As title, I want to disable Anonymous Authentication for my ASP.NET Boilerplate web site (MVC) in IIS Server and use Form Authentication instead. Is it possible to do this because if I disable Anonymous Authentication, my website cause an error "HTTP Error 404.15 - Not Found"
Update 1: Here is my web.config
<system.web>
<globalization culture="auto" uiCulture="auto" />
<compilation debug="true" targetFramework="4.6.1">
<assemblies>
<add assembly="System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5.1" />
<customErrors mode="Off">
<error statusCode="404" redirect="~/Error/E404" />
</customErrors>
<httpHandlers>
<add path="Reserved.ReportViewerWebControl.axd" verb="*" type="Microsoft.Reporting.WebForms.HttpHandler, Microsoft.ReportViewer.WebForms, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" validate="false" />
</httpHandlers>
<authentication mode="Forms" />
</system.web>
I still remember the first time I had to implement Forms Authentication in ASP. All I can say is there is a reason I only do linux based web-development now!
It is a real pain, but this should work if you don't intend on using a database to manage the users.
If you do intend to use a database then prepare yourself for a long road. U need to have the correct MSSQL database for the correct Visual studio tool and they also removed the management interface completely so you either have to design your own or use a tool that is available on the internet somewhere. I still remember I got so frustrated by the whole idea of it, that I literally wrote my own management tool I could deploy on developed sites. If it wasn't on a broken harddrive I would give it to you.
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="welcome.aspx">
<credentials passwordFormat="Clear">
<user name="abhishek" password="abhi#123"/>
<user name="Kantesh" password="sinha#123" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
If you plan on using a database to store your users google some tutorials.
The reason why you are getting a 404 is because you are not specifying loginUrl or it is incorrect and pointing to a non-existant page.
Hope this helps
When you disable anonymous access to all pages you cannot let users to see login page as well. what you need to to do is allowing some specific pages like login or register to be accessible.
This might not completely fits for you but you get the idea.
If it doesn't work, try removing the backslash "/" for the "/account/login" and set it like "account/login"
<configuration>
<system.web>
<authentication mode="Forms" />
<authorization>
<deny users="?" /> //this will restrict anonymous user access
</authorization>
</system.web>
<location path="/account/login"> //path here is path to login page
<system.web><authorization><allow users="*" /> // this will allow access to everyone to login page
</authorization></system.web></location>
</configuration>
Related
I am trying to add "authorization" elements to web.config, like it used to work in classic asp.net:
global configuration - should limit access "globally":
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="AD\some.user" />
<deny users="*" />
</authorization>
...
"location" based configuration:
<configuration>
<location path="RelativePath" >
<system.web>
<authorization>
<allow roles="AD\some.user" />
<deny users="*" />
</authorization>
</system.web>
</location>
both versions appear to be not working at all for aspnet.core hosted in IIS
What does work is this:
"global":
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AD\johannes.colmsee" />
</authorization>
</configuration>
"location" based:
<configuration>
<location path="RelativePath" >
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AD\denis.kopic" />
</authorization>
</security>
</system.webServer>
</location>
This works fine.
Now to my question:
does aspnet core not support the "first version" at all? Or is it something I do wrong?
ASP.NET Core does not support nor use web.config. The published web.config is there only for IIS hosting, since IIS requires this. If you happened to publish to a different web server, you could discard web.config entirely.
It should be apparent from looking at the contents of the published web.config, that it is extremely bare. Pretty much the only thing that exists is the AspNetCoreHosting module config, which of course is necessary for hosting ASP.NET Core inside IIS.
Now, as for why the second version actually did work, that's because it was placed inside system.webServer, which is directly for configuration of IIS, so IIS is doing the authorization at a very high-level before anything is handed off to your ASP.NET Core app. That may work for your needs, but it's an extremely rough-shod approach, as you'll have to likely end up defining many such sections for different paths, users, and authorization levels, and then keep that in sync with anything you end up changing in the ASP.NET Core app. Because IIS is looking at this as just static paths, if you move or rename anything, you can end up accidentally opening a hole in your security, since IIS will not yet have been configured to authorize that new location.
Long and short, you should remove all this and handle authorization via your ASP.NET Core app. Windows Auth is still supported.
My server which hosts my IIS site has just rebooted, now when i navigate to my internal site, im getting a 401 challenge, it should be windows integrated. it doesnt accept credentials either.
below is the current config, it all worked prior to the reboot and i havent changed any code since. any ideas?
