I just started learning web programming using IIS 7.5 on Windows 2008 R2 and ASP.NET 4.
I notice that both IIS and ASP.NET can define authentication rules. In IIS, there is a Forms Authentication setting where I can redirect the user to a specified page for authentication, like below:
And then, in the ASP.NET web.config file, I find similar settings:
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirected to the login.aspx page. But it isn't. So I am confused. How do the two sets of configs work together? And why is the page request not redirected?
Thanks
Update
Finally I got it working and I think I understand it now. My website structure is like below:
It is about modifying Authorization rules. Deny all unauthorized users for the root:
<authorization>
  <deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
  <allow users="*" />
</authorization>
and only allow unauthorized users to access Register.aspx, so I have Account\web.config:
<location path="Register.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<system.web>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
<authorization>
  <deny users="?" />
</authorization>
This specifies that all unauthenticated users are denied access to pages in your application. The authorization element is part of the system.web configuration section.
When you set something in IIS with authentication (in your case forms authentication), it also changes your mapped project's web.config file with the same settings. That's why you see the same information in both modules.
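As an added illustration (not code from any post above): a small Python model of how ASP.NET URL authorization merges the <authorization> rules of nested web.config files and <location> elements and then applies the first matching rule, using the root / Styles / Account layout from the update. The scope keys, the user name "bob" and the requested paths are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    users: tuple = ()      # "?" = anonymous, "*" = everyone, or account names
    roles: tuple = ()

@dataclass
class Principal:
    name: str = ""         # empty name = anonymous (unauthenticated) request
    roles: frozenset = field(default_factory=frozenset)

    @property
    def is_authenticated(self):
        return self.name != ""

# Constructed scopes keyed by virtual path (lower-cased; IIS paths are case-insensitive).
# A key ending in "/" is a folder's web.config; any other key is a <location path> target.
SCOPES = {
    "": [Rule("deny", users=("?",))],                       # root web.config
    "styles/": [Rule("allow", users=("*",))],               # Styles\web.config
    "account/register.aspx": [Rule("allow", users=("*",))], # <location> in Account\web.config
    "account/": [Rule("deny", users=("?",))],               # Account\web.config
}
MACHINE_CONFIG_DEFAULT = Rule("allow", users=("*",))        # implicit final rule

def rule_matches(rule, who):
    if "*" in rule.users:
        return True
    if "?" in rule.users and not who.is_authenticated:
        return True
    if who.is_authenticated and who.name.lower() in [u.lower() for u in rule.users]:
        return True
    return bool(who.roles & set(rule.roles))

def effective_rules(path):
    """Merged rule list: most specific scope first, machine.config default last."""
    p = path.lower()
    scopes = [s for s in SCOPES if s == "" or p == s or (s.endswith("/") and p.startswith(s))]
    scopes.sort(key=len, reverse=True)
    return [r for s in scopes for r in SCOPES[s]] + [MACHINE_CONFIG_DEFAULT]

def is_authorized(path, who):
    """First matching rule wins; a deny is what sends the browser to loginUrl."""
    for rule in effective_rules(path):
        if rule_matches(rule, who):
            return rule.action == "allow"
    return True  # unreachable: the default rule matches everyone
```

Note that the position of a <location> element relative to the root <authorization> element does not change the merged list; only how specific its path is does.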
Related
I have a smart-card enabled website where, in IIS, Anonymous Authentication is disabled and SSL is enabled.
The IIS root also has Anonymous Authentication disabled, but Active Directory Client Certificate Authentication enabled.
Static Content role service is also installed.
In the web.config, I have
<authorization>
  <deny users="?"/>
</authorization>
Following that, I have
<location path="/css/main.css">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="images">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
In both the css and images folders, I also have web.config files consisting of:
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
I use an AppPool running with a custom identity, let's say APUser.
On the web server for those folders, I have permissions set to read for APUser, IUSR, Anonymous Logon, Users, IIS_IUSRS, and Everyone.
The url is in trusted sites on the browser.
Initially, the images and CSS return error 500 (seen in a network capture with the dev tools). After logging in, they show fine.
Same issue running on the server itself.
If I enable Anonymous Authentication in IIS, disable Active Directory Client Certificate, and change deny users="?" to allow users="*", everything works fine.
What am I missing to disable Anonymous Authentication, but still show images/css?
web.config authorization settings work sequentially. That is, since you are denying unauthenticated users with the following, it does not read any more of your config.
<authorization>
  <deny users="?"/>
</authorization>
Read here.
Remarks: At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first access rule that fits a particular user. It then grants or denies access to a URL resource depending on whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the Machine.config file is <allow users="*"/> so, by default, access is allowed unless configured otherwise.
Change it so that they come before the part that denies unauthenticated users.
<location path="/css/main.css">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="images">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<authorization>
  <deny users="?"/>
</authorization>
From "Allow" on MSDN here
"users
Required String attribute.
A comma-separated list of user names that are denied access to the resource. A question mark (?) denies anonymous users and an asterisk (*) indicates that all users are denied access."
Now, I take it that there's an error in there and they want to say "allow".
So you want <allow users="?,*" />
Under Group Policy for "Impersonate a client after authentication", add IIS_IUSRS
Today I moved my application from a server with IIS 6 to a new one with IIS 7.5 (Windows Server 2008 R2).
The odd thing is that I cannot access the default document although it has been set in the Default Documents section. The file is "default.aspx" and when I try to access the page by IP I get http://[IP]/login.aspx?ReturnUrl=%2f, but it works fine if I access it directly.
These are the settings from web.config:
<authentication mode="Forms">
  <forms protection="All" loginUrl="login.aspx" name="CookieName" timeout="49200" requireSSL="false"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
I've already tried to solve this with some of the suggestions written here [Forms Authentication Ignoring Default Document], but with no luck.
I want to solve it by somehow configuring the server and not the application.
Thanks
SOLUTION
I don't know if it is the correct one, but I changed the mode of the application pool to Classic instead of Integrated.
Add the following to the web.config and it will allow you to access Default.aspx without requiring prior authentication. All other pages will require authentication.
<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Just because a document is added as the default within the IIS configuration does not mean it bypasses the FormsAuthentication.
For me, removing the ExtensionlessUrl-* handler mappings in IIS Manager for the site in question did the trick, even though all this does is add the relevant entries to web.config that I had already tried with no luck.
I have the following ASP.NET Forms Authentication configuration:
<system.web>
  <authentication mode="Forms">
    <forms name="MembershipCookie"
           loginUrl="Login.aspx"
           protection="All"
           timeout="525600"
           slidingExpiration="true"
           enableCrossAppRedirects="true"
           path="/">
    </forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
If an anonymous user visits the site and requests home.aspx, should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If a user is accessing Home.aspx, it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx.
If a user accesses Home.aspx then the second rule will be applied, i.e.
<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
The point to note here is: * means that any authorized user (having any or no role assigned) can access the page, but ? means an unauthorized user cannot access the page.
I am a beginner at ASP.NET. I currently have a login page with a forgot-password link button at the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing: it prevents the user from accessing the password recovery page once the user clicks the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated?
The code below prevents anonymous users from viewing other pages without access, but I have no idea how to allow them to access the password recovery page...
<authentication mode="Forms">
  <forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
  <deny users="?"/>
</authorization>
You need to use the <location> element to apply settings to a specific path, then add an <allow /> for non-logged-in users.
For example:
<location path="PasswordRecovery.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
<location path="Presentation/Display/PasswordRecovery.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
This allows anonymous users to view your password recovery page. You might want to do the same for the directory where your CSS and/or image resources are stored, in case they are required by your login page and/or your recovery page.
Use Location:
<location path="passwordrecovery.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
I'm learning how to use ASP.NET authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want that Default page accessible to everyone (so, without authentication) and "Test/Default.aspx" private. My Web.config is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="Empresas">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
This way, when I access the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" to "deny users=*", then I can't access it even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookie problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to make some pages private?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users