I've got an ASP.NET application which uses forms authentication.
We're adding on an HttpModule that responds to requests in the /webdav folder and below. We need to use basic/digest authentication for these requests.
With <authentication> set to Forms in the root web.config, requests from webdav clients are receiving a 302 redirecting the user back to the login page.
Is MADAM the best way to achieve this?
I think MADAM would work well for you.
I'm using MADAM to make RSS feeds available that are specific to logged in users accessible to RSS Readers. I am also planning on using it when we implement mobile app access into our application. That way we can use the same controller logic and change the authentication using MADAM.
I would suggest that you use HTTPS requests if you're doing BASIC authentication. Also, if you are using IIS 7, make sure you add the http modules configuration into the system.webServer/modules section. I wasn't paying much attention and wasted time diagnosing why it was working locally and not on the development server in IIS 7.
Related
I have an ASP.Net side that right now works with Forms Authentication. I'm implementing several Rest webservices with Web API and, in order to use them outside the browser context (e.g. a console app) it feels like I'll need Basic Authentication (refer to http://www.asp.net/web-api/overview/security/forms-authentication)
However, when I try to enable both Forms and Basic Authentication at the same time in IIS, IIS Manager tells me the following: "Challenge-based and login redirect-based authentication cannot be used simultaneously".
What should I do and how can I enable Basic Authentication so I can use Web API services outside a browser context?
Thank you.
Check this post which solves your issue http://kevin-junghans.blogspot.com/2013/02/mixing-forms-authentication-basic.html
I have am asp.net 3.5 web site with a asmx web service and a test aspx page (the page tests the web service using javascript).
I need to run this site with anonymous authentication, so I setup the site in IIS as such.
Now, if I am trying to open the test page in the browser, I get 401.3-Unauthorized error.
Any ideas what should I do to fix it? Do I have to give read access for the physical file to Anonymous Login?
Also, what version of IIS are you using? Also if you are using the IIS mgr and you check anonymous authentication, you need to give it a valid username and password, have you done this?
A 403 can mean several things. It can mean you don't have authentication correctly configured, or it can mean that the ASP.NET worker process does not have rights to access the pages (the security is set to only allow you to access them, for instance). There are other scenarios as well, but these are the two most common.
I would like to apply a basic 2nd level of security by adding some form of web folder password protection, so that we only allow users with the global username and password to be able to access the logon page, where we are using forms based authentication.
I am not sure whether this is done from the IIS Manager (Windows 7) or by editing a web.config file ?
If you google for "Forms Authentication IIS", first item returned is this:
http://msdn.microsoft.com/en-us/library/ff647070.aspx
This does a good cover of the issue.
If you need to apply that to a particular folder, use location and authorization in web.config as below:
http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
I have been in the same situation. Given that you can't enable forms authentication and basic/windows authentication at the same time in IIS we ended up using Helicon Ape and .htaccess files for the digest based authentication and configured the web app itself to use forms authentication. It works well so far. We needed this because of client requirements. I wouldn't really recommend this in practice. It's fairly annoying for users having to log in twice.
I don't have much experience with ASP.NET and IIS -
But I created some simple web site and i put it on IIS server -
I want to make the access to be only for those users, who are know the access password.
How can I do it ?
You can easily do this with Forms Authentication in asp.net. Take a look at some information on the web about this.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
http://www.codeproject.com/KB/aspnet/ASPDOTNETauthentication.aspx
http://msdn.microsoft.com/en-us/library/7t6b43z4.aspx
It is pretty easy to get this working, most of the work is in the web.config and it gives you a lot of control about what pages are secure and what pages are not.
I've got an ASMX web service that works great through an SSL conection, but I would like to make these web services inaccessible without SSL.
In web forms, I would just use the following code:
if (!Request.IsSecureConnection) Response.Redirect ("SomeOtherPage.aspx");
I know that WCF promises to be better in every way, but it's a real PITA to get something simple done with a tool as complicated as WCF.
I have some other stuff on my site that is open to the public, so I chose not to take the IIS route. I did find a simple way in the asmx service to take care of the problem:
if (!this.Context.Request.IsSecureConnection)
return null;
Easy. Make a website in IIS that is only SSL and put this page in it.
Don't allow non-SSL connections to this website
In IIS (I can't remember exactly which version so it may have moved) under the security tab of the website or virtual directory you can set it to 'require secure channel'. This will force it to require https unless I'm mistaken.