The following posts show how to setup the web.config for a site using Mixed Mode Authentication. IIS7 Mixed Mode Authentication and How to allow mixed-mode authentication in IIS 7.0.
I've got my site setup and working locally (on my developer machine). However, when I run it locally on the server I get 401.2 - Login failed due to server configuration error.
Anyone know how I'm supposed to configure the server, Default Web Site, and My Site?
Edit: Here are the settings in my web.config, including the loginUrl from the Forms authentication node.
<location path="~/Account/WinLogin.aspx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false"/>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
</location>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/WinLogin.aspx" timeout="60"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Let's start with server roles configuration (this is under server manager, roles, IIS)
You're gonna want to make sure that the windows auth and anonymous auth sections are enabled/installed, and also the forms auth (which presumably you already have). After those are installed/configured, you'll need to define the following stuff:
In your Web.Config you're going to want to have the following sections defined:
<configuration>
<system.web>
<authentication mode="Forms">
<forms cookieless="UseDeviceProfile" defaultUrl="~/Default.aspx" enableCrossAppRedirects="true" loginUrl="~/WindowsLogin.aspx" name=".ASPXAUTH" path="/" protection="All" requireSSL="false" slidingExpiration="true" timeout="10080"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true"/>
<windowsAuthentication enabled="false"/>
</authentication>
</security>
</system.webServer>
</location>
<location path="WindowsLogin.aspx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false"/>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
</location>
</configuration>
Then you'll need two files:
Login.aspx (this does forms auth)
WindowsLogin.aspx (this does Windows auth)
LOGIN does forms, right, so that's just bog standard ASP.NET forms auth
It's WindowsLogin that does the magic (and here's that file)
using System;
using System.Web;
using System.Web.Security;
using App_Code.Biz;
public partial class WindowsLogin : System.Web.UI.Page {
protected string UserIsInRoles = string.Empty;
private static readonly BAL _mBAL = new BAL();
protected void Page_Load(object sender, EventArgs e) {
string redirectUrl = Request["returnurl"] ?? "~/default.aspx";
string username = Request.ServerVariables["LOGON_USER"];
try {
if ( Roles.GetRolesForUser( username ).Length < 1 )
Roles.AddUserToRole( username, Global.defaultRole );
int status;
_mBAL.aspnet_Membership_CreateUser( username, out status );
} catch ( Exception ex ) {
ErrHandler.WriteXML( ex );
}
/* Test to see if the user is in any roles */
if ( Roles.GetRolesForUser( username ).Length < 1 ) {
UserIsInRoles = "<br />" + username + "You are not in any rules. This must be your first visit to our site!<br /> Adding you to the " + Global.defaultRole + " role now!";
} else {
UserIsInRoles = "You are in the following roles: ";
string[] roles = Roles.GetRolesForUser( username );
foreach ( string role in roles )
UserIsInRoles += role + ", ";
UserIsInRoles = UserIsInRoles.Remove( UserIsInRoles.Length - 2 ) + "!";
if ( Login( username, String.Join( ",", roles ) ) )
Response.Redirect( redirectUrl );
}
//we shouldn't get here, so if we do, redirect back to a page they can use.
if ( Page.IsPostBack ) {
if ( Response.StatusCode == 401 )
Response.Redirect( "~/Login.aspx" );
}
}
private bool Login(string strUser, string strRole) {
if ( strRole != null ) {
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // version
strUser, // user name
DateTime.Now, // create time
DateTime.Now.AddYears(1), // expire time
false, // persistent
strRole ); // user data
string strEncryptedTicket = FormsAuthentication.Encrypt( ticket );
HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, strEncryptedTicket );
Context.Response.Cookies.Add( cookie );
return true;
}
return false;
}
}
After all this, you might get a config error for section locked at a parent level. Lock is either by default (overrideModeDefault="Deny") or set explicitly by a location tag ... and if so, then the fastest way to fix that is to open C:\Windows\System32\inetsrv\config\applicationHost.config and edit the following block:
<configSections>
<sectionGroup name="system.webServer">
<sectionGroup name="security">
<sectionGroup name="authentication">
<section name="anonymousAuthentication" overrideModeDefault="Allow">
<section name="windowsAuthentication" overrideModeDefault="Allow">
</sectionGroup>
</sectionGroup>
</sectionGroup>
</configSections>
Also see the chat log: https://chat.stackoverflow.com/rooms/5/conversation/configuring-iis7-and-mixed-mode-authentication-in-asp-net
Related
In my asp.net web application, I'm using asp.net forms authentication with following configuration.
