I tryed this ways:
Request.ServerVariables["LOGON_USER"]
or
HttpContext.Current.User.Identity.Name
or
User.Identity.Name
-- If i run it by F5 from VS2010, it runs OK.
-- If i run it on IIS (I tryed it on 5.1 and 6.0, other IIS i can't use) there are empty strings.
In web.config i have:
<authentication mode="Windows"/>
<authorization>
<allow users="*"/>
</authorization>
so, all users should by autentificated.
Maybe, there should be more things in web.config.
I tryed it in IE, Firefox, and Chrome.
I post this question before, but there was some misleading information, so i post it again.
so, all users should by autentificated.
Exactly. All users include anonimous.
Any web browser will attempt an anonymous request at first, if it's successful it won't try to authenticate. So you want to deny anonymous requests:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Note that the order of items in the authorization element is important - they're like any access rules in that they're processed from top to bottom.
In this case the ? is anonymous users and * is all users (including anonymous) but as the deny anonymous user statement comes first - they will be denied and never get to see the allow statement which allows everyone else.
Also, if this is an ASP.NET MVC 3 web application, there're some quirks to be heedy of - please correct me if I'm wrong as I don't recall all the details right now:
<appSettings>
<add key="autoFormsAuthentication" value="false" />
</appSettings>
The autoFormsAuthentication has to be disabled to enable Windows authentication in an MVC 3 web application - or it was anyway, it might have been fixed by now but as it took quite some time to figure it out, I'm including it here. The symptom when not disabling it is every authentication request is redirected to the account forms url (which you might not even have).
Related
I am having the following error:
Failed to load resource: the server responded with a status of 401 (Unauthorized) http://localhost/App/AngularJS/angular.min.js
The project works fine on localhost. But when I run it on IIS (7.5) I get the above exception.
[Image]
My project is .net 4.5 project (Web.API 2.2), I am using AngularJS for UI in this project.
I have tried running "aspnet_regiis - i" as somewhere this was accepted as solution. But it didn't work in my case. I don't know is there any thing required to execute [AngularJS].js files on IIS for Web.API project?
EDIT:
I have made following changes to web.config file:
<location path="AngularJS">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow users="*" />
</authorization>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
Also I have set the read/write/modify access for "IUSR" & "IIS_ISURS" users of whole project.
But still I get the same exception on IIS. But same running fine with VS2013.
Error:
When servers respond with access denied message (401 Unauthorized access), it means that the anonymous IIS user account is unable to access the resources because of permission issues.
By default, IUSR account is used for anonymous user.
All you need to do is:
IIS ->
Authentication -->
Set Anonymous Authentication to Application Pool Identity.
Problem solved :)
Also I have set the read/write/modify access for "IUSR" & "IIS_IUSR"
users of whole project.
this was enough for me to get around the same issue.
PS. sorry for using your image, just want to emphasize the step you mentioned that worked for me.
Assuming that you are using form authentication and you are trying to get it before login. You can use the following in your web.config file inside <configuration>.
<location path="AngularJS">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
It will make you files inside AngularJS folder available without login
Well,
It's strange but It worked. The solution was to set the default user for "Connect as" in IIS. See the image given below.
I specified the administrator user & this started to work in IIS. I think this is some kind of requirement with AngularJS to work on IIS.
Thanks for replies.
It will work when you add IUSR into the application folder security.
I had this problem and disabled my VPN and it was solved.
For more than a couple of years, we have successfully used the approach outlined in this post for enabling mixed-mode authentication in our Asp.Net app:
https://stackoverflow.com/a/7735008
We have 2 pages, Login.aspx and WindowsLogin.aspx with appropriate elements as highlighted in above post. Everything has been working fine until recently when it broke and we are unable to figure out why or when it broke down (for a few months, we had been working on major new features in our app, we added a few managed modules and other things, but I have tried eliminating them one at a time with no avail).
We have this defined for our global authentication:
<system.web>
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="10" />
</authentication>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<basicAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
Then appropriate elements exactly as in the referenced post. Now when I visit WindowsLogin.aspx directly in browser, it 302 redirects me to Login.aspx with return url set to WindowsLogin.aspx. I have tried simplifying web.config by eliminating all unneeded configuration until all remained was bare bones authentication and other pieces. Still WindowsLogin.aspx redirects to Login.aspx (i.e. Forms authentication is kicking on WindowsLogin.aspx page).
The interesting thing is if I change loginUrl to WindowsLogin.aspx (with everything else remaining exactly same), then WindowsLogin.aspx shows me the native browser authentication challenge as expected.
I have tried and exhausted all options I could think of to get this work with loginUrl set to Login.aspx, but it simply doesn't work.
I enabled IIS tracing rules for 302 redirect and captured a log file where WindowsLogin.aspx was redirecting to Login.aspx (with loginUrl set to Login.aspx). The trace file is available here:
http://imbibe.in/public/fr000001.xml
Can someone please help me in figuring out why is FormsAuthentication module kicking on WindowsLogin.aspx page when its WindowsAuthentication module that is supposed to do the auth there. And why does just switching the login url raises the 401 challenge on Windows Auth page. We are working with IIS 7.5 on Win Server 2008.
