Ok, I've published a site using forms authentication. It works on my staging server. it does not work on the production server. The only thing different is sql is on a different machine for production.
The site does work, showing data from sql, but when I use the login link on the site, it brings up the login form, I login, it redirects to the main page, where it still says "login" instead of "logout".
I've tried aspnet_regsql to uninstall / install forms authentication for the server. I've restarted the www service. Here's a portion of my web.config
<membership>
<providers>
<remove name="AspNetSqlMembershipProvider"/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/TriState"
requiresUniqueEmail="true"
minRequiredPasswordLength="4"
minRequiredNonalphanumericCharacters="0"
passwordFormat="Clear"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordStrengthRegularExpression="" />
</providers>
</membership>
How are you creating the roles and users in the production environment? Do you use a back up of the development database? In that case pay attention to the aspnet_Applications table. Make sure that the name of the application in the development and the production environment are the same. If not, try to edit the table by hand.
Is your login page by any chance named login.aspx?
I had a problem with this in the past, since it creates the same class name as the login control and a conflict occurs. In my case I got the "Yellow Screen of Death" i.e. the stack trace since it threw an exception, but then I renamed the page and it was ok.
You should explicitly set your application name. Check your database for the application table. If you have two entries there, then the system is using a different application name for your dev box and the server. If you explicitly set the name, there will be no conflict.
Is it possible that the application is serving the wrong cookies? On our testing servers the hostname is different than the production servers and the cookies end up in a different domain. The testing and production servers need to know the domains they are serving to send the right cookies back (this is done by storing the names and domains in the database).
Have you tried backing up the database from the staging server and restoring it on the production server? (here are instructions to do that.)
This will confirm that the database you are using isn't the issue.
Ok have you tried doing a manual login to bypass the membership check? This will rule out forms authentication itself being the problem.
if (Request.QueryString["ReturnUrl"] != null)
{
FormsAuthentication.RedirectFromLoginPage("someuserid", false);
}
else
{
FormsAuthentication.SetAuthCookie("someuserid", false);
Response.Redirect("~/SomePage.aspx");
}
Check your users are set up with whatever roles you have allowed in authorization.
<authorization>
<deny users="?"/>
<allow roles="Public"/>
<allow roles="AdminUser"/>
</authorization>
Check if there any web.configs further down (inheriting from higher level folder web.configs) which allow or deny any user's roles by specifying authorization.
Make sure your application name is the same in the production database:
applicationName="/TriState"
Related
I am working on a project in ASP.NET using MembershipProvider for my login system. Our issue is that the ASPNETDB file generated by ASP.NET upon creation of the login system seems to be empty or is not properly storing member information. Our project is a Web Site project, and we ran into a weird case of not being able to maintain login info. I gave my colleague my ASPNETDB file, he overwrote his and yet the login system was still using his old member information, it would not recognize the new ASPNETDB file. So I'm assuming the issue is that the member information is not being stored in that specific file as I was expecting.
How do we remedy this? We need to install this system for a client, so we will probably host the site sometime soon, how do we localize the membership information so that it's consistent across multiple workstations? Right now the membership info seems to be tied to specific computers. And when we go into the ASPNETDB file there doesn't seem to be anything there.
Can anyone shine some light on this? Its been happening for a while now.
I still don't know how to make it so that it always pulls from the
same location (project directory) instead of SQL server.
In ASP.NET Membership, connection strings for memership and roleManager are in web.config. You just need to update them accordingly.
<configuration>
<connectionStrings>
<remove name="SqlConnection"/>
<add name="SqlConnection" connectionString="..."/>
</connectionStrings>
<system.web>
<membership>
<providers>
<clear/>
<add connectionStringName="SqlConnection" ... />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<clear/>
<add connectionStringName="SqlConnection" ../>
</providers>
</roleManager>
</configuration>
I'm experimenting with the Microsoft Azure portal in order to see how my legacy application performs with the least amount of rewrite. Authentication is a problem.
Background: this ASP.NET web application currently uses the SqlMembership Provider for Users, Roles, Profiles and Personalization. Yep, there has been a lot of blogging about the ASP.NET Identity, Simple Membership, Universal Providers and that the asp.net SqlMembership Provider is being phased out. But, if possible I'd still rather use the legacy asp.net membership on Azure.
Currently, I am able to publish my VS.NET 2013 solution to Azure but I am not able to login. As soon as I navigate to the url, it auto-logs me in as the Azure Portal user. It almost appears that Windows Authentication is active, rather than forms. Here's how I got here:
I created the sql membership tables on Sql Azure using special Azure-friendly scripts for Sql Azure (here: https://support.microsoft.com/kb/2006191).