<authentication mode="Forms">
<forms defaultUrl="~/ManagePage/Default.aspx" loginUrl="~/Account/Login.aspx" slidingExpiration="true" timeout="2880"></forms>
</authentication>
<roleManager enabled ="true" defaultProvider ="MyRoleProvider">
<providers>
<clear />
<add name="MyRoleProvider" type="MyRoleProvider" connectionStringName="dbTaxiRaniConnectionString" applicationName="/" />
</providers>
</roleManager>
And this is login button code :
if (Page.IsValid)
{
if (Page.User.Identity.IsAuthenticated)
{
Alert.Show("Your Loged in ");
}
else
{
if (CheckLogin(UserName.Text.Trim(), Password.Text.Trim()) == true)
{
FormsAuthentication.SetAuthCookie(UserName.Text.Trim(), RememberMe.Checked);
if (Roles.GetRolesForUser(UserName.Text.Trim())[0] == "Admin")
{
Session["CounterLogin"] = 0;
Response.Redirect("../ManagePage/Default.aspx");
}
else if (Roles.GetRolesForUser(UserName.Text)[0] == "Suport")
{
Session["CounterLogin"] = 0;
Response.Redirect("../ManagePage/Default.aspx");
}
}
else
{
int i = (int)Session["CounterLogin"];
Session["CounterLogin"] = i + 1;
i = (int)Session["CounterLogin"];
if (i > 3)
{
Response.Redirect("~/Default.aspx");
}
}
}
}
And this is web.config code include in admin folder :
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny roles="member"/>
<allow roles="Admin,Suport" />
<deny users="*"/>
</authorization>
</system.web>
</configuration>
after click on login button user login work true but don't redirect to ~/ManagePage/Default.aspx and show again login page.how can solve this problem ?
I'm building an ASP.NET MVC web application and I'm trying to restrict access to pages.
I've specified that I want to use forms authentication in my Web.config:
<system.web>
...
<authentication mode="Forms">
<forms loginUrl="~/login" timeout="20" protection="All" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
...
</system.web>
This will deny access to all pages, but I want to make some pages public. I can do this in Web.config as well:
<location path="about-us">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="contact-us">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
…
This works all fine. The problem is the start page, more precisely when the user goes to "http://www.mydomain.com/", with no further path specified. How can I specify that this page should be public?
I've tried some variations, but nothings seems to work. I always get an error:
No path
<location>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Empty path
<location path="">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Dot
<location path=".">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Slash
<location path="/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Any suggestions?
You don't need to manage authentication in your web.config for MVC. Trying using the [Authorize] attribute on your Controller classes and methods:
[Authorize] // everything here requires auth
public class AdminController()
{
public ActionResult Dashboard() { ... }
}
public class ReportController()
{
[Authorize] // only this method requires auth
public ActionResult SecretReport() { ... }
public View PublicReport() { ... }
}
// everything here is accessible
public class HomeController()
{
public ActionResult Index() { ... }
public ActionResult AboutUs() { ... }
public ActionResult ContactUs() { ... }
}
In ASP.NET MVC you can use [AllowAnonymous] which allows you to do exactly that on a specific method
The start page just your default Controller that you provide in RouteConfig. So if you are using the default values you need to allow acces to HomeController and the Index() method. When working with MVC and authorization I find this very valuable.
i wrote a login menu and control panel for users,
but during short time it takes me out, see the codes
you know in the config file i wrote that "Admin" folder is secure and it's timeout is 30 minutes but when i'm logging maybe in 40-50 sec it take me out, where am i wrong ?
please help me
Web.config codes :
<authentication mode="Forms">
<forms name="MyAppCookie" path="/" loginUrl="Login.aspx" protection="All" timeout="60" defaultUrl="Admin" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
<customErrors mode="Off" />
<pages validateRequest="false" enableEventValidation="false" viewStateEncryptionMode="Never" enableViewStateMac="false" />
<!--<sessionState timeout="1440"></sessionState>-->
</system.web>
<location path="Admin">
<system.web>
<authorization>
<deny users="?" />
<deny users="Users" />
</authorization>
</system.web>
</location>
Login Menu :
var login = (from u in DataContext.Context.Core_Users
where u.UserName == txtuid.Text && u.Password == txtPwd.Text
select u).FirstOrDefault();
if(login != null)
{
var role = (from r in DataContext.Context.Core_Roles
where r.RoleID == login.RoleID
select r).FirstOrDefault();
if(role != null)
{
string RoleName = role.RoleName;
FormsAuthenticationTicket AuthTicket = new FormsAuthenticationTicket(1, txtuid.Text, DateTime.Now, DateTime.Now.AddDays(1),false,RoleName,FormsAuthentication.FormsCookiePath);
string encryptedTocket = FormsAuthentication.Encrypt(AuthTicket);
HttpCookie AuthCookie = new HttpCookie(FormsAuthentication.FormsCookieName,encryptedTocket);
Response.Cookies.Add(AuthCookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(txtuid.Text, chkRemember.Checked));
}
else
{
lblMessage.Text = "Role Deleted";
}
}
else
{
lblMessage.Text = "Wrong username or password";
}
And secure pages :
if (!IsPostBack)
{
//Start Authorization Section
if (!Page.User.Identity.IsAuthenticated)
{
FormsAuthentication.RedirectToLoginPage();
}
// End of Authorization Section
}
Sessionstate timeout property is mentioned in minutes
In webconfig file...
