I use ReportViewer web server control on a web page. The goal is to have a page that will allow anonymous access. I'm creating a dummy FormsAuthentication cookie that expires in 5 seconds and try to call the report. I also derive from IReportServerCredential and pass in Domain administrator's credentials to the report server. Weird thing is that this approach works fine if i run the web site on VS 2008 and access it from Firefox or IE. I get reports to display. I am also able to host the web site on my Dev box in IIS and view the report in both FF and IE. But as soon as i deploy the web site to production box, I can no longer view reports on IE, but still can on FF. Reports are shown both in IE and FF if a user logs in and opens the page afterward. Web Server and Report Server are two different machines on the same network, same domain. IIS on the production box has impersonation enablet to impersonate domain admin. IIS on both, Dev and Prod boxes has correct http handler mapped for report cpontrol .axd
Any thoughts and suggestions are welcome. Thanks
After closely examining the request in Fiddler it appeared that Reserved.ReportViewerWebControl.axd was treated as a separate physical file by IE and it couldn't access it due to permissions. After adding
<location path="Reserved.ReportViewerWebControl.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
to web config, it worked
Related
I have a .NET 6 application (asp mvc) running under IIS 10 on Windows 2016 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other security types disabled and my application web.config file authentication/authorization is set up as:
***<system.web>
<authenticationmode="Windows"/>
<authorization>
<deny users = "?" />
</authorization>
</system.web>***
With this setup, I'm expecting behind the scene verification of the Windows user to allow access and deny anonymous users. However, what I'm getting is a Windows login pop-up when I try to access the site.
I really appreciate any help anyone can provide so that I'm still using only windows authentication but don't get the pop-up and the windows authentication is performed against the actual Windows user.
I have a web site that works fine with Chrome and FF but chokes on IE 10 and 11.
I have googled the issue but can't find a solution that fixes this problem. I checked the serve event logs, IIS log, set compatibility mode on, nothinf fixes it. I keep getting:
"Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. "
I checked IIS and it does allow script access, Keep Alive is checked, not using jQuery, ...
I am using form authentication (against AD) and have the following in web.config:
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="Account/Login.aspx" timeout="15"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Any other ideas on how to tackle this is appreciated.
I don't think this is a one size fit solution but for my settings this worked:
I removed <deny users="?"> and it works in IE. In IIS Directory Security, under Authentication and Access Control, I had enabled "Enable Anonymous Access", using a Windows user account and password (with access to AD). I needed that to authenticate users against AD using forms authentication. It might be a conflict (at least in IE's point of view) between in web.config and "Enable Anonymous Access" in IIS.
Here is my scenario:
I've got a website set up in IIS (7.5) that uses Forms Authentication. I've got a subfolder within that website that I'm using as a WebDAV share. I've got a custom HTTP Module monitoring my WebDAV requests and also acts as a level of custom authentication. This custom authentication will first send a HTTP 401 Challenge to get the user's credentials when they try to map a drive to my WebDAV share, and then the credentials are parsed out of the Basic-Auth header server-side. The problem is that a Basic-Auth header is only sent if Forms Authentication is turned off.
What's more is that normally when my HTTP Module doesn't find an Auth Header, a 401 Challenge is sent (which prompts the user for credentials when Forms Auth is turned off). However, with Forms Auth turned on, my HTTP Module still executes and sends a 401 Challenge, but it appears that the Forms Auth is taking priority so in Fiddler I can clearly see a redirect to:
/Account/Login.aspx?ReturnURL=MySubFolder
The point of the custom authentication is so that I can allow the user to log-in to my site when mapping a drive to my WebDAV share. I want to capture their website credentials, authenticate them, and then show them the contents of the directory.
So my question is:
Is there a way to get Forms Authentication disabled on a subfolder or Virtual Directory within a website which has Forms Authentication enabled?
I've verified that I can get around this by creating a new Application in my website and put the subfolder in there, and then disable Forms Auth on the Application itself, but I'd really prefer not to do that if possible.
Everything I've tried (listed below) has resulted with my request to map a drive to Http://localhost/MySubFolder getting taken over by Forms Authentication (at least that's what I think is happening) and redirected to /login.aspx?ReturnUrl=MySubFolder (as shown in Fiddler).
Here's what I've tried:
1) Added a separate Web.config in MySubFolder:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
2) Added a <location> tag in the root-level Web.config for MySubFolder like this:
<location path="MySubFolder">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
3) Looked at updating the Feature Delegation in IIS.
Personally, I had some doubt with the above solutions because from what I've read, they are meant to simply allow all access while still leaving Forms Authentication enabled. I need a way to actually get Forms Authentication disabled on my subfolder. Is this possible?
I should also note that my subfolder could be a Virtual Directory, but it's not required one way or the other. I just need a way for Forms Auth to be disabled on that folder.
