My web application uses form authentication. It is working fine. But when I install 2 instances of the same application as virtual directories, I am able to log into both instances with the same cookie. Is there any way to keep it to a single virtual directory?
Here is my web.config.
<authentication mode="Forms">
<forms name="MyAppAuth" loginUrl="~/secured/login" protection="All" timeout="30" slidingExpiration="true" path="/">
<credentials passwordFormat="Clear">>
</credentials>
</forms>
</authentication>
I'm not sure what technology is being used here, but I would guess that the path="/" is used to create the cookie (you could probably use your browser developer tools to make certain). Try setting the path to the root of each webapp /app1 /app2
Related
We recently converted a Framework 4.8 WebForms project that was using Forms Authentication to use Identity 2.0 Authentication and now we can't access default documents or images without allowing anonymous access.
Once authenticated with Identity, if you browse to a folder such as http://mysite/dashboard/default.aspx it works fine. However, if the default page is not in the path as in http://mysite/dashboard/ it returns 401.2 as though IIS needs permissions to server the page :
*Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be
configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.*
We have <authentication mode="None"> which I understand is correct for this situation. IIS is configured to use default documents just as it was when we were using Forms Authentication.
We also deny unauthenticated users with the System.Web.Security.UrlAuthorizationModule:
<authorization>
<deny users="?" />
</authorization>
If we allow anonymous on the folder it does work but we don't what anonymous access on these locations.
<location path="Dashboard">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
So, how do you configure IIS to access default documents without 'allow anonymous' so it works like it did under Forms Authentication.
Thanks!!!
Try to add this to the System.Webserver section
<modules>
<remove name="FormsAuthentication"/>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
The key seems to be to remove the managedHandler Precondition from the FormsAuthentication module. As I understand it this is only supposed to optimize serving of static content.
Found that adding <modules runAllManagedModulesForAllRequests="true"> to the web.config resolved the issues. Not really sure why at this point. I did notice that the request for a static file did not include the user identity which was working before removing Forms Authentication. After adding this, the user identity started showing up in the request.
I've inherited a IIS 8.5 installation with a lengthy applicationHost.config file; I'm not familiar with all the options and am trying not to mess with it as it is working.
When I set up a new web application, to get it work, I'm having to go into C:\Windows\System32\inetsrv\config\applicationHost.config
and manually add the following for each application:
<location path="Default Web Site/MyNewAppPath">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Or I get an error - "Access is denied Error message 401.2.: Unauthorized: Logon failed due to server configuration..."
Lots of posts/comments saying to fix it this way by manually adding the location and other tags, but this seems hacky.
Isn't there an option/function inside IIS Manager somewhere that handles these tags?
FYI IIS Manager is adding below tags to the config file (on its own) for each app. Hoping somehow it can do similar for the location etc tags.
<application path="/MyNewAppPath" applicationPool=".NET 4.5">
<virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\MyNewAppPath" />
</application>
Thanks for any help!
Sub-application's authentication are only allowed in applicationhost.config by default. If you go to config manager, you will see this
If you try to set it in other place like root web.config or <location path='webapp'>, IIS will report the application has already been locked and everything grayed out.
You can set authentication via IIS manager or command line and it will add these configuration to applicationhost.config automatically. I think this is just common operation instead of hacky.
Since Elmah relies on ASP.NET security the following web.config section does not work with ServiceStack authorizations:
<location path="admin">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
So, what is the best practice to lock elmah.axd to everyone except administrators users?
When you run ServiceStack with MVC you should typically define ServiceStack to pick up the requests to a custom location such as api using <location path="api">.
See here for setup instructions:
ServiceStack v3 (BSD)
ServiceStack v4 (Commercial)
Therefore ServiceStack won't handle requests to other locations and as such the location path <location path="admin"> will be outside the path handled by ServiceStack, so the Authentication of your elmah.axd will be handled by IIS. So IIS will authenticate as per usual.
I have a single IIS server that runs many web sites all with their own IP addresses. These sites are all ASP sites. I have a new site I need to add that was done in straight HTML and is not an ASP site. The request is to only allow people into the site who have been authenticated to one of the other sites. I am using IIS 7 on Windows 2008 Server R2.
Not sure if that's possible, but here's what I did so far:
Added the following to system.webServer:
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
Added the following to system.web:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<authentication mode="Forms" />
Tried adding the following to system.web as well:
<identity impersonate="true" />
Is this possible to do?
Besides setting the authentication mode to Windows which I missed at first, other steps to do this are:
Open IIS, and make sure an application pool exists for the site.
Set it's mode to integrated.
Open the site itself in IIS
In the IIS section open Authentication.
