MVC2 site + Windows Authentication = 401 Not Authorized - asp.net-mvc

We have an MVC2 site that we need to add Windows Authentication to, for the sole purpose of capturing the AD login name -- the site, itself, does not need to be restricted. All pages on it are open to all on our network.
So in our web.config, we have this:
<authentication mode="Windows" />
And several location nodes to open up the various areas of the site to all users:
<location path="default">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path=".">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="sales/index">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
However, when we try to hit sales/index, for example, it prompts for the login, and even a correct login will yield a 401:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
Some other details:
We don't have any sort of authorization action filters, because as I said, the whole site should remain open to all on our network.
We have IIS (site and app pool) configured identically, best we can tell, to another (MVC3) site where authentication works.
We also have folder permissions configured identically between the two.
The only difference we can think of, at this point, is the broken one is an MVC2 site, and the working one is an MVC3 site.
The broken MVC2 site will prompt for a user, whereas the working MVC3 site does not -- it uses passthrough authentication.
The broken MVC2 site will return the same response for a valid user, both with a valid password, or with an invalid password.
The broken MVC2 site will continue to prompt for a username/password if an invalid user is entered.

Related

multiple login page in asp.net mvc

I have an mvc 4 application, where I have to define multiple login pages, one for each role type user.
Is there any way to do this? Trying to configure multiple login pages inside the location tag in web.config gives me errors.
thanks,
luca
One way is just to create different login controllers for each role type. To make it possible for people to access two different login pages while they are not logged in, you can open up those locations in web.config:
<location path="Employee/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Customer/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You say that when people get logged out they can be redirected to the home page. To do this, in the forms authentication portion of web.config, set loginUrl to your home page.
If your login logic is mostly the same, but you want to present a different view, you could reuse the same controller, but have a route value that specifies which mode you're in and switch between Views depending on which value is provided.

CSS and Scripts don't work until the user logs in to the website - ASP.NET MVC 3 Web Site

I have an ASP.NET MVC 3 site that I published in IIS 7.5 (framework 4.0), and the problem is that the CSS and the scripts don't work until the user logs in to the website. So:
The website was created as a virtual directory and converted into an application.
The mode is forms authentication.
I enabled Forms and Anonymous authentication in IIS.
The web.config has:
<location path="Content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Scripts" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
<globalization culture="pt-BR" uiCulture="pt-BR" />
</system.web>
</location>
<authorization>
<deny users="?"/>
</authorization>
Note: the DLLs that I added to the bin directory: System.Web.Helpers.dll, System.Web.Mvc.dll, System.Web.Routing.dll, System.Web.WebPages.dll.
I tried to change the path in the location to "~/Content", but I got the same result.
I tried to put the allow tag in the authorization tag as:
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
But I got the same result.
What am I missing?
I figured it out. It was something I missed from my checklist when setting up a new IIS application: Select the application, double-click "Authentication", select "Anonymous Authentication", then Edit, and change it to use the Application Pool Identity. Make sure that user has permissions on the folder that contains the site like the others said.
I've had this problem too and it's not the asp.net authorization that is the problem it's the rights to the files in the filesystem.
You need to make sure the website runs under an account that has access to the files. For my internal testing I usually make the website run under my account, but I guess this wouldn't be a good idea security-wise if you host it in public. You can set this under Advanced Settings -> Physical Path Credentials for the website.
Try to allow content path, where your scripts and css files are stored:
<configuration>
<location path="content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
I see that you figured it out and you are happy with your answer.
I also had this problem, but it was not an app pool authentication issue. Instead, I just allowed all users access to the locations of the css/js files, so at least the login page would render appropriately until the user logged in.
e.g. by putting this web.config file in the root of /site/public (or wherever your necessary css & js files are collected)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
I agree with Mikael that it could be file access rights; try giving permissions to the Everyone account, and if it cures your problem, find out which account IIS uses for the Application Pool you use and give permissions to it.
Also, if it doesn't work, try putting web.config files inside the Scripts and Content folders, with authorization attributes only.
And there is also a small possibility that you over-tuned your Routing in some way, and it intercepts real file requests.
IUSR is generally the default impersonation user configured for anonymous authentication. If that is the case, I would make sure that IUSR has read permissions to the folders in question.
You can configure the site to use a different user as well, but I'm not sure that I'd simply switch the site to run as the application pool user. The application pool user often has more permissions than the anonymous user would/should have.
To follow up on the accepted answer, you can add the authentication tags inside the location so that you don't have to manually set this in IIS when deploying on new machines. This only shows one path, but it's easy to copy it for other paths like ~/Scripts, ~/Fonts, or any other static content you want to reference.
<location path="Content" allowOverride="true">
<!-- Authorize all users -->
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<!-- Authenticate anonymous users -->
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>

ASP.NET MVC: AuthorizeAttribute on default page

The default controller in my ASP.NET MVC project is decorated with the [Authorize] attribute. When I deploy the website on my development machine and access the website, I am redirected to the login page (defined in forms loginUrl section of the Web.Config). Result: everything works as expected.
When I publish the website on our production server (Windows Server 2008, IIS 7, DefaultAppPool) and access the website, the expected address shows in the address bar (/Account/LogOn?ReturnUrl=*my_expected_return_url*), but the page displays "You do not have permission to view this directory or page." instead of the login page. If I remove the [Authorize] attribute on the default controller/action, the page displays correctly.
My Web.Config file:
<sessionState mode="InProc" timeout="30" />
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Do you have a section in your web.config to explicitly allow non-authorised users to access the ~/Account/LogOn page?
<configuration>
<location path="~/Account/LogOn">
<system.web>
<authorization>
<allow users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>

Trouble getting ASP.NET MVC app to redirect to error page for unauthorized users

I've got the following set up in the web.config of my ASP.NET MVC application:
<authentication mode="Windows" />
<authorization>
<allow roles="MySecurityGroup"/>
<deny users="*"/>
</authorization>
<customErrors mode="On" defaultRedirect="Error.aspx">
<error statusCode="401" redirect="Help.aspx"/>
</customErrors>
Everything works fine if you are in MySecurityGroup, but if you're not, you are not redirected to either Error.aspx or Help.aspx. (Note that Error.aspx lives in Views\Shared while Help.aspx is in Views\Home.) All you get is the default error:
Server Error in '/' Application.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
What am I doing wrong?
UPDATE: Now my web.config is set up like this, and it's still not working:
<system.web>
<customErrors mode="On" defaultRedirect="Help.aspx">
</customErrors>
</system.web>
<location path="">
<system.web>
<authorization>
<allow roles="MySecurityGroup"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Help">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Note that I can navigate to MyApp/Help just fine and am correctly banned from the rest of the site, but it never redirects to the Help page automatically.
You have to explicitly give access to other groups to Error.aspx and/or Help.aspx so they can actually get to the pages. The way you have it set up right now, only MySecurityGroup users can get to the pages.
You'll need something like this:
<location path="Error.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
and the same for Help.aspx. Alternatively you can do this at a folder level.
Do you want the error and help pages handled by MVC or ASP.NET? Currently you are treating the pages like MVC views, yet you have redirect URLs that map to the ASP.NET pipeline. At a guess, move error and help into the root directory of the site and it should work.

Problem with Authorization with IIS and MVC

Got some problem with setting up the Authorization.
First I have:
<authorization>
<deny users="?" />
</authorization>
So I deny all unknown users and then allow them to view these pages:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Public">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now to the problem: they can access the Public pages and Default.aspx, but not www.mydomain.com or www.mydomain.com/, while www.mydomain.com/Default.aspx works fine.
So how do I make those work?
Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.
In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.
In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.
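As an added illustration of the point made in this answer (and of the earlier thread where members outside MySecurityGroup never reached the Help page), here is controller-level authorization in C# for ASP.NET MVC 2/3. This is example code, not from any of the posts; it assumes the role name MySecurityGroup from the thread and a hypothetical HomeController with a Help action.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Route-based authorization: the filter runs for every request that reaches the
// action, whichever URL form was used (/, /Default.aspx, /Home/Index), so there
// is no path-based gap of the kind the answer above warns about.
public class GroupAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            // Authenticated but not in the required role: send the user to the
            // open Help action instead of letting IIS answer with a bare 401.2.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Home", action = "Help" }));
            return;
        }

        // Not authenticated at all: keep the 401 challenge so Windows auth can
        // negotiate credentials (or Forms auth redirects to loginUrl).
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Protected: only members of the group reach any action on this controller.
[GroupAuthorize(Roles = "MySecurityGroup")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        // With Windows authentication this is the AD login name, e.g. DOMAIN\jdoe.
        ViewData["Login"] = User.Identity.Name;
        return View();
    }
}

// Open: no attribute, so anonymous users can reach Index and Help (the
// equivalent of the Public/Default exceptions in the question, without
// relying on <location> paths that MVC routes do not pass through).
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }
    public ActionResult Help() { return View(); }
}
```

With a root `<deny users="?" />` still in web.config, the Forms/Windows challenge happens before routing, so the open controllers only behave as open if that root deny is removed and protection is left to the attributes.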