Thanks
webconfig
<system.web>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" culture="en-GB" />
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<customErrors mode="Off" />
<compilation debug="true" targetFramework="4.0">
IIS Settings
Authentication
Anyon: Enabled
ASP.net Imper Enabled
Windows Auth Enabled
Application Pool
.net 4.9
Managed pipeline intergrated
identity applicationpoolidentity
I fixed this. my server needed an SPN adding
BaseLine: ServiceStack sample works for me in a stock MVC 4 app. I am using the variant, followed all the instructions in the readme, no problems.
Plugin Framework
I am building a plugin framework for MVC and servicestack.net is one of the plugins, that being all the assemblies are plugins which get loaded, using BuildManager.AddReferencedAssembly(assembly);
BuildManager.AddCompilationDependency(assembly.FullName);
All the ServiceStack dlls are found and successfully loaded from my personal shawdowFolder.
webconfig:
<location path="api">
<system.web>
<httpHandlers>
<add path="*" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory,ServiceStack" verb="*" />
</httpHandlers>
</system.web>
<!-- Required for IIS 7.0 -->
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add path="*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory,ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
</handlers>
</system.webServer>
</location>
*NOTE: I am calling from Application_Start AppHost.Init(), and I can step it so ServiceStack is truly loaded and usable before the ASP.NET app goes into full swing.*
On first launch: /api/metadata results in:
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /api/metadata
Stopping the debugger and simply relaunching, which deletes all assemblies from my personal shawdowFolder, copies them, loads them, references them, results in.
A working ServiceStack.net
StarterTemplate ASP.NET Host
The following operations are supported. For a formal definition, please review the Service XSD.
etc.
I suspect that this problable has to do with .NET's shadowfolder and appdomain, but perhaps it is something with ServiceStack. Where would I find logs to see if ServiceStacks httphanderfactory is having problems.
I Changed my config as follows :
SetConfig(new EndpointHostConfig
{ ServiceStackHandlerFactoryPath = "ss"}
and my config :
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add type="DevExpress.Web.ASPxClasses.ASPxHttpHandlerModule, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" name="ASPxHttpHandlerModule" />
<add name="FormsAuthenticationDisposition" type="ServiceStack.ServiceInterface.SuppressFormsAuthenticationRedirectModule, ServiceStack.ServiceInterface" />
</modules>
<handlers>
<add type="DevExpress.Web.ASPxUploadControl.ASPxUploadProgressHttpHandler, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="ASPxUploadProgressHandlerPage.ashx" name="ASPxUploadProgressHandler" preCondition="integratedMode" />
<add type="DevExpress.Web.ASPxClasses.ASPxHttpHandlerModule, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET" path="DX.ashx" name="ASPxHttpHandlerModule" preCondition="integratedMode" />
<add path="ss*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" /></handlers>
<validation validateIntegratedModeConfiguration="false" />
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="30000000" />
</requestFiltering>
</security>
</system.webServer>
Now I have to type in the following to get to my servicestack area : http://localhost/ss/
My take on what is going wrong is that mvc/asp.net forms/ servicestack each needs one entry point to map its handler to an url route, servicestack is overriding the url route for "/" your MVC project hence no resources is found.
Thus in my application I used to seperate entries points:
*http://localhost/* .... is my normal entrypoint for webforms (in your case MVC4[stock])
http://localhost/ss .... is my servicesstack entrypoint
If you are using the MVC razor engine you won't run into this.
We have a internal NuGet server (ASP.net app using the NuGet.Server package) and we want to use it with Octopus to deploy packages. So the first thing you hit is that the packages are too large.
When you push a package larger than around 7 Meg you get:
Failed to process request. 'Request Entity Too Large'.
The remote server returned an error: (413) Request Entity Too Large..
Based on the documentation on Octopus, I updated the web.config file to have the changes.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<sectionGroup name="elmah">
<section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah"/>
<section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah"/>
<section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah"/>
<section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah"/>
</sectionGroup>
</configSections>
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<httpModules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah"/>
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah"/>
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah"/>
</httpModules>
<httpRuntime maxRequestLength="419430400" executionTimeout="3600"/>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true">
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler"/>
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler"/>
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler"/>
</modules>
<staticContent>
<mimeMap fileExtension=".nupkg" mimeType="application/zip"/>
</staticContent>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="419430400"/>
</requestFiltering>
</security>
</system.webServer>
<elmah>
<security allowRemoteAccess="false"/>
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/App_Data"/>
</elmah>
<location path="elmah.axd" inheritInChildApplications="false">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah"/>
</httpHandlers>
</system.web>
<system.webServer>
<handlers>
<add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode"/>
</handlers>
</system.webServer>
</location>
<appSettings>
<add key="apiKey" value="KeyHere"/>
<add key="packagesPath" value=""/>
</appSettings>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
</configuration>
That does not work. Other posts talk about running something like (IIS7):
appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"419430400" /commit:apphost
or (IIS6):
cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 419430400
I tried both to no avail. Neither command returned an error, so I assume that the value '419430400' is correct for all of the calls (bytes vs. some other unit of size).
