httpRuntime maxQueryStringLength="6000" />
  <!--machineKey-->
  <machineKey/>
  <!--authentication-->
  <authentication mode="Windows">
  </authentication>
  <!--authorization-->
  <authorization>
    <allow users="?" />
  </authorization>
</system.web>
system.webServer
<system.webServer>
  <security>
    <requestFiltering>
      <!--maxQueryString-->
      <requestLimits maxQueryString="6000" />
    </requestFiltering>
    <!--IIS Setting for Authentication-->
    <authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication>
        <providers>
          <clear />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
It is a good practice to add connection strings to web.config as well. Not sure whether you require accessing data in this project, but if you do then you need to add the following to the web.config file as well.
<connectionStrings>
  <add name="myConnectionString" connectionString="server=localhost;Database=myDb;uid=myUser;password=myPass;" />
</connectionStrings>

pages in admin folder not redirecting to login page when user is not authenticated (windows forms authentication)

I'm new to ASP.NET, so any pointers would be great.
My main web.config, which connects to a SQL database from GoDaddy:
<configuration>
  <connectionStrings>
    <add name="XXXXXX" connectionString="Data Source=XXXXXX; Initial Catalog=AllMobileDB; User ID=XXXXXX; Password=XXXXXX#;" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <roleManager enabled="true"/>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
      </assemblies>
    </compilation>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"/>
    </authentication>
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear/>
        <add connectionStringName="XXXXXX" applicationName="/" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"/>
      </providers>
    </membership>
  </system.web>
  <system.net>
    <mailSettings>
      <smtp from="XXXXXX">
        <network enableSsl="true" host="smtp.gmail.com" userName="XXXXXX" password="XXXXXX" port="25"/>
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
I have a folder called admin and a page called adminpage. I set up the username and folder access via the Web Site Administration Tool.
The web.config in my admin folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Adminstator" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
It should let only people who are signed in view the page; however, as of right now anyone can access it. Any idea how to fix this? Thank you.
Set the location element
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Admin/login.aspx" defaultUrl="Admin/default.aspx"/>
  </authentication>
  <authorization>
    <allow users="*"/>
  </authorization>
</system.web>
<location path="Admin">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
Try changing deny element to question mark:
<authorization>
  <allow roles="Adminstator" />
  <deny users="?" />
</authorization>
Try spelling Administrator correctly:
<allow roles="Administrator" />
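
A simplified model of how ASP.NET URL authorization reads `<allow>`/`<deny>` rules (in order, first match wins, folder rules before the inherited `<allow users="*" />` default), applied to the rule sets in this thread. This is an added example in Python, not code from any poster and not ASP.NET itself; the principals `alice` and `bob`, the assumption that the stored role is spelled `Administrator`, and the `CORRECTED` rule set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Default inherited from the root configuration: everyone is allowed.
MACHINE_DEFAULT = '<authorization><allow users="*" /></authorization>'

def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    def split(value):
        return [item.strip() for item in value.split(",") if item.strip()]
    return [(el.tag, split(el.get("users", "")), split(el.get("roles", "")))
            for el in ET.fromstring(xml_text)]

def rule_matches(rule, user, user_roles):
    """user is None for an anonymous request."""
    _, users, roles = rule
    for name in users:
        if name == "*" or (name == "?" and user is None):
            return True
        if user is not None and name.lower() == user.lower():
            return True
    return user is not None and any(role in user_roles for role in roles)

def is_allowed(config_chain, user, user_roles=()):
    """config_chain: <authorization> fragments, most specific folder first."""
    for xml_text in list(config_chain) + [MACHINE_DEFAULT]:
        for rule in parse_rules(xml_text):
            if rule_matches(rule, user, user_roles):
                return rule[0] == "allow"  # first matching rule decides
    return False

# Rule sets from the admin-folder thread above.
ORIGINAL = '<authorization><allow roles="Adminstator" /><deny users="*" /></authorization>'
QUESTION_MARK = '<authorization><allow roles="Adminstator" /><deny users="?" /></authorization>'
# Constructed: corrected role name combined with the question's deny rule.
CORRECTED = '<authorization><allow roles="Administrator" /><deny users="*" /></authorization>'

# Constructed principals: (user name, roles); None is an anonymous visitor.
PRINCIPALS = {"anonymous": (None, ()), "alice": ("alice", ("Administrator",)),
              "bob": ("bob", ())}

def decisions(folder_rules):
    return {label: is_allowed([folder_rules], user, roles)
            for label, (user, roles) in PRINCIPALS.items()}

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("deny ?", QUESTION_MARK),
                        ("corrected", CORRECTED)]:
        print(name, decisions(rules))
```

With `<deny users="?" />` as the only deny rule, every authenticated user falls through to the inherited `<allow users="*" />`, so the role rule no longer restricts the folder; a trailing `<deny users="*" />` is what makes the `allow roles` line an actual restriction.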

LoginView works in Account folder, not in root folder of website

I have been searching the internet for an answer to my problem and have read through the msdn site on ASP.Net controls, security and authentication but either cannot find the answer or missed it with all the information I have read.
I am building a website in ASP.Net v2.0 to be hosted on a remote server. I am using MySQL as the back end which also contains the user tables. I have used the same user table structure as that used in the default membership table. The folders in the application all have the default role privileges assigned to them.
The following problem is occurring in my testing on my local computer.
When I login a user using the ~/Account/Login.aspx page I redirect the user to ~/Account/AccountDetails.aspx, which contains a LoginView. After logging in, the user name is visible on this page inside the LoginView and they are Authenticated.
When I then go to ~/Default.aspx, and using the same code for the LoginView, the username is not displaying and they are no longer Authenticated.
I do not want to create multiple pages to show the same data, as both logged in and anonymous users need to see the same information in the ~/Default.aspx page. I was just hoping to show that the user is logged in on the Default.aspx page or any page in the ~/ folder.
I know it is going to be a simple setting or change that is required, like a role or membership or something, but I cannot figure it out.
I have looked through stackoverflow and found a lot of LoginView questions, but cannot seem to find one that answers my question.
I was hoping someone might be able to point me in the right direction.
Here is the code used on both the Default.aspx and AccountDetails.aspx pages. It is the default LoginView code from the template ASP.Net website application.
<div class="loginDisplay">
  User Authenticated? <%= Page.User.Identity.IsAuthenticated %>
  <asp:LoginView ID="HeadLoginView" runat="server">
    <AnonymousTemplate>
      [ Log In ]
    </AnonymousTemplate>
    <LoggedInTemplate>
      Welcome <span class="bold"><asp:LoginName ID="HeadLoginName" runat="server" /></span>!
      [ <asp:LoginStatus ID="HeadLoginStatus" runat="server" LogoutAction="Redirect" LogoutText="Log Out" LogoutPageUrl="~/"/> ]
    </LoggedInTemplate>
  </asp:LoginView>
</div>
The ~/Account/web.config file contains the following:
<?xml version="1.0"?>
<configuration>
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
The ~/web.config file contains the following information. I have edited some of the values for username and passwords. I have also removed the commented lines.
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MySqlMembershipConnection" connectionString="Data Source=mydatasource;user id=dotnet;password=dotnet;" providerName="MySql.Data.MySqlClient" />
    <add name="mycs" connectionString="Dsn=mydsn" providerName="System.Data.Odbc" />
    <remove name="LocalMySqlServer" />
    <add name="LocalMySqlServer" connectionString="database=mydsn;server=localhost;User Id=dotnet;password=dotnet" providerName="MySql.Data.MySqlClient" />
  </connectionStrings>
  <system.web>
    <sessionState mode="Custom" cookieless="false" regenerateExpiredSessionId="true" customProvider="MySqlSessionStateProvider">
      <providers>
        <add name="MySqlSessionStateProvider" type="MySql.Web.SessionState.MySqlSessionStateStore, MySql.Web, Version=6.4.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" applicationName="/" description="" connectionStringName="LocalMySqlServer" writeExceptionsToEventLog="False" autogenerateschema="True" />
      </providers>
    </sessionState>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="30" name=".ASPXFORM$" path="~/" requireSSL="false" slidingExpiration="true" defaultUrl="~/Default.aspx" enableCrossAppRedirects="false" />
    </authentication>
    <membership defaultProvider="MySQLMembershipProvider">
      <providers>
        <clear />
        <remove name="MySQLMembershipProvider" />
        <add name="MySQLMembershipProvider" type="MySql.Web.Security.MySQLMembershipProvider, MySql.Web, Version=6.4.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" applicationName="/" description="mydescription" connectionStringName="LocalMySqlServer" writeExceptionsToEventLog="False" autogenerateschema="True" enablePasswordRetrieval="False" enablePasswordReset="True" requiresQuestionAndAnswer="True" requiresUniqueEmail="False" passwordFormat="Clear" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
      </providers>
    </membership>
    <profile defaultProvider="MySQLProfileProvider">
      <providers>
        <clear />
        <remove name="MySQLProfileProvider" />
        <add name="MySQLProfileProvider" type="MySql.Web.Profile.MySQLProfileProvider, MySql.Web, Version=6.4.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" applicationName="/" description="" connectionStringName="LocalMySqlServer" writeExceptionsToEventLog="False" autogenerateschema="True" />
      </providers>
    </profile>
    <roleManager enabled="true" defaultProvider="MySQLRoleProvider">
      <providers>
        <clear />
        <add applicationName="/" name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider" />
        <add applicationName="/" description="" connectionStringName="LocalMySqlServer"
             writeExceptionsToEventLog="False" autogenerateschema="True"
             name="MySQLRoleProvider" type="MySql.Web.Security.MySQLRoleProvider, MySql.Web, Version=6.4.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" />
      </providers>
    </roleManager>
    <customErrors mode="Off" />
    <compilation debug="true" />
  </system.web>
  <system.net>
    <mailSettings>
      <smtp from="user#domain.com">
        <network host="mail.domain.com" password="mypassword" userName="myusername" />
      </smtp>
    </mailSettings>
  </system.net>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
So after much testing I figured out where the problem was. Firstly, I had three connection strings, one for the data and two for the forms authentication. I combined the two forms authentication connection strings into a single connection string. This allows me to have one connection string for data and one for authentication.
Next, I wanted to find out where my problem was occurring, so I created a new blank ASP.NET website in VS 2010 and then step by step, added in support for MySQL. This was done by adding in the MySQL Data and Web references first, then the connection strings and then finally the forms authentication.
I noticed in the forms element in the system.web authentication element, that it only included the loginURL and timeout attributes, so I tested the application by adding in additional attributes for the forms element until I found the attribute causing the problem.
In my forms element the path attribute was set to '~/'. When I changed this to '/' the application started to work correctly.
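
The symptom in this post is consistent with the cookie Path rules in RFC 6265: a Path value that does not start with `/` is ignored, and the cookie is scoped to the directory of the response that set it. The sketch below is an added example in Python, not code from the post; it assumes the configured value `~/` reaches the browser unchanged and that the site is hosted at the server root, so `~/Account/Login.aspx` is served as `/Account/Login.aspx`.

```python
def default_path(request_path):
    """RFC 6265 section 5.1.4: the directory part of the request path."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def effective_cookie_path(path_attribute, set_on):
    """RFC 6265 section 5.2.4: a Path not starting with "/" is ignored."""
    if not path_attribute.startswith("/"):
        return default_path(set_on)
    return path_attribute

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_sent(path_attribute, set_on, request_path):
    """Would a cookie set by the response to `set_on` accompany `request_path`?"""
    return path_matches(effective_cookie_path(path_attribute, set_on), request_path)

# URLs from the post, assuming the application sits at the server root.
LOGIN = "/Account/Login.aspx"
PAGES = ["/Account/AccountDetails.aspx", "/Default.aspx"]

def report(path_attribute):
    return {page: cookie_sent(path_attribute, LOGIN, page) for page in PAGES}

if __name__ == "__main__":
    for value in ("~/", "/"):
        print(repr(value), effective_cookie_path(value, LOGIN), report(value))
```

Under these assumptions the ticket set with `path="~/"` is scoped to `/Account` and never accompanies requests for `/Default.aspx`. With `path="/"` it is sent to every path on the host, which matters when several applications share one host name.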

How to create default users in Web.config for Membership

How can I add default users in my web.config to test my asp:Login control?
Thanks
I was wrong wrong wrong in my initial answer. You can set default users in Web.config if you do some simple authentication by yourself, but it doesn't seem to work when you are using the Login control.
I did some research, and it seems that, if you use the Login control, you can't set default users in Web.config and you have no option but to set up a provider (as in a database) to store users' credentials.
You can follow this tutorial from MSDN to configure what database to use:
Configuring an ASP.NET Application to Use Membership
The Web.config stuff:
<configuration>
  <connectionStrings>
    <add name="MySqlConnection" connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" >
      <forms loginUrl="login.aspx"
             name=".ASPXFORMSAUTH" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <add
          name="SqlProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="MySqlConnection"
          applicationName="MyApplication"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="true"
          requiresUniqueEmail="true"
          passwordFormat="Hashed" />
      </providers>
    </membership>
  </system.web>
</configuration>
