ASP.NET Identity Core cookie causes http 403 error when login and logout multiple time - asp.net-mvc

I have developed an ASP.NET MVC 5 application and it is hosted on shared hosting - IIS 10.
For authentication, I am using identity to check authentication.
I'm logging in and out multiple times in my application. After 6 or 7 attempts, it directs me to the 403 error page.
After clearing the cache from the browser, it works fine again.
Please assist me to find a solution.
I updated the machine key as well. Still getting the same issue.
The error initiates from the dynamic compression module when we check the tracing.

I got an answer from the Hosting team. They have installed (ModSecurity) WAF to block requests from understanding the behavior of requests. After disabling it, this works fine now.
It will definitely help someone.
Thanks.

Related

ASP.Net Application keeps prompting for credentials

We have an MVC application hosted on IIS 6 web server. It uses integrated authentication. It's been hosted there since last 5 years. Recently our IT department had installed some patches on the server. After the patch installation, suddenly our application started prompting for credentials. When user enters his credentials, it again prompts for credentials. It keeps on repeating and user will not be able to get into the application. When user cancels the credentials window, it gives the below error:
401 - Unauthorized: Access is denied due to invalid credentials.
Can somebody, please guide me to understand why it might have occurred and how to fix this?
We actually ran into this about 8 months ago. It brought down our entire environment for 3 days. At that time we came to find that it was a Microsoft patch that was applied to our web servers in regards to NTLM authentication. I will look and see if I can find the documentation on exactly what KB it was. Our solution was (at the time) to temporarily roll back the patch. Long story short is the underlying cause turned out to be that the patch that was installed had specific dependencies on other patches being installed on the web server AND our domain controllers. I will follow up and edit my answer when I get into the office, but I recommend checking the server to see what patches got installed and take note of if any in regards to NTLM.
Try remoting into the server. Then while you are in, minimize your screen and try hitting the website again. I bet it will work and authenticate. If that is the case, then you are seeing the exact same thing we were. I will follow up in a little bit with more specifics.

ASP.Net MVC Identity 2.0 - Unexpected Logging users out after frequent application recycling

I have an issue with Identity 2.0 on Asp.NET MVC 5 project.
I am not using sessions, just the basic out of the box cookie based features.
My shared server currently recycles the application at a high frequency.
When this happens all the users get logged out.
The ApplicationCookie in the HttpContext.Request.Cookies remains the same but you get redirected to the login page and all identity.user properties are no longer there.
Is this normal and what sort of workarounds are there for maintaining logins after recycling?
Any advice would be really appreciated.
Is this a cache or machinekey issue?
(the website has plesk IIS interface so I don't have full control over it)
Still not sure why the server is restarting the application regularly as none of the settings reflect this. However, found the reason for the users being logged out is due to Identity 2 using a machine key that gets refreshed every time it resets the app.
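
An added example (not from the original posts) of the web.config setting behind the logout problem described above: when no explicit `machineKey` is configured, ASP.NET generates the keys itself, and a cookie protected under an old key fails validation once the key changes. The key values are placeholders to be replaced with your own randomly generated hex strings.

```xml
<configuration>
  <system.web>
    <!-- Default behaviour when no machineKey element is present, shown
         commented out for comparison. The keys are generated by the
         runtime, so the site owner does not control when they change.
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!-- Fixed keys: cookies issued before an application recycle still
         validate afterwards, and every server in a farm can read them.
         Placeholders only: generate the values with a cryptographic
         random generator (128 hex characters for validationKey,
         64 hex characters for decryptionKey). Treat this file as a
         secret and keep the real keys out of source control. -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARACTERS"
                decryptionKey="PLACEHOLDER_64_HEX_CHARACTERS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

Anyone who obtains these keys can forge authentication cookies for the site, so rotate them if the file is ever exposed; rotating them logs out all current users.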

WIF SessionAuthenticationModule not executing correctly

I have an odd situation occurring that I am trying to diagnose and would appreciate any advice on where to look.
I have an ASP.NET application using WIF that contains another ASP.NET application as a child in IIS 7.5. This child application contains a REST based web service. Accessing this service directly by pasting a URL into a browser will redirect to an ADFS sign in page. This is how I expect it to work. The odd part is that I have a second environment with the same applications and service deployed, and in this environment I am never redirected to the sign in page.
I have checked that all web.config files are identical, and also checked all IIS settings that I thought might be related. Browsing to web pages on the second environment requires a login, but not when browsing directly to the REST .svc file. I checked all HttpModules and Handler Mappings in IIS. I also enabled tracing of Microsoft.IdentityModel events and on the first environment can see basic entries for a redirect to the STS. On the second environment I don't see any WIF events. The SessionAuthenticationModule appears to be called when I examine the data flow using IIS failed event tracing, but am not sure why it isn't requiring authentication.
I am familiar with cookie related issues with WIF and made sure that all cookieHandler settings were correct. I also closed browser windows and cleared all cookies to make sure the SessionAuthenticationModule wasn't seeing previous WIF cookies.
If you can think of anything else I should check please let me know.
If you have the same application in two separate environments bound to the same instance of ADFS, the URLs must be different so I am puzzled by the statement "all web.config files are identical"?
Have you tried re-running FedUtil on the application that doesn't work?
Also check AppPool settings.
After a lot of trial and error and carefully examining the applicationHost.config files between the two servers I found out this was caused by a difference in the ordering of HTTP handlers. The ExtensionlessUrl-Integrated-4.0 handler was picking up the request on one server and redirecting to ADFS. On the other server the svc-Integrated-4.0 handler was responding to the request first. You can read more about this behavior here: http://support.microsoft.com/kb/2520479

Basic authentication in IIS MVC 3 site not working

I have just deployed an MVC 3 site to my Windows 2008 Web Edition (IIS 7) server, and am trying to set up Basic Authentication so that it will not allow unauthorized access. This seemed to work at first, but once I was troubleshooting a problem and making changes, now that this issue is fixed, my basic authentication for some reason no longer works -- it's letting anybody on.
Under my Authentication settings in IIS7, I have Basic Authentication enabled, and all other forms of authentication disabled. I've also tried other various combinations, and so far, everything I've tried is leaving the site wide open.
I wondered if it was caching my credentials, so I tried from a different browser from which the site has not been accessed, and it's still leaving it open.
Am I overlooking something obvious here? I thought all I had to do was leave all forms of authentication disabled, except for Basic? Any ideas what could be going on?
If not, any ideas on what I could do to troubleshoot? Is there anything I could see in Firebug to see what may be going on?
Thanks in advance.
Ultimately, this was what I was trying to accomplish, I just wasn't sure how to articulate it. After reading the article linked in that answer, I'm going to try to figure out a different way to limit access to this site (either by IP or using my single-level authentication).

Authorization problem, FormsAuth and ASP.NET MVC

I have a pretty simple ASP.NET MVC Site Application. (MVC 1.0)
I have NO authorization sections in my web.config because I use the [Authorize] attribute on my controllers.
The default web.config for the server allows * for forms authentication, as expected.
I have 2 existing Windows 2008 dedicated (hosted) servers. The site works well.
I have a new dedicated server, seems identical except the site just won't work. Every resource, even images/javascript is redirecting to the login page.
I tried adding explicit authorization rules to allow * and location rules, same result. I checked the .NET Trust level, Internal/Full Trust. Everything runs perfectly on two servers, just this one is ignoring all rules for authorization.
Any ideas?
Thanks
I found the issue :) Unless something has changed in Windows 2008 I would have expected this to show as an error but as stated above, it was being hidden by Forms Authentication.
The issue was the hosting company now adds data drives to all servers for your websites/storage. There were no permissions set to allow IIS to read the files. The reason I couldn't find it was I already added permission for the application pool user, in my case I just went ahead and added ASPNET, Network Service, IIS Anon User etc to have full permissions.
I needed to allow Everyone to have at least Read to the website folders and then IIS showed the non-secured content. I still think it is odd that forms auth. was kicking in and ignoring all web.config rules but anyway.
I found the error by turning off Forms Auth support in the IIS 7 manager. Then I got the process failure error because of file permissions.
