Disable Forms Authentication on subfolder or Virtual Directory - authentication

Here is my scenario:
I've got a website set up in IIS (7.5) that uses Forms Authentication. I've got a subfolder within that website that I'm using as a WebDAV share. I've got a custom HTTP Module monitoring my WebDAV requests and also acts as a level of custom authentication. This custom authentication will first send a HTTP 401 Challenge to get the user's credentials when they try to map a drive to my WebDAV share, and then the credentials are parsed out of the Basic-Auth header server-side. The problem is that a Basic-Auth header is only sent if Forms Authentication is turned off.
What's more is that normally when my HTTP Module doesn't find an Auth Header, a 401 Challenge is sent (which prompts the user for credentials when Forms Auth is turned off). However, with Forms Auth turned on, my HTTP Module still executes and sends a 401 Challenge, but it appears that the Forms Auth is taking priority so in Fiddler I can clearly see a redirect to:
/Account/Login.aspx?ReturnURL=MySubFolder
The point of the custom authentication is so that I can allow the user to log-in to my site when mapping a drive to my WebDAV share. I want to capture their website credentials, authenticate them, and then show them the contents of the directory.
So my question is:
Is there a way to get Forms Authentication disabled on a subfolder or Virtual Directory within a website which has Forms Authentication enabled?
I've verified that I can get around this by creating a new Application in my website and put the subfolder in there, and then disable Forms Auth on the Application itself, but I'd really prefer not to do that if possible.
Everything I've tried (listed below) has resulted with my request to map a drive to Http://localhost/MySubFolder getting taken over by Forms Authentication (at least that's what I think is happening) and redirected to /login.aspx?ReturnUrl=MySubFolder (as shown in Fiddler).
Here's what I've tried:
1) Added a separate Web.config in MySubFolder:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
2) Added a <location> tag in the root-level Web.config for MySubFolder like this:
<location path="MySubFolder">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
3) Looked at updating the Feature Delegation in IIS.
Personally, I had some doubt with the above solutions because from what I've read, they are meant to simply allow all access while still leaving Forms Authentication enabled. I need a way to actually get Forms Authentication disabled on my subfolder. Is this possible?
I should also note that my subfolder could be a Virtual Directory, but it's not required one way or the other. I just need a way for Forms Auth to be disabled on that folder.
As per request, my Web.config file (site-level):
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="MyConnString" connectionString="Persist Security Info=True;Initial Catalog=MyDB;Data Source=MyServer;User ID=UserName;Password=xxxxxxxxxx;MultipleActiveResultSets=True;"/>
</connectionStrings>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
</system.web>
<system.webServer>
<modules runManagedModulesForWebDavRequests="true" runAllManagedModulesForAllRequests="true">
<add name="CustomWebDAVModule" type="CustomWebDAVModule"/>
</modules>
</system.webServer>
</configuration>

This question has already been answered: Multiple/Different authentication settings in web.config
You can't override the root authentication mode="Forms" tag within location tags. Making the folder it's own application is the easiest way out.
Another option is to implement your own custom Forms authentication and have it ignore the redirect for your webdav folder.
<authentication mode="None">

Apparently you have not correctly setup WebDAV within IIS.
Since you want to use a custom webdav module for authentication we first need to ensure that IIS does not interfere with your WebDAV requests.
Follow these steps (note that the important point is in step 7):
Keep your web.config as is (as posted in the question).
Enable WebDav within IIS. Within the IIS manager select your website. Within the main window open WebDAV Authoring Rules.
In the actions pane (on the right) click Enable WebDAV.
Now select your sub-folder that you want to enable WebDAV for (I am using path3 in my example) by clicking it and then open WebDAV Authoring Rules.
Click Add authoring rule... in the actions pane (on the right).
In the dialog that opens make sure all of these are selected All content, All users, Read, Source and Write and click OK. This will grant access to all content of that subfolder to all users with all permissions.
Now the most important part. Since you want to handle WebDAV authentication through your custom WebDAV handler we must explicitly tell IIS not to interfere with authentication. How do we do that? We tell IIS to allow anonymous WebDAV access. This way IIS does not try to authenticate the user and your module is free to do its authorization operations. To go about doing this we will need to set Allow Anonymous Property Queries to True under WebDav settings. The next steps will highlight how to do this.
Open the site root WebDAV Authoring Rules.
Click WebDAV settings....
Set Allow Anonymous Property Queries to True.
Close and restart the WebDAV client that you will be testing on. This is to ensure that it does not cache connection parameters from the previous incorrect configuration.
Check to see if the WebDAV configuration of your website works as desired. :)

