MachineKey setting for AntiForgeryToken in ASP.NET MVC - asp.net-mvc

I was deploying my asp MVC 5 web site in Azure Web Site. Everything was fine until I tried to manage my account (changging the password), it gave an error like this:
The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
I was using Asp Identity, so all the code is built in. I have been searching the solution and found two possibilities:
1) It is because there are two #html.antiforgerytoken. One belongs to the MANAGE controller form, and the other belongs to the login partial view int he navigation bar. I tried to exclude the login partial view, but the error persisted, so I concluded that problem might not be it.
2) As the error says, maybe it is about MACHINE KEY. I tried to input setting to the web config. There are two popular ways to generate this machine key, fist is using ISS and the second is using third party. I wanted to use the ISS, but my ISS8 is not showing a modul to see the machine key which is weird that I could not find any solution for it. Then I tried the third party, and created something like this:
<machineKey validationKey="4359B782C08EF91E2AA6CA8AD46C0D63BF323E97ABAA06FBDA1535A1FA1CD2B7702B2BACDC937074ED65FC16D3ECA0F674BBAC8675910AF921D301CA22343AA1" decryptionKey="1A956B2A0405EC07AEBEFBA40DA7E61E2E17F001B868D7507EB3F3CD2AFF060E" validation="SHA1" decryption="AES" />
Then I redeployed my website but the error persisted. Can anyone please help me?

Related

ASP.NET User.IsInRole() with trusted-domain memberships

I have a .NET Framework 4.7.2 MVC 5 site that is using Windows Authentication to authorise access to actions based on AD group membership. This works fine for a single domain, but we have domain trusts in place and ASP does not seem to resolve memberships from other domains.
e.g.
Two domains: Parent and Leaf
The site runs in the Parent domain, which has local security groups setup: SiteAccess-L.
SiteAccess-L contains a single member Leaf\SiteAccess-G, which in turn has our user Leaf\User.
When I dump the contents of HttpContext.User.Identity.Groups (casting through WindowsIdentity), I can see all the Leaf domain groups that the user is a member of, but not any of the Parent domain groups. This only happens for remote users, if I access the site locally, it seems to work.
Running a simple C# app on the desktop of the web server with the same user account and calling WindowsIdentity.GetCurrent() will bring me back both domain group membership.
Does anybody know what gives here, and how I access the full cross-domain group memberships in MVC? If I use GetCurrent() in MVC, I get the service-account that the application pool is running under.
Thanks.
I finally got a resolution to this, but I don't fully understand why.
The issue it seemed to be with an SPN. When accessing the web page through a URL such as http://mysite.parent/ and a SPN was in place for this host, the issue described would occur.
Removing the SPN resolved the issue and all groups were viewable by the site. This is clearly Keberos related, but my understanding isn't deep enough to categorically say for sure.
In the end, the SPN wasn't needed so it could be removed to resolve the issue. Reference: https://www.aligrant.com/web/blog/2020-09-28_iis__do_i_need_to_use_a_spn

Implement AspNet Core Identity or Work account Authentication

This is not like other questions you might find similar. My issue is way bigger.
Scenario:
I have 3 websites. All of them have a common database for authentication and stuff.
Problem is that i will need to expand to 2 more sites, which means more maintenance in login screens and so on. So i will dedicate time to make a "central website" to manage users, access, etc.
Also, Need to implement OpenId for Microsoft Works accounts (ie, Azure tenants).
DDBB User Model: (Simplified)
All users are in the same central database. Which does not contains
anything non-user related.
User is personal on all applications.
Users can have different Roles
Each "User-Role" is mapped to an application, a server and a
database.
Problem:
Created a site in AspNet Core, without any authentication done so I can do it myself since I found that mapping Aspnet Identity tables was no-go because of incopatibilities and overriding is way to complicated, specially when dealing with Managers.
So, Tried and got working a simple Authentication page using HttpContext.Authentication.SignInAsync and CookieAuthentication. Which works well and there is no need to use any of the Identity's implementation (which is not compatible with my backend).
But then I added UseOpenIdConnectAuthentication to have the OpenId auth, but I have no idea how to use it since its suposed to work out of the box when using Identity and when checked documentation they use this code in an controller action: signInManager.ConfigureExternalAuthenticationProperties and I do not have any SignInManager since Im not using Aspnet Identity.
Questions:
Is coping the source of ConfigureExternalAuthenticationProperties to make it work in my site an aceptable solution?
Should I continue to override all SignInManager methods and also probably implement other classes to make Aspnet Identity work with my model?
Tried Mapping the properties to my columns just to test it out and it gave me non debuggable errors, which i dont like to even think about the problems this can give me in the future. For example one error was that it coudnt parse byte[] to string.
How can I implement Microsoft Work Accounts authentication and Database authentication in the same AspNet Site?
Bonus topic
Recently I feel like programming is becoming Configuring instead of coding. Is it just me? Are we now Professional Configurers?
Thanks

