In this question a user replied that he was able to override the security settings on a shared host. I'm using the same host, but haven't been able to figure out how to change web.config to allow reflection. Is it a one-liner?
I'm using MVC + Nhibernate in my project, but I can't even get an Mvc "new project" template site to work, I suppose the problem is reflection.
Try adding the following line to your web.config:
<system.web>
<trust Level="Full" />
</system.web>
Note, however, that the section might be locked by machine.config.
Related
Like the title says, I want to protect a directory from anonymous access and that directory is ignored for routing because it contains static content.
I should also mention I'm just using the out of box individual accounts identity stuff in my MVC app.
The other catch I have is that I will be hosting as an Azure web app.
Ignore route looks like:
routes.IgnoreRoute("Cordova/{*pathInfo}");
That works just fine.
I thought I could just add a location exclusion in my web.config:
<location path="Cordova" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
With just that, I can still access the content as an unauthenticated user, so that isn't it alone.
Then in the Web.config, system.webServer->modules section I added:
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
Now it will deny access to the directory (when using the location element above), BUT it will not allow access to any authenticated user.
I saw a few other suggestions that involved tweaking IIS settings or local directory permissions, but since I'm hosting in Azure, that is not an option for me.
UPDATE
I implemented forms authentication in the web config, and manually added the FormsAuthentication calls in my Account controller. AND it works!
So I'm guessing the web.config deny="?" in the location element is only enforceable with forms auth??
Now I have the forms auth mixed in with the OWIN cookie auth stuff. I thought one used the other (what happened to app.UseFormsAuthentication?) but its not looking that way. I'm making a mess.
How should I be doing this?
UPDATE2
And in doing so now my WebAPI security is broken.
I've created Internet MVC Application with Individual User Accounts Authentication, but now this project should be intranet with windows authentication... How to switch authentication, when project is almost done? I'm not guru in MVC and this is new technology for me, so any help please and if possible with all steps in description=)
In the Web.config of you project. The first step would be change:
<authentication mode="Forms">
</authentication>
to
<authentication mode="Windows">
</authentication>
Selecting your project and hitting F4 for the properties window allows you to change the authentication method.
However instead of me putting step by step in here just use this very easy to follow tutorial:
Enabling Windows Authentication
Since I found this question through google attempting the same thing, and Firearm's link doesn't quite do the process justice, I'll attempt to list the steps I went through here. Obviously, if I tell you to remove something, that only means if you aren't using it otherwise. I don't think you have to do these steps in any particular order.
Also, I'm using Entity Framework, so you'll have to look elsewhere to remove it.
in the solution explorer, highlight your project and press f4. This will bring up the properties window for that project. Disable anonymous authentication. Enable windows authentication.
Tools -> NuGet Package Manager -> Manage NuGet Packages for Solution... uninstall anything with "owin" in the name, Microsoft.AspNet.Identity.EntityFramework, and Microsoft.AspNet.Identity.Core.
Open your Web.config. Under runtime, under assemblyBinding, remove all the dependentAssembly's for Owin stuff that got left behind. Under system.web, replace <authentication mode="None" /> with <authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>. Under system.webServer, remove handlers. under modules, remove <remove name="FormsAuthentication" />.
Remove the Account and Manage controllers and views. Remove the ManageViewModels from your models.
Under App_Start, get rid of IdentityConfig and Startup.Auth.
At the top level, right next to your web config, is Startup.cs. Get rid of it.
Make a new ApplicationDbContext. It should derive from DbContext. Get rid of throwIfV1Schema: false in your constructors. Then you can get rid of IdentityModels from your Models folder. Add a new migration and update your database.
Obviously you'll have to clean out any references you've made yourself to Identity.
Possible additional step:
* remove _LoginPartial view. The _Layout view will then be updated to replace partial display of that view with this line:
<p class="nav navbar-text navbar-right">Hello, #User.Identity.Name!</p>
Searching the exact same problem led me to this article, however the answers are a bit old, so with ASP.NET using MVC 5 this should be detailed documentation from Microsoft:
To detect Windows Authentication in an MVC project, the wizard looks for the authentication element from your web.config file.
<configuration>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>
To detect Windows Authentication in a Web API project, the wizard looks for the IISExpressWindowsAuthentication element from your project's .csproj file:
<Project>
<PropertyGroup>
<IISExpressWindowsAuthentication>enabled
</IISExpressWindowsAuthentication>
</PropertyGroup>
</Project>
Found at Diagnosing errors with the Azure Active Directory Connection Wizard
For my specific problem it was switching to Azure AD rather than Windows Authentication (which was preset), there are more steps found at the developer network website.
I'm afraid I'm a bit late with my answer to you're question on how to implement the SwitchUser functionality, but for those of you who are still struggling with this (even Microsoft SharePoint still can't get it to work...), here's how it's done: (I just finished writing the article)
Switch User Functionality using MVC4 and Windows Authentication
If you need more information on how to get Windows Authentication workong for an Intranet Website using AD and Windows Server 2012 (or Higher), then take a look at my following article:
Windows Authentication on Intranet Website using AD and Windows Server 2012 (or Higher)
Happy coding!
