I have 2 applications under the same website in IIS7.5. The problem is the follow:
Open the browser and login the first application;
Open another browser tab and login the second appication;
The first application automatically logout.
I have the same asp.net authentication DB but I created two different users with different roles and different ApplicationId. I also set different applicationName attribute in membership provider configuration in applications web.config file.
Can you help me please? Sorry for my English.
Thanks.
If the IIS website is configured to use Forms-Based Authentication, then the problem is most likely that the cookie for the 2nd login (which is a different user) is overwriting the cookie from the initial login. By default, the cookie is named ".ASPXAUTH". You should be able to verify this by inspecting the response headers returned from IIS using something like Fiddler.
You can control the cookie name IIS uses to maintain the session by changing the "name" attribute in the element in the web.config. See this documentation for more details. An example of this portion of the web.config would be something like:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="APP1SESS" />
</authentication>
If the applications are contained within single, separate sub-folders, then you could also use the "path" attribute instead to tell the browser to only send the cookie for requests in that sub-folder. Be careful here as any shared resources like images that are not in the sub-folder would need to be publicly accessible.
The //authentication/forms element can only be specified at the root level of the application. Check this SO post for a discussion on that.
Related
I have an MVC5 project (with other underlying projects), using Web Forms Authentication (SimpleMembership).
Later, I created a second MVC project in the same solution. I changed the port for IISExpress debugging to be different than that of the original so I can access both sites when I debug.
http://localhost:12345/MainAppIndex
http://localhost:54321/SecondaryAppIndex
My current login information however, is shared between both projects. If I log in the first site and open the second, it uses my first login's credentials.
I literally made the second app by copying the first project, tweaking around the .csproj file and solution file, then stripped a bunch of stuff away to start with what I needed. (I also created a new aspnet membership database and pointed the new project to that db, so both apps have their own membership database).
What setting do I have to change for IIS Express to view these as two different logins?
And... will this be an issue in production if a user happens to look at both at the same time (or even swapping back and forth with only one open at once?)
This turned out to be a cookie issue. By changing the web.config to set a non-default cookie name (the default being .ASPXAUTH, apparently), they are then treated as separate logins.
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH-PROVIDERS" loginUrl="~/Account/Login" timeout="2880" />
</authentication>
</system.web>
You need to use another database or 2 applications will continue using the same database.
In order to do that, go to Web.Config (at the root) and use other Connection String.
Then go to Models -> IdentityModels.cs and change the name of the Connection string to your new connection string.
I am building a local intranet web application which uses the current user's AD credentials to access the system. My web server is running IIS 7.5 on Server 2008.
My AD is configured with two groups, Users and Admins, both of which I want to access my web application and I have added the two groups (read/execute permissions) to my directory in IIS. My web.config is pretty standard and I do not have any additional filters in my Global.asax file.
I am able to access my application if I use my user or admin account, but my coworker can not, which further complicates things. My accounts do not have any permissions on the folder - only the groups to which they belong.
Authentication mode is set to Windows, but unfortunately every attempt as my coworker to access the website fails with the following:
HTTP Error 401.0 - Unauthorized
You do not have permission to view this directory or page.
The "most likely cause" box suggests:
The authenticated user does not have access to a resource needed to process the request.
I just can not figure this out. If I create a sample mvc3 application and deploy it in the same directory, I can authenticate and view pages fine as any user.
There can be many reasons for this.
Your controller needs to be decorated with appropriate authorization attribute like following
[Authorize(Roles = "Administrator")]
In your web.config, you need to have following code inside your system.web configuration
<roleManager enabled="true" defaultProvider="YourRoleProvider">
Finally you need to see if that user has been added to their respective roles
I'd the exact same issue. After having few hours of research, it seems to be very easy way to deal with this issue.
<system.webServer>
<modules>
<!--<remove name="FormsAuthentication" />-->
</modules>
</system.webServer>
I'd to remove <remove name="FormsAuthentication" /> statement from modules attribute in Web.config file which was added by default while creating default MVC website.
