MVC 3 Authentication Issue - asp.net-mvc

I have a few web applications running on production server.
Scenario:
Web App1(e.g. www.test.com): In this web application, User logs in and cookies are created in this application. User can do some other functionalities here, although on click of 1 button, it is required to redirect to another web application (WebApp2)
Web App2 (on different subdomain, e.g. abc.test.com): The session created earlier is to be passed here. Hence, I had used same machine key for Web.config in two webapps (Web App1 and Web App2) (As suggested on Link: Sharing sessions across applications using the ASP.NET Session State Service).
Issue:
Although, the session is getting shared fine and everything works great on staging.
But, on production, I am getting this error:
Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'System.Web.Security.FormsIdentity'
It seems to me that the session sharing is not happening for some reason on production. Can you please guide me on the possible cause of this issue.

Either: Enable Forms authentication on production IIS
or: ensure your web.config on production (sessionState)
It looks like roots are configuration issues on production.

Related

Override MachineKey on Microsoft Azure App Services across multiple App Service Plan

I'm trying to set the Machine Key in Web.Config of ASP.Net MVC apps but it sounds like Azure automatically provisions unique machine keys for each web app and overrides what's in my Web.Config.
The reason I want to do that is because I have an App Service which is used as Authentication App. That's where users will login. And I also have plenty of other apps that will be using the Token provided by the first app. Doing this will Authenticate users at one unique place and users will be able to navigate through some modules in a portal being authenticated only once. It works very well in localhost or hosted in IIS, but on Azure Hosted App Service it seems like the Machine Keys aren't read properly or something even if I reset the machine-key configuration section upon Application_Start.
I tried the solution described Here, but as #gorillapower said
Seems this isn't working for us. We are using .NET 4.6.1 and using OWIN startup with app.UseCookieAuthentication() and using a Redis cache session provider. I implemented the above, but the user keeps getting logged out after a slot swap. Any ideas?
It also seems that when you run an ASP.NET application on multiple instances of an App Service Plan (ASP) you do not need to worry about machineKeys as the App Service Platform will use the same one across all your instances and therefore will not need to make any changes to your application.
But in my case, our Apps are all in different App Service Plans. So this solution doesn't apply.
Any clues about this problem?
Thanks
Generate machine Key and add into web.config file
It will work for Web Farm / load balancer either in IIS or Azure Web App service.
Note : It will only work if you are using IAppBuilder->UseCookieAuthentication-> CookieAuthenticationOptions
<system.web>
  <!-- Key values as posted in the original answer; generate your own pair for each deployment. -->
  <authentication mode="None" />
  <machineKey validation="HMACSHA256" decryption="AES" validationKey="D6883865C0490AFA4907A046E838DD2C7B13B636694B552630C13770701B944A" decryptionKey="2C3C48562E6FE018E71B69BDB27D06048A573C094A962AA9A1547C3D874C63B0" />
</system.web>

ASP.NET Core identity shared across browser

When I'm deploying an ASP.NET Core web application to Azure, I have an issue with the session: they are shared across browsers.
Explanation: I'm going to my deployed site, I log in with my email/password then I'm logged in. If I open the website in another browser on the same machine or on another machine, I'm now connected with the credentials I used in the first browser.
I deployed the default template from Visual Studio without any changes.
Is there something to do to resolve this issue or am I missing something?
Pretty sure this functionality is by design... and it makes a lot of sense - you wouldn't want to have to re-authenticate if you opened another tab to view a document in your on-line banking would you?
If you need to logon without sharing the cookies with existing browser (it will be the cookies that are holding the reference to the session that ensures the server knows who you are) you need to start a new session. For Internet Explorer this is simply File >> New Session.
For Chrome it is a little more complicated but explained here... Separate session for each window

Why do I have unstable session in a MVC3 application with godaddy servers

I have an MVC3 application on GoDaddy servers and the session is quite unstable.
When I login it works fine but while navigating in the application it logs me out, and hitting refresh or navigating a little more inside the application it logs me in just like that (without asking credentials or anything). On my remote test servers and locally it works fine.
This is probably not a session issue but rather an authentication cookie/ticket issue. GoDaddy (most likely) has their servers load balanced. Meaning that your application actually exists on more than one server at a time.
In your web.config, if you are not properly defining the <machineKey> attribute, then IIS makes up a machine key for you. Each server running the application will make their own machine key if it is not defined by you. As a result, one server is able to decrypt and read your authentication ticket, while the next request goes to another server which cannot decrypt the authentication ticket because it was encrypted with a different key and this server thinks that you are not logged in.
To address this issue, open your web.config file and define your <machineKey> attribute and redeploy. Once you login with the newly deployed application, you should see this issue disappear.
Forms authentication and Machine Key information on MSDN
Machine Key Generator (Most likely, everyone going here should use the .NET 2.0 version that is generated)
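An added example (not part of the original answer): a Python check that compares the machineKey settings of several web.config files, which is the condition the answer above says must hold across load-balanced servers or cooperating applications. The sample configs, node names and placeholder key values are constructed, and keys are reported only as short hashes.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config samples; the key values are short placeholders, not real keys.
_MK = ('<configuration><system.web><machineKey validation="HMACSHA256" decryption="AES" '
       'validationKey="{v}" decryptionKey="{d}" /></system.web></configuration>')
SAMPLES = {
    "www":   _MK.format(v="AA11", d="BB22"),
    "abc":   _MK.format(v="aa11", d="bb22"),   # same keys, different hex case
    "node3": _MK.format(v="CC33", d="BB22"),   # different validationKey
    "node4": _MK.format(v="AutoGenerate,IsolateApps", d="AutoGenerate,IsolateApps"),
    "node5": "<configuration><system.web /></configuration>",  # no machineKey element
}

def machine_key_state(config_xml):
    """Return (status, fingerprint); status is 'explicit', 'autogenerate' or 'missing'."""
    mk = ET.fromstring(config_xml).find("system.web/machineKey")
    if mk is None:
        return "missing", None
    keys = [mk.get("validationKey", ""), mk.get("decryptionKey", "")]
    if any(not k or k.upper().startswith("AUTOGENERATE") for k in keys):
        return "autogenerate", None
    algos = [mk.get("validation", ""), mk.get("decryption", "")]
    material = "|".join(s.strip().upper() for s in algos + keys)
    # Report a short hash so the output never echoes key material.
    return "explicit", hashlib.sha256(material.encode()).hexdigest()[:12]

def audit(configs):
    """configs maps a name to web.config text. Returns a sorted list of findings."""
    states = {name: machine_key_state(xml) for name, xml in configs.items()}
    findings = [f"{name}: machineKey {status}, keys are generated per server and cannot match other nodes"
                for name, (status, _) in states.items() if status != "explicit"]
    groups = {}
    for name, (status, fp) in states.items():
        if status == "explicit":
            groups.setdefault(fp, []).append(name)
    if len(groups) > 1:
        # Nodes in different groups cannot read each other's authentication tickets.
        ordered = sorted(sorted(g) for g in groups.values())
        findings.append("mismatch: " + " vs ".join(",".join(g) for g in ordered))
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(SAMPLES):
        print(line)
```
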

WIF SessionAuthenticationModule not executing correctly

I have an odd situation occurring that I am trying to diagnose and would appreciate any advice on where to look.
I have an ASP.NET application using WIF that contains another ASP.NET application as a child in IIS 7.5. This child application contains a REST based web service. Accessing this service directly by pasting a URL into a browser will redirect to an ADFS sign in page. This is how I expect it to work. The odd part is that I have a second environment with the same applications and service deployed, and in this environment I am never redirected to the sign in page.
I have checked that all web.config files are identical, and also checked all IIS settings that I thought might be related. Browsing to web pages on the second environment requires a login, but not when browsing directly to the REST .svc file. I checked all HttpModules and Handler Mappings in IIS. I also enabled tracing of Microsoft.IdentityModel events and on the first environment can see basic entries for a redirect to the STS. On the second environment I don't see any WIF events. The SessionAuthenticationModule appears to be called when I examine the data flow using IIS failed event tracing, but I am not sure why it isn't requiring authentication.
I am familiar with cookie related issues with WIF and made sure that all cookieHandler settings were correct. I also closed browser windows and cleared all cookies to make sure the SessionAuthenticationModule wasn't seeing previous WIF cookies.
If you can think of anything else I should check please let me know.
If you have the same application in two separate environments bound to the same instance of ADFS, the URLs must be different so I am puzzled by the statement "all web.config files are identical"?
Have you tried re-running FedUtil on the application that doesn't work?
Also check AppPool settings.
After a lot of trial and error and carefully examining the applicationHost.config files between the two servers I found out this was caused by a difference in the ordering of HTTP handlers. The ExtensionlessUrl-Integrated-4.0 handler was picking up the request on one server and redirecting to ADFS. On the other server the svc-Integrated-4.0 handler was responding to the request first. You can read more about this behavior here: http://support.microsoft.com/kb/2520479

Authorization problem, FormsAuth and ASP.NET MVC

I have a pretty simple ASP.NET MVC Site Application. (MVC 1.0)
I have NO authorization sections in my web.config because I use the [Authorize] attribute on my controllers.
The default web.config for the server allows * for forms authentication, as expected.
I have 2 existing Windows 2008 dedicated (hosted) servers. The site works well.
I have a new dedicated server, seems identical except the site just won't work. Every resource, even images/javascript is redirecting to the login page.
I tried adding explicit authorization rules to allow * and location rules, same result. I checked the .NET Trust level, Internal/Full Trust. Everything runs perfectly on two servers, just this one is ignoring all rules for authorization.
Any ideas?
thanks
I found the issue :) Unless something has changed in Windows 2008 I would have expected this to show as an error but as stated above, it was being hidden by Forms Authentication.
The issue was the hosting company now adds data drives to all servers for your websites/storage. There were no permissions set to allow IIS to read the files. The reason I couldn't find it was I already added permission for the application pool user, in my case I just went ahead and added ASPNET, Network Service, IIS Anon User etc to have full permissions.
I needed to allow Everyone to have at least Read to the website folders and then IIS showed the non-secured content. I still think it is odd that forms auth. was kicking in and ignoring all web.config rules but anyway.
I found the error by turning off Forms Auth support in the IIS 7 manager. Then I got the process failure error because of file permissions.
