I'm working on an MVC .NET project that uses forms authentication. I tried to make a copy of the site and publish it on IIS (different virtual directory). I noticed that I can't get authenticated to the two sites at the same time: when I access one site I automatically get disconnected from the other. What should be changed in order to make it possible for a user to access both of them simultaneously? Is it a cookies issue?
I think so, because when I inspect site elements it's obvious that the _ASPXAUTH cookie has the same value for both of them. What should I change?
is it a cookies issue?
Yes, most probably. SSO between the 2 websites would very much depend on which domains they are hosted. If they are hosted on 2 sub-domains under the same top level domain such as site1.example.com and site2.example.com all you need to do in order to achieve SSO between them is to set the domain property on the forms authentication cookie to .example.com and ensure that both applications share the same machine keys:
<authentication mode="Forms">
    <forms protection="All" domain=".example.com" />
</authentication>
<machineKey validationKey="XXXXX" decryptionKey="XXX" validation="SHA1" decryption="AES" />
If the 2 sites are on different top level domains such as example1.com and example2.com then you need much more work to achieve cross domain SSO. You may find some details in this answer.
UPDATE:
I might have misread your question. It appears that you don't want to have SSO between the websites but rather have separate authentication. In this case all you need is to have a different cookie name for both of them:
<forms name="SITE1AUTH" />
and:
<forms name="SITE2AUTH" />
I have this webpage I need to secure on Azure. I want to be the only person who can access it. I don't need a fancy login or error page process. The page/site was formerly running on my home web server and so windows authentication via the web.config authentication tag was "really easy" to implement.
I'm looking at Azure Authentication models with STS, ACS, SAML, Federated... and truthfully am somewhat confused about what I need to do. Also, I'm wondering why MS did not offer a simple control panel interface to secure and maintain access to websites so we don't have to create services and custom web site code to manage all of this.
At a high level, what are the minimum steps I need to perform to accomplish this?
If you are the only one going to use the site, then I'm not sure you need to go through all that trouble.
But, on the other hand, doing what you want is not that complicated:
Get an ACS namespace
Install WIF on your machine
Run "Add STS Reference" in your web project and point to your ACS namespace
(look for Federation metadata endpoint)
Configure LiveID trust in ACS (or any other of the pre-provisioned IdPs)
Configure ACS to issue a token for your app
Since your needs are very simple, the default rules will probably work for you.
Here's an article that explains everything step-by-step.
You could use Forms Authentication which should be pretty straightforward to implement.
Set your application to use forms authentication in your web.config.
<authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="/myadminlogin.aspx" protection="All" path="/" timeout="120" />
</authentication>
Define the protected folders in your web.config.
<location path="secure">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>
Within your login area check a condition and set the auth cookie:
'SET AUTH COOKIE
FormsAuthentication.SetAuthCookie(sessionID, False)
Check the session on your protected page:
If User.Identity.Name.ToString = "sessionID" then
'Permit access
End if
Here is my scenario:
I've got a website set up in IIS (7.5) that uses Forms Authentication. I've got a subfolder within that website that I'm using as a WebDAV share. I've got a custom HTTP Module that monitors my WebDAV requests and also acts as a level of custom authentication. This custom authentication will first send an HTTP 401 Challenge to get the user's credentials when they try to map a drive to my WebDAV share, and then the credentials are parsed out of the Basic-Auth header server-side. The problem is that a Basic-Auth header is only sent if Forms Authentication is turned off.
What's more is that normally when my HTTP Module doesn't find an Auth Header, a 401 Challenge is sent (which prompts the user for credentials when Forms Auth is turned off). However, with Forms Auth turned on, my HTTP Module still executes and sends a 401 Challenge, but it appears that the Forms Auth is taking priority so in Fiddler I can clearly see a redirect to:
/Account/Login.aspx?ReturnURL=MySubFolder
The point of the custom authentication is so that I can allow the user to log-in to my site when mapping a drive to my WebDAV share. I want to capture their website credentials, authenticate them, and then show them the contents of the directory.
So my question is:
Is there a way to get Forms Authentication disabled on a subfolder or Virtual Directory within a website which has Forms Authentication enabled?
I've verified that I can get around this by creating a new Application in my website and put the subfolder in there, and then disable Forms Auth on the Application itself, but I'd really prefer not to do that if possible.
Everything I've tried (listed below) has resulted in my request to map a drive to Http://localhost/MySubFolder getting taken over by Forms Authentication (at least that's what I think is happening) and redirected to /login.aspx?ReturnUrl=MySubFolder (as shown in Fiddler).
Here's what I've tried:
1) Added a separate Web.config in MySubFolder:
<configuration>
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</configuration>
2) Added a <location> tag in the root-level Web.config for MySubFolder like this:
<location path="MySubFolder">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
3) Looked at updating the Feature Delegation in IIS.
Personally, I had some doubt with the above solutions because from what I've read, they are meant to simply allow all access while still leaving Forms Authentication enabled. I need a way to actually get Forms Authentication disabled on my subfolder. Is this possible?
I should also note that my subfolder could be a Virtual Directory, but it's not required one way or the other. I just need a way for Forms Auth to be disabled on that folder.
As per request, my Web.config file (site-level):
<?xml version="1.0"?>
<configuration>
    <connectionStrings>
        <add name="MyConnString" connectionString="Persist Security Info=True;Initial Catalog=MyDB;Data Source=MyServer;User ID=UserName;Password=xxxxxxxxxx;MultipleActiveResultSets=True;"/>
    </connectionStrings>
    <system.web>
        <compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
        <authentication mode="Forms">
            <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
        </authentication>
    </system.web>
    <system.webServer>
        <modules runManagedModulesForWebDavRequests="true" runAllManagedModulesForAllRequests="true">
            <add name="CustomWebDAVModule" type="CustomWebDAVModule"/>
        </modules>
    </system.webServer>
</configuration>
This question has already been answered: Multiple/Different authentication settings in web.config
You can't override the root authentication mode="Forms" tag within location tags. Making the folder its own application is the easiest way out.
Another option is to implement your own custom Forms authentication and have it ignore the redirect for your webdav folder.
<authentication mode="None" />
Apparently you have not correctly set up WebDAV within IIS.
Since you want to use a custom webdav module for authentication we first need to ensure that IIS does not interfere with your WebDAV requests.
Follow these steps (note that the important point is in step 7):
1) Keep your web.config as is (as posted in the question).
2) Enable WebDav within IIS. Within the IIS manager select your website. Within the main window open WebDAV Authoring Rules.
3) In the actions pane (on the right) click Enable WebDAV.
4) Now select your sub-folder that you want to enable WebDAV for (I am using path3 in my example) by clicking it and then open WebDAV Authoring Rules.
5) Click Add authoring rule... in the actions pane (on the right).
6) In the dialog that opens make sure all of these are selected: All content, All users, Read, Source and Write, and click OK. This will grant access to all content of that subfolder to all users with all permissions.
7) Now the most important part. Since you want to handle WebDAV authentication through your custom WebDAV handler we must explicitly tell IIS not to interfere with authentication. How do we do that? We tell IIS to allow anonymous WebDAV access. This way IIS does not try to authenticate the user and your module is free to do its authorization operations. To go about doing this we will need to set Allow Anonymous Property Queries to True under WebDav settings. The next steps will highlight how to do this.
8) Open the site root WebDAV Authoring Rules.
9) Click WebDAV settings....
10) Set Allow Anonymous Property Queries to True.
11) Close and restart the WebDAV client that you will be testing on. This is to ensure that it does not cache connection parameters from the previous incorrect configuration.
12) Check to see if the WebDAV configuration of your website works as desired. :)
Within your custom HTTP Module, you can tell the Forms Authentication to suppress the redirect via HttpResponse.SuppressFormsAuthenticationRedirect:
using System;
using System.Web;

public class DavAuthenticationModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.AuthenticateRequest += App_OnAuthenticateRequest;
    }

    // Required by IHttpModule; this module holds nothing that needs releasing.
    public void Dispose()
    {
    }

    private void App_OnAuthenticateRequest(object source, EventArgs eventArgs)
    {
        // Only applies for WebDAV requests.
        var ctx = HttpContext.Current;
        if (!ctx.Request.Path.StartsWith("/dav/path", StringComparison.OrdinalIgnoreCase))
            return;

        // So that forms auth won't do a redirect.
        // Note that it will still attempt to read / parse the forms auth cookie.
        ctx.Response.SuppressFormsAuthenticationRedirect = true;

        // Now do my own auth (DoBasicHttpAuthentication is your own routine, not shown here).
        DoBasicHttpAuthentication(ctx);
    }
}
Another option is to hook the FormsAuthenticationModule.Authenticate event to authenticate before Forms Auth runs at all. This would require you to fish around in IIS for the module instance, which I don't have an example for.
Both these options are based on the .NET 4.6 reference source: http://referencesource.microsoft.com/#System.Web/Security/FormsAuthenticationModule.cs,ac471f8ac73cdb2b
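The DoBasicHttpAuthentication step in the module above is not shown in the answer. As an added example (not the answerer's code; `BasicAuthHeader` and `TryParse` are hypothetical names), this is one way to parse the Basic-Auth header that the question's module reads, rejecting malformed input so the module can reply with a 401 challenge instead of throwing:

```csharp
using System;
using System.Text;

// Added example; BasicAuthHeader and TryParse are hypothetical names.
public static class BasicAuthHeader
{
    // Parses "Basic <base64(user:password)>". Returns false for anything else,
    // in which case the caller should send a 401 with a WWW-Authenticate header.
    public static bool TryParse(string header, out string user, out string password)
    {
        user = password = null;
        const string scheme = "Basic ";
        if (header == null || !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try
        {
            // Strict decoder: invalid UTF-8 throws instead of being silently replaced.
            var utf8 = new UTF8Encoding(false, true);
            decoded = utf8.GetString(Convert.FromBase64String(header.Substring(scheme.Length).Trim()));
        }
        catch (FormatException) { return false; }    // payload is not base64
        catch (ArgumentException) { return false; }  // DecoderFallbackException derives from this
        // Only the first colon separates the fields; a password may contain colons.
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;                // no separator, or empty user name
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed header for user "alice" with password "s3cr:et".
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:s3cr:et"));
        string user, password;
        Console.WriteLine(TryParse(header, out user, out password) + " " + user + " " + password);
        Console.WriteLine(TryParse("Bearer abc", out user, out password));
        Console.WriteLine(TryParse("Basic !!!", out user, out password));
    }
}
```

In the module, pass ctx.Request.Headers["Authorization"] to the parser. Basic credentials are only base64-encoded, so accept them only when ctx.Request.IsSecureConnection is true.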
I have several WCF services in an ASP.NET application. I want to prevent applications from outside of my domain from accessing these services. Is there a configuration setting that allows me to block requests from outside of my domain?
Thank you!
What you want is authentication. Limiting access based on domain is not a secure manner of authentication.
If you don't want to expose services to the Internet you should not host them on a public server. If you really need this you should first start to look for a way to secure your services on the network level. For example I guess ISA server should be able to block requests to your services.
EDIT: This will prevent all non-authenticated users from getting to your services. If you need users in your domain who aren't authenticated to access the services, let me know and I'll update accordingly.
Are you using authentication in your ASP.NET application?
<system.web>
    ...
    <authentication mode="Forms">
        <forms protection="All" defaultUrl="login.aspx" ... />
    </authentication>
    ...
</system.web>
If so, your .svc files will be inaccessible until your users authenticate. If a non-authenticated user tries to access a .svc file, they will be redirected to your login page.
EDIT(2):
Since you need non-authenticated access to the services within your site, one thing you can consider is having a cookie that's sent to the user's machine upon the first visit to the site. The cookie could use a create date and some secret key to create a hash, and you can validate the hash on the server for each request. Requests from other sites wouldn't pass the cookie and your service would manually check to see if that cookie is there or not -- if it's not there, then the request is denied.
If your WCF services have ASP.NET compatibility enabled (true) and AspNetCompatibilityRequirementsMode set to Allowed or Required, you should have access to HttpContext and cookies. Here's more information about ASP.NET compatibility mode.
This may not be the most appropriate solution as I don't know your scenario and requirements. But hopefully this helps.
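The signed cookie described in EDIT(2), as an added example that is not part of the original answer: the value carries its creation time plus an HMAC-SHA256 over it, and the server recomputes the MAC and checks the age on every request. `SiteVisitToken` and its members are hypothetical names, HMAC-SHA256 is an assumed choice for the answer's "hash", and `ToUnixTimeSeconds` needs .NET Framework 4.6 or later.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class SiteVisitToken
{
    // Added example (hypothetical names). Cookie value:
    // "<created, Unix seconds>.<base64 HMAC-SHA256 of that string>"
    public static string Issue(byte[] key, DateTimeOffset now)
    {
        string created = now.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        return created + "." + Convert.ToBase64String(Mac(key, created));
    }

    public static bool IsValid(byte[] key, string token, DateTimeOffset now, TimeSpan maxAge)
    {
        int dot = token == null ? -1 : token.IndexOf('.');
        if (dot <= 0) return false;
        string created = token.Substring(0, dot);
        if (!long.TryParse(created, NumberStyles.None, CultureInfo.InvariantCulture, out long createdSeconds))
            return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        // Check the MAC first: the date is trusted only once the value is known to be ours.
        if (!FixedTimeEquals(Mac(key, created), presented)) return false;
        long age = now.ToUnixTimeSeconds() - createdSeconds;
        return age >= 0 && age <= (long)maxAge.TotalSeconds;
    }

    static byte[] Mac(byte[] key, string message)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
    }

    // Compares every byte so that timing does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32]; // constructed key; a deployment keeps one stored secret
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string token = Issue(key, now);
        Console.WriteLine(IsValid(key, token, now.AddMinutes(5), TimeSpan.FromHours(1)));
        Console.WriteLine(IsValid(key, "1" + token, now, TimeSpan.FromHours(1)));
    }
}
```

Any client that visits the site once receives a valid cookie and can replay it until it expires, so this check filters out requests that never loaded the site rather than authenticating callers.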
I've posted this on Server Fault, but as there is sort of a programming aspect to it, I'll post it here too.
I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.
So, I need a mixed mode authentication. I need the site to be only accessible through windows auth, without anon users, but once you are in, it needs to use forms auth only. How would I go about doing this the right way?
EDIT:
Here's a clarification. The site must work like this.
You go to the URL and a windows auth login pops up. You sign in with a domain account that has access. If you don't have access, it shows you the 401 error.
If you have access, you hit the site. However, the site doesn't use your windows auth username. It uses forms Auth. So, you have to sign in to the site using the forms auth.
The problem is, when I set it up to do step 1, it uses your windows username in step 2. I don't want it to do that.
Trick here is to change the provider for your authentication to use Active Directory, rather than change the settings to Windows.
Or, use a version of the following provider:
<add
    name="AdProvider"
    type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    connectionStringName="YourAd"
    applicationName="YourApp"
    enablePasswordReset="false"
/>
With a version of the following connection string:
<add name="YourAd"
    connectionString="LDAP://[your DC]/OU=[your OU],DC=[your domain],DC=[your extension]"
/>
Authorization-wise, you have some options. If it is based on domain groups, then you'll need to get azman wired up. If it is application controlled, you'll need to line up the AD users with the database-stored roles.
PS: I suck at LDAP connection strings, you can probably do a lot more with it than I did.
Well, seems like I answered the wrong question. I'll leave this up for posterity's sake, but you should just try to disable Anonymous Authentication for the site.
I found my answer here:
IIS7 and Authentication problems
The short of it is, in IIS 7 you cannot have two-tiered authentication like you could with IIS 6.
I've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup modal box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password).
Now, with IIS7, when I turn Anon Auth off, and turn on Basic or Windows Auth, I get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.
Does that make sense?
cheers!
<authentication mode="Forms">
    <forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
    </forms>
</authentication>
There is no authorization section.
Also, when I add 'Digest Auth' to IIS7 and enable that (and disable everything else), I get the pop up window (kewl!) but I'm not sure what credentials I need to pass in. Where can I define those credentials manually (so they are separate from the website's users)?
IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.