I had the same problem in MVC 4, and I have resolved it with this:
[AllowAnonymous]
(Add this line in controller, above action you are calling when this error appears.)
I have an intranet application using windows authentication that works great. Now I have a requirement to expose an Api area. This area should use basic authentication but to keep things easy I am first just trying to make this area allowed to anonymous.
I am using IIS 7.5 and it is configured like this:
IIS > My Intranet Site > Authentication > Windows Authentication Enabled,
everything else Disabled
in the application root web.config I have
<authentication mode="Windows"></authentication>
All the intranet controllers (except for Api Area) inherit from a BaseController that have an AuthorizeAttribute
I tried adding
<location path="~/Api">
<system.web>
<authentication mode="None" />
</system.web>
</location>
In the web.config for the API area, but no go, still get prompted for credentials.
My application structure looks like this
-IntranetApp
--Controllers
--Areas
----Area1
----Area2
----Api
All should be using Windows Authentication except for Api area.
Thanks for any help/pointers.
I don't know details, but the way I've seen "mixed" authentication done is two web applications. The one with windows authentication enabled will then use the ASP membership API to authenticate the user(and automatically create a username if necessary using information from domain account) and then redirect to the other site. Both site's membership config share the same application ID, keys, etc.
You are probably running into this:
"you cannot achieve this within a single application because in IIS once you set up Windows authentication for a virtual directory it will no longer accept users from different domains."
See this for more information on setting up one version of this:
ASP.NET MVC and mixed mode authentication
I'm creating an intranet asp.net mvc application that everyone in the company should have access to. I need to run the website impersonated for database access etc., but I want to know who each user is.
When I look at Page.User.Identity.Name it's blank. Is it possible to get the user's windows account name even though the site is running impersonated?
Edit:
Here's a little more info. I have a site in IIS 6 running with anonymous access enabled. The site is running under a system account that has access to the database (because all of the employees do not have access to the database).
My web.config has <authentication mode="Windows" /> and <identity impersonate="true"/>
My goal is that the users won't have to log in - that fact that they are logged into our network (and the fact that the site is not on an external IP) is enough authentication. I would just like to know who the user is in order to track changes they make, etc.
With <authentication mode="Windows"/> in your application and Anonymous access enabled in IIS, you will see the following results:
System.Environment.UserName: Computer Name
Page.User.Identity.Name: Blank
System.Security.Principal.WindowsIdentity.GetCurrent().Name: Computer Name
With <authentication mode="Windows"/> in your application, and ‘Anonymous access’ disabled and only ‘Integrated Windows Authentication’ in IIS, you will see the following results:
System.Environment.UserName: ASPNET (user account used to run ASP.NET service)
Page.User.Identity.Name: Domain\ Windows Account Name
System.Security.Principal.WindowsIdentity.GetCurrent().Name: Computer Name\ASPNET
With <authentication mode="Windows"/> and <identity impersonate ="true"/> in your application, and ‘Anonymous access’ disabled and only ‘Integrated Windows Authentication’ in IIS, you will see the following results:
System.Environment.UserName: Windows Account Name
Page.User.Identity.Name: Domain\ Windows Account Name
System.Security.Principal.WindowsIdentity.GetCurrent().Name: Domain\ Windows Account Name
try this
System.Security.Principal.WindowsIdentity.GetCurrent().Name
It should return a string with the users login name
I just wanted to post my fix, because no one else had said anything about it.
I was having the same issue when I published the site to the server, but not on my local. All the settings were the same. However, in IIS the "Default Website" had never been turned off. It was running and intercepting traffic, even though there was no site associated with it. Anonymous Authentication was turned on in the default, but turned off in my website running under port 80. It didn't seem to matter that my site had it turned off... since the default was turned on it was turned on for all traffic to port 80.
Disabling the default web fixed the issue. Also changing the port to 8080 works.