UPDATE: I created a simple web app with only 3 pages, Default, Login and WindowsLogin and followed the mixed-mode authentication approach on the same server and it worked. Which obviously means its something in our application/app pool that is interfering. I am hoping the IIS Trace log provided can shed some light on it.
If I completely remove <authentiction mode="Forms"> from our app's web.config (which essentially means no auth is enabled), then Login and WindowsLogin pages work fine.
But with the current configuration only, going to WindowsLogin redirects back to Login.aspx.
You need to add some location exceptions in your web.config file (anywhere outside the regular System.Web section):
<!-- Providing it's in the root - No leading slashes! -->
<location path="WindowsLogin.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
This will allow all non-authenticated FORMS users to access the page. Otherwise your users will keep getting redirected to the FORMS login page (as they should).
I am trying to secure an application in IIS7 using .NET Authorization Rules.
By default, the web server allows all users access (which is inherited).
I have added, just for this one application directory, a deny all users command, as well as an allow command for specific users.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="myusername" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
I have Windows Authentication enabled, and I can verify that without the line that my REMOTE_USER is MYDOMAIN\myusername.
However, when I try to deny all users, I am prompted with the typical Windows domain username/password box. If I enter the username password, the prompt comes back up again 3 times until finally presenting me with a failure message. (I have also tried to no avail)
Looking in the event viewer, it appears as if my login using the username and pw is successful in the audit ... and to further that point, my account is not being locked out (which it would if I were failing to login over and over). So it's as if I am logging in, but the configuration is not seeing what I entered as matching my login.
Below is the message I see (even when connecting from the server using localhost):
**Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.**
First off, the main problem was that IIS6 Authorization is also included in IIS7, and at least in my case was the default. First, make sure that you have IIS7 Authorization installed. Complete directions can be found here:
http://www.iis.net/ConfigReference/system.webServer/security/authorization
The confusion occurs because in IIS7, there is an item in your application menu called ".NET Authorization Rules" (under the ASP.NET section). This is NOT what you want for IIS7 Authorization. For this, you must make sure that it is installed (see link above), and then click on the link under the IIS section of your application called "Authorization Rules"
Another note worth mentioning, if you put the following config in place:
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="unknownname" />
<add accessType="Allow" users="knownname" />
</authorization>
</security>
</system.webServer>
</configuration>
This will cause everyone to be denied. It appears that if you deny a username or role that does not exist, EVERYONE is denied. If the denied user is recognized, then it works fine.
Also, specifying deny for * and allow for certain users will not work, it will deny for all. You need to simply remove the * user (as in my example above), and then only allow for your target audience. Everyone else is denied by default.
Configure Basic Authentication in IIS 8 on Windows Server 2012
01-Authentication-Add Features
02-Authentication-Server Roles
03-Authentication-Server Management
04-Authentication-Set Password for user
05-Authentication-Authentication in IIS setup
Could you change your code as below
<deny users="*" />
<allow users="myusername" />
I spent 4 hours trying to set this up (to use domain role) :). Final solution was to use domain name in the role too:
`<system.web>
<authorization>
<allow roles="DOMAINNAME\rolename" />
<deny users="*" />
</authorization>
</system.web>`
I am using
<authentication mode="Forms" >
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH" />
</authentication>
Every thing works fine except that, there are some pages like About Us, Contact Us, Privacy Policy etc, which do not need to login to view them.
In my case i need to login to view all pages. I want these common pages to be viewable without having to log on.
I have tested my application on local IIS as well as on deployment server, but same problem occurs.
Please help!
Thanks for sharing your valuable time.
You need to create exceptions to your security policy:
<!-- files in the "Public" folder don't require authorization -->
<location path="Public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Alternately, you can make page-specific exceptions:
<location path="AboutUs.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Appearantly you want some pages to be available without logging in. The way to go about this is to set permission on subdirectories instead of the website root, and put these pages in the web root (usually they are in teh root)
If thats too much work, put your pages in a directory and allow anonymous users to access it.
There could be a large number of possible answers to such an open question. We will need more specifics to answer. Here are just a few places to look:
Have you checked your web.config file to see if anonymous authentication is off?
Have you checked the web.config to see if you are denying anonymous users access to your root directory?
Have you checked IIS to see if anonymous authentication is off?
Have you checked the pages' source code files to see if you are doing manual denial of service to anonymous users?
I have an asp.net web site, I want restrict all users to access a folder named "log" and I have this element in web.config:
<location path="log">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
and this element before it in system.web:
<authorization>
<allow users="*"/>
</authorization>
but still I have access to this url: http://www.mydomain.com/log/log.txt
Any ideas?
Thanks.
.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.
If you're using IIS 7 you can use Request Filtering to achieve this.
to avoid this confusions I usually create one web.config file at the directories i need to set different permissions.
If you place a web.config file inside your log folder it will work ok (and it will become easier to check the applied permissions at the folder)
Example:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>