i've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup model box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)/
Now, with IIS7, when i turn Anon Auth off, and turn on Basic or Windows Auth, i get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.
does that make sense?
cheers!
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
</forms>
</authentication>
there is no authorization section.
also, when i add 'Digest Auth' to iis7 and enable that (and disable everythign else), i get the pop up window (kewl!) but i'm not sure what credentials i need to pass in. Where can i define those credentials manually (so they are seperate from the website's users) ??
IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.
Related
Assumptions:
Client is a Web application (ASP.NET) configured for STS Passive Issue
Server is a MVC Application with 2 services (1. Issues a token and other gets metadata)
Server on the other hand configured for Forms authentication and should redirect to Login page if unauthenticated access is made.
Workflow:
end user tries to load client.
It contact the STS by redirecting to the STS server.
The server is configured with Forms authentication with a redirect URL.
But Server does not redirect to login page. instead it allows to call the Issue end point.
I tried to restrict via authorization tag in web.config. Also, i tried location tag to set authorization explicitly. But it still allows the call.
i referred many blogs
How to: Enable the WCF Authentication Service
How to: Customize User Login When Using the WCF Authentication Service
But no luck.
This is easy to achieve with ADFS. Use the following steps if ADFS is your STS:
Navigate to the folder where ADFS web application is located (normally C:\inetpub\adfs\ls)
Make a copy of the current web.config for safety
Open web.config in notepad
Locate
In , change the order of authentication to assure that it lists Forms Authentication first
The order must look like this:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
Save the changes (you do not need to restart ADFS)
Navigate to your application and click on Login. Instead of sending the login request to ADFS, a page containing a login dialog will pop up. Please enter your credential and click ok. Then, you will get the same result as above.
Reference articles:
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part I
Claims Aware MVC4 App using WIF Identity and Access tool in .Net 4.5 Part II
I have an asp.net web site, earlier version of the application need to run in classic mode, the latest version can run in integrated mode. Generally the application is configured to use Forms Authentication but it can be configured to used Windows Authentication.
There is a business requirement that even when running IIS in Windows Authentication the application should still support forms authentication this is so administrators are forced to login with a username/password. This is handled internally with code that determines whether to log the user in or redirect to login
ISS6 allowed this configuration with no problems and in fact IIS 7 can be configured in this way, except for the fact that it shows an "Alert" message "iis7 Challenge-based and login redirect-based authentication cannot be used simultaneously". This message doesn't appear to be strictly true as the application seems to work as intended, happily supporting IIS as windows auth but the asp.net app thinking its forms auth.
The problem I have is with the "Alert" message, as this will no doubt cause confusion and support calls.
Is there way to provide both windows auth and forms auth and keeps IIS7 UI happy?
There's a well detailed proposal that basically does the following:
Applies Forms authentication everywhere as this is not applicable piecemeal on a site. Then to have a gateway page (login) where the windows authentication takes place. It's not flicking a switch but I'm going to be trying it myself.
I'll report back on how it goes if there's interest.
I have several WCF services in an ASP.NET application. I want to prevent applications from outside of my domain from accessing these services. Is there a configuration setting that allows me to block requests from outside of my domain?
Thank you!
What you want is authentication. Limiting access based on domain is not a secure manner of authentication.
If you don't want expose services to Internet you should not host them on public server. If you really need this you should first start to look for way to secure your services on network level. For example I guess ISA server should be able to block requests to your services.
EDIT: This will prevent all non-authenticated users from getting to your services. If you need users in your domain who aren't authenticated to access the services, let me know and I'll update accordingly.
Are you using authentication in your ASP.NET application?
<system.web>
...
<authentication mode="Forms">
<forms protection="All" defaultUrl="login.aspx" ... />
</authentication>
...
</system.web>
If so, your .svc files will be inaccessible until your users authenticate. If a non-authenticated user tries to access a .svc file, they will be redirected to your login page.
EDIT(2):
Since you need non-authenticated access to the services within your site, one thing you can consider is having a cookie that's sent to the user's machine upon the first visit to the site. The cookie could use a create date and some secret key to create a hash, and you can validate the hash on the server for each request. Requests from other sites wouldn't pass the cookie and your service would manually check to see if that cookie is there or not -- if it's not there, then the request is denied.
If your WCF services has ASP.NET compatibility enabled (true) and AspNetCompatibilityRequirementsMode set to Allowed or Required, you should have access to HttpContext and cookies. Here's more information about ASP.NET compatibility mode.
This may not be the most appropriate solution as I don't know your scenario and requirements. But hopefully this helps.
I need some help with authentication when using the web reportviewer to view SSRS reports.
In IIS I've set "Windows Authentication" only and unchecked "Anonymous Access" and the other checks in the Directory Security tab. The result in my website is that WindowsIdentity.GetCurrent() returns the ASPNET user and Request.LogonUserIdentity the domain account of the user that logged in. On the page that hosts the ReportViewer control, I programmatically impersonate the Request.LogonUserIdentity, then set all the report/server properties and refresh the ServerReport, however this returns the "The request failed with HTTP status 401: Unauthorized." error and I'm 100% sure the Request.LogonUserIdentity has access to the report. To proof the impersonation worked, WindowsIdentity.GetCurrent() returns the same user as Request.LogonUserIdentity after the impersonation and I'm using the same impersonation when I need to query the database, just with a specific user.
I've noticed that on the ReportViewer1, the ServerReport property has a property for ImpersonationUser, but I'm not able to set this and can't find where to either.
Can anyone shed some light please! I've been working on this for days now....
It's not clear why you need to do impersonation yourself. If you're using Windows Authentication and have disabled anonymous access, then simply let ASP.NET flow the end-user's credentials to Reporting Server. Try adding the <identity> element to your web.config file:
<identity impersonate="true" />
Another issue you might be encountering (if your Reporting Server is on a different machine to your web server) is the NTLM double-hop problem and you may need to configure Kerberos in order to support credential delegation over multiple machines.
I've posted this on Server Fault, but as there is sort of a programming aspect to it, I'll post it here too.
I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.
So, I need a mixed mode authentication. I need the site to be only accessible through windows auth, without anon users, but once you are in, it needs to use forms auth only. How would I go about doing this the right way?
EDIT:
Here's a clarification. The site must work like this.
You go to the URL and a windows auth login pops up. You sign in with a domain accout that has access. If you don't have access, it shows you the 401 error.
If you have access, you hit the site. However, the site doesn't use your windows auth username. It uses forms Auth. So, you have to sigh in to the site using the forms auth.
The problem is, when I set it up to do step 1, it uses your windows username in step 2. I don't want it to do that.
Trick here is to change the provider for your authentication to use Active Directory, rather than change the settings to Windows.
Or, use a version of the following provider:
<add
name="AdProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="YourAd"
applicationName="YourApp"
enablePasswordReset="false"
/>
With a version of the following connection string:
<add name="YourAd"
connectionString="LDAP://[your DC]/OU=[your OU],DC=[your domain],DC=[your extension]"
/>
Authorization-wise, you have some options. If it is based on domain groups, then you'll need to get azman wired up. If it is application controlled, you'll need to line up the AD users with the database-stored roles.
PS: I suck at LDAP connection strings, you can probably do alot more with it than I did.
Well, seems like I answered the wrong question. I'll leave this up for posterity's sake, but you should just try to disable Anonymous Authentication for the site.
I found my answer here:
IIS7 and Authentication problems
The short of it is, in IIS 7 you cannot have two-tiered authentication like you could with IIS 6.