This is my first ASP.NET MVC application, and my first on an IIS 7.x installation whereby I have to do anything over and above the standard.
I need to enforce Windows authentication on the /Index and /feeds/xxx.svc pages/services. In ASP.NET Web Forms, I would apply the Windows permissions on the files and remove Anonymous authentication in IIS 6. This needs to work over HTTP/S, but don't worry about that, that's in hand.
What happens in MVC/IIS 7?
I have tried modifying the permissions on the /Index.aspx view, which seems to block access. It asks me for a username/password, but does not grant access when I enter a valid username/password. Pressing Escape gives me an exception "**Access to the path 'E:\dev\xxx\xxx.ConsultantRegistration.Web.Admin\Views\ConsultantRegistration\index.aspx' is denied. **", which does get sent as a 401.
So although the username/password does exist on the Index.aspx view, I can't use those credentials to access said view.
I have in my web.config:
What am I missing?
Don't set file permissions. Instead enable the WindowsAuthentication provider in your website in IIS, and add the [Authorize] attribute on the controller action. You can further filter the users that have access to these pages like this:
[RequireHttps, Authorize(Users="MyUser")]
public ActionResult Index()
{
return View();
}
Related
I am calling a FileResult action like this:
[AllowAnonymous]
public FileResult DownloadDocument(int documentId){// My code}
But it keeps redirecting to Account/Login, I dont even have a Login page.
This is only happening when I deploy the application to my Server (Windows Server 2016 IIS Version 10).
Is there some configuration that I need to use to avoid this issue?
Is the anonymous authentication activated?
On IIS Manager, if your website node is selected, you will find an Authentication button. It is usually in IIS section. If you click on it, you will have an Authentication page.
On this page you will have a list of authentication installed. (like Windows, Form, etc.) You will also have the Anonymous Authentication node.
You'll need to activate it.
Actions are on the right panel.
I have created an MVC 5 application (following the Create an ASP.NET MVC 5 App with Facebook and Google OAuth2 and OpenID Sign-on tutorial) and uncommented the line:
app.UseGoogleAuthentication();
Everything works fine. I can login using Google. I then change the project properties to host the application under my local IIS server (instead of the default IIS Express). The Google login no longer works. The line:
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
in ExternalLoginCallback always returns a null, whereas under IIS Express loginInfo is populated. This means the browser is just bounced back to the Login page. I'm running on Windows 8.1.
I have seen other people having issues with null exceptions, I don't get any. I have restarted IIS. I have rebooted my machine and still I get the same result.
I have just managed to solve this for a project I am working on as detailed on my blog.
The solution seems to be to either turn off Session state
<system.web>
<sessionState mode="Off"/>
</system.web>
or to ensure that users have a value in their Session before the external login is performed,
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
//Ensure Session has at least one value
Session["EnableExternalAuth"] = true;
return View();
}
There is an Owin cookie issue/bug which is probably the root cause
ASP.NET_SessionId + OWIN Cookies do not send to browser
and the following StackOverflow questions are also related:
OWIN OpenID provider - GetExternalLoginInfo() returns null
ASP.NET MVC 5 (VS2013 final): Facebook login with OWIN fails (loginInfo is null)
See the Technovert article where they discuss adding a location permission subsection to the web.config file.
This solves some of the issues anyway
I have an intranet application using windows authentication that works great. Now I have a requirement to expose an Api area. This area should use basic authentication but to keep things easy I am first just trying to make this area allowed to anonymous.
I am using IIS 7.5 and it is configured like this:
IIS > My Intranet Site > Authentication > Windows Authentication Enabled,
everything else Disabled
in the application root web.config I have
<authentication mode="Windows"></authentication>
All the intranet controllers (except for Api Area) inherit from a BaseController that have an AuthorizeAttribute
I tried adding
<location path="~/Api">
<system.web>
<authentication mode="None" />
</system.web>
</location>
In the web.config for the API area, but no go, still get prompted for credentials.
My application structure looks like this
-IntranetApp
--Controllers
--Areas
----Area1
----Area2
----Api
All should be using Windows Authentication except for Api area.
