I am using asp.net identity and GenerateEmailConfirmationTokenAsync gives me a token for email confirmation. I cannot use this code in confirmation url, because it gets an error :
The request filtering module is configured to deny a request that contains a double escape sequence.
The solution for that issue was to allowDoubleEscaping in web.config, but how can I do it in appsettings.json? I should write this code somehow in appsettings, or in Startup.cs:
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true"/>
</security>
</system.webServer>
It's still an IIS setting if you're running in IIS.
Create a web.Release.config file (you don't need a web.config file in your actual project) with the following:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location>
<system.webServer>
<security xdt:Transform="InsertIfMissing">
<requestFiltering allowDoubleEscaping="true" />
</security>
</system.webServer>
</location>
</configuration>
When you publish a release build this will get added. Very important to include the part InsertIfMissing or it will be ignored.
You DON'T need a third party package such as this. 7
See also https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/transform-webconfig?view=aspnetcore-3.1
Related
We have an .net core Web application which simply hosts files for some of our client applications updates.
We decided to add Application insights in one of these client applications, and the file ApplicationInsights.config is a part of update.
The request to https://server/path/to/update/ApplicationInsights.config throws 404 error.
So far I’ve tried :
Add “.config” extension in static files definition on the startup : no effect (This worked for .exe and .dll)
Enable folder browsing for this folder, still no effect
It seems to be related to some out-of-box requests filtering.
The question is :
How do I disable all download restriction on a specific folder (Best)
OR
How do I disable ALL filtering for *.config files
Thank you in advance
That's because the default FileExtensionContentTypeProvider doesn't provide a mapping for *.config files.
To make it serve *.config files, simply create your own ContentTypeProvider, or add mapping for *.config :
var myContentTypeProvider= new FileExtensionContentTypeProvider();
myContentTypeProvider.Mappings.Add(".config","text/plain");
app.UseStaticFiles(new StaticFileOptions{
RequestPath = "/path/to/update",
FileProvider = new PhysicalFileProvider(
Path.Combine(Directory.GetCurrentDirectory(),"path/to/update"),
ExclusionFilters.None
),
ContentTypeProvider = myContentTypeProvider,
});
[Update]
After a discussion, the following Web.Config ( by OP) works:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
<add fileExtension=".config" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
I am working on WEB API Windows Authentication. I have added below config in web.config
Getting this issue:
This configuration section cannot be used at this path.
This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"
Please help me on this. Please provide steps how to achieve window authentication in web api
The reason why this error encounters is probably because of the
settings to enable windowsauthentication in IIS via the
web.config file. To resolve this you have to adjust the applicationhost.config file of the IIS server. You need to tell IIS that his own configuration may be overwritten:
For IIS Express follow these instructions
For IIS Server follow 'section applicationhost.config'
Below steps (simple scenario) to allow windows authentication
Assure the webapi project is using windows authentication.
<system.web>
<authentication mode="Windows"></authentication>
</system.web>
Set IIS to windowsAuthenthication and nothing else by configuring the config file
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="false"/>
</authentication>
</security>
</system.webServer>
Adjust the applicationhost.config of IIS like described above.
i did like i saw in many threads, like going to Internet Information Server Manager then to the site then Request Filtering and then on the right Edit Feature Settings... then i set the Maximum allowed content length to 1000000000, and restart the web site, but it didn't work, the second method i tried is that i have added the following:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1000000000" />
</requestFiltering>
</security>
</system.webServer>
in the Web.config file in the web site and i restarted the web site,but still getting the error Maximum request length exceeded.
so is there any solution or any other step i missed ?
I'm testing out a REST service in WCF on .net 4 - i.e. no svc file. It works great when running against the VS dev server but when I switch it to run against IIS I get 404s when trying to browse the help page or hit any of the service methods.
I've dropped back to a bare bones service to just get it running on IIS but I'm not sure what's wrong with it.
The global.asax simply has
protected void Application_Start(object sender, EventArgs e)
{
RouteTable.Routes.Add(new ServiceRoute("", new WebServiceHostFactory(), typeof(DataPortalService)));
}
and the service itself is as simple as it gets:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class DataPortalService : IDataPortalService
{
[WebGet(UriTemplate = "Test/TestMethod")]
public string TestMethod()
{
return "Hi!";
}
}
[ServiceContract]
public interface IDataPortalService
{
[OperationContract]
string TestMethod();
}
and config file of
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<standardEndpoints>
<webHttpEndpoint>
<standardEndpoint name="" helpEnabled="true" automaticFormatSelectionEnabled="true" />
</webHttpEndpoint>
</standardEndpoints>
</system.serviceModel>
</configuration>
Hitting the /help page or the method gives me a 404.0.