I'm trying to add Active Directory authentication to a help desk system that was built years ago. Gradually, we'll be upgrading the whole system. I'm starting by creating an MVC2 application that will host the login, and then my plan is to bring current functionality into the MVC as we also add new features.
But the login is the base of the whole thing. We need auditing, so we need to know who's in the system.
I've read articles, other stackoverflow posts, and followed a couple MS walkthroughs to the letter. I was able to get it working as an ASP website, but when it's an MVC application, I can't seem to get it. The ASP application required adding extensive methods, and everything I read makes it sound like MVC should be much simpler.
Here are my IIS settings and the mods I've made to my web.config:
IIS Authentication
Anonymous: Disabled
ASP.NET Impersonation: Disabled
Forms: Enabled
Windows: Disabled
...
...
I keep getting the following error:
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
End goal is to authenticate the user at the home page. If they can't be authenticated, force the login.
EDIT: Enabled Anonymous Authentication
I enabled Anonymous Authentication to see if any underlying errors might be the source of the problem. I got the following error:
The container specified in the connection string does not exist.
It's finding the error in the definition of MyADMembershipProvider.
<add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString" />
I changed my connection string to the following:
<add name="ADConnectionString" connectionString="LDAP://server.domain.com"/>
That did successfully redirect to the login page, but it didn't authenticate me automatically. And when I set Anonymous to Disabled again, I was back to the original error.
I think I'm missing some essential knowledge here that I'm not getting from the materials I'm reading.
EDIT: Authentication not working at all
I thought it might be worth adding that authentication isn't working at all.MembershipService.ValidateUser always returns false.
I think the solution is in the Authentication type. Originally, I was using the following:
IIS Authentication
Anonymous: Disabled
ASP.NET Impersonation: Disabled
Forms: Enabled
Windows: Disabled
And in my Web.config file I was using Forms authentication. Apparently for Active Directory authentication, the type has to be Windows.
Original:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Revised:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
I know this worked, but since I'm new to MVC, I could still be missing something.
I'm building out a series of MVC4 Web API's that return various bits of information. In most of the APIs, I'm conducting a GET method and passing a fully qualified domain name.
If I pass a short name the API returns the data as expected; however if I pass a fully qualified domain as an ID ending in ".com" I get a 404.
The API works fine when I debug within Visual Studio 2010; however once I "publish" the content, I start getting 404's. My initial hunch is that it's something with IIS; however I haven't been able to put my finger on the exact problem.
WORKS: /controller/action/server_shortname
404: /controller/action/server.domain.com
Any guidance would be appreciated. Thanks
If you are using .NET 4.0 you can use this in your web.config:
<httpRuntime relaxedUrlToFileSystemMapping="true" />
Apart from that you should also assure that you are running your applicationPool in integrated mode.
There are a few other posts that mention the same problem and depending on your configuration you could find your answer there:
How to get ASP.NET MVC to match dot (".") character at the end in a route?
ASP.NET MVC Url Route supporting (dot)
. has a special meaning in the path portion of an url and is interpreted by IIS as a extension separator.
If you are running in IIS Integrated Pipeline mode you could add the following handler to the <system.webServer> node:
<system.webServer>
<handlers>
...
<add
name="UrlRoutingHandler"
type="System.Web.Routing.UrlRoutingHandler, System.Web"
path="/api/*"
verb="*" />
</handlers>
</system.webServer>
You will only need to adjust the path="/api/*" to the endpoint that you configured your API to listen to.
We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this anyone in the world access the error log because all they have to do is visit ourdomain.com/elmah.axd.
This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?
We running an ASP.NET MVC app on IIS 6.
The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.
Here's what I would recommend you:
Disable completely the elmah.axd handler on your main site
Configure elmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.
If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.
I found this is most acceptable for MVC applications:
http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html
You can point the elmah http handler to another url (for example "Secure/elmah.axd") in web.config. You can secure the url as any other asp.net page in the web config.
<httpHandlers>
...
<add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
<system.web>
<authorization>
<deny users="?" />
<!-- Or anything else... -->
</authorization>
</system.web>
</location>
We are successfully using this approach on IIS7 using active directory membership providers, and it works great. I am not sure if it works on IIS6 though.
If you're using ASP.NET Membership, it's pretty easy to restrict access to the elmah.axd HttpHandler for anonymous users and only allow logged in users in an "Administrators" group. I've done it like this:
<configuration>
...
<location path="elmah.axd">
<system.web>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Anybody who's logged in AND member of the "Administrators" role can access the page now.
Here are some useful links:
Securely Implement ELMAH For Plug And Play Error Logging
Securing Error Log Pages
If your intention is to disable remote users from accessing it, simply change the value of <security allowRemoteAccess="yes" /> to <security allowRemoteAccess="no" />
I used IP Restrictions from the IIS 7 configuration. By default, you can't simply apply it in <location path="elmah.axd"> because it's locked on the parent configuration level. As such, I created an empty folder "logs" and applied restrictions in IIS to this folder, then modified the location path for the elmah.axd file. That's it! You have remote access to yourdomain.com/logs/elmah.axd, but only from specific IPs.