Umbraco AD integration for an intranet

Im wanting to build an intranet that will use Domain (AD) authentication and let the user not have to login. So Ive been looking at the AD package here and digging into the details a bit, it seems you have to configure a user & password in the web.config. Then I seen this example, which is seems to simply be using the AD membership provider and isnt putting any hard-coded username and password in the config file. Are those two approaches even talking about the same thing?
I just need simple pass-through authentication based on the identity of the user passed in from the browser. The question also comes up as to under which context will requests be made when the user uploads a file, edits content etc. Will it be Network Service or the passed in identity?
Since you have specified umbraco 7 in your question, I think you are much better of pursuing the option in your second link.
The first link was written for Umbraco 4.11, and an awful lot has changed since then. Can't tell you if the second link will simply work out-of-the-box, but imo, you have a better chance of being successful.

How to prevent "Swapping" of "Staged" Azure Websites from logging users out?

I have deployed a MVC3, Membership Services, .NET4, C#, Razor, EF4.1, SQL Azure Web application into Azure using Azure Websites(Standard).
I have been experimenting with the new "staging" feature where one can "swap" in an upgraded web application. Very good. What we would really like to do is to upgrade code without interfering with the end user ie Continuous integration of small fixes. However we have noticed that a "Swap" logs users out which is not ideal. I suspect this is to do with authentication cookies being lost after the "swap" so the session cannot authenticate resulting in the users being returned to the login page. Is there a way around this? The only thought I have had is to somehow persist the "essentials" in the database.
Thoughts appreciated.
Thanks in advance.
Since your "stage" application is on another instance, you will need to have a matching machineKey across the two applications. Add the following to your web.config, so that a machineKey is not auto generated.
<machineKey
validationKey="052851E2D519231BE84E455B4C4A9FBC0CAC53B8FE7BBA1917FC296ACE6F41832383347EAEC498F40978DDD3374E7A666AFD0ADC1084A9E48B1B40ADC918C9A6"
decryptionKey="7077D8F4C273E3FC5CE296F3B74897ACECF055F9BA01565372EE87B8746DE50F"
validation="SHA1"
decryption="AES" />
Replace the keys with your own. You can generate them through IIS or here. You can also change the encryption and decryption algorithms if you so choose.
More info on MSDN

Authorization problem, FormsAuth and ASP.NET MVC

I have a pretty simple ASP.NET MVC Site Application. (MVC 1.0)
I have NO authorization sections in my web.config because I use the [Authoize] attribute on my controllers.
The default web.config for the server allows * for forms authentication, as expected.
I have 2 existing Windows 2008 dedicated (hosted) servers. The site works well.
I have a new dedicated server, seems identical except the site just won't work. Every resource, even images/javascript is redirecting to the login page.
I tried adding explicit authorization rules to allow * and location rules, same result. I checked the .NET Trust level, Internal/Full Trust. Everything runs perfectly on two servers, just this one is ignoring all rules for authorization.
Any ideas?
thanks
I found the issue :) Unless something has changed in Windows 2008 I would have expected this to show as an error but as stated above, it was being hidden by Forms Authentication.
The issue was the hosting company now adds data drives to all servers for your websites/storage. There were no permissions set to allow IIS to read the files. The reason I couldn't find it was I already added permission for the application pool user, in my case I just went ahead and added ASPNET, Network Service, IIS Anon User etc to have full permissions.
I needed to allow Everyone to have at least Read to the website folders and then IIS showed the non-secured content. I still think it is odd that forms auth. was kicking in and ignoring all web.config rules but anyway.
I found the error by turning off Forms Auth support in the IIS 7 manager. Then I got the process failure error because of file permissions.

Resources