Thanks for any help/pointers.
I don't know details, but the way I've seen "mixed" authentication done is two web applications. The one with windows authentication enabled will then use the ASP membership API to authenticate the user(and automatically create a username if necessary using information from domain account) and then redirect to the other site. Both site's membership config share the same application ID, keys, etc.
You are probably running into this:
"you cannot achieve this within a single application because in IIS once you set up Windows authentication for a virtual directory it will no longer accept users from different domains."
See this for more information on setting up one version of this:
ASP.NET MVC and mixed mode authentication
I need to capture user's X.509 certificates from their cards and map to a user table for forms authentication in ASP.NET MVC. I have created an MVC (ver 2) project in VS 2008, configured to run as a virtual directory under the Default Web Site in the local IIS on Vista using the default template but added RequireHttpsAttribute to the Account/LogOn ActionResult. No other changes. Using the local IIS Manager, I created a self-signed cert and applied it, then set the Account/Logon.aspx page to Require SSL and Require client certificates.
Running in debug, when I click the 'Log On' link from the Welcome page (Home/Index view), it correctly routes to Account/Logon.aspx using https but no prompt for certificate. Using Dynatrace (awesome, http://ajax.dynatrace.com), I can see that the response status is getting set to 403 but again, no cert prompt.
As a sanity check, I set up a default asp.net web app project to run in a virtual directory in the default Web Site (same as MVC project above) in Vista and configured the default.aspx page to Require SSL and Require client certificates, as done in the MVC project above. Ran it, works fine, I get the certificate prompt and can choose cert and enter PIN for card and read my X.509 from request.clientcertificate object in the code behind.
The application pool for both virtual directories is set to Classic .NET AppPool in integrated pipeline mode.
Help?!
Update:
Super kludgy workaround in progress. I added a folder 'Auth' and an 'GetCert.aspx' file to it that is marked SSL/Require client certificates to the MVC project and then added "routes.IgnoreRoute("Auth/{*pathInfo}")" to the global.asax. The codebehind of the GetCert.aspx response.writes the data I want from the X.509. Then I added a jquery.get call in LogOn.aspx which calls GetCert.aspx and returns the cert Subject results as a string to a div in LogOn.aspx. I now get the cert prompt and get the results in my MVC view, but this can't be the way to do this!
I have a working solution using forms authentication and the authorize attribute on my base controller class so all non-authenticated requests go to Account/LogOn. The logOn page post button routes to an action called Authorize which is decorated with the RequireHttps attribute which correctly triggers the prompt for the client cert. Once the cert is selected the Authorize action handles parsing the HttpClientCertificate for the user info I want and doing a match lookup in my users table and writes an authentication cookie. I then have an HttpModule that reads the cookie to create a custom Principal in the AuthenticateRequest event. This all works great. I'm opening another question for the next issue regarding IIS configuration of 'ignore client certificates' here: https://stackoverflow.com/questions/4141272/iis-6-ssl-client-certificates-configuration
I am suddenly getting a Windows Security dialog when requesting:
http://mydomain/Reports/
This happens after I have moved an ASP.NET MVC application from Server 2008 to Server 2008 R2.
This page (like others) are access controlled using Windows Form authentication. The other pages work correctly, just this page is giving me hassles - and only on this server.
Even signing in with my domain credentials fails; after the third failed login a blank page appears.
I have disabled Windows Authentication in IIS and enable Form Authentication.
The request executes:
public ActionResult Index()
{
return View();
}
The index.aspx page associated to his page contains static HTML.
Any ideas what might be causing this?
Update to comments and questions:
Site (mydomain) is running as a web site on its own.
SSRS is installed on the machine but not part of this web site.
Changing the controller name to ReportController instead of ReportsController causes it to work. Something is processing Reports first, where can I find it? I don't see any Reports folder or web sites on the server...
When upgrading sql server, often it adds a virtual directory or virtual application in iis called Reports and ReportManager. Just went through this, so it's worth checking out.
Check the permissions on the folder or file, they are probably not set correctly so IIS is trying to get a valid set of credentials to continue.
Also, is that Reports folder running, say, SSRS?