I am looking to implement Simple Membership authentication for a wildcarded sub-domain application. Users will login to a root site (i.e. www.localhost.com) and be redirected to a psuedo sub-domain site (www.user1.localhost.com). There is only one application on the server.
The following web.config entry for authentication is not working:
<authentication mode="Forms">
<forms loginUrl="~/Account/SignIn" timeout="2880" domain=".localhost" />
</authentication>
The above entry will not authenticate users into the root site or any of the user specific sites. My local hosts file is configured correctly.
Is this authentication scheme possible with Simple Membership? Am I missing a step?
Whether you are using SMP or the standard membership provider has nothing to do with the FormsAuthentication process and the cookie transmission and decryption.
In addition to setting the domain property to your top level domain make sure that you have configured the same machine keys on both applications.
Related
We have asp.net mvc web application, hosted in IIS with Windows authentication enabled (we are using active directory to authenticate users).
At some point (in production), users found themselves logged in using different users, the login usually done when user login to their laptops/PCs in the organization, so it is expected the website to always show their logged in user to the PC/laptop cause that is their identities.
For IIS, we are storing session state in Sql server, and we are maintaining sessions using HttpContext.Session in the application.
I need some guides on how I can track the source of the issue. Is there a tool or what code I can share with you that might help ?
Thanks!
Make sure that:
You have “Integrated Windows Authentication” (formerly called NTLM
authentication) enabled within IIS for the application you are using.
You should then add a web.config file to the root directory of
your ASP.NET application that contains an <authentication> section
which sets the mode to “Windows”.
You should also then add an <authorization> section to the same
web.config file that denies access to “anonymous” users visiting the site. This will force ASP.NET to always authenticate the
incoming browser user using Windows Authentication – and ensure that
from within code on the server you can always access the username and
Windows group membership of the incoming user.
The below web.config file demonstrates how to configure both steps described above:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Troubleshooting ideas...
For seeing the error, I would make sure you are showing the current user HttpContext.Current.User.Identity.Name; on each page. Refresh the page and make sure the user doesn't change. Go to other pages and do the same. Clear all cookies and application state in the browser, close the browser, then re-open the browser and go back to the site. You should still be logged in as the same user every page and every browser session. If this is intermittent, you may have to repeat this a few times to reproduce the error.
Does this every happen when running local IIS Express on developer machines? Does it ever happen in other environments (test, staging) where the code is deployed? If not, what is different about production?
Is there a proxy server between the users and the production web server? Or even some of the users, like if they come in through VPN?
How do i implement Window Active Directory authentication for Intranet user and Forms authentication for Internet users, i found many examples online explaining each of them individually but can't get to find one that explain both implemented together.
I have my ASP MVC 4 project working with Forms Authentication but was requested to add Windows Active Directory authenticate for intranet users. How do i do it?
My existing Forms Authentication
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" name=".ASPXFORMSAUTH"/>
</authentication>
I am only just beginning to explore this type of situation myself so I am not going to try and give a definitive answer, but I think that you will want to start looking at Claims Based Authentication and Secure Token Services (STS)
Have a look at:
Least Privilege by Dominick Baier; as well as some of his
pluralsight courses to get a better understanding of what you're trying to achieve.
I have an MVC 3 website that is using Forms authentication. The user logins and navigates to a Silverlight 5 application. The Silverlight app is calling a Silverlight-Enabled WCF service on another port. Because one of my requirements is to use Https/SSL, I decided to move the WCF services into a "Services" folder in my MVC application.
To see if the service is working, I typed in the address of my service. I got an error message stating my service requires anonymous access, but the website is specified to use forms authentication. So, I removed my mexHttpBinding in my web.config for my service and added authenticationScheme="Negotiate" to my httpTransport of my binding. (I'm not to https yet).
Now, I get a 302 and am redirected to the log-in page. It seems that my service is suggesting i'm not logged in. So, I added
routes.IgnoreRoute("{resource}.svc/{*pathInfo}");
and
routes.IgnoreRoute("Services/");
but that hasn't made a difference. I think the service says i'm not authenticated, but I'm certain I am.
Can someone explain what I'm doing wrong?
All of this works when I debug on my localhost, but I can't access the service when I deploy to a server.
Edit
I may have found my answer. I turned on anonymous access for my website in IIS and changed the httpTransport's authenticationScheme to the default (Anonymous). I then added
<authorization>
<deny users="?"/>
</authorization>
along with
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
which seems to be requiring the user to be authenticated in order to access the service. I am now going to check my silverlight application to make sure it can reach the service and get/post data. This was all in a test application, so I'll have to change my real application accordingly. Then, I'll tackle ssl/https.
Does all this sound right?
EDIT 2
I had to ensure mex was enabled and aspNetCompatibilityEnabled was set to 'false' to get the conctracts to update in my silverlight app. But after updating my services, I set the aspNetCompatibilityEnabled to 'true', and everything appears to be working.
I hope I'm still headed down the right path...
I ended up setting up IIS to add the webservice as a website under the parent website. Then, I used the Location tag in the parent site's web.config to implement forms authentication on the webservice.
I have an ASP.NET MVC 2 application in development that uses a web service to access security information (Roles, Permissions, etc). The users of these applications will be internal Company users. This web service security mode is currently set to "None".
What kind of web service security do you recommend for my situation? Should I use certificates?
For an internal use I suggest using Windows Authentication :
<system.web>
<authentication mode="Windows" />
</system.web>
We have a small application we built in our spare time using the latest mvc3 and Entity Framework .net libraries available at the time, and deployed it. The management liked it, and they want it integrated into a heavy legacy .net 3.5 web forms application.
I need to somehow use the same authentication sessions across the two applications. I am using the same DB and Application for authentication using the .net membership and profile providers. This works fine, but users have to login separately into the MVC app even when they are already signed in for the main application. I am open to any suggestions: enabling state session at a different level, or shared cookies, etc
What is the best way to bypass this login requirement and whether I should integrate the mvc application into the webforms or keep it as an independent application? My main concerns affecting the decision would be time taken for complete integration, and later maintenance of the applications.
First, the fact one application is ASP.NET MVC does make no difference here :)
Second, here is one example of what to do from MSDN:
http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
Small snippet from that page:
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
</system.web>
</configuration>
.
P.S.
StriplingWarrior's advice of merging both applications although not really required but may be very useful for future integrations. You may later end up doing it anyway.
Forms authentication uses cookies to track users. Cookies can only be shared between the same domain. So for example if you had app1.foo.com and app2.foo.com simply configure those two applications to share the same domain cookie. For example both web.config should share the same forms authentication configuration:
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogOn"
timeout="2880"
domain="foo.com"
/>
</authentication>
You also must ensure that both application share the same machine keys because an authentication cookie emitted by app1 needs to be decrypted by app2 with the same keys.
You may want to consider simply integrating this application into your Web Forms application directly. The two can coexist in the same application.
Store the session state in a database. Store the session key in the cookies of each sessions. At the AcquireSessionState event in the life cycle's of both applications, get the session id from the cookie, load the session data from the database and update your HttpContext.User. You will then have the same authentication data in both applications.