I am hosting a WCF Service within an ASP.NET MVC web application. I would like the WCF Service to only be accessible to authenticated users. Adding the configuration code below to the web.config file does not have the desired result:
<location path="Services/MyService.svc">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
How should I deny access to this service for unauthenticated users?
I was able to resolve this by adding a Web.Config file containing the authorization rule within the "~/Services" directory itself instead of the Web.Config at the root of the website.
~/Services/Web.Config
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Related
I have an ASP.NET MVC application hosted on IIS on windows server 2019. The webapp runs fine but upon clicking a button(which triggers a service call), I get windows sign-in pop up intermittently.
Note that, we have disabled windows authentication at IIS level and user authentication is being done at application level using Azure active directory.
We have the following authentication settings in web.config:
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
<modules runAllManagedModulesForAllRequests="true">
<remove name="FormsAuthentication" />
...
</modules>
Every time I deploy a basic ASP.NET MVC site to one of our intranet servers, the authentication mode for the site and any sub sites turns off. We have it set to Windows. This does not happen to a second server that we use.
This is what we have in our root web.config file. We can go in to IIS Manager and turn Windows authentication back on, but why does it get turned off each time even though the config file is set to use Windows authentication?
<system.web>
<customErrors mode="Off" />
<compilation targetFramework="4.6.1" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<httpModules />
</system.web>
You could try to add the below section in your web.config file.
<system.webServer>
<security >
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
Or you could directly modify the applicationhost.config file which is located at C:\Windows\System32\inetsrv\config
<location path="TestSite">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
Note: path="TestSite" use your site name in this section and add this code before the </configuration> tag.
I have a site runing inside our domain servers witha firewall for external access. It popups up a login box for you to put your AD credentials. This is all how it is supposed to work. But since this week it no longer considers it valid. Users that were able to connetc last week no longer can connect. we all get 401 errors in the IIS 7 log. Is there a way to trace where this is broken?
the server Windows Server 2016 DataCenter.
This is our Web.config:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime />
<authorization>
<allow roles="SEC_DB_EMAILMANAGER_ADMIN" />
<allow users=".\egadmin" />
<deny users="*" />
</authorization>
<pages controlRenderingCompatibilityVersion="4.0">
<controls>
<add tagPrefix="asp" namespace="AjaxControlToolkit" assembly="AjaxControlToolkit" />
</controls>
</pages>
<authentication mode="Windows" />
<identity impersonate="false" />
</system.web>
In the Authorization section of IIS WE have these settings:
Anonymous Access: Enabled - with specific user:IUSR
Basic Authentication: Enabled - no settings set
The others are all disabled. I tried changing different settings and it doesn't seem to work. we have an automated deployment process that deployed something last week it is possibles some settings were changed we didn't realize
After a day & a half we figured out the problem. When IT Support was adding the last batch of users to the SECURITY GROUP The SAML ( PRE 2000 name) name was renamed to something else, which is used for iis lookup
Background:
My team is moving to asp.net mvc 5 but we still have many applications we need to support written in ColdFusion. We have implemented an Asp.net MVC 5 application that will serve as the main point of entry to access all our ColdFusion applications and we have dropped each ColdFusion application inside a folder inside our MVC application like this
MVCApp
-- InternalApps
-----ColdfusionApp1
-----ColdfusionApp2
We are trying to control access to the Coldfusion applications by means of roles. In other words, if you have ColfusionApp1 role then you can access files inside MVCApp/InternalApps/ColdfusionApp1, all other users will be denied access to the ColdfusionApp1 directory and its containing files.
We implemented access control to the coldfusion directories and files inside directories by specifying rules in our MVC’s web.config like in this post ( Url Authorization with MVC and ASP.NET Identity ), and we made a slight modification to the previous solution because we want to control access by roles as in https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
In IIS the MVCApp is a Website and under the MVCApp Website the directory MVCApp/InternalApps/ColdfusionApp1 contains the Coldfusion code which becomes accessible once you run the Adobe ColdFusion Webserver Configuration Application that configures IIS to server ColdFusion files.
Problem:
The solution seems to work just fine if instead of Coldfusion files we put a static html file inside the ColdFusion directories, but the moment we drop the ColdFusion files and configure these files to be served by IIS using the wsconfig.exe (Adobe ColdFusion Webserver Configuration Application) then even if you specify authorization rules for ColdFusion files .cfm these files are still served to unauthorized users. Below is the navigation url patterns that work as expected and the one that fail to work as expected.
https://localhost/InternalApps/ColdfusionApp1 (block access to unauthorized users and redirects to login page)
https://localhost/InternalApps/ColdfusionApp1/index.cfm (lets any unauthorized user access this file)
We think that the problem we are having has to do with the order in which modules and handlers are configured. It seems that for .cfm files there is a handler or module that processes this request before the authorization rules can be applied.
Conclusion:
Role based authorization rules using the location tag in web.config work fine to prevent users from accessing a directory, but it does not work to prevent access to the ColdFusion files inside that directory.
Environment:
MS Server 2012 R2 with IIS 8.5
Visual Studio 2015 (Asp.net MVC 5, Asp.net Identity 2)
Oracle 12c Database
ColdFusion 2016
Snippet from web.config:
<system.web>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<location path="InternalApps/ColdfusionApp1">
<system.web>
<authorization>
<allow roles="ColdfusionApp1"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
<handlers>
<add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
<add name="CfmScriptHandler" path="*.cfm" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
</handlers>
</system.webServer>
I have two machines:
Windows 2008 - for Active Directory
Windows 7 - installed with IIS7, it also serves as development machine. Note that this PC is not member of the domain.
I tried Forms Authentication and it's working fine with this configuration in my web.config:
<connectionStrings>
<add name="ADConn" connectionString="LDAP://192.168.0.21" />
</connectionStrings>
<membership defaultProvider="ADMembership">
<providers>
<add name="ADMembership"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConn"
connectionUsername="dominic"
attributeMapUsername="sAMAccountName"
connectionPassword="p#ssw0rd" />
</providers>
</membership>
Now I want to change from Form to Windows Authentication. My questions are:
What configurations do I need to add in Web.Config to enable Windows Authentication?
What configurations should be done in IIS to enable Windows Authentication?
Do I need to configure Windows Firewall?
When logging in using Windows Authentication, what should be my username? Is it "192.168.0.21\dominic" or "dominic"?
Did I miss to ask any question?
I tried many tutorials today but it's either giving me 403 or it's not accepting my username and password. If you know any complete step-by-step tutorial, please let me know.
After days of research, it turns out that IIS at least, should be a member of the domain. The client does not necessarily be a member of the domain.
In the Web.Config, all I need to add is:
<authentication mode="Windows" />
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
Connection string and membership are not necessary.