I hope this helps someone.
Unless this functionality has changed under the MVC framework, and I don't think it has, Page.User.Identity.Name should still work. Sounds like your site is set up to allow anonymous authentication. If so, try disabling it.
Exactly as per the title.
Simply in my HomeController I have:
string Username = User.Identity.Name;
Why is this value always blank?
Is there something special I have to place in the web.config to get this value to come through. I've tried on both the VS dev web server as well as on a windows server 2003 IIS server.
It's got to be something simple, a server setting in IIS or something as the code is so simple and seems to be the correct way to reference this value.
Thx a lot
If you are wanting to use windows authentication it's not enough to just add
...
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
...
You also want to check the readme file instructions for the MVC project, especially if your running in IIS Express and using Visual Studio 2012.
See below:
Hosting on IIS Express:
Click on your project in the Solution Explorer to select the project.
If the Properties pane is not open, open it (F4).
In the Properties pane for your project:
a) Set "Anonymous Authentication" to "Disabled".
b) Set "Windows Authentication" to
"Enabled".
Hosting on IIS 7 or later:
Open IIS Manager and navigate to your website.
In Features View, double-click Authentication.
On the Authentication page, select Windows authentication. If Windows authentication is not an option, you'll need to make sure
Windows authentication is installed on the server.
To enable Windows authentication on Windows:
a) In Control Panel open "Programs and Features".
b) Select "Turn Windows features on or off".
c) Navigate to Internet Information Services > World Wide Web Services > Security
and make sure the Windows authentication node is checked.
To enable Windows authentication on Windows Server:
a) In Server Manager, select Web Server (IIS) and click Add Role Services.
b) Navigate to Web Server > Security
and make sure the Windows authentication node is checked.
In the Actions pane, click Enable to use Windows authentication.
On the Authentication page, select Anonymous authentication.
In the Actions pane, click Disable to disable anonymous authentication.
Sure is mate. You need to authenticate with the website. That's the name used for authentication.
You are authenticating, right?
It's not a setting, etc.
Click the LOG IN link, if you're using the stock standard ASP.NET MVC template (if my memory serves me right).
UPDATE (as the posted has added more info/comments)
So what you're after is Windows Authentication. A quick google search came up with this post. It's pretty helpful (though a bit old, but still relevant) .. check that out.
Found a better post with MVC code for Windows Authentication. Check that out instead.
Config setting that is important, is...
...
<system.web>
...
<authentication mode="Windows"/>
...
</system.web>
...
If you do not wish to Authorize on every controller or action, you can do a blanket authorization in the web.config file. This should work as long as you are using Windows authentication. If you allow ASP.NET to control the authentication, then you would not need to configure any IIS setting. It should then work well with whatever web server that you are running on. I do not know or assume what u have tried so far I'll try to be complete in my answer. First remark off the forms authentication tag in web.config. All following settings are placed in the system.web configuration section.
<!--
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
-->
Replace with the Windows authentication tag.
<authentication mode="Windows" />
Then add the authorization tag to deny access to anonymous users. If the users are using Internet Explorer and are connecting from an Intranet zone, IE automatically will login the user. But if the user is connecting from the Internet zone, IE will still display a login box though for safety. But these are options that can be set from IE.
<authorization>
<deny users="?" />
</authorization>
Setting authentication mode alone without authorization does not force the user to be authenticated in ASP.NET. If you want to control the security from IIS, I cannot help much with IIS settings but I know basically you can disable Basic Authentication , then enable Integrated Windows Authentication and then disable the Anonymous Login Account which will achieve the same or better results.
I am also working on an MVC project at the moment and I tested the above settings with my project and it works. You would not need the Authorize attribute since we have the authorization tag in the configuration. I hope this can be of help to you and not get another -1.
Have you attached Authorize attribute to ur action or controller?
public class HomeController : Controller {
[Authorize]
public ActionResult Index() {
string userName = User.Identity.Name;
return View();
}
}