IIS 7 Forms Authentication - iis-7

In IIS 7 is there a way to edit the forms authentication portion of the web.config without editing the web.config directly? That is, using the IIS 7 GUI to make changes to the authentication?

You'll need to modify the web.config directly for this case.

Related

Mixing Forms and Windows Security in ASP.NET

I am having trouble using Mixed Forms Authentication and Windows Security.
I am not too familiar with IIS and security. I found this article today:
https://msdn.microsoft.com/en-us/library/ms972958.aspx#mixedsecurity_topic5
I first started by adding an authentication mode to my web.config file:
<authentication mode="Forms">
<forms loginUrl="~/Login"></forms>
</authentication>
the tutorial above says my loginURL should be WinLogin.aspx, I guess this is where my confusion starts.
As in the tutorial above it states the following:
Using the IIS Manager, right-click the WinLogin.aspx file, click Properties, and then go to the File Security tab to edit the authentication and access control for this single file. Then simply un-check Enable anonymous access and check Integrated Windows authentication.
I don’t see WinLogin.aspx in my IIS Manager.
My question is, do I need to create a site in my IIS Manager and create a WinLogin.aspx file my project?
I am using MVC, so if I add my project to IIS, do I follow the same steps for WinLogin.aspx but for my Login Controller file, LoginController.cs? I am very confused on this subject.
Thanks,
According to the tutorial, you'll need two files, WebLogin.aspx and WinLogin.aspx. WinLogin.aspx just exists to test the Integrated Windows Authentication, otherwise users would login via WebLogin.aspx. The tutorial for WinLogin.aspx should be in the source code for the article (linked to at the top of the article).
Instead of WebLogin.aspx, you can provide a route to your MVC login page.

IIS 7 Authentication Configuration section is not supported

I have discovered that apparently even though encrypted identities are supported in ASP.NET (via encrypting in the web.config), IIS 7 will not allow you to change the authentication settings in the IIS Manager. You get a message like this
A workaround for this is to temporarily comment out (using "<!-- -->") the identity section in the web.config and then IIS 7 Manager will allow you to view/modify authentication section. Then remember to uncomment the section in web.config.

Windows Authentication for ASP.NET MVC 4 - how it works, how to test it

I have never used Windows Authentication for ASP.NET MVC web applications before, only Forms Authentication. Recently, I have had an ASP.NET MVC 4 web application that requires a Windows Authentication implementation for users who are granted access to log in to my company web server. So, I have some questions regarding Windows Authentication. I am using Visual Studio 2012.
How does Windows Authentication work?
How do I implement Windows Authentication correctly in the web.config file?
How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?
For IIS 8.5 and MVC 4:
How does Windows Authentication work?
In this mode, User.Identity (as in HttpContext.Current.User.Identity) is populated by the underlying web server. This might be IIS Express, as in the link @R Kumar demonstrated, or full-blown IIS, as in the video by @Thomas Benz.
Specifically, User.Identity is a WindowsIdentity object. E.g. the following cast will work:
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
How do I implement Windows Authentication correctly in the web.config file?
<system.web>
  <authentication mode="Windows" />
  ...
How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?
First, change the ASP.NET authorization to exclude the current user. E.g.
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow users="yourdomain\someotheruser" />
    <deny users="*" />
  </authorization>
</system.web>
Second, enable Windows Authentication for your site using IIS Manager. It's under the 'Authentication' feature. And disable anonymous authentication.
Note that older explanations will suggest you make changes under the element of your site's web.config. However, recent IIS implementations prevent this for security reasons.
Third, point your browser at the web page. The browser should ask you to provide credentials, because the current user is not allowed access to the website. Provide the ones that are authorized for the site, and your MVC code should run.
Fourth, check the user identity. E.g.
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
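As an added example (not code from the answer above or from any of the linked articles), the controller below shows what the cast in the last step looks like inside an ASP.NET MVC 4 action, with a defensive check instead of a bare cast, the authentication package that actually handled the request, and an [Authorize(Roles=...)] filter that limits the action to one Windows group. It assumes the web.config and IIS settings from the steps above (mode="Windows", anonymous disabled); the controller name, the route, and the group name YOURDOMAIN\WebUsers are placeholders.

```csharp
// Added example (hypothetical WhoAmIController, not from the original answer).
// Assumes <authentication mode="Windows" /> in web.config and Windows
// Authentication enabled (anonymous disabled) in IIS Manager.
using System.Security.Principal;
using System.Web.Mvc;

public class WhoAmIController : Controller
{
    // AuthorizeAttribute calls User.IsInRole; for a WindowsPrincipal that is
    // resolved from the group SIDs in the caller's token, so the check is
    // enforced before the action body runs. The group name is a placeholder.
    [Authorize(Roles = @"YOURDOMAIN\WebUsers")]
    public ActionResult Index()
    {
        // Under Windows authentication User.Identity is a WindowsIdentity.
        // "as" avoids an InvalidCastException if the site is ever switched
        // back to Forms or to anonymous access.
        var winId = User.Identity as WindowsIdentity;
        if (winId == null || !winId.IsAuthenticated)
        {
            // 401 makes the browser (re)negotiate credentials.
            return new HttpUnauthorizedResult();
        }

        // AuthenticationType reports which package handled the request:
        // "Negotiate", "Kerberos" or "NTLM". Seeing NTLM where Kerberos was
        // expected usually means an SPN problem, which is worth logging.
        var principal = new WindowsPrincipal(winId);
        string report =
            "Name: " + winId.Name + "\n" +                      // DOMAIN\user
            "AuthenticationType: " + winId.AuthenticationType + "\n" +
            "IsAdmin: " + principal.IsInRole(WindowsBuiltInRole.Administrator);

        return Content(report, "text/plain");
    }
}
```

Browsing to /WhoAmI with a user that is in the group returns the three lines; any other authenticated user gets a 401, and if IIS still allows anonymous access the "as" check catches the GenericIdentity that arrives instead of a WindowsIdentity.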
I have done this with ASP.NET MVC 1.0. That was a relatively long time ago. I remember the IIS settings being confusing. I just did some checking, and it does not look like things have changed much to ASP.NET MVC 4.0 as far as attributes on the controllers.
For your questions:
How does it work? The following references pretty much sum things up pretty well. Authenticating Users with Windows Authentication (C#)
is NOT exactly right for ASP.NET MVC 4.0, but it has some background.
How to Create an Intranet Site Using ASP.NET MVC is for ASP.NET MVC 3.0.
I am too new to post more than two links, so you will have to search MSDN for "AuthorizeAttribute Class" for .NET Framework 4.
What settings for web.config? - I just remember changing one element, "authentication mode".
As far as testing, my Windows OS versions matched better, and my development machine was on the same Windows domain. But if I remember correctly, this just worked. YMMV, but one thing I do remember considering was implementing my own authorization. Maybe that is an avenue for your case, to roll your own, and then switch to Windows authentication in production. But I would suggest a couple of test iterations with a test server if you can set one up on the company domain.
I found out a helpful video that was very useful to me by showing step by step to implement and test Windows authentication for an ASP.NET MVC web site. So, I close this question.
Video from a very kind poster:
How to implement windows authentication in ASP.NET MVC 3 ( Model view controller) application?

I need to make the ASPSession cookies created by IIS HttpOnly

I don't have access to the IIS server, but I need to make the ASPSession cookies created by IIS HttpOnly. So my question is, how can I make the cookies HttpOnly by coding and not by any setting on IIS? Please help, it's urgent, and I have been looking for the solution but didn't get anything related to my problem. I know the server version is IIS 6. On my testing server I have used an ISAPI filter and it solved my problem, but for that I needed to access the IIS and add the ISAPI filter there, which I can't do on the live server.
If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:
<httpCookies httpOnlyCookies="true"/>
You can edit this programmatically : http://www.dotnetcurry.com/ShowArticle.aspx?ID=102
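The following is an added example (not code from the answer or from the linked article) of the programmatic route the answer mentions: a Global.asax.cs handler that marks every cookie the application emits as HttpOnly, and Secure when the request came in over HTTPS, so the flags are applied even where web.config cannot be edited. Like the answer, it assumes ASP.NET 2.0 or later; it does not affect cookies that classic ASP pages set on their own.

```csharp
// Added example (hypothetical Global.asax.cs, not from the original answer).
// Assumes an ASP.NET 2.0+ application; the class name Global is the default
// generated by Visual Studio.
using System;
using System.Web;

public class Global : HttpApplication
{
    // EndRequest runs after every module and handler has finished, so the
    // cookies ASP.NET itself adds (session id, forms ticket) as well as those
    // added by page code are all present in Response.Cookies at this point.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        HttpResponse response = context.Response;

        for (int i = 0; i < response.Cookies.Count; i++)
        {
            HttpCookie cookie = response.Cookies[i];

            // HttpOnly keeps the value out of document.cookie, so script
            // injected into a page cannot read it.
            cookie.HttpOnly = true;

            // Secure stops the browser from sending it over plain HTTP.
            // Only set it when the request was HTTPS, otherwise the browser
            // would drop the cookie on an HTTP-only test site.
            if (context.Request.IsSecureConnection)
            {
                cookie.Secure = true;
            }
        }
    }
}
```

This must run before the response headers have been sent; pages that call Response.Flush() early will have already emitted their Set-Cookie headers, so the web.config setting remains the more reliable option where it is available.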

Machine level authentication

When I submit a form to other page in my ASP.NET site, it asks for windows authentication. How do I remove this?
There are two ways to set up windows authentication. One is in IIS and one is in web.config. So basically you need to check that there is no <authentication mode="windows"> tag in your main web.config or in a web.config in the specific folder where the aspx page in question is located. Furthermore you also need to go to the IIS manager (inetmgr) and make sure that windows authentication is not enabled in the folder in question.