im building a asp.net web site with 2.0 framework.
I've been "fighting" with web.config, i've changed it quiet some times.
So to start from scracht this is what i have:
<?xml version="1.0" encoding="utf-16"?>
<configuration>
<connectionStrings>
<remove name="LocalSqlServer"/>
<add name="ABC" connectionString="Database=jsilvaqqc.mdf; Data Source=*****;Initial Catalog=jsilvaqqc;User ID=****;Password=*****;" providerName="System.Data.SqlClient"/>
<add name="LocalSqlServer" connectionString="Database=jsilvaqqc.mdf; Data Source=*****;Initial Catalog=jsilvaqqc;User ID=*****;Password=*****;" providerName="System.Data.SqlClient"/>
</connectionStrings>
<location path="Members">
<system.web>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true"/>
</system.web></configuration>
It works fine im my machine. I've created the users for the login and the role to access the "Members" folder.
But in my host company, it doesnt work. I have the aspnet database from my computer in that databese "jsilvaqqc.mdf".
When i try to log on pops up box requiring autentication. But i've alreadu given that in the log in form.
Do i need aspnet "authentication" tag?
Why dont i need it in my machine if i access the same database?
Here is the print of the box that comes up, when i log. And only when i log with a valid user.
Link: http://www.freeimagehosting.net/image.php?c9425ff727.jpg
Thanks for you help.
It sounds like the pop-up login box you talk about is probably IIS asking for Windows Authentication. If you only want to use forms authentication, change the permissions on the Virtual Directory in IIS to allow anonymous access.
Related
I have an ASP.Net web forms app running under IIS 7+
The entire app is currently secured using Windows Authentication and URL Authorization, configured in the web.config via IIS. The .NET doesn't care who the user is, there are no profiles or roles or anything at the moment.
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AppXUsers" />
<deny users ="?" />
</authorization>
</system.web>
I wish to add an additional page (in a subfolder), which will be accessible to subset of users, so I would modify the web.config like so:
<location path="mySubFolder">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AppXPowerUsers" />
<deny users ="?" />
</authorization>
</system.web>
</location>
The client is free to then add or remove AD groups as they see fit.
However, as it stands users who are in the AppXUsers group but not in the AppXPowerUsers group still get shown links to the pages in mySubFolder. When they click the links they get access denied as it should be.
Is there any way I can detect whether or not the current user has access to "mySubFolder"?
I feel it would be a bit overkill to introduce User/RoleManagement at this stage - the application has no need to store any information relevant to users and it doesn't care who the user is beyond "can they access this page or not", which is currently handled at the IIS stage.
Take a look at this: http://msdn.microsoft.com/en-us/library/system.web.security.urlauthorizationmodule.checkurlaccessforprincipal.aspx
which is referenced here:
Determine if user can access the requested page?
UrlAuthorizationModule.CheckUrlAccessForPrincipal requires that the authorization rules are set in <system.web><authorization>
If you're introducing this into your web.config, though - why are you reluctant to use it in code?
Another way to check would be:
Context.User.IsInRole("somerole")
I have looked for this issue on the internet and nothing specifies how to solve my problem.
It is a very small web application hosted on IIS7. In my web.config i have this code:
<system.web>
<authorization>
<allow users="WORKGROUP\SOMEONE"/>
<deny users="?"/>
</authorization>
<roleManager enabled="true" />
<compilation debug="true" targetFramework="4.0" />
</system.web>
When i access my website, it gives me the following error
401 - Unauthorized: Access is denied due to invalid credentials.
I want to authenticate only one domain user and I think i have used everything correctly. Please Guide Me What am i missing here
You'll need to install Windows Authentication and enable that on the IIS website.
See this post for details on how to install and configure Windows Authentication on Windows 7 and Windows Server 2008R2: http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication
I have a website that is hosted on my local machine for development. I have a virtual directory named "content" that contains the images for my website (mapped to the physical path "C:\Content" in IIS). The problem is that when a user is not logged into my website, the images don't show up. I've tried putting a web.config file in the content folder using this
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
but that doesn't work. I've also tried adding this to my website's web.config file
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
but that's not working either. Any suggestions?
