Here's my scenario:
Using SQL Server sessions (due to web farm)
customErrors is On using redirect
There is a membership provider that uses sessions to store user information
In web.config, there are <location> sections that <allow users="*">. This is used for static content (e.g. images)
Whenever I try to access the error page or even static content, the session tries to start up (probably due to membership provider). If the SQL Server is down, that throws an exception.
Is there any way to prevent the membership provider and/or sessions from trying to initialize when I'm accessing certain folders (i.e. static content)?
It turns out most of my problem is because of differences between IIS6, IIS7, and the development server:
http://www.asp.net/hosting/tutorials/core-differences-between-iis-and-the-asp-net-development-server-cs
In IIS 6, ASP.NET only runs for extensions that are configured under Site properties > Virtual Directory > Configuration > Mappings > Application extensions. For example, .aspx points to aspnet_isapi.dll. Static content will not go through the ASP.NET by default.
In IIS 7, it's similar (under Handler Mappings), however thanks to the new integrated pipeline, in the web.config you can also have static content check for authentication. See Performing Forms-Based Authentication and URL Authentication on Static Files with IIS 7 in the URL above.
Also based on the above URL, in the ASP.NET Development Server (based on Cassini):
Every request that comes into the
ASP.NET Development Server, whether
for an ASP.NET page, an image, or a
JavaScript file, is processed by the
ASP.NET runtime.
Related
I have a few older ASP .Net Framework (web forms and mvc) sites on an IIS server which run in an app pool which uses a custom AD account. Serving any static files (images, js, css) from the Content folder of the site has always worked fine - but this began failing a few weeks ago. All requests for static content return a 500 error. The dynamic content still runs fine. When I switch the app pool to use the built-in ApplicationPoolIdentity, then the static content is returned fine. I verified that the custom AD account has read access to the static files on file system. There are no messages in the event log and the IIS logs only show the 500 response with no details. As this works fine using the built-in account, I am assuming the static file handler is still installed and running as expected.
Any thoughts on what may have changed, what would cause static files to fail for custom accounts only, or where I can look for more details on the error IIS is encountering?
EDIT: After further testing, I find that using my personal AD account for the app pool allows the site to serve static files. So guessing the issue relates to the custom account's privileges in some way?
So, thanks to the link from Lex Li above, I was able to enable failed request tracing and this pointed me to an authentication error - "Either a required impersonation level was not provided, or the provided impersonation level is invalid. (0x80070542)" By adding the custom AD account for the app pool to the local Admin group on the server, the issue was corrected.
We have a site that uses Windows Authentication to allow access to the webpages. Most if not all pages are written in classic asp. I recently added a "public" homepage written in asp.net so that users can change their password if they forget it. I tried setting up the homepage as the default in IIS 6, and set all the associated files with that homepage to allow anonymous access.
Problem is, we still get the popup for Windows Authentication. If you type in directly: http://www.website.com/default.aspx the page pulls up no problem. But when you try to navigate to simply http://www.website.com, we keep getting the windows authentication prompt.
I tried removing the global.asa file and an unused global.asax file thinking it was hitting one of these first, but that didn't work. Here are the files that allow anonymous access:
default.aspx
/Homepage -- directory with all code files and other public webpages
web.config
/bin -- folder containing the code generated by VS 2010]
I feel like something that doesn't allow anonymous access is getting accessed first, but can't figure out what it is. Any ideas?
I imagine you have two applications under your Default Website in IIS Manager (IIS 6.0?) One is your classic asp application, with anonymous authentication, and it uses an application pool with "No Managed Code". The other is your ASP.NET application, with windows authentication, which uses an application pool set up for .NET 4.0, or something.
Make sure the Default Website is set for anonymous authentication. Those settings get inherited.
I have am asp.net 3.5 web site with a asmx web service and a test aspx page (the page tests the web service using javascript).
I need to run this site with anonymous authentication, so I setup the site in IIS as such.
Now, if I am trying to open the test page in the browser, I get 401.3-Unauthorized error.
Any ideas what should I do to fix it? Do I have to give read access for the physical file to Anonymous Login?
Also, what version of IIS are you using? Also if you are using the IIS mgr and you check anonymous authentication, you need to give it a valid username and password, have you done this?
A 403 can mean several things. It can mean you don't have authentication correctly configured, or it can mean that the ASP.NET worker process does not have rights to access the pages (the security is set to only allow you to access them, for instance). There are other scenarios as well, but these are the two most common.
In visual studio MyProject properties I set the Login.aspx page as startup page and it works fine when I use the local host, however when I publish to the external host server the startup page is ignored and the aspx page in the URL is displayed. What am i doing wrong? host server has IIS6, 3.5 FrameWork
Startup Action, and specific page in this case is only used for Debugging purposes, not for the initial page to load on your web host.
If your web host is using IIS7, you can use the <defaultDocument> web.config element.
Otherwise, you can set the value in IIS (see here), or possibly find a workaround elsewhere.
The startup page is only for the ASP.NET Development server that is created by Visual Studio..used for testing & debugging your code.
Since you're publishing to IIS 6.5, you can set your default documents(s) on the website's Documents tab in IIS. Add your default starting page to the list there & move it to the top.
On II6 if you right click the web site --> Properties then go to Documents, there is a Enable Default Document. That list is where the default document is set.
I have two virtual servers from two different hosting companies. Publishing the same MVC3 site on each server produces different results for a folder that is supposed to be protected by forms authentication. The files are of various extensions.
On one server, requesting the file redirects the user to the login page (correct behaviour for our app) but the other allows the downloads.
Both web.config files are the same for everything that's relevant as far as I can see, so where does this get set?
TIA
Is the file type (for example somefile.xyz) mapped to asp.net or are you running an older version of IIS or in classic mode?
if .xyz is not mapped to asp.net then IIS will allow the download (in some cases - unknown extensions depending on the version of iis will result in a 404 for security purposes)
Are they different versions of IIS? If one is setup for classic mode (the worker process) or its an older version of IIS (6 for example) the file request won't funnel through IIS unless you setup a wildcard mapping.
If it is running in integrated pipeline mode, then it will funnel through IIS and you would see the login (assuming users, auth, and forms auth are setup correctly)