MVC - Forms Authentication - 401.2 - asp.net-mvc

I am trying to set up FormsAuth for my MVC app. When I browse to the login action (which has the AllowAnonymous attribute), I get a 401.2 error. My web.config has:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
My IIS authentication settings for the web app have Forms Auth and Anon Auth enabled; the others (including Windows Auth) are disabled.
There are no web.configs in any parent directories overriding the settings.
As per the help screen, I have tried all the suggestions:
Causes
No authentication protocol (including anonymous) is selected in IIS. - Forms and Anon are enabled
Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication. - Not the case
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server. - Not the case
The Web server is not configured for anonymous access and a required authorization header was not received. - Anon is enabled
The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access. - Set to allow all
Things To Try
Verify the authentication setting for the resource and then try requesting the resource using that authentication method. - Done
Verify that the client browser supports Integrated authentication. - Using Chrome, other sites work
Verify that the request is not going through a proxy when Integrated authentication is used. - No proxy
Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section. - Verified
Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here. - When I run this I get an "AUTH_INVALID_ANON_ACCOUNT" error: Logon failure: unknown user name or bad password. (0x8007052e).
Any ideas? I've googled this for quite a bit, but cannot find a solution.
I've also tried changing the app pool to an app pool of a web app that I know works (with the same settings). Still failed.
It works fine with IIS Express.

Related

Why Request.IsAuthenticated is false when token generated from iframe for SSO azure B2C msal .net

I have 2 applications: one is an MVC web application with MSAL .NET code for Azure AD B2C login, and the second is a Power Apps portal using the same Azure AD B2C login. I have added an iframe into both applications for silent login if the user is logged in to either application. On the Power Apps portal it worked on all browsers (Chrome, Firefox, Edge, Opera), but for the MVC application it works only in Firefox; in the other browsers the request does not get authenticated. When I debug the iframe request, I am able to see the acquire-token call:
IConfidentialClientApplication confidentialClient = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(notification.AuthenticationTicket.Identity));
Globals.ClientInfo = confidentialClient;
// Upon successful sign in, get & cache a token using MSAL
AuthenticationResult result = await confidentialClient.AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code).ExecuteAsync();
Globals.AuthenticationResult = result;
Globals.Claims = notification.AuthenticationTicket.Identity.Claims;
Globals.EncryptedClaim = notification.JwtSecurityToken.RawData;
but in the callback function Request.IsAuthenticated is false.
My web application is using .NET Framework 4.7.1 and Microsoft.Identity.Client version 4.29.0; please help me resolve this issue.
Also, I am getting the below error for my B2C callback method on Chrome and Edge: the response cookies are automatically getting set to SameSite=Lax instead of None. Is this causing the problem with setting cookies for the iframe?
Thanks,
Sandy
Request.IsAuthenticated is FALSE when you deal with <authentication mode="Forms"> and TRUE if you deal with <authentication mode="Windows" />.
So, to solve this problem, check the authentication mode in your web.config. Add the following to your web.config:
<authentication mode="Forms">
<forms loginUrl="~/_Login/Login" timeout="30" />
</authentication>
and
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
</system.webServer>
Set the reply URL to your main homepage URL in both the registration and the config and make sure that the application ID and client ID are matching.
Refer to the following links for more information:
Microsoft AAD Identity And Access Management With MVC 5 Web Application.
Request.IsAuthenticated is false after logging into Active Directory| MSDN
If you are getting redirected to the login page after a successful login, then you will need to change the CookieManager:
var cookieOptions = new CookieAuthenticationOptions();
cookieOptions.CookieManager = new SystemWebCookieManager();
app.UseCookieAuthentication(cookieOptions);
Check this document for more information.

Session set on asp.net MVC application is getting lost after redirection back from ADFS 3.0

I have an MVC application which is integrated with ADFS.
Summary
I am setting a session value before calling ADFS authentication. After the return from the ADFS call, the session value I set previously is lost.
Detailed Description
Step 1: Calling the application URL
https://hrcentral/mainmodule/expense/index
Step 2: The above call redirects the request to the WIF component, which is an HttpHandler in my application,
hence the URL: https://hrcentral/federationMetaData/wif.axd?ReturnUrl=https://hrcentral/mainmodule/expense/index
In web.config I have the following setting for the redirection:
<authentication mode="Forms">
<forms loginUrl="~/FederationMetadata/WIF.axd" name="smartForms" />
</authentication>
Step 3: Setting a session value inside the WIF.axd HttpHandler, reading the return URL from the query string:
HttpContext.Current.Session["ReturnUrl"]="https://hrcentral/mainmodule/expense/index";
After setting the session value, it redirects to ADFS.
Step 4: ADFS authenticates and sends a POST request to https://hrcentral/federationMetaData/wif.axd, which is handled by the same WIF handler. We have a condition to check whether the request is a POST or not.
As this request is a POST, we read the previously stored session value containing the ReturnUrl and try to redirect back to our application.
Now the issue is that the session value set in step 3 (HttpContext.Current.Session["ReturnUrl"]=ReturnUrl) is not accessible after the redirection from ADFS in wif.axd.
In general, any session value set in our application is lost after the redirection from ADFS.
Authentication happens, and after that it redirects to https://hrcentral/mainmodule/expense/index.
Setting session

SPO Provider hosted Client web part not storing session cookie

I have a provider-hosted app which uses the SharePointContext filter for authenticating users. I'm storing the context token generated in the first request in a session variable and using it in subsequent calls.
When I click on the app in site contents and get redirected to the provider hosted app, everything is working fine.
But when I navigate to a page in SharePoint Online which has a client web part hosted in the provider-hosted app, the session does not work.
On inspecting the request headers sent by the app web part and by the app when it is opened directly, I found that the ASP.NET_SessionId cookie is not getting stored for the app web part, but it is when the provider-hosted app is navigated to directly.
I also found that the SPCacheKey cookie is stored in both cases; only the session cookie is not getting stored when loading via the app web part.
I tested this in Chrome as well as IE, and both give the same output.
I tried modifying the web.config as per this link:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="p3p" value="CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT""/>
</customHeaders>
</httpProtocol>
</system.webServer>
But it didn't solve the issue. Because the session is not getting stored, every AJAX call in my provider-hosted app is getting redirected to appredirect.aspx, which throws:
Access to xmlhttprequest at https://tenant.sharepoint.com from origin https://providerhosted.domain blocked by cors policy no access
Why is the ASP.NET_SessionId cookie not getting stored when loading via the app web part?
Please help
After searching for a solution to this problem using many different keywords in Google, I finally found one. It looks like this is an iframe issue. As the app web part loads inside an iframe, the session cookies are not stored inside the iframe.
As per this answer and this link, adding the cookieSameSite="None" attribute to the sessionState element of web.config fixed the issue.
<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>
As usual, this was caused by an update released by MS which changed the default value of the cookieSameSite attribute of session cookies from None to Lax.

How to find out the "current logged on user"?

I have an ASP.NET MVC app. It is hosted on Windows Server 2012 R2 joined to an AD domain.
The operating regime requires an HTTP proxy and credentials. When using a browser, the logged-in credentials of the (human) domain user are applied transparently.
My ASP.NET app uses HttpWebRequest. Although the documentation says it would use the proxy as set in Internet Explorer, it does not appear to be doing so. So I assign the proxy manually and set UseDefaultCredentials to true, which the documentation says means the credentials of the "currently logged on user" will be used. But the response came back with:
The remote server returned an error: (407) Proxy Authentication Required.
Under IIS Authentication settings, I have already enabled ASP.NET Impersonation: <identity impersonate="true" />. (Is this the right thing to do?) How do I find out the identity of the process that is used to make the HttpWebRequest?
Or what must I do to use the credentials of the domain user logged in to my app to access the proxy?
I think you may refer to the answers on another question right here.
I think it's exactly related to your question.

ASP.NET_SessionId Request Cookie Not Secure?

In the server response, I am adding the "secure" flag to all cookies by placing the following within web.config:
<system.web>
<httpCookies requireSSL="true" />
</system.web>
This seems to work, since the ASP.NET_SessionId cookie shows the "secure" flag in the response:
However, when I perform an action on the page and check the Dev Tools again, I notice that the very same cookie no longer has the "secure" flag in the client request:
I am using Internet Explorer 11 developer tools to view the Network.
Should the session cookie contain the "secure" flag in the client's request? If not, are there any security implications of having an "insecure" request cookie?
After spending some time looking into it, I did not find any code in my application that alters the cookies or the "secure" flag on them. Any information on the matter would be appreciated.
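Four of the threads above (the B2C silent-login iframe that only works in Firefox, the session lost after the ADFS POST, the SharePoint app part fixed with cookieSameSite="None", and the Secure flag that is visible on the response but not on the request) come down to one browser-side mechanism. The following is an added example, not code from any of the posts: a small Node.js model of how a browser decides whether a stored cookie is attached to a later request, using the Chrome 80+ defaults (a missing SameSite attribute is treated as Lax; SameSite=None is rejected unless Secure is also present). The cookie strings and request contexts are constructed samples, and the model deliberately ignores Path, Domain, Expires and Chrome's temporary "Lax+POST" grace period.

```javascript
// Added example, not code from the original posts. It models the browser-side
// rules that make the ASP.NET_SessionId cookie disappear in the iframe and
// ADFS-POST scenarios above, and shows that the Cookie request header carries
// only name=value pairs, so Secure/HttpOnly/SameSite can never show up there.
// All cookie values are constructed samples; the rules follow RFC 6265bis and
// the Chrome 80+ "Lax by default" behaviour (the temporary "Lax+POST" grace
// period is deliberately not modelled).

// Parse one Set-Cookie header value into a plain object.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // attribute absent; modern browsers treat that as Lax
  };
  for (const attr of parts.slice(1)) {
    const [key, val = ''] = attr.split('=');
    switch (key.trim().toLowerCase()) {
      case 'secure':
        cookie.secure = true;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      case 'samesite':
        cookie.sameSite = val.trim().toLowerCase();
        break;
      default: // Path, Domain, Expires, Max-Age are not needed for this model
    }
  }
  return cookie;
}

// A browser rejects SameSite=None cookies that are not also Secure, so they
// never reach the cookie jar at all.
function isAccepted(cookie) {
  return !(cookie.sameSite === 'none' && !cookie.secure);
}

// Request contexts (constructed): who is making the request and how.
const SAME_SITE_GET = { sameSiteRequest: true, topLevel: true, method: 'GET', https: true };
// SharePoint app part / B2C silent login: the page loads inside a cross-site iframe.
const CROSS_SITE_IFRAME = { sameSiteRequest: false, topLevel: false, method: 'GET', https: true };
// ADFS: the IdP POSTs the token back to the app from its own origin.
const CROSS_SITE_TOP_LEVEL_POST = { sameSiteRequest: false, topLevel: true, method: 'POST', https: true };

// Would the stored cookie be attached to a request made in ctx?
function wouldSend(cookie, ctx) {
  if (!isAccepted(cookie)) return false;
  if (cookie.secure && !ctx.https) return false; // Secure: HTTPS only
  if (ctx.sameSiteRequest) return true; // same-site requests always carry it
  const mode = cookie.sameSite || 'lax'; // absent attribute => Lax
  if (mode === 'none') return true; // Secure was already checked above
  if (mode === 'strict') return false; // never sent cross-site
  // Lax: cross-site only on top-level navigations using a safe method.
  return ctx.topLevel && ctx.method === 'GET';
}

// Build the Cookie request header for ctx. Only name=value is sent;
// attributes such as Secure exist only on the Set-Cookie response side.
function buildCookieHeader(setCookieHeaders, ctx) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => wouldSend(c, ctx))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed samples: the post-update default (Lax) versus the fix from the
// SharePoint answer (cookieSameSite="None" together with requireSSL).
const SESSION_LAX = 'ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax';
const SESSION_NONE = 'ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=None; Secure';
const SESSION_NONE_INSECURE = 'ASP.NET_SessionId=abc123; path=/; SameSite=None';

for (const [label, ctx] of Object.entries({ SAME_SITE_GET, CROSS_SITE_IFRAME, CROSS_SITE_TOP_LEVEL_POST })) {
  console.log(label);
  console.log('  Lax            ->', JSON.stringify(buildCookieHeader([SESSION_LAX], ctx)));
  console.log('  None + Secure  ->', JSON.stringify(buildCookieHeader([SESSION_NONE], ctx)));
  console.log('  None, no Secure->', JSON.stringify(buildCookieHeader([SESSION_NONE_INSECURE], ctx)));
}
```

Run it with node: the Lax session cookie is attached for the same-site request only, which is exactly the iframe and ADFS-POST failures described above, while the None + Secure cookie is attached in all three contexts and the None-without-Secure cookie is never stored at all. The buildCookieHeader output also answers the last question: the Cookie request header is a list of name=value pairs, so the Secure flag is not something the client echoes back; it is verified on the Set-Cookie response, where the httpCookies requireSSL setting puts it.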