The <system.web><authorization> element only refers to content handled by the ASP.NET runtime, not IIS itself (which is <system.webServer> and has a totally different schema). However the Cassini/dev server in VS does use <system.web><authorization> for all resources because ASP.NET handles every request under Cassini.
Check your IIS Authentication rules, as well as your NTFS ACLs. Ensure that Anonymous Authentication is enabled and the correct user identity is set. You can do this in IIS Manager.
Hello guys i have an website online wich access the database. The database access for the connection String called GardenLadies is fine and works. I've added to the host database also the localsqlServer database info.
My problem is when i log in it gives me "Server Error in '/' Application.".
hereĀ“s my web config
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<remove name="LocalSqlServer"/>
<add name="GardenLadies" connectionString="Database=GardenLadies.mdf; Data Source=195.22.11.199;Initial Catalog=GardenLadies;User ID=****;Password=*****;" providerName="System.Data.SqlClient"/>
<add name="LocalSqlServer" connectionString="Database=GardenLadies.mdf; Data Source=195.22.11.199;Initial Catalog=GardenLadies;User ID=****;Password=****;" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<authentication mode="Forms"/>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
<compilation debug="true"/>
</system.web>
</configuration>
I've used this formula of webconfig in other website and it has worked for me, i don't get what i'm missing here.
Thanks
This tells me that the problem is not the BD or the login, but an image that i use in masterpage.
"Access to the path 'E:\inetpub\vhosts\garden-ladies.pt\httpdocs\images\Imagens\fundo.jpg' is denied. "
I have other images in similar location but in anonymous pages.
Any ideas?
Sounds like you have a conflict with some information in your machine config.
What does your provider section look like?
AND why do you have two connection strings with the same info? which is asking for issues.
Clear them all in your web config and set your default providers to use your GardenLadies connection string.
Hi guys i've solved it, problem was with permissions in some folders in host.
Gave the permissions and everything worked.
Thanks for the help.
In my ASP.NET Application, I have an asmx Web Service which is in it's own directory. For this WS I have set the basic authentication under IIS 6.0 and put the separate web.config for that folder, with following nodes:
<system.web>
<authorization>
<allow users="domain\username"/>
<deny users="*"/>
</authorization>
</system.web>
With settings like these I get
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
when webmethod is invoked with SOAPUI or with browser. If I remove the deny node, any valid user in domain can get a web service response.
Any suggesstions how to make it work for one domain user only?
Maybe I should mention also, that authentication in main web.config is set to "Windows".
updated:
Oops, I overlooked the fact that you have a parent involved, my fault. Once permission defaults are set on the parent, you can just setup per-user access to the child web service/app.
The tightest configuration I could setup was the following.
For the parent, I used this barebones setup (nobody is allowed in):
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<compilation debug="true" />
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Then for the child (web service, in your case), I used this setup (only the DOMAIN\username principal is allowed in):
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow users="DOMAIN\username" />
</authorization>
</system.web>
</configuration>
This resulted in no access at the parent level, but only the given user at the child (web service) level. Also, as you mentioned, setting the authentication mode doesn't work on the child web.config.
Without setting up at least one allow entry at the child web.config, though, nobody can get in, as the parent's deny entry takes precedence.
original
Your settings work for me, but I believe you are missing a few elements.
Try including the impersonation element, make sure the authentication mode is set to Windows, and if deploying for IIS, make sure the IIS location has anonymous access off.
Try the following barebones config, with debug on or off as needed:
<?xml version="1.0"?>
<configuration>
<appSettings />
<connectionStrings />
<system.web>
<compilation debug="true" />
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="DOMAIN\username" />
<deny users="*" />
</authorization>
</system.web>
</configuration>