Same question was asked here but it was not a solution for me, its been more than 16 hours I'm trying to find solution for it.
I setup Windows Authentication for my MVC5 (ASP.Net Fw4.5) application using VS2013 (Windows Server 2012 R2) following are the major steps i did for setting up.
I have two controllers I put Authorize attribute on Home controller, About controller does not have any attribute on it
On project properties Enabled Windows Authentication
Web.Config as below
<authentication mode="Windows" />
<authorization>
<allow users="?" />
</authorization>
<identity impersonate="false" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<validation validateIntegratedModeConfiguration="false" />
IIS Settings
Anonymous Authentication is Enabled
Windows Authentication is Enabled (Provider: NTLM, Negotiate)
With these configurations my application works perfect on IISExpress, but when I access it through IIS it prompts for login/password upon giving correct username/password it keep repeating. (I can access About Controller without Authorize attribute)
I inspected request through Fiddler that bring something interesting. Below is the response when i access through IIS
When i access through IISExpress i can see there are three entries for single request two of them get 401 but third gets 200
I have an asp.net Web API server running under IIS, that until now has used windows authentication as it has only had other services running on the same domain conencting to it.
So, in my web.config I have the following settings...
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
....
With this I can use a browser (or the services) on the same domain and reach my services.
Now we want to allow Mobile applications to also connect. We will be using a a token based scheme based on this, and so far to use this I need to turn off the Windows authentication in my web.config to use this. If I leave in the windows configuration as above, I don't even get any of the Owin middle where methods (or custom filters) called when I, for example, se Postman to call a route with no windows authentication set.
So my question is
How can I allow either authentication, so that even a Browser (on the same domain) can still call the routes and be authenticated (via the Negotiate), but also allow other clients to use the token based scheme? Also (very important) how do I configure this in web.config to allow both?
Thanks in advance for any help!
I've an MVC5 project wherein modules are spread out across multiple web applications, deployed on a single IIS Server, single app pool.
Server: Windows 2008 R2 (SP1)
IIS: 7.5.7600.16385
Forms authentication is used and cross-application authentication is enabled by using common 'machineKey'
Problem
When using Internet Explorer 10/11 and do the steps below, cross-app authentication sharing no longer works.
1. Login and open another module
2. Signout
3. Login and open another module - !!gets redirected back to login page
This issue doesn't happen with Chrome and Firefox.
Config Sample
<system.web>
<httpRuntime targetFramework="4.5" />
<compilation debug="true" targetFramework="4.5" />
<machineKey validationKey="KEYXXX"
decryptionKey="KEYXXX"
validation="SHA1"
decryption="AES" />
<authentication mode="Forms">
<forms loginUrl="/login/login.aspx" timeout="120" cookieless="AutoDetect" name=".ASPXFORMSAUTH" />
</authentication>
</system.web>
Signout Code
FormsAuthentication.SignOut();
HttpContext.Session.Remove(MvcConstants.userContextSessionKey);
Appreciate help on this.
Application:
MVC Website running on IIS 8.5 / Windows Server 2012R2.
Requirements:
Restrict Access to certain user groups
Execute Code as the user that sends the requests (i.e. querying a Database, accessing files etc.)
Steps taken so far:
Web.config
<system.web>
<identity impersonate="true" />
<authentication mode="Windows" />
<compilation targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
IIS > Sites > $TheSiteName$ > Authentication > Disable all except Windows
IIS > Sites > $TheSiteName$ > Authorization Rules > Allow All
Active Directory > $TheServerName$ > Delegation > Trust this computer for delegation to any service (Kerberos only)
Results
IIS complains that impersonation is not possible in Integrated Pipeline Mode
When I change Pipeline Mode to classic, a authentication dialogue pops up, but seems to be inable to verify my credentials.
Any idea what I might have forgotten to get this to work? Why can't I access this website?
Soon as I got this going, I will have to take care of restrictions. Wild guessing as I am, I would assume it will be possible to add the restricted groups into the authorization rules, but I can't get to test it...Is this the right / best way to do that?
We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this anyone in the world access the error log because all they have to do is visit ourdomain.com/elmah.axd.
This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?
We running an ASP.NET MVC app on IIS 6.
The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.
Here's what I would recommend you:
Disable completely the elmah.axd handler on your main site
Configure elmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.
If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.
I found this is most acceptable for MVC applications:
http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html
You can point the elmah http handler to another url (for example "Secure/elmah.axd") in web.config. You can secure the url as any other asp.net page in the web config.
<httpHandlers>
...
<add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
<system.web>
<authorization>
<deny users="?" />
<!-- Or anything else... -->
</authorization>
</system.web>
</location>
We are successfully using this approach on IIS7 using active directory membership providers, and it works great. I am not sure if it works on IIS6 though.
If you're using ASP.NET Membership, it's pretty easy to restrict access to the elmah.axd HttpHandler for anonymous users and only allow logged in users in an "Administrators" group. I've done it like this:
<configuration>
...
<location path="elmah.axd">
<system.web>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Anybody who's logged in AND member of the "Administrators" role can access the page now.
Here are some useful links:
Securely Implement ELMAH For Plug And Play Error Logging
Securing Error Log Pages
If your intention is to disable remote users from accessing it, simply change the value of <security allowRemoteAccess="yes" /> to <security allowRemoteAccess="no" />
I used IP Restrictions from the IIS 7 configuration. By default, you can't simply apply it in <location path="elmah.axd"> because it's locked on the parent configuration level. As such, I created an empty folder "logs" and applied restrictions in IIS to this folder, then modified the location path for the elmah.axd file. That's it! You have remote access to yourdomain.com/logs/elmah.axd, but only from specific IPs.