Within your custom HTTP Module, you can tell the Forms Authentication to supress the redirect via HttpResponse.SuppressFormsAuthenticationRedirect:
public class DavAuthenticationModule : IHttpModule
{
public void Init(HttpApplication application)
{
application.AuthenticateRequest += App_OnAuthenticateRequest;
}
private void App_OnAuthenticateRequest(object source, EventArgs eventArgs)
{
// Only applies for WebDAV requests.
var ctx = HttpContext.Current;
if (!ctx.Request.Path.StartsWith("/dav/path", StringComparison.OrdinalIgnoreCase))
return;
// So that forms auth won't do a redirect.
// Note that it will still attempt to read / parse the forms auth cookie.
ctx.Response.SuppressFormsAuthenticationRedirect = true;
// Now do my own auth.
DoBasicHttpAuthentication(ctx);
}
}
Another option is to hook the FormsAuthenticationModule.Authenticate event to authenticate before Forms Auth runs at all. This would require you to fish around in IIS for the module instance, which I don't have an example for.
Both these options are based on the .NET 4.6 reference source: http://referencesource.microsoft.com/#System.Web/Security/FormsAuthenticationModule.cs,ac471f8ac73cdb2b

Related

How to call RESTFul WCF service with Forms authentication

Assumptions:
Client is a Web application (ASP.NET) configured for STS Passive Issue
Server is a MVC Application with 2 services (1. Issues a token and other gets metadata)
Server on the other hand configured for Forms authentication and should redirect to Login page if unauthenticated access is made.
Workflow:
end user tries to load client.
It contact the STS by redirecting to the STS server.
The server is configured with Forms authentication with a redirect URL.
But Server does not redirect to login page. instead it allows to call the Issue end point.
I tried to restrict via authorization tag in web.config. Also, i tried location tag to set authorization explicitly. But it still allows the call.
i referred many blogs
How to: Enable the WCF Authentication Service
How to: Customize User Login When Using the WCF Authentication Service
But no luck.
This is easy to achieve with ADFS. Use the following steps if ADFS is your STS:
Navigate to the folder where ADFS web application is located (normally C:\inetpub\adfs\ls)
Make a copy of the current web.config for safety
Open web.config in notepad
Locate
In , change the order of authentication to assure that it lists Forms Authentication first
The order must look like this:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
Save the changes (you do not need to restart ADFS)
Navigate to your application and click on Login. Instead of sending the login request to ADFS, a page containing a login dialog will pop up. Please enter your credential and click ok. Then, you will get the same result as above.
Reference articles:
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part I
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part II

Copy Paste Site on IIS - Authentication issue

I'm working on a MVC .NET project that uses forms authentication. I tried to make a copy of the site and publish it on IIS (different virtual directory). I noticed that I can't get authenticated to the two sites at the same time : when I access one site I automatically get disconnected from the other. What should be changed in order to make it possible to a user to access both of them simultaneously? is it a cookies issue?
I think so, because when I inspect site elements It's obvious that _ASPXAUTH cookie has the same value for both of them. What should I change?
is it a cookies issue?
Yes, most probably. SSO between the 2 websites would very much depend on which domains they are hosted. If they are hosted on 2 sub-domains under the same top level domain such as site1.example.com and site2.example.com all you need to do in order to achieve SSO between them is to set the domain property on the forms authentication cookie to .example.com and ensure that both applications share the same machine keys:
<authentication mode="Forms">
<forms protection="All" domain=".example.com" />
</authentication>
<machineKey validationKey="XXXXX" decryptionKey="XXX" validation="SHA1" decryption="AES" />
If the 2 sites are on different top level domains such as example1.com and example2.com then you need much more work to achieve cross domain SSO. You may find some details in this answer.
UPDATE:
I might have misread your question. It appears that you don't want to have SSO between the websites but rather have separate authentication. In this case all you need is to have a different cookie name for both of them:
<forms name="SITE1AUTH" />
and:
<forms name="SITE2AUTH" />