However, when I run my application on the azure site vs. when I run it locally I see different behavior. On azure a different authentication mechanism takes hold: first, I'm prompted to login with my organizational ID (this is my msdn email), then after I enter my login for Azure, I automatically get logged into my application as live.com#myazureid#domain.com and I am not redirected to default.aspx but login.aspx and none of the web.sitemap menus appear other than the ones available to non-authenticated users. I also created a second user in the portal jeff#mydomain.onmicrosoft.com and I am prompted to login thru live then I am autologged into the application. Basically it acts like windows authentication is active, not forms auth. (Clarification: I found out later that this behavior is Azure Active Directory.)
In contrast, when my application runs locally (vs.NET 2013) with my connection strings pointing to the same sql azure data source (the membership tables) I login as I'd expect: I enter my membership username/password and I see my default page and pages tied to my roles are accessible, the user exists in users table, etc.. Obviously my local runtime environment and azure are different and it seems that Azure is somehow overriding my web.config provider settings and using its own mechanism.
My web.config:
<authentication mode="Forms">
<forms cookieless="UseCookies" defaultUrl="~/Default.aspx" loginUrl="~/PagesAnon/userLogin.aspx" requireSSL="false" slidingExpiration="true" timeout="45" />
</authentication>
<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="2">
<providers>
<clear />
<remove name="AspNetSqlMembershipProvider" />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="4" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
</providers>
</membership>
<roleManager defaultProvider="AspNetSqlRoleProvider" enabled="true" cacheRolesInCookie="true">
<providers>
<clear />
<remove name="AspNetSqlRoleProvider" />
<add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
Thanks to Simon W above, I found my problem. In the Azure Portal, there is a setting that controls "Azure Websites Authentication / Authorization". Its found under Websites, then Configure, then scroll down a bit to "Azure Websites Authentication / Authorization". In my case there was an entry there: my website was tied into the "Directory" for my account and the "application" was set to my "tenant" (I think that's the Azure term).
To fix this, I simply removed the entry in the portal and I am able to login to my web application perfectly. Forms authentication wired up to Membership is working as I'd expect.
I believe that I published the original website using VS.NET 2013 Publish (using Server Explorer with the Azure SDK tools installed) and maybe there is a default setting that enables Azure AD in that scenario. I won't know until I retrace my steps and confirm this later. When I create a new website using the Portal, it does not default to this scheme.
Simon, I don't know how to give you credit for the answer... you basically got my head pointed in the right direction (just the use of "Azure AD authentication" got be googling the right terms) and facilitated the fix.
I have an MVC4 project which was upgraded from MVC2. While debugging with the VS development server the user validation works fine. But when I tried to debug with Local IIS the login fails, because of a wrong password.
On the production system the user validation also works fine.
The only difference between the development server / production system and local IIS is, that the website is running in an virtual directory on local IIS. So the URLs are
on development server / production something like:
http://localhost:12345/ OR http://the.production.server/
but on local IIS it is somthing like:
http://localhost/mymvcproject/
If I move the website to the root directory on local IIS the login works fine.
In the web.config membership is configured like:
<membership>
<providers>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ApplicationServices" enablePasswordReset="true" passwordFormat="Encrypted" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="50" minRequiredPasswordLength="6" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
I think the problem is the applicationName parameter, but I haven't changed it.
Things I checked:
the database data were always the same
to create and validate an new user does work on local IIS when in virtual directory
I tested it also with the original MVC2 project, same problem
Am I on the right path?
Is there a way make validation/password encryption/decryption independend from the URL/application name?
Is there a way make validation/password encryption/decryption
independend from the URL/application name?
No. Instead, ASP.Net Membership provider uses Machine Key (in addition to salt) to encrypt and decrypt a password.
Normally, you want to include a machine key in application's web.config explicitly to avoid that kind of saturation.
If you know the machine key, save that in Local IIS's web.config explicitly.
If you do not know the machine key, use the following method to retrieve it.
http://aspnetresources.com/blog/how_to_read_auto_generated_machinekey
Update: 7/9/2013
If you do not assign machine key explicitly, the application will use the auto-generated key by default.
I solved it. Thanks to #Win, you pushed me to the machine key. Just to make it clear, I know the machine key.
I did not see the little IsolateApps parameter in the machine key setting, which is the "key".
With a machine key configured like this:
<machineKey validationKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,IsolateApps" decryptionKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,IsolateApps" validation="AES" />
I have the behavior like I described in my question. But without the IsolateApps like this:
<machineKey validationKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" decryptionKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" validation="AES" />
Everything works fine, no matter if the application is in root or a virtual directory. But there's a catch! I you change the machine like this (not the values, only remove the IsolateApps parameter), the user validation fails for existing users. Only new created users can be validated.
The according MSDN page is http://msdn.microsoft.com/en-us/library/vstudio/w8h3skw9(v=vs.100).aspx.