I presume I'm just missing some setting in IIS to kick it in to life although it's a bit daft that it works fine on the dev server but not IIS.
Solved it after a dig around some other forums.
I initially added the following to my web config:
<system.webServer>
<handlers>
<remove name="svc-Integrated-4.0" />
<add name="svc-Integrated-4.0" path="*" verb="*" type="System.ServiceModel.Activation.ServiceHttpHandlerFactory, System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Clearly by default IIS doesn't know what to do with the extensionless requests and passed them on to the static file handler.
Given that MVC is using the same routine architecture I figured that the basic MVC site template must have some config in similar to the above since my MVC sites have worked fine when moved to IIS.
It turns out that they have a slightly different config and have the following entry instead:
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
Both configs seem to work ok but I settled on using the 2nd option in this case.
I had runAllManagedModulesForAllRequests="true" in my web.config but still couldn't get past the 404.0. Also tried installing "IIS 7 Recommended Configuration" without any luck. Rerunning aspnet_regiis solved the problem to me.
In the Run dialog box, type cmd, and then click OK.
At the command prompt, use the cd command to change the directory of the Aspnet_regiis.exe version you want to use. By default, Aspnet_regiis.exe is located in the following directory: systemroot\Microsoft.NET\Framework\versionNumber
Then run the following command: aspnet_regiis -ir
This will register "svc-Integrated-4.0" in the Handler Mappings.
HTTP 404 code can be returned also if you don't have some components of .NET framework installed.
There's for instance Windows Communication Foundation HTTP Activation feature in .NET Framework 3.5 and in .NET Framework 4.6 there are HTTP Activation, Message Queuing (MSMQ) Activation and a few more.
In Windows 10 these features aren't installed by default, so please keep in mind to take a look at Windows Features.
On IIS 5.1 on my machine, the .svc page was served only when I added HTTP Handler at Web Site level as well as virtual folder level. This should ideally work by inheritance!
Extention : .svc
Executable :
c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll
When I host the "WCF 4 Rest Service Template" project (from template) in IIS Developer Express I get the following:
IIS specified authentication schemes 'IntegratedWindowsAuthentication, Anonymous', but the binding only supports specification of exactly one authentication scheme. Valid authentication schemes are Digest, Negotiate, NTLM, Basic, or Anonymous. Change the IIS settings so that only a single authentication scheme is used.
I have not changed any configuration explicitly other than setting automaticFormatSelectionEnabled to false in order to return JSON:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<standardEndpoints>
<webHttpEndpoint>
<!--Configure the WCF REST service base address via the global.asax.cs file and the default endpoint
via the attributes on the <standardEndpoint> element below-->
<standardEndpoint name=""
helpEnabled="true"
automaticFormatSelectionEnabled="false"
/>
</webHttpEndpoint>
</standardEndpoints>
</system.serviceModel>
If the endpoint configuration not being set explicitly is the issue then how would I do so for this kind of service, in order to set the authentication scheme for the service explicitly to avoid this issue with iis developer express?
Note: I have the following assemblies Microsoft.Web.dll & Microsoft.Web.Administration.dll in the web service projects /bin folder of the application as described in workaround for hopsting WCF services here on the iss team blog:
http://blogs.iis.net/vaidyg/archive/2010/07/21/wcf-workaround-for-webmatrix-beta.aspx
You will need to disable the authentication scheme that is not needed, my guess Windows authnetication. So:
Launch Notepad
Open in Notepad file: %userprofile%\Documents\IISExpress8\config\applicationhost.config
Search for <windowsAuthentication
Change the enabled attribute from
true to false
Save
That will disable Windows Authentication for all sites, you could alternatively add a location path at the bottom of the file right before the last </configuration> line for the specific site (YourSite in this case) add:
<location path="YourSite" overrideMode="Allow">
<system.webServer>
<security>
<windowsAuthentication enabled="false" />
</security>
</system.webServer>
</location>
This will only disable that for the specific site.