Enable Windows Authentication.
Modify the web.config adding users/groups as needed to the authorization
section.
Here's one thing I didn't realize - it doesn't process all rules and overwrite previous rules with new rules. It stops once it finds a rule that works. So you don't deny all users, then add one. You add the one you want, then deny all after.
The system.webServer section from the OP is correct.
I'm having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn't happen all the time but randomly. After looking at the Web server the error that shows up in the application event log is:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
Everything that I read starts out with people asking about web gardens or load balancing. We are not using either of those. We're a single Windows 2003 (32-bit OS, 64-bit hardware) Server with IIS6. This is the only website on this server too.
This behavior does not generate any application exceptions or visible issues to the user. They just get booted back to the login screen and are forced to login. As you can imagine this is extremely annoying and counter-productive for our users.
Here's what I have set in my web.config for the application in the root:
<authentication mode="Forms">
<forms name=".TcaNet"
protection="All"
timeout="40"
loginUrl="~/Login.aspx"
defaultUrl="~/MyHome.aspx"
path="/"
slidingExpiration="true"
requireSSL="false" />
</authentication>
I have also read that if you have some locations setup that no longer exist or are bogus you could have issues. My path attributes are all valid directories so that shouldn't be the problem:
<location path="js">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="anon">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="NonSSL">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The only thing I'm not clear on is if my timeout value in the forms property for the auth ticket has to be the same as my session timeout value (defined in the app's configuration in IIS). I've read some things that say you should have the authentication timeout shorter (40) than the session timeout (45) to avoid possible complications. Either way we have users that get kicked to the login screen a minute or two after their last action. So the session definitely should not be expiring.
Update 2/23/09: I've since set the session timeout and authentication ticket timeout values to both be 45 and the problem still seems to be happening.
The only other web.config in the application is in 1 virtual directory that hosts Community Server. That web.config's authentication settings are as follows:
<authentication mode="Forms">
<forms name=".TcaNet"
protection="All"
timeout="40"
loginUrl="~/Login.aspx"
defaultUrl="~/MyHome.aspx"
path="/"
slidingExpiration="true"
requireSSL="true" />
</authentication>
And while I don't believe it applies unless you're in a web garden, I have both of the machine key values set in both web.config files to be the same (removed for convenience):
<machineKey
validationKey="<MYVALIDATIONKEYHERE>"
decryptionKey="<MYDECRYPTIONKEYHERE>"
validation="SHA1" />
<machineKey
validationKey="<MYVALIDATIONKEYHERE>"
decryptionKey="<MYDECRYPTIONKEYHERE>"
validation="SHA1"/>
Any help with this would be greatly appreciated. This seems to be one of those problems that yields a ton of Google results, none of which seem to be fitting into my situation so far.
It may also be worth checking the Maximum Worker Processes property for your application pool. If you are using in memory session and have more than one as the max worker process you can find session issues as a users request is handled by a different thread that is unaware of their session.
Since you have noted that you are using a very specific FQDN for your site, do you have any other .Net applications running under the same FQDN just different virtual paths? The name of the auth cookie might be the same for both applications, but the token will be different. So if I log into www.domain.com and then to www.domain.com/app2, I will no longer have correct authentication for app1.
1.) Check how often your iis process gets recycled. (Turn on logging and check your settings). After a recycle, using the default in proc session store, the session is lost.
2.) Does your application spawn Threads that may throw an Exception (which are btw not displayed to the user)? Because if that situation exists the iis recycles processes far more often.
I have just finished dealing with this precise problem, exactly as described in the question and the issue was some missing config in web.config.
When using formsAuthentication, you need to stop having the session handle authentication, as the cookie is now responsible for it.
This line needs to be added (or updated) in your web config, in the "system.web" element
<sessionState mode="Off">
sessionState and formsAuthentication should not both be active. I don't understand the fine details of how they interfere with each other, but in this case, it produced random log outs of random users at random times.
Our site has stumbled with the same problem for years, but yesterday we found a fix, see my question. As a commenter suggested, I tried adding this to web.config:
<sessionState mode="InProc" timeout="60" />
Apparently, the timeout must be set both in sessionState and in the ticket. See also ms docu in https://msdn.microsoft.com/en-us/library/ms178586.aspx
To more accurately measure the actual timeout while in debug mode, I found it handy to add Debug.WriteLine calls in file Global.asax.cs in methods Session_Start() and Session_End(), with millisecond time added using
string.Format("{0:HH:mm:ss.fff} - {1}", DateTime.Now, strMessage);
so that you can login, go for lunch, let the session time out, and read the time stamps at some convenient moment in the VisualStudio Output window.