Firstly I just want to say I'm not an ASP developer, I'm PHP through n through...
So my problem is this, all of a sudden a client site has started prompting for users to be logged in when viewing pages in a sub directory, when I download the web.config file I can see the authentication mode set to "Windows" this would appear to be an issue but it was working up until now, so I set it to None and uploaded the file (there isn't a web.config in the sub directory, just the site root) and it continues to prompt me for the login.
Is there something I need to do to "refresh" the server or something? I've looked through the hosting control panel and can't find anything about anonymous access or restarting the server, its on a shared hosting account and the control panel is pretty below average
Any help is greatly appreciated!! I'm in a panic and the hosting company don't have ASP support on hand
Thanks,
Mark
In the folder that you want anonymous access, just use the web.config authorization section to allow anonymous users:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
The * essentially means Everyone so it just saying that for the current directory, everyone is allowed access- you only need this in the web.config...nothing more.
If you are still receiving prompts after this, then the folder itself must have permissions at the operating centre level (NTFS permissions) which do not allow Anonymous access...Although you say the ASP support isn't at hand, I presume you can raise help tickets with them to enable this access?
Edit
I should add that this setting of authorization is different to setting an Authentication scheme (Windows Authentication, Forms Authentication etc). For example, you might have Forms Authentication for your website but specifically want anonymous access to a folder (like this case) so setting your authentication option isn't actually relevant.
Related
I'm working on a ASP.NET MVC intranet site that uses windows authentication. My web.config is set up with:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
Access to some parts of the site is also restricted using roles.
My main account is given the site administrator role, meaning that I have access to everything. This is fine for normal testing, but there are certain parts of the site that have more complex restrictions (e.g. user has role administrator or (user has role X and user is assigned to a group Y in the database)).
I've tried running site through Visual Studio, then opening another web browser as a different user, and when I access the site it pops up a windows authentication box but it won't accept any other logins - only when I enter my main account will it allow access. Roles don't have any affect on this, even when I add my second account as a site administrator it's denied access using this method.
^^If you think this is a duplicate of Testing intranet site that uses Windows authentication you didn't read the previous paragraph.^^
What am I doing wrong here? Is there some other method to test using multiple users?
Create a Virtual PC and attach it to your network, then log in as various users and test your site on there. I had the same issue and this did the trick.
Virtual PC download here - https://www.microsoft.com/en-us/download/details.aspx?id=3702
I eventually stumbled on the answer to this. The second user account that you want to test with needs to be given permissions to read the directories where the Visual Studio project is stored. Once that's done, running another browser instance with a different account works fine.
The issue is I can't view the page using Window Authentication.
This is my steps.
I created a website in my server Windows Server 2003 IIS 6 with .Net Framework 2.
Then Inside the root folder, I created a folder. Let's call it "FolderA".
In "FolderA", I created a page. Let's call it "fileA.aspx".
The website is running fine. As I turn on the Anonymous Access.
But for "fileA.aspx", I need to turn on the Window Authentication coz I don't want everyone to go in and view that page.
So, I select "FolderA", go to Properties,
So, I turn off the Anonymous Access and make sure Window Authentication is turned on.
Then I browse from my PC. It prompted me the Login Diaglog Box.
I key in my credentials I used to log in for the server and I can access the page.
That is working fine.
However, when I view it from the server itself, it prompted me the Login Diaglog Box.
But when I key in my credentials, it is saying "Access Denied".
I even tried using Administrator credentials.
It is still access denied.
Is there any setting to set or anything to change in web.config?
http://support.microsoft.com/kb/896861
Review event logs on the server to see if you happen to hit this.
Did you allow authenticated users and deny not authenticated users?
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
I have a webpage that emits files (images) (through Response.TransmitFile) that is working ok.
However, when I publish the site to IIS (5.1), it starts randomly to emit 401 and 403 status codes instead of the expected files(images)
The IIS site is supposed to have Windows Integrated Authentication without allowing anonymous users, however, I configured the locations on my web.config to allow users to get the files
<location path="ViewFile.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I have set permissions for The users \IUSR_, \ASPNET, My own domain user, and even for everyone, but i don't get to solve the problem.
Any suggestions at how can I handle the problem?
Edit 1:
When I activate anonymous authentication in IIS, the site works fine, but then the domain authentication doesn't appear. I understand that the anonymous authentication prevails over anyother authentication
Some points to get you started:
What do you see in the Windows Event
log?
If you take out the authorization
configuration, does it work OK -- or
do you still get 401 and 403 codes?
You mentioned that it happens
'randomly' -- is it connected with
certain users? Or times of heavier
load? Or certain files?
TransmitFile doesn't buffer in memory
-- are these large files?
Update 6/29/2011 5:02pm - You didn't mention you were publishing locally before. Have you tried this configuration hack? I have had to use it when using Windows Authentication and IIS locally.
I need to let an aspx.cs file run code to enumerate the contents of a directory on another server altogether. Basically, use a Directory object, etc.
Here is what I can piece together (I'm really not a network rights guy at all, so this is all confusing to me.) When a user loads my aspx page, that page, code behind, is actually running under some kind of windows user account. IUSR_ or something.
For some reason, the server I need to reach (it's a Page Flex server) will not let me change the "Location" to search for users in so I can't go find /IUSR... and give it rights.
Is there some way to pass credentials as I try to enumerate the contents of a remote server's directories?
I really hope that made sense.
I don't know all your security constraints, but you may want to look into delegation
http://msdn.microsoft.com/en-us/library/aa291350(VS.71).aspx
There's lots of other articles on it if you search google
EDIT:
From: http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx
<!-- Web.config file. -->
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
The idea is to have the web request run as whatever domain user does have access to the share, instead of the default (IUSR_* or ASPNET user, I can't remember)
I believe you can do this for just a subdirectory or script if you want to limit what scripts are running as this user, see http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx
<location path="ReadUNC.aspx">
<system.web>
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
</system.web>
</location>
And if you want to do the impersonation programmatically, maybe this will help get you started: http://www.west-wind.com/WebLog/posts/1572.aspx
I currently have an ASP.NET 3.5 SP1 running on IIS 7. I have enabled forms authentication using .NET Membership and setup some folders that are restricted according to roles I have created. For instance, if an anonymous visitor tries to access the file http://www.example.com/restricted/foo.txt, he/she will be redirected to a login page, as expected. So far so good.
What I would like to do is provide access to protected files by allowing visitors to specify their login credentials in a query string, something alone the lines of:
http://www.example.com/foo.txt?user=username&pass=pwd
Is this possible at all?
you should be able to write an http module that intercepts the request and authenticates the user based on the querystring. However, just for the sake of completeness, I'd like to question whether it's a good idea to provide users their username and (in particular) password in plaintext.
You could easily create a download page that would authenticate the user and then forward them to the requested file. Something like navigating to Download.aspx?user=username&pass=pwd&file=foo.txt.
This however is NOT recommended. You should never require users to pass login information via a URL.
A secondary answer based on comments you've made to other questions is that you could simply put your download page in a directory. The subfolder could have a web.config that allows unauthenticated users access to the contents within :-)
something like:
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>