As per request, my Web.config file (site-level):
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="MyConnString" connectionString="Persist Security Info=True;Initial Catalog=MyDB;Data Source=MyServer;User ID=UserName;Password=xxxxxxxxxx;MultipleActiveResultSets=True;"/>
</connectionStrings>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
</system.web>
<system.webServer>
<modules runManagedModulesForWebDavRequests="true" runAllManagedModulesForAllRequests="true">
<add name="CustomWebDAVModule" type="CustomWebDAVModule"/>
</modules>
</system.webServer>
</configuration>
This question has already been answered: Multiple/Different authentication settings in web.config
You can't override the root authentication mode="Forms" tag within location tags. Making the folder it's own application is the easiest way out.
Another option is to implement your own custom Forms authentication and have it ignore the redirect for your webdav folder.
<authentication mode="None">
Apparently you have not correctly setup WebDAV within IIS.
Since you want to use a custom webdav module for authentication we first need to ensure that IIS does not interfere with your WebDAV requests.
Follow these steps (note that the important point is in step 7):
Keep your web.config as is (as posted in the question).
Enable WebDav within IIS. Within the IIS manager select your website. Within the main window open WebDAV Authoring Rules.
In the actions pane (on the right) click Enable WebDAV.
Now select your sub-folder that you want to enable WebDAV for (I am using path3 in my example) by clicking it and then open WebDAV Authoring Rules.
Click Add authoring rule... in the actions pane (on the right).
In the dialog that opens make sure all of these are selected All content, All users, Read, Source and Write and click OK. This will grant access to all content of that subfolder to all users with all permissions.
Now the most important part. Since you want to handle WebDAV authentication through your custom WebDAV handler we must explicitly tell IIS not to interfere with authentication. How do we do that? We tell IIS to allow anonymous WebDAV access. This way IIS does not try to authenticate the user and your module is free to do its authorization operations. To go about doing this we will need to set Allow Anonymous Property Queries to True under WebDav settings. The next steps will highlight how to do this.
Open the site root WebDAV Authoring Rules.
Click WebDAV settings....
Set Allow Anonymous Property Queries to True.
Close and restart the WebDAV client that you will be testing on. This is to ensure that it does not cache connection parameters from the previous incorrect configuration.
Check to see if the WebDAV configuration of your website works as desired. :)
Within your custom HTTP Module, you can tell the Forms Authentication to supress the redirect via HttpResponse.SuppressFormsAuthenticationRedirect:
public class DavAuthenticationModule : IHttpModule
{
public void Init(HttpApplication application)
{
application.AuthenticateRequest += App_OnAuthenticateRequest;
}
private void App_OnAuthenticateRequest(object source, EventArgs eventArgs)
{
// Only applies for WebDAV requests.
var ctx = HttpContext.Current;
if (!ctx.Request.Path.StartsWith("/dav/path", StringComparison.OrdinalIgnoreCase))
return;
// So that forms auth won't do a redirect.
// Note that it will still attempt to read / parse the forms auth cookie.
ctx.Response.SuppressFormsAuthenticationRedirect = true;
// Now do my own auth.
DoBasicHttpAuthentication(ctx);
}
}
Another option is to hook the FormsAuthenticationModule.Authenticate event to authenticate before Forms Auth runs at all. This would require you to fish around in IIS for the module instance, which I don't have an example for.
Both these options are based on the .NET 4.6 reference source: http://referencesource.microsoft.com/#System.Web/Security/FormsAuthenticationModule.cs,ac471f8ac73cdb2b
I need some help with authentication when using the web reportviewer to view SSRS reports.
In IIS I've set "Windows Authentication" only and unchecked "Anonymous Access" and the other checks in the Directory Security tab. The result in my website is that WindowsIdentity.GetCurrent() returns the ASPNET user and Request.LogonUserIdentity the domain account of the user that logged in. On the page that hosts the ReportViewer control, I programmatically impersonate the Request.LogonUserIdentity, then set all the report/server properties and refresh the ServerReport, however this returns the "The request failed with HTTP status 401: Unauthorized." error and I'm 100% sure the Request.LogonUserIdentity has access to the report. To proof the impersonation worked, WindowsIdentity.GetCurrent() returns the same user as Request.LogonUserIdentity after the impersonation and I'm using the same impersonation when I need to query the database, just with a specific user.
I've noticed that on the ReportViewer1, the ServerReport property has a property for ImpersonationUser, but I'm not able to set this and can't find where to either.
Can anyone shed some light please! I've been working on this for days now....
It's not clear why you need to do impersonation yourself. If you're using Windows Authentication and have disabled anonymous access, then simply let ASP.NET flow the end-user's credentials to Reporting Server. Try adding the <identity> element to your web.config file:
<identity impersonate="true" />
Another issue you might be encountering (if your Reporting Server is on a different machine to your web server) is the NTLM double-hop problem and you may need to configure Kerberos in order to support credential delegation over multiple machines.
i've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup model box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)/
Now, with IIS7, when i turn Anon Auth off, and turn on Basic or Windows Auth, i get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.
does that make sense?
cheers!
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
</forms>
</authentication>
there is no authorization section.
also, when i add 'Digest Auth' to iis7 and enable that (and disable everythign else), i get the pop up window (kewl!) but i'm not sure what credentials i need to pass in. Where can i define those credentials manually (so they are seperate from the website's users) ??
IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.