Authentication mode Windows not working - asp.net-mvc

When I try to access my page I only get redirected to login.aspx, which is not what's intended.
What I'm after is instead a windows login popup where I authenticate if my current logged in user is not allowed, and if it is, it goes straight to the application.
I'm running a MVC4 project on an IIS6 webserver (yeah, I know.).
I've disabled "Enable anonymous access" in Directory Security - Authentication and access control and checked in "Integrated Windows authentication".
My web.config looks as follows:
<authorization>
  <allow roles="DOMAIN\Role1"/>
  <deny users="*"/>
  <deny users="?"/>
</authorization>
<compilation targetFramework="4.0" debug="true"/>
<authentication mode="Windows">
</authentication>
Any clues?

I finally figured this out, by finding this stackoverflow question:
ASP.NET MVC3 and Windows Auth on IIS keeps redirecting to /Account/Login
By removing the references WebMatrix.Data.dll and/or WebMatrix.WebData.dll it worked as intended.

Related

ASP.NET MVC - logoff issue with IE when using common machineKey for cross-app auth

I've an MVC5 project wherein modules are spread out across multiple web applications, deployed on a single IIS Server, single app pool.
Server: Windows 2008 R2 (SP1)
IIS: 7.5.7600.16385
Forms authentication is used and cross-application authentication is enabled by using a common 'machineKey'.
Problem
When using Internet Explorer 10/11 and doing the steps below, cross-app authentication sharing no longer works.
1. Login and open another module
2. Sign out
3. Login and open another module - !!gets redirected back to login page
This issue doesn't happen with Chrome and Firefox.
Config Sample
<system.web>
  <httpRuntime targetFramework="4.5" />
  <compilation debug="true" targetFramework="4.5" />
  <machineKey validationKey="KEYXXX"
              decryptionKey="KEYXXX"
              validation="SHA1"
              decryption="AES" />
  <authentication mode="Forms">
    <forms loginUrl="/login/login.aspx" timeout="120" cookieless="AutoDetect" name=".ASPXFORMSAUTH" />
  </authentication>
</system.web>
Signout Code
FormsAuthentication.SignOut();
HttpContext.Session.Remove(MvcConstants.userContextSessionKey);
Appreciate help on this.

MVC2 site + Windows Authentication = 401 Not Authorized

We have an MVC2 site that we need to add Windows Authentication to, for the sole purpose of capturing the AD login name -- the site, itself, does not need to be restricted. All pages on it are open to all on our network.
So in our web.config, we have this:
<authentication mode="Windows" />
And several location nodes to open up the various areas of the site to all users:
<location path="default">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path=".">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="sales/index">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
However, when we try to hit sales/index, for example, it prompts for the login, and even a correct login will yield a 401:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
Some other details:
We don't have any sort of authorization action filters, because as I said, the whole site should remain open to all on our network.
We have IIS (site and app pool) configured identically, best we can tell, to another (MVC3) site where authentication works.
We also have folder permissions configured identically between the two.
The only difference we can think of, at this point, is the broken one is an MVC2 site, and the working one is an MVC3 site.
The broken MVC2 site will prompt for a user, whereas the working MVC3 site does not -- it uses passthrough authentication.
The broken MVC2 site will return the same response for a valid user, both with a valid password, or with an invalid password.
The broken MVC2 site will continue to prompt for a username/password if an invalid user is entered.

CSS and scripts don't work until the user logs in to the website - ASP.NET MVC 3 Web Site

I have an ASP.NET MVC 3 site and I publish it in IIS 7.5 (framework 4.0), and the problem is that the CSS and the scripts don't work until the user logs in to the website. So:
The website was created as a virtual directory and converted into an application.
The mode is forms authentication.
I enabled forms and anonymous authentication in IIS.
The web config has:
<location path="Content" allowOverride="true">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="Scripts" allowOverride="true">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
    <globalization culture="pt-BR" uiCulture="pt-BR" />
  </system.web>
</location>
<authorization>
  <deny users="?"/>
</authorization>
Note: the DLLs that I added in the bin directory: System.Web.Helpers.dll, System.Web.Mvc.dll, System.Web.Routing.dll, System.Web.WebPages.dll.
I tried to change the path in the location to "~/Content", but I got the same result.
I tried to put the allow tag in the authorization tag as:
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
But I got the same result.
What am I missing?
I figured it out. It was something I missed from my checklist when setting up a new IIS application: Select the application, double-click "Authentication", select "Anonymous Authentication", then Edit, and change it to use the Application Pool Identity. Make sure that user has permissions on the folder that contains the site like the others said.
I've had this problem too, and it's not the ASP.NET authorization that is the problem; it's the rights to the files in the filesystem.
You need to make sure the website runs under an account that has access to the files. For my internal testing I usually make the website run under my account, but I guess this wouldn't be a good idea security-wise if you host it in public. You can set this under advanced settings -> Physical Path Credentials for the website.
Try to allow content path, where your scripts and css files are stored:
<configuration>
  <location path="content" allowOverride="true">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
I see that you figured it out and you are happy with your answer.
I also had this problem, but it was not an app pool authentication issue. Instead, I just allowed all users access to the locations of the css/js files, so at least the login page would render appropriately until the user logged in.
e.g. by putting this web.config file in the root of /site/public (or wherever your necessary css & js files are collected)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
I agree with Mikael that it could be file access rights; try giving permissions to the Everyone account, and if that cures your problem, find out which account IIS uses for the Application Pool you use and give permissions to it.
Also, if it doesn't work, try to put web.config files inside folders Scripts and Content, with authorization attributes only.
And also there is a little possibility that you overtuned your Routing in some way, and it intercepts real file requests.
IUSR is generally the default impersonation user configured for anonymous authentication. If that is the case, I would make sure that IUSR has read permissions to the folders in question.
You can configure the site to use a different user as well, but I'm not sure that I'd simply switch the site to run as the application pool user. The application pool user often has more permissions than the anonymous user would/should have.
To follow up on the accepted answer, you can add the authentication tags inside the location so that you don't have to manually set this in IIS when deploying on new machines. This only shows one path, but it's easy to copy it for other paths like ~/Scripts, ~/Fonts, or any other static content you want to reference.
<location path="Content" allowOverride="true">
  <!-- Authorize all users -->
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- Authenticate anonymous users -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

Why is my style sheet redirecting me to login?

I am sure this has something to do with IIS but I can't figure it out.
I have a website using forms authentication. When my website tries to access any file resources (javascript files, css, etc), I am redirected to the forms login page set in my web.config. I also get redirected if I just type the address into the address bar.
The web.config entry for forms auth is pretty basic:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
There are also two location nodes to deny users from other parts of the site:
<location path="n2">
  <system.web>
    <authorization>
      <allow roles="Editors" />
    </authorization>
  </system.web>
</location>
<location path="web.config">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
I am using the standard IIS7 install on Windows Server 2008 R2.
Edit
So, if I add a random auth cookie (FormsAuthentication.SetAuthCookie()), the resources become available, I know it has to be my authentication model that's messed up somehow. It works on another server (I just copied it over). Any ideas how I can track the problem down?
I had the same error, in my case the trick was setting Anonymous Authentication to use the App Pool identity instead of IUSR in IIS
Open IIS
Expand Sites
Select [YourWebSite]
Double click Authentication (will be under the IIS "Area" or the Security "Category")
Select Anonymous Authentication
Click Edit in the Actions pane
Click the 'Application pool identity' radio button
Don't use <location> tags in web.config to handle authorization in an ASP.NET MVC application, as locations no longer make any sense. All you need in web.config is the authentication tag. In MVC, authorization can be achieved by decorating the proper controllers and/or actions with the [Authorize] attribute.
I use allow * for my Content folder. That will prevent any authorization from happening for static content.
<location path="Content">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Rick
In IIS, my Anonymous Authentication was on correctly and the user was set to IUSR. Therefore, I needed to go into Windows Explorer, navigate to my web app directory, right-click for Properties, Security tab, Edit button, and give IUSR Read, List, and Read & Execute permissions (the default set). Ensure the changes will be inherited by all children, apply, possibly wait, and you're good to go.
It's been a long time since I did any ASP.NET forms work, but the first question would be: are you sure your user is a member of the "Editors" role? You can use the Web Site Administration tool to set this up, I think.
http://msdn.microsoft.com/en-us/library/ssa0wsyf.aspx
That is because you have set deny to everyone. In IIS 7, because of the integrated pipeline you will get redirected even when you try to browse CSS or any static page.
Put the static content inside a folder if you like and allow access to it.
I had exactly the same and found it was because I had forgotten to allow anonymous access to the website from inside IIS! This meant that the FormsAuthentication was always kicking in, even for the static resources that were not protected.
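
How ASP.NET URL authorization resolves allow/deny rules like the ones quoted in these threads, as an added example that is not part of any post above: rules are checked from the most local `<location>` outward, the first match wins, and the machine-level default is allow-all. The sample web.config, the user names and the helper names are constructed for illustration, and the sketch ignores the `verbs` attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule shapes mirror the configs quoted in these threads.
SAMPLE = """<configuration>
  <location path="Content">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="n2">
    <system.web><authorization><allow roles="Editors" /></authorization></system.web>
  </location>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
</configuration>"""

# ASP.NET's machine-level default rule: allow everyone.
MACHINE_DEFAULT = [("allow", {"*"}, set())]

def _csv(rule, attr):
    return {v.strip() for v in rule.get(attr, "").split(",") if v.strip()}

def rules(node):
    """[(action, users, roles)] from node's own <system.web><authorization>."""
    return [(r.tag, _csv(r, "users"), _csv(r, "roles"))
            for r in node.findall("./system.web/authorization/*")]

def decide(rule_list, user=None, roles=()):
    """First matching rule wins; user=None models an anonymous request."""
    for action, users, rule_roles in rule_list:
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user in users)
                or rule_roles & set(roles)):
            return action
    return "deny"

def audit(xml_text, user="bob", roles=()):
    """Per path ('' = site root): (anonymous decision, decision for `user`)."""
    root = ET.fromstring(xml_text)
    site = rules(root) + MACHINE_DEFAULT
    report = {"": (decide(site), decide(site, user, roles))}
    for loc in root.findall("location"):
        merged = rules(loc) + site  # most local rules are checked first
        report[loc.get("path")] = (decide(merged), decide(merged, user, roles))
    return report

if __name__ == "__main__":
    for path, (anon, authed) in audit(SAMPLE).items():
        print(f"{path or '(root)':10} anonymous={anon:5} role-less user={authed}")
```

In the output, `n2` still admits a signed-in user who is not in `Editors`: an `<allow roles="...">` with no `<deny users="*"/>` after it falls through to the parent rules and the allow-all default.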

ASP.NET MVC: AuthorizeAttribute on default page

The default controller in my ASP.NET MVC project is decorated with the [Authorize] attribute. When I deploy the website on my development machine and access the website, I am redirected to the login page (defined in forms loginUrl section of the Web.Config). Result: everything works as expected.
When I publish the website on our production server (Windows Server 2008, IIS 7, DefaultAppPool) and access the website, the expected address shows in the address bar (/Account/LogOn?ReturnUrl=*my_expected_return_url*), but the page displays "You do not have permission to view this directory or page." instead of the login page. If I remove the [Authorize] attribute on the default controller/action, the page displays correctly.
My Web.Config file:
<sessionState mode="InProc" timeout="30" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Do you have a section in your web.config to explicitly allow non-authorised users to access the ~/Account/LogOn page?
<configuration>
  <location path="~/Account/LogOn">
    <system.web>
      <authorization>
        <allow users="*" />
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