This is sort of a two part question. So I'll start with the first which will lead into the second. I'm hosting a site at GoDaddy where at the root is the main web application. However in a sub-folder I have created a second web application. Both of which use Forms Authentication backed with ASP.NET Membership on a shared database. Meaning both are using the database aspnetdb. What I'm trying to accomplish is the ability to log into one and therefore be logged into both. A Single Sign On (SSO) if you will. What I have found so far is if the applications are on the same server (IIS instance) they therefore share the same MachineKey. From what I have found and from my understanding Forms Authentication uses the MachineKey to generate the Authentication Ticket. So therefore should be no modifications necessary as long as the application name for the Membership, Role and Profile providers match.
Am I accurate so far?
But I have not been able to get this to work. So I tried two other ideas with no prevail.
I added the following to both Web.config files (separately, not together of course).
<machineKey decryptionKey="AutoGenerate"
validation="SHA1" validationKey="AutoGenerate" />
or
<machineKey
validationKey="93A258D47F48AF07AB8BE3EF56C9D32897B9C458F2E14DB6F9AA47D77E40F4CA763D4BD56C2900B507073023F4C43C583A1F7086C2DD327C879368B0449EFB10"
decryptionKey="6BE371E3CDE768B71D0D261370127BAE094984D207EFD4B55FB24384FE1795D1"
validation="SHA1" decryption="AES" />
Generated from http://aspnetresources.com/tools/machineKey
And an example Membership configuration
<membership
defaultProvider="SqlProvider"
userIsOnlineTimeWindow="20">
<providers>
<remove name="AspNetSqlProvider" />
<add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="aspnetdb"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
passwordFormat="Hashed"
applicationName="/" />
</providers>
</membership>
So my first question, will this work and am I on the right track? Because I have not been able to get this to work.
The next question is, if this works and someone were to download an application and load it to their website. And, if in the application Web.config the MachineKey is specified, like the one generated above, and they leave the default application name, like '/', could this be a security risk? Meaning if person A loaded an app and person B loaded the same app could a user authenticate on one and therefore be authenticated on the second installation. Mind you person A and person B have no relationship other than they both loaded the same application and left it with the default settings.
References:
http://msdn.microsoft.com/en-us/library/ff649308.aspx
http://help.ablecommerce.com/faqs/ablecommerce_7/how_do_i_install_to_a_shared_hosting_environment_.htm
http://rtur.net/blog/post/2009/03/30/Using-machineKey-with-ASPNET-Membership.aspx
Using one Asp.net Membership database with multiple applications Single Sign On
[Update]
- I'm determined to find the solution to this issue soon. If you are also search for a solution stay tuned...
I recently deploy an application that uses asp.net membership (SqlMembershipProvider) and I dont know why but it automatically log out after 1 minute of inactivity. This doesn´t happen on my development environment. I even set the userIsOnlineTimeWindow to 60 which is supposed to be in minutes. Any ideas why this is happening?
Im deploying to a virtual directory on a shared hosting environment.
Here is how I set up the membership provider
<membership defaultProvider="FaceMoviesMembership" userIsOnlineTimeWindow="60">
<providers>
<clear/>
<add name="FaceMoviesMembership" type="System.Web.Security.SqlMembershipProvider" connectionStringName="FaceMoviesAuthConnectionString"
enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" maxInvalidPasswordAttempts="10"
passwordAttemptWindow="60" requiresUniqueEmail="false" passwordFormat="Clear" applicationName="FaceMoviesWeb"
minRequiredPasswordLength="5" minRequiredNonalphanumericCharacters="0"/>
</providers>
Found the solution on this Blog. Here's an abstract:
It is well known that you need to specify the same machine key entry when running in a web farm. This is due to the fact that things such as FormsAuthTicket or the AntiForgeryToken in ASP.NET MVC by default use the machine key values for encrypting details. Otherwise the user will be redirected back to the login form or validation will fail, when they are load balanced to a different server. This occurs when the decrypted results do not match the cookie in the case for FormsAuth. Causing the user to keep wondering why he’s having to sign-in over and over.
Having encountered this problem with 2 different web host providers, it turns out hosting providers spin up several virtual instances of your app. This recreates the web farm scenario.
As stated, your problem could be an instancing issue.
The dynamically generated machineKey, which is used for encryption/decryption/hashing, is going to be different on every machine resulting in tickets that are not recognized by different instances of your application.
Explicitly specifying a machineKey section in your web.config will ensure that all instances of your application will honor a ticket regardless of source.
Generate a machineKey section here http://www.developmentnow.com/articles/machinekey_generator.aspx
and paste it into the <system.web> section of your app so that all instances of your app will use the same encryption keys.
This may solve your problem.