Using Forms Authentication without .Net providers - asp.net

I want to protect a section of my website using forms authentication with the username and password as defined by me in the web.config. When I attempt to login I get the message below.
Server Error in '/' Application.
Could not find stored procedure 'dbo.aspnet_CheckSchemaVersion'.
I'm guessing this is happening because it's attempting to use the Membership tables as defined by the LocalSqlServer connection string. I don't want to use the Membership features, how do I configure my web app to do that?
Will I need to write the Authenticate function myself for the in-built Login control?

The problem isn't with your config file, it's with the Login control.
The Login control uses the default Membership Provider that is defined in the machine.config. (It's a SqlMembershipProvider that points to a SQL Express database).
You don't want to use the default Membership Provider at all. Simply create your own login page and use the following server-side logic to validate the credentials and log the user into the site:
if (Page.IsValid)
{
    // Validates against the <credentials> element in web.config, not a Membership database.
    if (FormsAuthentication.Authenticate(txtName.Text, txtPassword.Text))
        FormsAuthentication.RedirectFromLoginPage(txtName.Text, false); // issue the ticket, return to ReturnUrl
    else
        lblMsg1.Text = "Wrong name or password. Please try again.";
}

Try this:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx">
    <credentials>
      <user name="Joe" password="Smith" />
    </credentials>
  </forms>
</authentication>
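The question also asks whether the built-in Login control can be kept. It can: the control only falls back to the Membership provider when nobody handles its Authenticate event. The following is an added example, not code from either answer; it assumes a Login control with ID Login1 on Login.aspx and a <credentials> element like the one above.

```csharp
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

// Added example: keep the <asp:Login> control but take over credential checking,
// so the SqlMembershipProvider (and its aspnet_* stored procedures) is never called.
// Markup assumed on Login.aspx:
//   <asp:Login ID="Login1" runat="server" OnAuthenticate="Login1_Authenticate" />
public partial class LoginPage : System.Web.UI.Page
{
    // Normally declared for you in the .designer.cs file.
    protected Login Login1;

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Checks the name/password against <credentials> in web.config. passwordFormat
        // (Clear, SHA1, MD5) is honoured, so hashed passwords in the config work too.
        e.Authenticated = FormsAuthentication.Authenticate(Login1.UserName, Login1.Password);

        // When Authenticated is true the control issues the forms ticket itself
        // (persistent if "Remember me" is checked) and redirects to ReturnUrl/DestinationPageUrl.
        // When false it shows its FailureText, so no further code is needed here.
    }
}
```

Because the control never touches a provider on this path, the LocalSqlServer connection string and the Membership tables are irrelevant; with passwordFormat="Clear" the passwords sit in plain text in web.config, so prefer a hashed format and restrict who can read the file.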

Related

Authentication cookie not working after application pool reloads

I use Forms Based Authentication on my site.
In my login page I have:
FormsAuthentication.SetAuthCookie(user.userName, true)
When I want to check if the user is authenticated I do:
HttpContext.Current.User.Identity.IsAuthenticated
I'm not using ASP.NET Membership; instead I use my own SQL-DB verification.
Do I have to use ASP.NET Membership?
This is working for me most of the time.
The problem is that sometimes after 5 hours, or sometimes after 30 hours,
the application pool gets restarted for some reason (I'm on a shared server),
and after that "User.Identity.IsAuthenticated" returns false every time until the user logs in again.
This is strange to me because I can see that the client still has the persistent auth cookie, so why is the user not authenticated?
My Web.Config reference:
<authentication mode="Forms">
  <forms
    name="AuthCookie"
    loginUrl="~/mySite/ManageLogin.aspx"
    timeout="5256000"/>
</authentication>
Any help will be appreciated.
My site www.mentallica.co.il
This may be due to the automatic generation of the machineKey at application start. You can prevent that by specifying a machineKey for your app in your web.config:
<machineKey
  validationKey="410E4E2B06BE457709F2D8C72BB02957A3B4E8BA327F3A6103696857AD3A88598D454489B9D4CAAFC2D5E35E8795B311EE2E94DAA485FD64D7184272A4AE4D8B"
  decryptionKey="EFAFA0917D0D8F137F05B26AE053397C48D34DE688E73483D15C8EDAF0D6FD4F"
  validation="SHA1"
  decryption="AES" />
You shouldn't use this one - you may create your own easily at http://aspnetresources.com/tools/machineKey .
More information about machineKeys: http://msdn.microsoft.com/en-us/library/ff649308.aspx
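The answer points at an online generator; the keys can just as well be produced offline so they never leave your machine. The following is an added example, not code from the answer: it draws the key material from the OS cryptographic RNG and prints a ready-to-paste <machineKey> element. It chooses HMACSHA256 validation (supported in .NET 4) instead of the SHA1 shown above; that choice is this example's, not the answer's.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: generate a fixed <machineKey> so forms tickets survive app-pool
// recycles (and can be shared across servers in a farm). Not the page's own code.
public static class MachineKeyGenerator
{
    // Hex-encode byteCount random bytes from the OS CSPRNG.
    private static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
            sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    public static string NewMachineKeyElement()
    {
        // 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption.
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);
        return "<machineKey" + Environment.NewLine +
               "  validationKey=\"" + validationKey + "\"" + Environment.NewLine +
               "  decryptionKey=\"" + decryptionKey + "\"" + Environment.NewLine +
               "  validation=\"HMACSHA256\" decryption=\"AES\" />";
    }

    public static void Main()
    {
        Console.WriteLine(NewMachineKeyElement());
    }
}
```

Paste the output into <system.web> of web.config. Whoever holds these keys can forge authentication tickets, so treat the file like any other secret: keep it out of source control and readable only by the application pool identity.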

Role-based Security without Forms Authentication in ASP .NET

I would like to take advantage of:
Page.User.IsInRole("CustomRole");
Page.User.Identity.IsAuthenticated
when working inside Page methods, as well as authorization section in web.config:
<authorization>
<allow roles="Administrators, Supervisors" />
<deny users="*" />
</authorization>
and also apply rules on classes and methods level:
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
In my application I authenticate with ... custom mechanism that provides me user identity in ... http header. I get users PIN number (some kind of ID) + roles. But that is a side plot. It doesn't matter.
What I actually want to achieve is to take advantage of the ASP.NET built-in authorization features while keeping my custom authentication mechanism. I guess I have to implement IPrincipal and IIdentity, is that right? I saw plenty of samples on the web, but all of them include web.config configuration that specifies providers, and also FormsAuthentication-like classes, which I guess I don't need. I just need to inject my user object (which is prepared by me) into the request and that's it.
So:
what's the easiest way to achieve it?
what is the difference between GenericPrincipal / IPrincipal?
how to get/create IIdentity object? I saw samples with:
var id = new FormsIdentity(authTicket);
but I'm not using FormsAuthentication.
Thanks
In short, you have to implement your own authentication module.
An authentication module is just an ASP.NET module with a special purpose. Its AuthenticateRequest method should populate the HttpContext.Current.User property with an instance of IPrincipal.
Answering your other questions: IPrincipal is just an interface, while GenericPrincipal is one of its implementations. You can use it; as the name suggests it's just a generic implementation, which means that it should suit you. Since IPrincipal is just IIdentity plus roles, you will probably also need GenericIdentity.
Other implementations, like RolePrincipal + FormsIdentity, are designed for specific purposes; these two, for example, are used by the Forms Authentication Module.
There are some good examples available, just google for "custom authentication module".
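What such a module looks like, as an added example that is not part of the answer above: an IHttpModule that reads the identity and roles from request headers and installs a GenericPrincipal. The header names, the "HeaderAuth" authentication type and the trust check are assumptions to adapt; the point the asker's setup depends on is that identity headers must only be honoured when they were set by the upstream component you trust, otherwise any client can claim any role.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added example (not from the answer): a minimal authentication module that turns
// identity headers from a trusted upstream component into an IPrincipal.
public class HeaderAuthenticationModule : IHttpModule
{
    private const string PinHeader = "X-User-Pin";     // assumed: the user's PIN/ID
    private const string RolesHeader = "X-User-Roles"; // assumed: comma-separated roles

    public void Init(HttpApplication application)
    {
        // Same pipeline stage at which FormsAuthenticationModule would set the user.
        application.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;

        // Only trust the headers when the request came from the component that sets them.
        // Assumption here: that component runs on the same host, so IsLocal is the check.
        // Any other request stays anonymous and the <authorization> rules deny it.
        if (!request.IsLocal)
            return;

        string pin = request.Headers[PinHeader];
        if (string.IsNullOrEmpty(pin))
            return;

        string[] roles = (request.Headers[RolesHeader] ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < roles.Length; i++)
            roles[i] = roles[i].Trim();

        // GenericIdentity/GenericPrincipal suffice: IsAuthenticated is true because the
        // authentication type is non-empty, and IsInRole consults the roles array.
        var identity = new GenericIdentity(pin, "HeaderAuth");
        var principal = new GenericPrincipal(identity, roles);

        context.User = principal;            // Page.User, User.IsInRole, <authorization>
        Thread.CurrentPrincipal = principal; // [PrincipalPermission] demands check this one
    }
}

// web.config registration (IIS 7 integrated pipeline); no Forms or Windows authentication:
//   <system.web>
//     <authentication mode="None" />
//   </system.web>
//   <system.webServer>
//     <modules>
//       <add name="HeaderAuthentication" type="HeaderAuthenticationModule" />
//     </modules>
//   </system.webServer>
```

With the principal in place, Page.User.IsInRole("CustomRole"), the <authorization> element and PrincipalPermission demands all work without any provider configuration, which is exactly the combination the question asks for.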
Before you do (create/implement your own), have you tried/considered adapting Forms Authentication to your existing auth scheme?
I think you're "almost there" (using all of the built-in ASP.NET auth/membership/profiles/roles), and it may be easier/simpler to just "plug in" your existing auth scheme into Forms Authentication.
This snippet of code should give you an idea of how flexible Forms Authentication can be:
// Hard-coded check, for illustration only; the comparison can be against any store you like.
if ((UserEmail.Text == "jchen@contoso.com") && (UserPass.Text == "37Yj*99Ps"))
{
    // Issues the forms ticket (persistent if Persist is checked) and redirects to ReturnUrl.
    FormsAuthentication.RedirectFromLoginPage(UserEmail.Text, Persist.Checked);
}
else
{ ... }
So, it works with a hard coded "auth scheme" (not that you should, but gives you an idea of the possibilities), or even a list in web.config - again, just a sample:
<authentication mode="Forms">
  <forms name=".FUBAR">
    <credentials passwordFormat="MD5">
      <user name="foo" password="b7ab5072e8fba7bed20384cc42e96193"/>
      <user name="bar" password="1c42e49a360aa7cc337a268a1446a062"/>
      <user name="john" password="5f4dcc3b5aa765d61d8327deb882cf99"/>
      <user name="jane" password="7c6a180b36896a0a8c02787eeafb0e4c"/>
    </credentials>
  </forms>
</authentication>
Just a thought - hth....

login control forms authentication

I set up a login control to use on my web application and am having issues validating the users. I created the membership tables in my own database in SQL Server 2008 using a suggestion on another site. Then I opted to just use forms authentication and created two users in the WSAT, and thought that this would work fine. But it returns false for all users, including the two I created. Why this is so I am not sure, and if I were to use the SQL database tables, how would I do this?
<authentication mode="Forms">
</authentication>
<authorization>
  <allow users="boy"/>
  <allow users="girl"/>
</authorization>
<roleManager enabled="true" />
code behind login:
If Page.IsValid Then
    If username <> "" AndAlso password <> "" Then
        ' Authenticate() checks the name/password against the <credentials> element in web.config.
        If FormsAuthentication.Authenticate(username, password) = False Then
            Return False
        Else
            Response.Redirect("~/default.aspx")
        End If
    End If
End If
You need to configure your web.config to use the MembershipProvider.
Take a look here for more info. Are you trying to use the SqlMembershipProvider?
To authenticate using MembershipProvider use the Login user control or you can create your own and call the following methods:
// Validates against the configured MembershipProvider (e.g. SqlMembershipProvider).
if (Membership.ValidateUser(username, password))
{
    FormsAuthentication.SetAuthCookie(username, createPersistentCookie);
    // Issues the forms ticket and redirects to the page the user originally requested.
    FormsAuthentication.RedirectFromLoginPage(username, createPersistentCookie);
}

Multiple membership providers in ASP.NET (web.config + sql)

I know this question is asked (and answered) a lot already, but I believe my situation is unique.
We are using the ASP.NET SqlMembershipProvider. However, we also have some less-secure content we would like to secure by adding users directly to the web.config, like so...
<forms loginUrl="login.aspx" defaultUrl="default.aspx">
  <credentials passwordFormat="Clear">
    <user name="user1" password="123" />
    <user name="user2" password="456" />
  </credentials>
</forms>
Is it possible to use this method alongside a SQL Membership Provider? If so, how?
I know it's bad practice to do this. This is only a stepping stone as we move parts of our website into the ASP.NET application. We would like some of those passwords to be easily editable without going to the database.
"We would like some of those passwords to be easily editable without going to the database."
What is the logic there? I don't understand why you need two of them when you have a built-in feature to change passwords easily in the membership provider.
Now, you can use both at a time, but you will need a mechanism to decide when to use which, or you will have to do two-step authentication, i.e. first validate the user against web.config and if that fails then validate against the membership DB.
But if you have other stuff depending on Membership explicitly, then some of those things won't work on your site.
So as far as authentication goes, yes, it is doable as you want.
I found my answer here: ASP.NET - Login Control with Credentials in web.config file
For my ValidateUser logic, I needed to use:
// First try the configured MembershipProvider (the SQL-backed users).
if (_provider.ValidateUser(username, password)) {
    return true;
}
else {
    // Fall back to the <credentials> element in web.config.
    return FormsAuthentication.Authenticate(username, password);
}
I knew how to authenticate using a provider, but the key was the ELSE clause: authenticating using the web.config credentials.

Basic authentication for the web service

I'm having problems setting up basic authentication for the web service.
I'm writing a standard web service (not WCF) using .NET 4.0.
In the web.config I have the following settings:
<configuration>
  <system.web>
    <identity impresionate="true" />
    <authentication mode="Windows" />
  </system.web>
  ...
</configuration>
The web service has one method:
[WebMethod(Description = "Returns currently logged in user.")]
public string WhoAmI()
{
    return "You are logged in as: " + System.Threading.Thread.CurrentPrincipal.Identity.Name;
}
The test server is a virtual machine located on the same domain as my machine. When I access it, I don't get anything for CurrentPrincipal.Identity.Name.
I also tried to access the web service using soapUI. I entered my username, password and domain, but I still can't get it to work.
Any help would be appreciated.
In IIS (inetmgr) you can find the Authentication Methods window (WebService1 -> Properties -> Directory Security -> Authentication Controls -> Edit button).
You can choose Authenticated access (Digest, Basic, Integrated Authentication).
After changing that, your method will work as you want.
Does it work if you change impresionate to impersonate?
