Umbraco 7 Custom Membership Provider use both Umbraco Users and external Members - umbraco

How can I use, in Umbraco 7, both the internal Users and roles that use the BackOffice and my custom users and roles (which come from an external SQL database)?
I want to log in to the Umbraco backoffice with the Umbraco users as it is, and use the external users with a separate login. I have already changed the web.config:
<add name="mynewMembershipProvider" type="mynewMembershipProvider, mynew" />
<add name="mynewrovider" type="mynewrsRoleProvider"/>
When I now go to my custom login, I can log in my custom user, but when I try
User.Identity.IsAuthenticated
or
User.IsInRole("xyz")
Umbraco is always looking at the Umbraco roles.
What have I done wrong?
Best regards, Michael

If I understand you correctly, you are leaving CMS and back office Users as-is, and you want to allow Member login on the public facing side of your site with a custom provider?
Did you set the default provider to your new membership provider?
<membership defaultProvider="mynewMembershipProvider">
...
</membership>
The default provider in the membership section should always point to the provider being used for public-facing Members - the backoffice internally asks for the UsersMembershipProvider every time it needs to authenticate, so changing the default will not affect it at all.
It is also possible, depending on your setup (I haven't tried this), that if you did not include a <clear/> directive then the original Umbraco member provider is causing problems.
Here is a full working <membership> section using a custom BCrypt hashing provider from an Umbraco 7 install of mine:
<membership defaultProvider="BCryptMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="BCryptMembershipProvider"
type="cFront.Web.Security.BCryptMembershipProvider"
connectionStringName="umbracoDbDSN"
requiresUniqueEmail="0"
/>
<add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" passwordFormat="Hashed" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="BCryptRoleProvider">
<providers>
<clear />
<add name="BCryptRoleProvider" type="cFront.Web.Security.BCryptRoleProvider"
connectionStringName="umbracoDbDSN"
availableRoles="SuperUser,Administrator,Manager,User"
/>
</providers>
</roleManager>
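A way to check a web.config against the points in the answer above (defaultProvider names a declared provider, <clear/> comes first, UsersMembershipProvider stays registered), as an added example that is not part of the original answer. The function name `audit_providers` and the sample fragment are constructed for illustration, and the same checks are applied to <roleManager> as well.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): <membership> lacks <clear/> and
# defaultProvider; <roleManager> points at a provider that is not declared.
SAMPLE_BAD = """<system.web>
  <membership>
    <providers>
      <add name="mynewMembershipProvider" type="mynewMembershipProvider, mynew" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="MissingRoleProvider">
    <providers>
      <clear />
      <add name="mynewRoleProvider" type="mynewRoleProvider, mynew" />
    </providers>
  </roleManager>
</system.web>"""

BACKOFFICE_PROVIDER = "UsersMembershipProvider"  # name the answer's config registers

def audit_providers(system_web_xml, require_backoffice=True):
    """Return a list of findings for the <membership> and <roleManager> sections."""
    root = ET.fromstring(system_web_xml)
    findings = []
    for section in ("membership", "roleManager"):
        node = root.find(section)
        if node is None:
            findings.append(f"{section}: section missing")
            continue
        providers = node.find("providers")
        children = list(providers) if providers is not None else []
        names = [c.get("name") for c in children if c.tag == "add"]
        if not children or children[0].tag != "clear":
            findings.append(f"{section}: no <clear/> first, inherited providers stay registered")
        default = node.get("defaultProvider")
        if default is None:
            findings.append(f"{section}: defaultProvider not set, the inherited default applies")
        elif default not in names:
            findings.append(f"{section}: defaultProvider '{default}' is not declared here")
        if section == "roleManager" and node.get("enabled", "false").lower() != "true":
            findings.append('roleManager: enabled is not "true"')
        if section == "membership" and require_backoffice and BACKOFFICE_PROVIDER not in names:
            findings.append(f"membership: {BACKOFFICE_PROVIDER} is not declared")
    return findings

if __name__ == "__main__":
    for finding in audit_providers(SAMPLE_BAD):
        print(finding)
```

Pass `require_backoffice=False` when auditing a site that is not an Umbraco install.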


Using Active Directory Membership Provider for Site Authentication

I have an MVC site that I am in the process of converting from Forms to Federated Authentication. I am able to connect to the ADFS server and verify authentication. However the site currently uses an ActiveDirectoryMembershipProvider to verify the roles of the users as different roles permit different access.
I cannot figure out how to populate the MembershipProvider so that I can use things such as this:
User.IsInRole(@"MY-ROLE")
and this:
[Authorize(Roles = "MY-ROLE")]
I have this snippet in my web.config which works for forms authentication but isn't working in my federated site:
<membership defaultProvider="ADMembershipProvider">
<providers>
<clear />
<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionProtection="Secure" attributeMapUsername="sAMAccountName" connectionStringName="ADConn" connectionUsername="LotusLDAPUser" connectionPassword="LotusLDAPUser" />
</providers>
</membership>
I have read a lot of MSDN docs and am still having trouble, so please don't just answer with a link to docs. I would appreciate some sample code.
UPDATE:
I added a RoleProvider to my web.config. The role provider was being used in the forms application version successfully, so I believe the values are correct I just missed adding it to the web.config of the federated version. Here is what I have:
<roleManager enabled="true" defaultProvider="ActiveDirectoryRoleProvider" cacheRolesInCookie="true" cookieName=".ADLibraryROLES" cookiePath="/" cookieTimeout="1440" cookieRequireSSL="false" cookieSlidingExpiration="true" createPersistentCookie="true" cookieProtection="All">
<providers>
<clear />
<add name="ActiveDirectoryRoleProvider" connectionStringName="ADConn" connectionUsername="LotusLDAPUser" connectionPassword="LotusLDAPUser" attributeMapUsername="sAMAccountName" type="MyNamespace.ActiveDirectoryRoleProvider" />
</providers>
</roleManager>
It is still returning false for
User.IsInRole(@"MY-ROLE")
and
[Authorize(Roles = "MY-ROLE")]
for a user I know to be in "MY-ROLE".
The problem was that I wasn't setting the Session Token Cookie. In the forms authentication version I had the code:
FormsAuthentication.SetAuthCookie(user.UserName, true);
When testing the Federated version I wasn't setting the authentication cookie; this line is needed:
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
Where token is a SessionSecurityToken created from my Claim.

Tags in Web.Config?

In the project's Web.Config of MVC, there are tags such as
<profile defaultProvider="DefaultProfileProvider">
<providers>
<add name="DefaultProfileProvider"
type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
connectionStringName="OfficeData" applicationName="/" />
</providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
...
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
...
</roleManager>
What are they? And what is their purpose?
Those elements are the basic configuration for ASP.Net Membership, the default authentication/authorization system for ASP.Net. There's lots of configuration you'll want to do, but at a high level you have three sets of configuration:
profile - a system for saving user related profile information (By default a weird data schema is used, and should be avoided)
membership - the central place for configuring authentication (passwords storage, resetting, etc.)
roles - your users will be grouped into roles within your app, this is where you configure that
ASP.Net Membership is solid, but dated and inflexible. The new standard is ASP.Net Identity.

using windows authentication with active directory groups as roles

I've read several questions on this topic,
such as here, here, here and here;
but none have provided a working solution in my case.
What I want to do:
Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.
Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.
So I want to be able to decorate Controllers / Actions with
[Authorize(Roles="SomeRole")]
What I've tried:
I have
<authentication mode="Windows" />
in my web.config. And I have added several permutations of a <roleManager> as found in some of the posts linked to above. Currently I have this role manager
<roleManager defaultProvider="WindowsProvider"
enabled="true"
cacheRolesInCookie="false">
<providers>
<add
name="WindowsProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
as found in this post.
As it is, if I decorate a controller with [Authorize], I can access it fine.
However:
I can see in my user settings on the network that I am part of an AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is served by the ASP.NET development server for a 401 not authorized. This is unexpected. I would think that I should be able to view the page as I am logged in to Windows and am part of the group "IT".
Most everything I am finding on this topic makes it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.
For dev I am using IISExpress
with development server properties of the MVC project set up so that
Anonymous Authentication is Disabled and Windows Authentication is Enabled.
The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.
In my web.config I have:
<system.web>
....
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
....
</system.web>
I can use
[Authorize(Roles = @"DOMAIN\ADGroup")]
public ActionResult Index()
{...}
or
public ActionResult Index()
{
var User = System.Web.HttpContext.Current.User;
if (User.IsInRole("DOMAIN\\ADGroup"))
{
return RedirectToAction("IRSAdmin");
}
return View();
}
After I remember to log off and log back in, so that the permissions I was given in the AD group are applied.

ASP.Net SQLExpress: Cannot open user default database. Login failed

I have 2 SQL express databases: one for my application data and another for the MembershipProvider data. When I attempt to use the CreateUserWizard control, I get the following error:
Error: Login failed for user 'SFP\Susan'.
I can connect to and see the DB in the Server Explorer, along with all its tables and data. What is the problem?
Thanks in advance
It sounds like the MembershipProvider connection is not correctly set up in your web.config file. It should look something like this (with "MyAwesomeDatabaseConnectionName" being the name of the configured connection string, in the connectionStrings section of the file):
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MyAwesomeDatabaseConnectionName"
applicationName="MyAwesomeApp"/>
</providers>
</membership>
Also, it looks like you are configured for Windows authentication, but if your membership data is in a database, you'll want to configure for Forms authentication:
<authentication mode="Forms">
<forms loginUrl="~/myloginpage.aspx"
defaultUrl="~/myhomepage.aspx" />
</authentication>

Multiple ASP.net MVC2 applications on IIS7 ( hosting an MVC app. in another MVC app. )

What I am trying is the following:
I got an MVC app. running DIRECTLY in "Default Web Site"...
I got another app. ( ProductionService ) which is another standalone app..
Looks like this in IIS-Manager:
My problem is that a request to "ProductionService" is not routed to the app., but instead is handled by the MVC app. running under "Default Web Site".
I tried the MVC IgnoreRoute method, but it didn't change the result. Here is my last "RegisterRoutes" with all my trial and error ;)
routes.IgnoreRoute("Staging/{*pathInfo}");
routes.IgnoreRoute("ProductionService/{*pathInfo}");
routes.IgnoreRoute("StagingService/{*pathInfo}");
routes.IgnoreRoute("/Staging/{*pathInfo}");
routes.IgnoreRoute("/ProductionService/{*pathInfo}");
routes.IgnoreRoute("/StagingService/{*pathInfo}");
routes.IgnoreRoute("~/Staging/{*pathInfo}");
routes.IgnoreRoute("~/ProductionService/{*pathInfo}");
routes.IgnoreRoute("~/StagingService/{*pathInfo}");
routes.IgnoreRoute("~/Staging/{*pathInfo}");
routes.IgnoreRoute("~/ProductionService/{*pathInfo}");
routes.IgnoreRoute("{*Staging*}");
routes.IgnoreRoute("{*ProductionService*}");
routes.IgnoreRoute("{*StagingService*}");
So, any ideas what I can do? Maybe configure sth. in IIS directly?
I found it... the web.config is somehow inherited by the sub-applications, so if I do a construct like this in the sub-app, for my case it was solved:
<!-- This is required if you want to run with sub-applications in IIS as it inherits the web.config somehow...-->
<membership>
<providers>
<clear/>
</providers>
</membership>
<roleManager enabled="false">
<providers>
<clear/>
</providers>
</roleManager>
<pages>
<namespaces>
<clear/>
</namespaces>
</pages>