Anyone have any idea what I am missing?
I ended up just copying the package to a share on the web server, but I would really like the push command to work.
Not exactly answering the OP's question, but related to the topic, I was getting the (413) Request Entity Too Large error while using NuGet push to push to a local SymbolSource server - turned out I was submitting to a slightly incorrect URL, once I corrected the command to point to the base /NuGet/ URL, it ran just fine.
No idea why an incorrect URL results in the 413 error, but there you go. Hope this helps someone.
EDIT: based on comments below, you may have more luck just referencing the base http://www.myserver.com/ URL rather than including the /NuGet as well. Worth playing around a bit.
I know this is an old question, but today I was faced with the same error. It's worth noticing that I'm using TeamCity package building and publishing. Anyway, when I try to Publish my huge package (about 200 MB) I was blocked with this. The solution was simple:
Instead of publishing to http://mynugetserver/api/v2/, use: http://mynugetserver/
You'll have to set these guys to higher values:
system.web - httpRuntime - maxRequestLength to, say, 1048576
system.webserver - security - requestFiltering - requestLimits -
maxAllowedContentLength to, say 1073741824
Both values are in a different unit so the second one should be larger than the first.
Also, have a look at www.myget.org which I found great when working with Octopus Deploy.
Check your serverRuntime configuration.
The maxRequestEntityAllowed and uploadReadAheadSize attributes respectively configure limits for the maximum number of bytes allowed in the entity body of a request and the number of bytes a Web server will read into a buffer and pass to an ISAPI extension.
More details: http://www.iis.net/configreference/system.webserver/serverruntime
My guess is that you are using SSL and setting uploadReadAheadSize will solve the issue. Because during client renegotiation process,the request entity body must be preloaded using SSL preload. SSL preload will use the value of the uploadReadAheadSize property, which is used for ISAPI extensions.
Here are the defaults
<location path="Default Web Site">
<system.webServer>
<serverRuntime enabled="true"
uploadReadAheadSize="49152"
maxRequestEntityAllowed="4294967295" />
</system.webServer>
</location>
Based on #Keith and #Nubigetter's answers, I did some further research, because the behavior seemed really weird to me.
The answer is actually in the documentation for Nuget.Server (if you look very carefully), it's just not very obvious:
use http://mynugetserver/nuget for list/restore
use http://mynugetserver/ for push
I've raised this with the Nuget team here https://github.com/NuGet/NuGetGallery/issues/2903 because I regard this behavior as 'presenting opportunity for improvement'.
This is due to nginx limitations, the nuget server in Linux system use nginx as proxy and config file under:
/etc/nginx/conf.d/nuget.conf
server_name localhost;
root /var/www/public/;
client_max_body_size 200M;
change client_max_body_size 200M is working for me.
I had the same issue:
[Step 1/2] Publishing package to feed at http://localhost/OctopusDeploy/nuget/packages...
[Step 1/2] Failed to push to package feed at 'http://localhost/OctopusDeploy/nuget/packages/'.
[Step 1/2] (The server responded with: [413] Request Entity Too Large)
[Step 1/2] Process exited with code 1
but the Octopus Deploy service had stopped!
What worked for me was in this article:
http://blogs.blackmarble.co.uk/blogs/rfennell/post/2012/10/31/403-and-413-errors-when-publishing-to-a-local-Nuget-Server.aspx
"Important: This second error was a red herring, you don't need the /nuget on the end of the URL"
In IIS 7 I try to deny access to all files with the extension .xml for all users.
I tried the following setting in my web.config file:
<location path="*.xml">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
But then getting any file results in an internal server error.
It works if I deny access to the individual files but this solution does not buy me much as I do not know all .xml files in advance.
Try this:
<configuration>
<system.web>
<httpHandlers>
<add path="*.xml" verb="*"
type="System.Web.HttpNotFoundHandler" />
</httpHandlers>
</system.web>
</configuration>
By the way you could alternatively store all of your xml files within the App_Data directory. Storing files of any type in this directory will not be served to the web.
Another way is to use a request filter:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<add fileExtension=".xml" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
I have stumbled across this when searching for a way to change the security applied to all actions within a controller in a legacy application (ASP.NET MVC). I thought I need some sort of wildcard, but simply providing the path including the controller segment is enough:
This allows anonymous access to all actions within FooController.