It is not liking my web config at all. I need to make this change for my REST service so I do not get
IIS specified authentication schemes 'Basic, Anonymous', but the binding only supports specification of exactly one authentication scheme. Valid authentication schemes are Digest, Negotiate, NTLM, Basic, or Anonymous. Change the IIS settings so that only a single authentication scheme is used.
So the change I made is
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<basicAuthentication enabled="false" />
</authentication>
</security>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
And when I try to load the rest service it says
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Any ideas?
Related
I have an asp.net Web API server running under IIS, that until now has used windows authentication as it has only had other services running on the same domain conencting to it.
So, in my web.config I have the following settings...
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
....
With this I can use a browser (or the services) on the same domain and reach my services.
Now we want to allow Mobile applications to also connect. We will be using a a token based scheme based on this, and so far to use this I need to turn off the Windows authentication in my web.config to use this. If I leave in the windows configuration as above, I don't even get any of the Owin middle where methods (or custom filters) called when I, for example, se Postman to call a route with no windows authentication set.
So my question is
How can I allow either authentication, so that even a Browser (on the same domain) can still call the routes and be authenticated (via the Negotiate), but also allow other clients to use the token based scheme? Also (very important) how do I configure this in web.config to allow both?
Thanks in advance for any help!
Like the title says, I want to protect a directory from anonymous access and that directory is ignored for routing because it contains static content.
I should also mention I'm just using the out of box individual accounts identity stuff in my MVC app.
The other catch I have is that I will be hosting as an Azure web app.
Ignore route looks like:
routes.IgnoreRoute("Cordova/{*pathInfo}");
That works just fine.
I thought I could just add a location exclusion in my web.config:
<location path="Cordova" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
With just that, I can still access the content as an unauthenticated user, so that isn't it alone.
Then in the Web.config, system.webServer->modules section I added:
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
Now it will deny access to the directory (when using the location element above), BUT it will not allow access to any authenticated user.
I saw a few other suggestions that involved tweaking IIS settings or local directory permissions, but since I'm hosting in Azure, that is not an option for me.
UPDATE
I implemented forms authentication in the web config, and manually added the FormsAuthentication calls in my Account controller. AND it works!
So I'm guessing the web.config deny="?" in the location element is only enforceable with forms auth??
Now I have the forms auth mixed in with the OWIN cookie auth stuff. I thought one used the other (what happened to app.UseFormsAuthentication?) but its not looking that way. I'm making a mess.
How should I be doing this?
UPDATE2
And in doing so now my WebAPI security is broken.
Application:
MVC Website running on IIS 8.5 / Windows Server 2012R2.
Requirements:
Restrict Access to certain user groups
Execute Code as the user that sends the requests (i.e. querying a Database, accessing files etc.)
Steps taken so far:
Web.config
<system.web>
<identity impersonate="true" />
<authentication mode="Windows" />
<compilation targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
IIS > Sites > $TheSiteName$ > Authentication > Disable all except Windows
IIS > Sites > $TheSiteName$ > Authorization Rules > Allow All
Active Directory > $TheServerName$ > Delegation > Trust this computer for delegation to any service (Kerberos only)
Results
IIS complains that impersonation is not possible in Integrated Pipeline Mode
When I change Pipeline Mode to classic, a authentication dialogue pops up, but seems to be inable to verify my credentials.
Any idea what I might have forgotten to get this to work? Why can't I access this website?
Soon as I got this going, I will have to take care of restrictions. Wild guessing as I am, I would assume it will be possible to add the restricted groups into the authorization rules, but I can't get to test it...Is this the right / best way to do that?
I have an MVC WebAPI site that has the latest ELMAH.MVC NuGet package installed. Under Visual Studio, I can access
http://localhost:1234/elmah
and get the error log, just like I'm supposed to be able to.
When I deploy it to Azure, it throws an error when I do that. Fortunately, Elmah is logging the error to the XmlError log in App_Data, and I found this:
<error errorId="92ad3ee1-3fd5-449a-8cb4-0474aa771aab"
application="/LM/W3SVC/417796901/ROOT"
host="RD00155D430783" type="System.Web.HttpException"
message="Server cannot set status after HTTP headers have been sent."
source="System.Web"
detail="System.Web.HttpException (0x80004005): Server cannot set status after HTTP headers have been sent.
And then goes on for many lines of stack trace, NONE of which comes anywhere near my code.
What's going on? I've just added the Elmah.MVC nuget package, and made the following changes to the Web.Config
<elmah>
<security allowRemoteAccess="yes"/>
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/App_Data" />
</elmah>
<location path="elmah.axd">
<system.web>
<allow roles="*" />
</system.web>
</location>
It's not coming anywhere near any of my controllers, so I don't have any control over when Http status headers are set or sent.
Thanks for any help.
itanex is right! Put an empty text file (i.e. placeholder.txt) in the App_Data folder and mark it as "Content" and "Always Copy" - This will ensure that the App_Data folder is getting created. Also, as Simon point out, the correct path (based on your config) is /elmah.axd
via https://stackoverflow.com/a/11680786/1037948:
Allow remote access:
<elmah>
<security allowRemoteAccess="true"/>
</elmah>
I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.
I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)
Require SSL communication for all requests
Map multiple client certificates to a single user
Require the user to be authenticated
Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.
So, to answer my own questions.. all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that so I won't go into it.
<security>
<access sslFlags="Ssl, SslNegotiateCert" />
<authentication>
<anonymousAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
<manyToOneMappings>
<add name="Authentication Certificate"
enabled="true"
permissionMode="Allow"
userName="foo"
password="bar">
<rules>
<add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
</rules>
</add>
</manyToOneMappings>
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
Going in order:
Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.
Map multiple client certificates to a single user - I dunno. I will pass on this one.
Require the user to be authenticated - Yes. In the web.config file, in the <system.web> element, add the following:
<authorization>
<deny users="?"/>
</authorization>