We have an Azure Website hosting a static site (just some HTML, CSS, Javascript), which then communicates with our Azure Mobile Services by AJAX calls.
We would like to add some very simple authentication to this site (just a static username/password will be sufficient).
Please recommend the easiest way to do this.
Or may be there is some better option for serving static content, other then Azure Websites?
A very simple form of authentication with a static username and password can be achieved by leveraging ASP.NET's authentication and authorization, integrated with IIS as described in this article: Apply ASP.NET Authentication and Authorization Rules to Static Content with IIS 7.0's Integrated Pipeline Feature.
Se this sample GitHub project for an example. The relevant pieces of code are this Web.config file that you should place in the root directory (which would be public):
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="false" />
<authentication mode="Forms">
<forms>
<credentials passwordFormat="Clear">
<user name="Alice" password="secret" />
</credentials>
</forms>
</authentication>
<!-- Unless specified in a sub-folder's Web.config file,
any user can access any resource in the site -->
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
</system.webServer>
</configuration>
And this Web.config file that you could place in a subdirectory (which would be restricted):
<?xml version="1.0"?>
<configuration>
<system.web>
<!-- Anonymous users are denied access to this folder (and its subfolders) -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
You also need a Login.aspx file with the HTML form and server-side authentication logic. See the Login.aspx in the sample project for an example.
This way you would be able to host both public files at root level and private files at subdirectories. If you want to protect even the root level, just adjust the authorization rules accordingly.
For documentation on configuration options see these MSDN pages:
authorization Element (ASP.NET Settings Schema)
allow Element for authorization (ASP.NET Settings Schema)
deny Element for authorization (ASP.NET Settings Schema)
This is an old question that's been previously answered, but if you're looking for the easiest possible solution that requires no code or config changes, you can use Azure Websites Authentication / Authorization (disclaimer, I helped build this feature). Here are some links:
Blog Post:
http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
Demo Video:
http://azure.microsoft.com/en-us/documentation/videos/azure-websites-easy-authentication-and-authorization-with-chris-gillum/
EDIT:
And here is a more recent blog post describing how you can use social providers (Twitter, Facebook, Google, Microsoft Accounts) in addition to the default Azure AD: https://azure.microsoft.com/en-us/blog/announcing-app-service-authentication-authorization/
Related
I have a .NET core 3.1 razor pages website. I'm using windows credentials (with Active directory) for authentication and I'm managing authorization using policies.
Using IIS express (the one you use when developing is working ok. My username is displayed)
Now I'm using the IIS manager to host this site using my machine IP, for example 'xxx.xxx.xxx.xxx:portNumber'. This is loading if anonymous authentication is on, but if I include windows credentials it is failing.
I followed the guide from here --> https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio
Basically I did what it is showed in the previous link. (Created the web.config file and followed the steps listed there)
web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>
The following error is showing up when I try to enter authentication option in IIS manager in my site.
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"
After hitting accept button the following table loads.
And when I try to access the website, it is throwing
Error HTTP 500.19 - Internal Server Error
Module: WindowsAuthenticationModule
Notification: AuthenticateRequest
source of config
<anonymousAuthentication enabled="false" />
**<windowsAuthentication enabled="true" />** --> *this line is in red*
</authentication>
Here I changed a couple of lines in applicationhost.config file.
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
I changed both lines from Deny to Allow. Restart, but it doesn't work.
I've activated some windows features too like the following
I finally solved it. I referred to this post This configuration section cannot be used at this path - Windows 2016
I setted the following entries in the file located in
C:\Windows\System32\inetsrv\config\applicationHost.config
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
<section name="ipSecurity" overrideModeDefault="Allow" />
I mistakenly edited the applicationHost.config located in IISExpress in my documents folder. That's why this wasn't working.
We recently converted a Framework 4.8 WebForms project that was using Forms Authentication to use Identity 2.0 Authentication and now we can't access default documents or images without allowing anonymous access.
