We Keep Coding

IdentityServer: Clients aren't notified when user logs out, if the application connected to IIS

i have many asp.net core applications that connected to IdentityServer for the authentication. Before i run these application on the IIS every thing worked as it should. Before running on IIS, every application had its own port on same domain: eg: www.myserver.com:500x.
By moving them to the IIS server, we made those port invisible, so the user just sees the domain without any ports. To identity the requests, we gave every application an alias. The iis forwards the requests to the application, the alias belongs to. Example as following:
www.myserver.com/app1/index --> gets forwarded to application 1 with port 5001.
www.myserver.com/app2/index --> gets forwarded to application 2 with port 5002 and so on.
this idea worked fine, but not with the log out. when i log out from a client i call this functions from the client:
public async Task<IActionResult> OnGet()
{
logger.LogDebug("Current Client will be loged out for a user");
await HttpContext.SignOutAsync("oidc");
await HttpContext.SignOutAsync("Cookies", );
return SignOut("Cookies", "oidc");
}
But this deletes the authentication coockies just for the current Client and for the IdentityServer. The coockies at the other clients are not getting cleaned anymore with this code.
I'm not using the Iframe to make the PostLogout procedure. Any idea where should i search for the problem?
is it possible to delete all coockies for same domain at the logout call? is it the correct way to solve it?

Handling exceptions before startup

I have an application that can throw an InvalidOperationException during the startup process before the host has been created. What I would like to do is capture this error, and handle it by displaying a static, custom error page (i.e. ErrorPage.html)
Is this possible? Everywhere I seem to look makes it seem as though this is an impossible task and that the default 500.30 - ASP.NET Core app failed to start is the only page that will appear in a situation where the host fails to establish by the time the exception is thrown.

One option to achieve a custom error page on host errors generating 500 responses would be to use some gateway or proxy in front of your app. The idea would be to handle certain responses by showing some error content from the gateway.
Options would include custom error pages in Azure Application Gateway or a middleware handler if using a YARP proxy instance.

For IIS use web.config and add a section inside element <system.webServer>
<httpErrors errorMode="Custom" existingResponse="Replace">
<error statusCode="500" subStatusCode="30" path="ErrorPage.html" responseMode="File" />
</httpErrors>
Check docs for more information

Why does UWP app get 401 Unauthorized against local IIS with Windows authentication?

Problem
When running a UWP app (with the Enteprise Authentication capability) that makes an HTTP request to a local IIS website protected by Windows authentication, the app receives a 401 Unauthorized response. If the app is run on a different computer than IIS (either the app is moved to a different computer or a remote Windows authentication-protected URL is requested), the request succeeds.
IIS
I am running Windows 10 Enterprise (Anniversary Edition) joined to an AD domain.
On my local IIS instance, I've enabled Windows authentication and disabled anonymous authentication for the default website. The enabled providers are "Negotiate" and "NTLM".
I've also created a test.aspx page at the root that contains simply:
<%= User.Identity.Name %>
If I visit http://localhost/test.aspx in Edge, Chrome, or IE, I am authenticated correctly and presented with my user name.
UWP
I've created a simple UWP app (targeting build 14393) with the following capabilities:
<Capabilities>
<Capability Name="internetClient" />
<Capability Name="privateNetworkClientServer" />
<uap:Capability Name="enterpriseAuthentication" />
<uap:Capability Name="userAccountInformation" />
</Capabilities>
The app's code is simply:
public MainPage()
{
this.InitializeComponent();
var result = Nito.AsyncEx.AsyncContext.Run(async () =>
{
using (var httpClient = new System.Net.Http.HttpClient())
{
return await httpClient.GetStringAsync("http://localhost/test.aspx");
}
});
textBlock.Text = result;
}
Result
If the requesting UWP app and IIS are on the same computer, the HTTP request in the UWP app fails with 401 Unauthorized.
The network profiler shows that authentication is attempted (note that the multiple requests are part of the WWW-Authenticate challenge/response scheme):
If the requesting app and IIS are on different computers, the request succeeds.
That is, if I change the request URL so that it is my development computer's FQDN (http://localhost/test.aspx becomes http://computername.domain/test.aspx) and run the app on a second computer (in other words, the app on the second computer calls my development computer's IIS), the request succeeds. Alternatively, I can successfully run the UWP on my development computer but call a remote IIS.
A few more details
The UWP app's request results in a 200 OK if anonymous authentication is enabled on the localhost IIS.
I have "Allow local network loopback" checked in the app's Debug property page, and I've verified that the loopback is enabled with checknetisolation.

UWP can't connect to loopback or localhost.
There is a workaround if you're side loading or in an enterprise environment: https://msdn.microsoft.com/en-us/library/windows/apps/dn640582.aspx

Cannot login if requiressl is set to true

I have a live web site in IIS 7.5. I can login to my site correctly with http protocol till I add this line in Web.config:
httpCookies httpOnlyCookies="true" requireSSL="true"
All configuration for SSL is done but I cannot login anymore with both http and https although the cookie .ASPXAUTH is created.
If I set requireSSL="false", I can login normally.
Please help!

I had the same problem and as I came across this post searching for a solution I can explain what happened: your application was configure to use secure cookies and this requires the browser to issue the request over SSL. Therefore, if requireSSL attribute is set to true, you can't log in to your website with Http

IIS6.0 - ASP.NET 4.0 - Default Content Page throwing Error message 401.2

We have a .NET application that was recently converted to .NET 4.0 and then published to IIS 6.0. When we trying going to the url without a page www.blahblahblah.com we get the following error:
Server Error in '/' Application.
Access is denied. Description: An
error occurred while accessing the
resources required to serve this
request. The server may not be
configured for access to the requested
URL.
Error message 401.2.: Unauthorized:
Logon failed due to server
configuration. Verify that you have
permission to view this directory or
page based on the credentials you
supplied and the authentication
methods enabled on the Web server.
Contact the Web server's administrator
for additional assistance.
We have IIS 6.0 site setup with a default content page going to "default.aspx". However, it seems IIS is not getting to the point of forwarding the url to this page. If we navigate directly to www.blahblahblah.com/default.aspx the page comes up with not issue and we all other functionality of the application works. If we roll back to the 3.5 version, the default page forwarding works as it should. Does anyone have any idea what is causing this?

I found the issue. Someone had put this (see below) in the authorization tag which prevented access to the website as a whole preventing IIS from forwarding to the default page, even though the page default.aspx had a location exception that allowed all users.
<authorization>
<deny users="*"/>
</authorization>