I have installed an MVC4 application provided by a third party on our web server and most requests are being redirected to http://domain.com/login.aspx?ReturnUrl=requestedpage.
The website does not have any form of authentication and it does not have this or any other login page.
The default page loads but none of the page resources (like images, CSS, etc) loads as each of those is being redirected to the non-existent login.aspx page. Even a webservice request gets redirected.
I have done lots of searching online and tried the usual fix of <add key="autoFormsAuthentication" value="false" /> but it doesn't make any difference. I also tried <authentication mode="None" />.
It is IIS8.5 on Server 2012 and anonymous access is enabled throughout.
I just tried installing MVC4 directly on the server and this did not help.
Can anyone help?
This problem turned out to be caused by the anonymous user account not being set to the ApplicationPoolIdentity.
I fixed this after finding the answer on another question.
Related
We have a web site in IIS 7, that has a default document (index.asp) set. The entire site uses basic authentication except the index.asp page. This is working correctly if I enter the domain with the actual page name (www.mysite.com/index.asp). However, without the page name (www.mysite.com) I am prompted for credentials, even though it is the same page.
I've tried various web config changes and tried it with anonymous user set to the app pool and the IUSR account and it doesn't work either way. I'm thinking maybe I need to enable and then configure URL rewriting for this site but I'm not positive.
If you need any other info let me know.
thanks!
I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.
I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.
However, I have another requirement; which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to provide an attribute to the system.webServer/modules node in the web.config:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
However, when I add the above, then any authenticated user can gain access to my media library files if they enter in the full URL. This violates my attempts at media library access based on role membership; since I dont want users in other roles to be able to get at the files.
I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.
Any suggestions would be highly welcome!
As far as I know runAllManagedModulesForAllRequests attribute is mandatory only for different extensions (different from .aspx). If you are using IIS 7 or above you can omit this attribute in your web.config (see source).
Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.
So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.
EDIT: So I think I have got solution for you. It seems that runAllmanagedModulesForAllRequests attribute kills Anonymous Authentication setting so Kentico serves data after successful authentication. I`ve found workaround so you can forbid access to media library. Try to add something like:
<location path="MySite/media/MyMediaLibrary">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
into your web.config inside configuration section.
We are building a website inwhich user must be authenticated before access the site. However, I don't know if it's possible to do that in Piranha?
I used
<authorization>
<deny users ="?"/>
</authorization>
but it does not work.
Is anyone know how to do that?
Thanks
Piranha CMS uses forms authentication, so the above should work if you add a login url to the forms configuration in the web.config. I have used that setup myself for a couple of projects.
If you want to set restrictions on page level you can do this under Settings for a page, where you can choose the group needed to view the page.
If you're using MVC you can also add the [Authorize] attribute to your controllers/actions as usuall. Basically the normal steps should apply!
Regards
I have configured FBA on Sharepoint 2010 site. And its working fine when I use the OOTB login page which is available at _form/default.aspx.
Now I have created my own Login.aspx page and configured the web application to get redirected to this custom page. This page I have kept it at Layouts/CustomFBA/Login.aspx location under 14 Hive. I followed this blog post to create and configure the login page.
I have included a user sign in page link at the bottom of this login page which is another application page.
I have updated the web.config of the web application to allow users to reach to the user sign-in page without getting authenticated or redirected to login page again. Ideally this should work, but somehow whenever I click that link I am being redirected back to the login page. I will really appreciate if somebody can help me in this regard
==========================================================
As I have mentioned earlier,the custom login page is working perfectly fine. But, I have link on the login page which take the users to a sign-in(UserSignin.aspx) page which is also kept in the /_layouts/CustomFBA/ folder. The problem is when I click the link, I am coming back to the Login page again.
As per some of the blog which I read, they have mentioned to allow user to view such page which should not ask for any authentication, we have to include the tag (mentioned by djeeg) in web.config of the web application. So I have done that as well.
But this is also not resolving the problem. I am still coming back to Login.aspx page when I click that "Sign-in" link on the Custom Login Page. I hope I have made my problem clear here.
Thanks & Regards,
Paddy
By default, SharePoint application pages added in Visual Studio inherit from the LayoutsPageBase class (MSDN: represents an application page to which access can be limited to users that possess certain rights).
Change the base class of the UserSignin.aspx page to UnsecuredLayoutsPageBase (MSDN: represents the base class for application pages that explicitly do not require the user to have any permissions, such as the access denied page).
Try adding this to your web.config
<location path="_layouts/CustomFBA/Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
That should then allow anonymous access to your custom login page
this is my first post on this great source of programming information.
I have developed new site for client and just doing some finishing touches.
I am trying to create custom error pages which would be read from web.config
<system.web>
<customErrors mode="RemoteOnly">
<error statusCode="404" redirect="404.aspx" />
<error statusCode="500" redirect="500.aspx" />
</customErrors>
It works well on local development machine and 404 and 500 errors are shown as required.
After compilation and publishing site to web server it doesnt work. IIS 6 keeps on showing original IIS 6 error pages like this 404 error:
The page cannot be found
The page you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
Please try the following:
Make sure that the Web site address displayed in the address bar of
your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site
administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
I am not sure why is it doing this, I thought that web.config overwrites original IIS6 settings.
Ok I have found out that the problem is with the 404 .aspx page only. Error 500 is working fine and showing 500.aspx page. But not for 404.aspx. Please advice
The web config will only override IIS6 settings if the request is passed to the .NET ISAPI filter - for example, for pages ending with .aspx
If I browsed to a file or directory that didn't get to the .NET ISAPI it wouldn't use the web.config rules.