We have a website that is protected with Forms Authentication in IIS. We would like to make one page in this website accessible to everyone without any authentication.
All the resources I saw mentions using tag but it's not working for us for some reason.
web.config:
<configuration>
<location path="public.htm">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="UserLogin.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Both public.htm and UserLogin.aspx are in the same folder. When we browse public.htm, we get 401.2.
If disable Forms Authentication, public.htm is accessible.
UPDATE (5/21):
Disabled Forms Authentication in but still getting 401.2 error.
<configuration>
<location path="public.htm">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="UserLogin.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
It sounds just like your anonymous authentication has been disabled or your current login user don't have permission to view the public.htm.
If you are hosting it in VS, please ensusre Enabled anonymous authentication has been selected and you current logon user have permission to access the htm file.
If you are hosting it in IIS, please ensure anonymous authentication has been enabled and the authorization rule would looks just like
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
The authentication in applicationhost.config would looks like
<location path="Sitename">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
And the authorization rule for public.htm would be.
<location path="public.htm">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
Please remember to grant IUSER read permission to access public.htm.
Related
I want to restrict access to my ASP.NET Core application by only configuring it in IIS (10).
This is not the problem, as I enable only "Windows authentication" and then I can do
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\MyDLL.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" >
</aspNetCore>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="user.withaccess />
</authorization>
</security>
</system.webServer>
</location>
This works fine, but every user without access just gets a 401 response and no error page.
Normally you could configure something like that:
<location path="." inheritInChildApplications="false">
<system.webServer>
<!-- ... -->
<httpErrors errorMode="Custom" existingResponse="PassThrough">
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" subStatusCode="2" prefixLanguageFilePath="" path="401.htm" responseMode="File" />
</httpErrors>
</system.webServer>
</location>
but the custom error page is only accessible by users who already can access the application (trying to open the error page results in a 401 too for unauthorized users).
Now in my case it's currently not possible to change the ASP.NET Core application itself, so I have to do it in IIS.
What do I have to configure that the custom error page can be served, but everything else is protected?
I am developing a net core 3.1 web application.
One of authentication schemes is Certificate, so I want to protect a page with client certificate authentication.
This is Web.config IIS configuration (Obviously i set <section name="access" overrideModeDefault="Allow" in solution applicationHostConfig ):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" hostingModel="inprocess">
<environmentVariables>
<environmentVariable name="ASPNETCORE_HTTPS_PORT" value="44300" />
<environmentVariable name="COMPLUS_ForceENC" value="1" />
<environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
</environmentVariables>
</aspNetCore>
</system.webServer>
</location>
<location path="certificate/login">
<system.webServer>
<security>
<access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" />
</security>
</system.webServer>
</location>
<system.webServer>
<security>
<access sslFlags="Ssl" />
</security>
</system.webServer>
</configuration>
Application starts successfully, and when I call localhost://33400/Certificate/login, browser show certificate page handshake correctly, I choose a certificate and ... IIS surprise me with
404 Static File Handler! All others pages work perfectly.
I am struggle with this error, please someone help me.
Thanks to #treborgero in aspnet core issue Optional client certificates #21193
TIP: Make sure you remove the <location path="." inheritInChildApplications="false"> tag
and it work like a charm!
I have a non logged web application that contain 50 pages, I need to have one logged page "testpage" How can do this:
<authentication mode="Forms">
<forms loginUrl="~/Login/LoginExpiration.aspx" defaultUrl="~/Home/Default.aspx" slidingExpiration="true" timeout="120" />
</authentication>
<authorization>
<allow users="?" />
</authorization>
<location path="testpage">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
In your config file location means not the page name but a folder.
Create a folder called testpage, place your page there and it will work
I want to use the location path , allow user and deny user to restrict access in my MVC app. This is the section that I added to the web.config
<location path="Views/Admin/Ticketing/Seasons.aspx">
<system.web>
<authorization>
<allow users="admin" />
<deny users="user1" />
</authorization>
</system.web>
</location>
It is not working. non-admin users, like user1 can still view the page. I am not sure if it is because I have the routing set up differently or wrong.
This is the URL of the tab I want to block
http://marilyndenisservices.localhost/Admin/TicketingSeasons
This is the physical path of this page on disk
D:\dev\MarilynDenisServices\src\Web\Views\Admin\Ticketing\Seasons.aspx
And this is how I configured it on the view model
<div id="menucontainer">
<ul id="menu">
<li><%= Html.ActionLink("Ticketing", "TicketingSeasons", "Admin") %></li>
</ul>
</div>
This is my action
public ActionResult TicketingSeasons()
{
return View("Ticketing/Seasons");
}
Can someone tell me what I am doing wrong?
Try this location path:
<location path="Admin/TicketingSeasons">
<system.web>
<authorization>
<allow users="admin" />
<deny users="user1" />
</authorization>
</system.web>
</location>
I receive the following request error from my WCF Rest web service when using forms Authentication and Authorization. It works fine without the Authentication and Authorization:-
"The server encountered an error processing the request. Please see the service help page for constructing valid requests to the service."
Its built in .net 4 so no .svc file, here is the service code:--
namespace WcfRestService1
{
[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class Service1
{
[OperationContract]
[WebGet(ResponseFormat = WebMessageFormat.Json)]
public string GetHelloMessage()
{
return ("hello from web service");
}
}
}
Here is the web config code:--
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</modules>
</system.webServer>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<standardEndpoints>
<standardEndpoint name="" helpEnabled="true" crossDomainScriptAccessEnabled="true" defaultOutgoingResponseFormat="Json" automaticFormatSelectionEnabled="true"/>
</webHttpEndpoint>
</standardEndpoints>
</system.serviceModel>
<system.web>
<authentication mode="Forms">
<forms defaultUrl="Service1" timeout="20"
ticketCompatibilityMode="Framework40"
loginUrl="login.aspx" name=".Mobile-Rest-Api" cookieless="UseCookies"/>
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
<!--<authentication mode="None"/>-->
</system.web>
<location path="login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Any help on this would be great, thanks in advance.
The problem is that you are using a authentication method that does not support a services call.
Forms authentication is used when a user is accessing a site, if the user is not authenticated he is directed to a login form, in which he fills out user name and password.
When a service is making a call, the service gets a redirect response, which it is not able to handle, therefore the error.
You need to select a different authentication method.