I am developing an ASP.NET MVC app with custom membership and role providers.
My custom role provider uses LinqToEntities to query the user/role mapping table and retrieve if a user is in a role or not.
When running on debug, local machine, everything is fine. When deploying on IIS7 however, I have this strange behavior:
When I change a user's roles and then log in with that user, it retains the old roles instead of the new ones. It's like they are cached somewhere, but I have already set the cacheRolesInCookie="false" option in the Web.config.
Reading on the web, I saw that the option I mentioned is just a directive for the provider, meaning that if I don't implement its usage it will be ignored. Is that right?
This leaves me puzzled. My provider should perform a fresh query every time a method is called. It works locally, but not on the deploy machine with IIS7.
Does anyone know if there's any hidden setting in IIS7 to make things work right?
Thanks.
After a long time I found the solution.
The problem resided in the EF context I was using to read the users/roles.
I fixed it by re-instantiating the context every time a role is checked, instead of keeping the same context until the application restarted.
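What the per-check context looks like inside a custom RoleProvider, as an added example rather than the poster's own code; the context type RolesContext and its UserRoles set are assumed names standing in for the asker's user/role mapping table.

```csharp
using System;
using System.Linq;
using System.Web.Security;

// Added example, not the poster's code. Assumes an Entity Framework context
// type "RolesContext" exposing a "UserRoles" set whose rows have string
// properties UserName and RoleName (the user/role mapping table).
public class PerCallRoleProvider : RoleProvider
{
    // The pattern behind the stale roles: one context kept for the life of
    // the application. Rows it has already loaded come back from its object
    // cache, so a role revoked in the database is still honoured until the
    // worker process restarts (and a shared context is not thread-safe).
    // private readonly RolesContext _db = new RolesContext();

    public override bool IsUserInRole(string username, string roleName)
    {
        // Fresh context per call: every check is a real query, so a role
        // change is enforced on the next request rather than the next restart.
        using (var db = new RolesContext())
        {
            return db.UserRoles.Any(r => r.UserName == username
                                      && r.RoleName == roleName);
        }
    }

    public override string[] GetRolesForUser(string username)
    {
        using (var db = new RolesContext())
        {
            return db.UserRoles.Where(r => r.UserName == username)
                               .Select(r => r.RoleName)
                               .Distinct()
                               .ToArray();
        }
    }

    // Roles are administered outside the site, so the provider is read-only;
    // the base class still requires these members to be overridden.
    public override string ApplicationName { get; set; }
    public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

A quick way to confirm the fix on the deployed site is to revoke a role in the database and check that the very next request is denied, without recycling the application pool.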
I have a .NET Framework 4.7.2 MVC 5 site that is using Windows Authentication to authorise access to actions based on AD group membership. This works fine for a single domain, but we have domain trusts in place and ASP does not seem to resolve memberships from other domains.
e.g.
Two domains: Parent and Leaf
The site runs in the Parent domain, which has a local security group set up: SiteAccess-L.
SiteAccess-L contains a single member Leaf\SiteAccess-G, which in turn has our user Leaf\User.
When I dump the contents of HttpContext.User.Identity.Groups (casting through WindowsIdentity), I can see all the Leaf domain groups that the user is a member of, but not any of the Parent domain groups. This only happens for remote users; if I access the site locally, it seems to work.
Running a simple C# app on the desktop of the web server with the same user account and calling WindowsIdentity.GetCurrent() brings me back both domains' group memberships.
Does anybody know what gives here, and how I access the full cross-domain group memberships in MVC? If I use GetCurrent() in MVC, I get the service-account that the application pool is running under.
Thanks.
I finally got a resolution to this, but I don't fully understand why.
The issue seemed to be with an SPN. When accessing the web page through a URL such as http://mysite.parent/ and an SPN was in place for this host, the issue described would occur.
Removing the SPN resolved the issue and all groups were viewable by the site. This is clearly Kerberos related, but my understanding isn't deep enough to categorically say for sure.
In the end, the SPN wasn't needed so it could be removed to resolve the issue. Reference: https://www.aligrant.com/web/blog/2020-09-28_iis__do_i_need_to_use_a_spn
I'm wanting to build an intranet that will use Domain (AD) authentication and let the user not have to log in. So I've been looking at the AD package here and digging into the details a bit; it seems you have to configure a user & password in the web.config. Then I saw this example, which seems to simply be using the AD membership provider and isn't putting any hard-coded username and password in the config file. Are those two approaches even talking about the same thing?
I just need simple pass-through authentication based on the identity of the user passed in from the browser. The question also comes up as to under which context will requests be made when the user uploads a file, edits content etc. Will it be Network Service or the passed in identity?
Since you have specified Umbraco 7 in your question, I think you are much better off pursuing the option in your second link.
The first link was written for Umbraco 4.11, and an awful lot has changed since then. Can't tell you if the second link will simply work out of the box, but IMO you have a better chance of being successful.
There is no code for this example as of yet because I'm after a conceptual answer.
Say I have an MVC application hosted at mydomain.com. I have a set of admin tools that are available at mydomain.com/admin. There is an attribute on the admin controller that looks for a session variable indicating whether the user is logged in or not. If not it redirects to a login page, sets the session variable and all is good. I'm fine with this .. I understand how it works.
Now say that I have another 'sub-application' at mydomain/blog. This is a separate virtual directory that has a similar security mechanism that locks down mydomain/blog/admin.
If a user is logged into /mydomain/admin (i.e. the session variable is set), can I then redirect them to /blog/admin/index in such a way that the session variable is passed through to this separate application? My assumption is that the session variables for the two virtual directories are distinct.
The essence of this is a way to add modular tools to a web application. If a module is installed, I want to place a link or menu that will take them to the specific module's tool-set without having to authenticate again.
One caveat, this would more than likely have to work with shared hosting scenarios where I may not have access to IIS configuration. In the scenario where I do have IIS access I would obviously have other options that I understand, but I specifically need this to work without that level of control or access.
I hope that makes sense. Please ask for any clarification.
Thanks. Simon.
I notice in the azure examples they are using:
<sessionState mode="Custom" customProvider="TableStorageSessionStateProvider">
Can someone explain what this is used for with MVC3? I'm very confused about session state. Do I really need to use it if my application does not have anything like a shopping cart? Is it needed if I just want to do simple authentication? I removed the code from my web.config and my authentication still seems to work.
If you're publishing your application to Azure and you're using Session in any way (this includes MVC's TempData) then you will probably need to use some kind of central storage for session, rather than using the default "InProc" provider which just stores the user's session in the application's own memory. With Azure, you can use, among others, SQL Azure or the AppFabric Cache (still in CTP).
Here is a good lab for AppFabric:
http://msdn.microsoft.com/en-us/gg457897
And here's one for SQL Azure (not supported): http://blogs.msdn.com/b/sqlazure/archive/2010/08/04/10046103.aspx
This is because you could have multiple instances running or your instance could be moved at any given moment.
It sounds like your application doesn't currently use Session State, so you won't need to worry about it. (Although, remember that the TempData dictionary uses Session under the hood.)
I've asked a similar question here because I thought the problem was in my custom membership provider.
Then I tried this:
I created two NEW asp.net MVC applications. In the first one, I registered as a new user using the default membership provider. I closed this application, opened the second one and ran it. In this application I was also logged in as the user I created in the first application. Logging in as a user from the other application doesn't work, but the caching is remembered on this site. Why is it so? Is it a bug?
I think this can be expected behaviour:
If you open localhost/app1 and localhost/app2 you are on the same domain, so it's valid that the same cookie is sent. I am not sure if localhost:5050 and localhost:5060 are considered the same domain, but I guess that's the case.
If the same cookie is sent, the Membership system will evaluate this as the same user. That's expected behaviour.
If you want these 2 webs to use different pools of users, you have to create a new application in the Membership system and configure it in web.config.
This will not affect the behaviour of a production system, because the 2 webs will be on different domains. Each domain is only allowed to access its own cookies.