<system.web>
.......
<sessionState timeout="1440"></sessionState>
</system.web>
The session will get expired if the webform is idle for 24 hrs continuously.
You can have this sessionstate block only within .
So I'm making a login system for my asp.net site. There are 3 different types of users. I've discovered that FORMS can manage roles so I decided to try this.
I have everything working with authentication in FORMS currently - but without roles. I found this piece of code that should limit access to a specific page. But everyone can still access that page. which is odd because I haven't added anyone to the role "member". to start off with I only added 1 role to see if people were blocked from the page.
<configuration>
<connectionStrings>
//EDITED
</connectionStrings>
<system.web>
<roleManager enabled="true" />
<customErrors mode ="Off">
</customErrors>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
<location path="RandomPage.aspx">
<system.web>
<authorization>
<allow roles="Member" />
<deny users="*" />
</authorization>
</system.web>
</location>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Code for adding the roles to FormsAuthenticationTicket. P.Userole contains the string"Member"
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, //Ticket version
p.firstName, //username
DateTime.Now,
DateTime.Now.AddMinutes(30),
false, //true for persistant user cookie
p.userRole+"",
FormsAuthentication.FormsCookiePath);
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);
Response.Cookies.Add(cookie);
Response.Redirect("Default.aspx");
I am sure, you did not add roles to the FormsAuthenticationTicket after successfull login. It should be like...
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "UserId",
DateTime.Now, DateTime.Now.AddMinutes(30), false, "ListOfRolesCommandSeperate", FormsAuthentication.FormsCookiePath);
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);
Response.Cookies.Add(cookie);
You need to pass the roles of the logged in user to the FormsAuthenticationTicket to get it work. As you just added permission rights only in the web.config file.
I am using forms authentication on ASP.NET. If I try to access a page by copying the query string and pasting it into the browser, it allows me access to the page.
How can this be prevented? I want the user to always have to login.
You have to set the authentication mode in your web.config
<authentication mode="Forms">
<forms name="Authen" protection="All" timeout="60" loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
You could restrict access to certain pages by using the <location> element. So for example to restrict access to the sub-folder admin:
<system.web>
<!-- enable Forms authentication -->
<authentication mode="Forms">
<forms
name="MyAuth"
loginUrl="login.aspx"
protection="All"
path="/"
/>
</authentication>
</system.web>
<!-- restrict access to the admin subfolder
and allow only authenticated users -->
<location path="admin">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
You should add something similar in the web.config file:
<authorization>
<allow users="user1, user2"/>
<deny users=”?”/>
</authorization>
That should fix the problem. See: http://support.microsoft.com/kb/815151
Apart from configuring authentication in the web.config file, you can also use the Global.asax Session_Start(...) method to check for users new session, also be sure you revise the session cookie, if it is null you should redirect the user to the login page:
public class Global:System.Web.HttpApplication
{
protected void Session_Start(object sender, EventArgs e)
{
if(Session.IsNewSession)
{
if (Request.Headers["Cookie"] != null)
{
if (Request.Headers["Cookie"].IndexOf("Web_App_Login_Cookie", StringComparison.OrdinalIgnoreCase) >= 0)
{
FormsAuthentication.SignOut();
Context.User = null;
Response.Redirect("~/logOn.aspx");
}
}
}
}
}
Also, if you store user session information in some class you can override the OnInit(...) method in some base class to ensure the user already exists in some custom session collection, if not once again you should redirect to login Page.
public class SessionBasePage : System.Web.UI.Page
{
protected override void OnInit(EventArgs e)
{
base.OnInit(e);
if (HttpContext.Current != null && HttpContext.Current.Session != null)
{
UserSession = HttpContext.Current.GetUserSession();
if (UserSession != null)
{
LoggedUserInfo = HttpContext.Current.GetLoggedUserInfo();
HttpContext.Current.UpdateLoggedUserInfo();
}
else { Response.Redirect("~/logOn.aspx", true); }
}
}
}