Anonymous Authentication in IIS over https does not fire a postback - asp.net

I recently decided to change from using Windows Authentication for my internal web applications to Forms Authentication. I've not used the latter very much and one site explained you have to enable both Forms and Anonymous for this to work. The idea is to verify user passwords against an active directory then grant them access accordingly. I had this working just fine locally and when publishing to IIS 7.5 it still worked. It was just a basic Visual Studio project that would redirect to our homepage.
The problems arose when I tried accessing this same project securely with https. I included the full domain and it would load the new login page, but when I clicked login it would do nothing. Since then I've scoured the web and found numerous mentions of this and that and tried many of them to no avail.
It was only later I created a blank project with a single button and one line of the code on the page to see if a post back had fired. After publishing I only enabled Anonymous Authentication in IIS and browsing to this basic test app using http when you clicked the button, false on the page changed to true - indicating a post back. Yet with https it just remains false. I think this may be why the active directory login wasn't working as it too had Anonymous enabled.
I'm still pretty new at the secure side of things but with the details passing over I have to use a secure connection just for the login then it can redirect to the usual applications we use internally.
I'd appreciate any thoughts you may have regarding this.
Thanks!

We use this configuration (anonymous IIS access, forms authentication, and https) successfully all of the time.
There are three things that you should do to track this issue down:
1) Verify that there are no JavaScript errors in the page that break the button (i.e. a JavaScript file not being delivered to the page).
2) Check the Windows event logs for exceptions from ASP.NET/IIS.
3) Install and run Fiddler, select Fiddler Options... from the Tools menu, click on the HTTPS tab and ensure all of the checkboxes are checked, then run your website and look at the requests and responses, particularly when you press the button.

Related

Teams: Personal Tab => successful authentication redirects back to login page (Due to cookie not being set)

So we have this web application running, but we wanted to make a Teams app (personal tab) from it. We used App Studio to create the app (manifest and all), but when running it from the sidebar we won't get past the login screen. On successful login, you get redirected back to the login page (everything happens on the same domain).
But when we tried to run the "app" as a tab within a group, this worked. So we need to find out why this doesn't work when we run it as a Teams "app".
Any ideas would be appreciated :)
The problem was that since it's running inside an iframe (in practice), the cookie set by ASP.NET State needs to state SameSite="None" and Secure="true".
Applications that use <iframe> may experience issues with sameSite=Lax or sameSite=Strict cookies because <iframe> is treated as cross-site scenarios. - https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite
So I had to upgrade the .NET Target Framework to 4.7.2, and make the changes stated in this document: https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite
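The settings this answer describes, as an added web.config sketch (not the poster's actual configuration). The `loginUrl` value is a hypothetical placeholder, and the `<forms>` element applies only if the application uses Forms Authentication.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config fragment for an app rendered inside an iframe,
     such as a Teams personal tab. Not taken from the original post. -->
<configuration>
  <system.web>
    <!-- The SameSite attributes below require targeting .NET Framework 4.7.2 or later. -->
    <compilation targetFramework="4.7.2" />
    <httpRuntime targetFramework="4.7.2" />

    <!-- Before (fails in an iframe): the session cookie is issued as SameSite=Lax,
         so the browser withholds it in the cross-site frame and every request
         looks unauthenticated, which sends the user back to the login page.
    <sessionState cookieSameSite="Lax" />
    -->

    <!-- After: the session cookie is sent in the cross-site iframe context. -->
    <sessionState cookieSameSite="None" cookieless="false" />

    <!-- Browsers reject SameSite=None cookies that lack the Secure attribute,
         so requireSSL must be true and the site must be served over https. -->
    <httpCookies sameSite="None" requireSSL="true" httpOnlyCookies="true" />

    <!-- Assumption: Forms Authentication with a hypothetical login page path. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" cookieSameSite="None" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

With SameSite=None the browser attaches these cookies to cross-site requests again, so anti-forgery tokens on state-changing POSTs remain necessary.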

Enable SSL for ASP .NET Site

I am trying to enable SSL on one of my ASP.NET web sites.
While doing so I am performing the two steps below.
After applying the above two settings, if I try to browse the site I should see the two popups below.
But I am not getting the above two popups; instead I am getting the message below in IE.
This page can’t be displayed
Make sure the web address https://localhost:2698 is correct.
Look for the page with your search engine.
Refresh the page in a few minutes.
Note: Please ignore the port number; I have taken the screenshot from another website.
If they don't appear, then you've probably clicked "Don't ask me again", and VS is doing exactly what you asked it to do - not ask you.
You can reset that by editing the registry and removing
HKCU\Software\Microsoft\VisualStudio\12.0\WebProjects\HideTrustIISCertificatePrompt
Then when you restart VS and attempt to enable SSL on your project you should be prompted again.

Asp.net IIS7 keep prompting user credentials for non admin users

I have an ASP.net website which is set to operate on Windows Authentication. It runs on IIS7 with Windows authentication on. For every user who isn't from the administrator group, Internet Explorer keeps prompting for user credentials. Though when the user clicks on cancel, the web site runs ok as long as the user does not click on any page control.
I have a master page with Telerik controls on it. This page contains AJAX Manager and ScriptManager. If a user calls an aspx page without the master page, the credential window doesn't appear.
Telerik resources are registered in web.config, and as I said the website works without problem for the admin group. Normal users are also from the same domain, but for them the login window keeps coming...
Any idea?
The website is not registered under trusted intranet sites, but this shouldn't be a problem as otherwise admin should also get an error message.
Regards
I am answering my own question as it might be helpful for others too.
I was finally able to track down the issue with the help of Process Monitor. http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
It turned out that one of the CSS files didn't have enough permissions for normal users.

Credentials prompt for an aspx page configured for anonymous authentication

From Flex we call an Upload.aspx page which is configured for anonymous authentication. Most of the time, it works like a charm, but once in a while, the browser does prompt with an enter-credentials popup...
The whole site is configured for Windows Authentication, but some pages and folders are set to use anonymous authentication. This is done using the location tag in web.config.
What could be the reason for this?
UPDATE:
Only happening in Internet Explorer... they should deport it.
If you use Firefox with Firebug, open up the Net panel, it will show you the request making the permissions request. If you cancel it, it will show an access denied in red, and that will easily help you hunt the issue down.
Maybe it's because a file (image, css, etc.) is being referenced that doesn't exist?
A couple of things I would check out:
Are there any images/other files that are added to your page using the FQDN? If so, are any of these pointing to an external site or staging site that might require credentials?
Is it possible that someone has removed permissions from the application pool credentials on the web server for some specific file or files the site is requesting?
Is the site load balanced or part of a farm? It could be that one or many servers are configured incorrectly, and the rest are ok. Then if by chance you hit the bad servers, you could get the prompt.

Authentication dialog when running with Visual Studio web server

When using Visual Studio's built in web server, every time I make a page request the standard login box pops up and asks for credentials. It doesn't work if I actually put in my credentials, so I just have to hit cancel 5 times so it will go away.
When I run the application through IIS (locally or on test server) it works just fine (no login box comes up).
Anyone know how to fix this or have any idea what might be causing it?
I assume you mean JavaScript alert box-looking login dialog, right? This dialog pops up when you make a request to a portion of website where anonymous access is disabled from IIS. It is different from ASP.NET authentication.
Do you have some portion of web site protected? Or are you making any HTTP request to external sites, like images and etc?
If your page looks ok after hitting cancel multiple times, it must be one of those HTTP requests to a protected file like images, css, js or whatever.
I'd look in Fiddler or Firebug to see if any request has failed when you hit cancel in that login dialog.
I'd also try clearing cache/authenticated session on the page that runs on IIS to see if it actually shows you that login dialog.
I had this same issue. However, my solution was different and the issue seemed different as well.
I had been working on an ASP.NET 2.0 web application, using VS 2008. Everything was working fine with the built-in IIS server. I hadn't opened this project for about a week and then when I chose "View in browser" in VS, I was prompted for my Windows login creds. This project never did this before, so I was a bit baffled. I checked all the web.config settings and everything seemed fine. My project settings seemed correct as well. I decided to test the project by opening this same project in VS on a separate dev box on my network using a network path. I again chose "View in browser" and it worked fine. No logon prompt.
This told me that the issue wasn't with the actual web project itself, rather my dev environment. I checked all my browser settings as suggested above, and they were correct. I then compared my project settings while I had the same project (same physical files) opened in both dev boxes. I noticed a difference...
Under the Start Option in the Property Pages, the Web Server was set to use the Default Web server in both cases. However, on the box that was asking for my creds, the NTLM Authentication checkbox was selected. I unselected this and it resolved the issue.
I'm not sure how this was possible since I was opening the same project files, and would assume the project settings would be exactly the same. And the fact it was working fine a week ago really perplexed me. I chalked it up to an issue with VS 2008 on the box with the issue. I hope this helps anyone else that may be running into this issue.
This was because localhost was not in my trusted sites so it wouldn't do automatic NTLM authentication... I'm not sure why it was that way, but it was... adding localhost to the list fixed it.
In your project, there should be a vwd.webinfo file.
The following lines control authentication when debugging (in IISExpress). Set as follows to avoid all dialogs.
<VisualWebDeveloper>
  <iisExpressSettings anonymousAuthentication="enabled" windowsAuthentication="disabled" useClassicPipelineMode="false"/>
</VisualWebDeveloper>
If windowsAuthentication="enabled" you may still get a dialog, even if anonymousAuthentication="enabled" :-)
