proper IIS 6 configuration for forms authentication - asp.net

I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made a test with the two options above enabled and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!

Here is a check list for using ASP.NET Forms Authentication on IIS6
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidingExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't do this then an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone even though they are still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />

Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.

The anonymous access should be enabled, I don't think integrated windows authentication makes a difference but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication

Anonymous access -> checked
All other options on the security tab -> unchecked
Note, forms authentication is done by .NET - not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanations by MS.

Related

Is Session timeout when using Windows authentication possible?

I have implemented SSO into my ASPX application and set the authentication mode as follows:
<authentication mode="Windows" />
Is it possible to enforce a session timeout for applications which use the authentication mode from above?

asp.net form authentication timeout settings ignored

In web.config I've configured forms authentication as follows:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx"
timeout="20"
slidingExpiration="true"/>
</authentication>
Initially the ASPXAUTH cookie is set correctly. Using Firefox's cookie viewer I can see the cookie and the expiration period is correct (20 mins).
Sliding expiration also sets an updated cookie correctly (20 more mins added).
But after that any new HTTP request (even if made within the next 5 mins) will result in a 302 and redirects to Login.aspx as if authentication has expired.
Application details below:
target asp.net 4
iis 7.5
shared hosting but with dedicated pool (recycling did not help).
Login.aspx uses the asp Login control for authentication (no custom cookie).
Any ideas?
This could have many reasons.
Is this happening on your local machine, too? Have you maybe configured an httpCookie domain in web.config which doesn't match your local host environment?
Have you configured a machinekey (validation/encryption)? This can be important in load balanced scenarios.
Do you use dynamic content caching in IIS?
Have a look into your event log. By default, 302s caused by a failed forms authentication are logged there. Are there any entries telling why you are considered unauthenticated? It could help identify the root cause (ticket expired, could not be decrypted, etc.).
Also keep in mind that the expiration of a forms authentication cookie is not extended on each request. A forms authentication cookie is refreshed after 50% of the original timeout has passed (in your case 10 mins). So configure your session timeout appropriately.
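The two timeouts discussed in the checklist answer above (session timeout must outlive the forms ticket) and in the answer just above (a sliding ticket is only re-issued once more than half of its lifetime has elapsed) interact in a way that is easier to see by replaying a few requests. The model below is an added example and is not ASP.NET code, nor code from anyone in this thread: it encodes only the two documented behaviours (FormsAuthentication renews a sliding ticket when more than half of the timeout has passed; an InProc session is discarded once it has been idle for its timeout), the request times are constructed minute offsets, and it does not model the user logging in again after the ticket expires.

```python
"""Replay requests against the forms-auth ticket clock and the session clock.

Added example (not ASP.NET or thread code). Assumptions, as in the lead-in:
  * ticket valid while now < expires; with slidingExpiration a request re-issues
    the ticket only if (expires - now) < (now - issued), i.e. more than half of
    the lifetime has been used (ASP.NET's RenewTicketIfOld rule);
  * InProc session survives only if the gap since the previous request is
    shorter than the sessionState timeout; every request touches the session.
All times are minutes since login and are constructed, not measured.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class RequestOutcome:
    minute: int
    authenticated: bool   # forms ticket accepted on this request
    ticket_renewed: bool  # sliding expiration issued a fresh ticket
    session_alive: bool   # Session values from earlier requests still present


def simulate(forms_timeout: int, session_timeout: int,
             request_minutes: Sequence[int]) -> List[RequestOutcome]:
    """First entry is the login request; the rest are replayed in order."""
    if not request_minutes or list(request_minutes) != sorted(request_minutes):
        raise ValueError("request_minutes must be non-empty and ascending")
    login = request_minutes[0]
    issued, expires = login, login + forms_timeout   # <forms timeout="..."/>
    last_session_hit = login                          # <sessionState timeout="..."/>
    results: List[RequestOutcome] = []
    for t in request_minutes[1:]:
        # Forms ticket: rejected (302 to loginUrl) once its expiry has passed.
        authenticated = t < expires
        renewed = False
        if authenticated and (expires - t) < (t - issued):
            # More than half the lifetime used: re-issue with a full timeout.
            issued, expires = t, t + forms_timeout
            renewed = True
        # Session: lost if idle longer than its timeout; this request then
        # starts a fresh, empty session (Session["x"] is None).
        session_alive = (t - last_session_hit) < session_timeout
        last_session_hit = t
        results.append(RequestOutcome(t, authenticated, renewed, session_alive))
    return results


def authenticated_without_session(forms_timeout: int, session_timeout: int,
                                  request_minutes: Sequence[int]) -> List[int]:
    """Minutes at which the user is still logged in but Session has been lost.

    This is the failure mode the checklist warns about: code that expects
    Session values throws even though Request.IsAuthenticated is true.
    """
    return [r.minute
            for r in simulate(forms_timeout, session_timeout, request_minutes)
            if r.authenticated and not r.session_alive]


if __name__ == "__main__":
    # Session timeout shorter than the ticket: the 25-minute request is still
    # authenticated (and renews the ticket) but its session is gone.
    print("session 20 < forms 30:", authenticated_without_session(30, 20, [0, 25, 35]))
    # The checklist's fix: make the session outlive the ticket.
    print("session 40 > forms 30:", authenticated_without_session(30, 40, [0, 25, 35]))
    # Sliding renewal only after 50% of the lifetime, then a true expiry.
    for r in simulate(20, 40, [0, 12, 25, 50]):
        print(r)
```

With forms timeout 30 and session timeout 20, the request at minute 25 is accepted and even re-issues the ticket, yet the session it relied on was already discarded at minute 20; raising the session timeout to 40, as the checklist recommends, removes that window. The last run shows the 50% rule: at minute 12 of a 20-minute ticket the cookie is refreshed, at minute 25 it is refreshed again, and at minute 50 it is rejected because no request arrived before minute 45.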

How to get the current logon user name in asp.net?

I have a web app, in the web.config, I have following settings:
<authentication mode="Windows"/>
<identity impersonate="true" userName="domain01\user01" password="***"/>
I deployed the app to Windows 2008 (IIS 7), the Identity of the application pool is domain01\user01, and in the Authentication of the app, I have following set:
Anonymous Authentication Disabled
ASP.NET Impersonation Enabled
Basic Authentication Disabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled
Now I need to get the user name who is currently logged on the machine, which could be any authorized user from a different domain. But no matter what I tried, I always got the impersonated user domain01\user01. I tried HttpContext, WindowsIdentity, etc. Does anybody know how I get the correct user name without changing my settings?
You are specifying domain01\username as the identity that you want to impersonate. That is why the current user is always that. If you remove the configured identity you will get the actual logged in user.
<identity impersonate="true" />
This is documented here:
http://msdn.microsoft.com/en-us/library/xh507fc5(v=vs.85).aspx

Windows Authentication succeeds but IsAuthenticated == false

Environment is IIS 7 integrated pipeline, ASP.NET 4.0. I have a .aspx page configured without anonymous authentication and with windows authentication:
<location path="auth/windows">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
When I request the page, a normal Windows auth (NTLM/Negotiate) challenge response happens, and ultimately the page is returned.
I have an HttpModule in which I handle the PostAuthorize event. As expected, this event is only raised once the challenge-response authentication has succeeded and access to the page has been authorized.
However, the Request.IsAuthenticated property is false; and HttpContext.Current.User.Identity reflects an unauthenticated user (.Name returns the empty string). Interestingly, Request.ServerVariables["LOGON_USER"] does return the value of the authenticated Windows user.
I'd have thought that once the user was authenticated (and authorized, for that matter), the request would reflect being authenticated; and the User / Identity for the request would have been properly set.
Any thoughts on why this is not the case?
Thanks,
Donnie
It turns out that the native handling of Windows authentication works when you have Forms authentication enabled in Web.config. But the managed part of Windows authentication - associating the authenticated Windows user with an IIdentity-derived object representing that user - only happens if Windows authentication is enabled in Web.config. Looks like I'll have to rely on the Request.ServerVariables["LOGON_USER"] value.
Windows Authentication is enabled in IIS and the authentication mode is set to Windows in my web.config file.
<authentication mode="Windows">
</authentication>
My site is asking for credentials and it's working fine, but when I check using
HttpContext.User.Identity.Name
it is an empty string,
or
HttpContext.User.Identity.IsAuthenticated is false.
I used Request.ServerVariables["LOGON_USER"].ToString(); to get the logged-in user's name.
It worked for me. Thanks for posting, soccerdad.

Asp.net and windows authentication

My application needs to be designed so that an administrator can, via a web interface select if their users login via windows authentication or forms authentication.
This means I can't specify the authentication mode in the web.config, i.e.:
<system.web>
<authentication mode="Windows"/>
</system.web>
How do I approach this?
Use Forms authentication mode, whereby the login form can determine the user and the preferred authentication method for that user. If the user can be Windows authenticated, you don't need to present the login form; just set the user as authenticated and redirect accordingly.