Once authenticated with Identity, if you browse to a folder such as http://mysite/dashboard/default.aspx it works fine. However, if the default page is not in the path as in http://mysite/dashboard/ it returns 401.2 as though IIS needs permissions to server the page :
*Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be
configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.*
We have <authentication mode="None"> which I understand is correct for this situation. IIS is configured to use default documents just as it was when we were using Forms Authentication.
We also deny unauthenticated users with the System.Web.Security.UrlAuthorizationModule:
<authorization>
<deny users="?" />
</authorization>
If we allow anonymous on the folder it does work but we don't what anonymous access on these locations.
<location path="Dashboard">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
So, how do you configure IIS to access default documents without 'allow anonymous' so it works like it did under Forms Authentication.
Thanks!!!
Try to add this to the System.Webserver section
<modules>
<remove name="FormsAuthentication"/>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
The key seems to be to remove the managedHandler Precondition from the FormsAuthentication module. As I understand it this is only supposed to optimize serving of static content.
Found that adding <modules runAllManagedModulesForAllRequests="true"> to the web.config resolved the issues. Not really sure why at this point. I did notice that the request for a static file did not include the user identity which was working before removing Forms Authentication. After adding this, the user identity started showing up in the request.
I've inherited a IIS 8.5 installation with a lengthy applicationHost.config file; I'm not familiar with all the options and am trying not to mess with it as it is working.
When I set up a new web application, to get it work, I'm having to go into C:\Windows\System32\inetsrv\config\applicationHost.config
and manually add the following for each application:
<location path="Default Web Site/MyNewAppPath">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Or I get an error - "Access is denied Error message 401.2.: Unauthorized: Logon failed due to server configuration..."
Lots of posts/comments saying to fix it this way by manually adding the location and other tags, but this seems hacky.
Isn't there an option/function inside IIS Manager somewhere that handles these tags?
FYI IIS Manager is adding below tags to the config file (on its own) for each app. Hoping somehow it can do similar for the location etc tags.
<application path="/MyNewAppPath" applicationPool=".NET 4.5">
<virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\MyNewAppPath" />
</application>
Thanks for any help!
Sub-application's authentication are only allowed in applicationhost.config by default. If you go to config manager, you will see this
If you try to set it in other place like root web.config or <location path='webapp'>, IIS will report the application has already been locked and everything grayed out.
You can set authentication via IIS manager or command line and it will add these configuration to applicationhost.config automatically. I think this is just common operation instead of hacky.
Since Elmah relies on ASP.NET security the following web.config section does not work with ServiceStack authorizations:
<location path="admin">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
So, what is the best practice to lock elmah.axd to everyone except administrators users?
When you run ServiceStack with MVC you should typically define ServiceStack to pick up the requests to a custom location such as api using <location path="api">.
See here for setup instructions:
ServiceStack v3 (BSD)
ServiceStack v4 (Commercial)
Therefore ServiceStack won't handle requests to other locations and as such the location path <location path="admin"> will be outside the path handled by ServiceStack, so the Authentication of your elmah.axd will be handled by IIS. So IIS will authenticate as per usual.
I have a single IIS server that runs many web sites all with their own IP addresses. These sites are all ASP sites. I have a new site I need to add that was done in straight HTML and is not an ASP site. The request is to only allow people into the site who have been authenticated to one of the other sites. I am using IIS 7 on Windows 2008 Server R2.
Not sure if that's possible, but here's what I did so far:
Added the following to system.webServer:
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
Added the following to system.web:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<authentication mode="Forms" />
Tried adding the following to system.web as well:
<identity impersonate="true" />
Is this possible to do?
Besides setting the authentication mode to Windows which I missed at first, other steps to do this are:
Open IIS, and make sure an application pool exists for the site.
Set it's mode to integrated.
Open the site itself in IIS
In the IIS section open Authentication.
Enable Windows Authentication.
Modify the web.config adding users/groups as needed to the authorization
section.
Here's one thing I didn't realize - it doesn't process all rules and overwrite previous rules with new rules. It stops once it finds a rule that works. So you don't deny all users, then add one. You add the one you want, then deny all after.
The system.webServer section from the OP is correct.