"Access is denied" in IE 10/11

I have a web site that works fine with Chrome and FF but chokes on IE 10 and 11.
I have googled the issue but can't find a solution that fixes this problem. I checked the serve event logs, IIS log, set compatibility mode on, nothinf fixes it. I keep getting:
"Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. "
I checked IIS and it does allow script access, Keep Alive is checked, not using jQuery, ...
I am using form authentication (against AD) and have the following in web.config:
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="Account/Login.aspx" timeout="15"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Any other ideas on how to tackle this is appreciated.
I don't think this is a one size fit solution but for my settings this worked:
I removed <deny users="?"> and it works in IE. In IIS Directory Security, under Authentication and Access Control, I had enabled "Enable Anonymous Access", using a Windows user account and password (with access to AD). I needed that to authenticate users against AD using forms authentication. It might be a conflict (at least in IE's point of view) between in web.config and "Enable Anonymous Access" in IIS.

low code, simplistic Azure Website security using windows live provider?

I have this webpage I need to secure on Azure. I want to be the only person who can access it. I don't need a fancy login or error page process. The page/site was formerly running on my home web server and so windows authentication via the web.config authentication tag was "really easy" to implement.
I'm looking at Azure Authentication models with STS, ACS, SAML, Federated... and truthfully am somewhat confused about what I need to do. Also, I'm wondering why MS did not offer a simple control panel interface to secure and maintain access to websites so we don't have to create services and custom web site code to manage all of this.
At a high level, what are the minimum steps I need to perform to accomplish this?
If you are the only one going to use the site, then I'm not sure you need to go through all that trouble.
But, on the other hand, doing what you want is not that complicated:
Get an ACS namespace
Install WIF in your machine
Run "Add STS Reference" in your web project and point to your ACS namespace
(look for Federation metadata endpoint)
Configure LiveID trust in ACS (or any other of the pre-provisioned IdPs)
Configure ACS to issue a token for your app
Since your needs are very simple, the default rules will probably work for you.
Here's an article that explains everything step-by-step.
You could use Forms Authentication which should be pretty straightforward to implement.
Set your application to use forms authentication in your web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/myadminlogin.aspx" protection="All" path="/" timeout="120" />
</authentication>
Define the protected folders in your web.config.
<location path="secure">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Within your login area check a condition and set the auth cookie:
'SET AUTH COOKIE
FormsAuthentication.SetAuthCookie(sessionID, False)
Check the session on your protected page:
If User.Identity.Name.ToString = "sessionID" then
'Permit access
End if

ReportViewer web control without authentication

I use ReportViewer web server control on a web page. The goal is to have a page that will allow anonymous access. I'm creating a dummy FormsAuthentication cookie that expires in 5 seconds and try to call the report. I also derive from IReportServerCredential and pass in Domain administrator's credentials to the report server. Weird thing is that this approach works fine if i run the web site on VS 2008 and access it from Firefox or IE. I get reports to display. I am also able to host the web site on my Dev box in IIS and view the report in both FF and IE. But as soon as i deploy the web site to production box, I can no longer view reports on IE, but still can on FF. Reports are shown both in IE and FF if a user logs in and opens the page afterward. Web Server and Report Server are two different machines on the same network, same domain. IIS on the production box has impersonation enablet to impersonate domain admin. IIS on both, Dev and Prod boxes has correct http handler mapped for report cpontrol .axd
Any thoughts and suggestions are welcome. Thanks
After closely examining the request in Fiddler it appeared that Reserved.ReportViewerWebControl.axd was treated as a separate physical file by IE and it couldn't access it due to permissions. After adding
<location path="Reserved.ReportViewerWebControl.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
to web config, it worked