Authentication Ignoring Default Document - asp.net

Today I moved my application from a server with IIS6 to a new one with IIS7.5 (windows server 2008 R2).
The odd thing is that I cannot access the default document although it has been set in the default documents section. The file is "default.aspx" and when I try to access the page by IP I get http://[IP]/login.aspx?ReturnUrl=%2f, but it works fine if I access it directly.
These are the settings from web.config:
<authentication mode="Forms">
  <forms protection="All" loginUrl="login.aspx" name="CookieName" timeout="49200" requireSSL="false"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
I've already tried to solve this with some of the suggestions written here [ Forms Authentication Ignoring Default Document ], but with no luck.
I want to solve it by configuring the server somehow, not the application.
Thanks
SOLUTION
I don't know if it is the correct one, but I changed the mode of the application pool to classic instead of integrated.

Add the following to the web.config and it will allow you to access Default.aspx without requiring prior authentication. All other pages will require authentication.
<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Just because a document is added as the default within the IIS configuration does not mean it bypasses the FormsAuthentication.

For me, removing the ExtensionlessUrl-* handler mappings in IIS Manager for the site in question did the trick. Even though all this does is add the relevant entries to web.config, which I had already tried with no luck.

Related

asp.net (IIS 7.5) images/css give 500 error but work fine after login

I have a smart-card enabled website where in IIS, Anonymous Authentication is disabled, SSL is enabled.
The IIS root also has Anonymous Authentication disabled, but Active Directory Client Certificate Authentication enabled.
Static Content role service is also installed.
In the web.config, I have:
<authorization>
  <deny users="?"/>
</authorization>
Following that, I have:
<location path="/css/main.css">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="images">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
In both the css and images folders, I also have web.configs consisting of:
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
I use an AppPool running with a custom identity, let's say APUser.
On the web server for those folders, I have permissions set to read for APUser, IUSR, Anonymous Logon, Users, IIS_IUSRS, and Everyone.
The url is in trusted sites on the browser.
Initially, the images and css return error 500 (using network capture with dev tools). After logging in, they show fine.
Same issue running on the server itself.
If I enable Anonymous Authentication in IIS, disable Active Directory Client Certificate, and change deny users="?" to allow users="*", everything works fine.
What am I missing to disable Anonymous Authentication, but still show images/css?
web.config authorization settings work sequentially. That is, since you are denying unauthenticated users with the following, it does not read any more of your config.
<authorization>
  <deny users="?"/>
</authorization>
Read here.
Remarks: At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first access rule that fits a particular user. It then grants or denies access to a URL resource depending on whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the Machine.config file is <allow users="*"/> so, by default, access is allowed unless configured otherwise.
Change it so that they come before your deny-unauthenticated-users part.
<location path="/css/main.css">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="images">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<authorization>
  <deny users="?"/>
</authorization>
From "Allow" on MSDN here
"users
Required String attribute.
A comma-separated list of user names that are denied access to the resource. A question mark (?) denies anonymous users and an asterisk (*) indicates that all users are denied access."
Now, I take it that there's an error in there and they want to say "allow".
So you want <allow users="?,*" />
Under Group Policy for "Impersonate a client after authentication", add IIS_IUSRS

How to allow anonymous user to browse the Style folder

In my web application I want the anonymous user to browse only the login page, and it's OK now but it appears without style!
<system.web>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
</system.web>
<location path="Style">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
Any help!
From this article:
Images and CSS files
Say you have all your images and CSS in a separate folder called images and you are denying anonymous access to your website. In that case you might see that on your login page you cannot see images (if any) and CSS (if any) applied to your login page controls.
In that case you can add a web.config to the images and css folder and allow access to everyone to that folder. So your web.config in the images folder should look as below:
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/> <!-- Allow everyone -->
    </authorization>
  </system.web>
</configuration>
The most popular answer of:
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/> <!-- Allow everyone -->
    </authorization>
  </system.web>
</configuration>
...is correct, but if this fails to work then you need to verify that the Authentication is set up as you expect and that the user under which Anonymous is configured to run has read access to all of the folders you need.
NOTE: If you have multiple web.configs you may need to check each folder with its own web.config.
Check the Web Application
Open the "IIS/Authentication" for your web application and click "edit" on the entry marked "Anonymous Authentication".
If a specific user is specified then ensure that the specified user has access to your folders.
If "Application pool identity" is set then you will need to check the application pool configuration.
Check the Application Pool
Find the Application Pool for your app and click on "Advanced Settings" and search for the item named "Identity".
If the identity is "ApplicationPoolIdentity" then the group you will need to give access to your files is "IIS_IUSRS".
For more information on "IIS_IUSRS" please see: http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/
use
<allow users="*" />
for the styles folder, so every user can use the style.
using
<location path="admin">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
you can allow access to the Admin folder for only authenticated users.
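The rule-evaluation behaviour the answers above rely on (the first matching <allow>/<deny> rule wins; rules from <location> elements and from web.config files deeper in the tree are consulted before the site root's own rules; Machine.config's default <allow users="*"/> applies when nothing matches) can be modelled in a short script. The following Python is an added example, not ASP.NET's implementation and not code from any of the posters: it parses constructed web.config fragments that mirror the root config of the first question (deny ? plus a Default.aspx <location>) and the css/web.config and images <location> of the second, then reports who can reach which URL. The site layout, the user name alice and the URL secret.aspx are assumptions made for the demonstration.

```python
"""Model of ASP.NET URL authorization: first matching <allow>/<deny> wins,
more specific config (location elements, deeper web.config files) is read
before the root's own rules, unmatched requests fall back to the default
allow. Added example with constructed configs; not ASP.NET's own code."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, List[str]]  # ("allow" | "deny", [user specs])

# Constructed site: root web.config as in the first question, plus the
# images <location> and the folder-level css/web.config from the second.
SITE: Dict[str, str] = {
    "": """
<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="Default.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="images">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>""",
    "css": """
<configuration>
  <system.web>
    <authorization><allow users="*"/></authorization>
  </system.web>
</configuration>""",
}

def rules_from(auth_el: ET.Element) -> List[Rule]:
    """Read <allow>/<deny> children in document order; that order decides."""
    rules: List[Rule] = []
    for el in auth_el:
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
            rules.append((el.tag, users))
    return rules

def parse_config(xml_text: str) -> Tuple[List[Rule], Dict[str, List[Rule]]]:
    """Return (rules in the file's own <system.web>, {location path: rules})."""
    root = ET.fromstring(xml_text.strip())
    own: List[Rule] = []
    auth = root.find("./system.web/authorization")
    if auth is not None:
        own = rules_from(auth)
    locations: Dict[str, List[Rule]] = {}
    for loc in root.findall("location"):
        auth = loc.find("./system.web/authorization")
        if auth is not None:
            locations[loc.get("path", "").strip("/").lower()] = rules_from(auth)
    return own, locations

def effective_rules(site: Dict[str, str], url: str) -> List[Rule]:
    """Collect rules most-specific first, walking from the request's folder
    up to the site root. The URL is taken exactly as requested: "/" is not
    rewritten to the default document in this model."""
    parts = url.strip("/").lower().split("/")
    ordered: List[Rule] = []
    for depth in range(len(parts) - 1, -1, -1):
        folder = "/".join(parts[:depth])
        if folder not in site:
            continue
        own, locations = parse_config(site[folder])
        rel = "/".join(parts[depth:])  # path relative to this web.config
        for path, rules in locations.items():
            if rel == path or rel.startswith(path + "/"):
                ordered.extend(rules)
        ordered.extend(own)
    return ordered

def spec_matches(spec: str, user: Optional[str]) -> bool:
    """'?' is anonymous only, '*' is everyone, anything else an exact name."""
    if spec == "*":
        return True
    if spec == "?":
        return user is None
    return user is not None and spec.lower() == user.lower()

def evaluate(rules: List[Rule], user: Optional[str]) -> bool:
    """First matching rule wins; no match falls back to the default allow."""
    for verb, users in rules:
        if any(spec_matches(s, user) for s in users):
            return verb == "allow"
    return True

def is_authorized(site: Dict[str, str], url: str, user: Optional[str]) -> bool:
    """user=None is an anonymous request; a string is an authenticated name."""
    return evaluate(effective_rules(site, url), user)

if __name__ == "__main__":
    for url in ("/", "Default.aspx", "secret.aspx", "css/main.css", "images/logo.png"):
        print(f"{url:16} anonymous={is_authorized(SITE, url, None)}"
              f"  alice={is_authorized(SITE, url, 'alice')}")
    # The same two rules in the opposite order: anonymous users get in.
    print(evaluate([("deny", ["?"]), ("allow", ["*"])], None))  # False
    print(evaluate([("allow", ["*"]), ("deny", ["?"])], None))  # True
```

Two things the output makes concrete. First, the model evaluates the URL exactly as requested, so a request for "/" gets no benefit from the Default.aspx <location> and the anonymous user is denied, which is the login.aspx?ReturnUrl=%2f symptom of the first question; whether IIS maps "/" to the default document before or after URL authorization runs depends on the pipeline, which is consistent with the classic-mode workaround reported there. Second, an <allow> rule that names ? opens the resource to anonymous users (evaluate([("allow", ["?", "*"])], None) returns True), so writing <allow users="?,*" /> as one answer suggests grants anonymous access rather than restricting it; only a <deny users="?" /> that is reached first keeps anonymous users out.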

ASP.NET Forms Authentication

I have the following ASP.NET Forms Authentication configuration:
<system.web>
  <authentication mode="Forms">
    <forms name="MembershipCookie"
           loginUrl="Login.aspx"
           protection="All"
           timeout="525600"
           slidingExpiration="true"
           enableCrossAppRedirects="true"
           path="/">
    </forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If a user is accessing Home.aspx, it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx.
If a user accesses Home.aspx then the second rule will be applied, i.e.
<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
The point to note here is: * means that any authorized user (having any or no role assigned) can access the page, but ? means that an unauthorized user cannot access the page.

Authentication settings in IIS 7.5 and ASP.Net, what is difference?

I just started to learn web programming using IIS 7.5 in Windows 2008 R2, and ASP.NET 4.
I notice that both IIS and ASP.NET can define authentication rules. In IIS, there is a forms authentication setting where I can redirect the user to a specified page for authentication, like below:
And then, in the ASP.NET web.config file, I find similar settings:
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirected to the login.aspx page. But it isn't. So I am confused. How do the two sets of configs work together? And why is the page request not redirected?
Thanks
Update
Finally I got it working and I think I understand it now. My website structure is like below:
It is about modifying authorization rules. Deny all unauthorized users for the root:
<authorization>
  <deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
  <allow users="*" />
</authorization>
and only allow unauthorized users to access Register.aspx, so I have Account\web.config:
<location path="Register.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<system.web>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
<authorization>
  <deny users="?" />
</authorization>
This specifies that all unauthenticated users are denied access to pages in your application. The authorization element is part of the system.web configuration section.
When you set something in IIS for authentication (in your case forms authentication), it also changes your mapped project's web.config file with the same settings. That's why you see the same information in both modules.

ASP.NET Authentication doesn't work

I'm learning how to use ASP.NET authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want the Default page accessible to everyone (so, without authentication) and "Test/Default.aspx" private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="Empresas">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
This way, when I access the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" to "deny users=*", then I can't access it even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to make some pages private?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users
