I CANNOT RUN FORM-BASED AUTHENTICATION

  • Question

  • User-1961011923 posted

    Hi,

    I am desperately trying to get an ASP.NET web site to work properly with form-based authentication.
    I have read a lot of web tutorials and videos and I believed I had a good understanding of this feature. In reality I do not.

    My web site has a default.aspx page, I added a connexion.aspx one and I coded Web.Config like this:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="Connexion.aspx" timeout="20" name=".ASPNETAUTH" protection="All" path="/" defaultUrl="Default.aspx">
            <credentials passwordFormat="Clear">
              <user name="fred" password="pass1"/>
              <user name="bruno" password="pass2"/>
              <user name="napier" password="pass"/>
            </credentials>
          </forms>
        </authentication>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>

      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>

      <location path="Connexion.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    But execution systematically throws a 401.2 error (French-language message): "Echec de la connexion en raison de la configuration du serveur. Vérifiez que vous êtes autoriser à afficher cette page en fonction des informations d'identification"
    I suppose the page in question is "connexion.aspx", because when I delete the tag <deny users="?" /> in web.config, the error does not occur...

    IIS has Anonymous authentication enabled, and the form-based one too…

    Can you help me quickly? I really need this site soon and I cannot find anything anywhere to resolve my problem.

    Best regards, and apologies for my (bad) English...

    Bruno

    Friday, June 19, 2020 3:41 PM

All replies

  • User-943250815 posted

    Your login page should be allowed to everyone (<allow users="*" />), otherwise you get an Unauthorized error.
    On all other pages you should allow authenticated users.

    Friday, June 19, 2020 6:39 PM
  • User-1961011923 posted

    Hi jzero,

    Thanks a lot for your answer.
    But my problem is exactly to know why the page is not allowed, although I grant the right in web.config, as you can see in my first post.

    I used this tag for the default page and the login page, and I expected everyone could access them, but the 401.2 error seems to say the opposite...

    <location path="Default.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="Connexion.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    Do you have an idea about that?

    Best regards,

    BSharp34

    Saturday, June 20, 2020 11:38 AM
  • User475983607 posted

    My best guess is you want to allow anonymous access to the default site root.

    <configuration>
      <location path="default.aspx">
        <system.web>
          <authorization>
            <allow users="?"/>
          </authorization>
        </system.web>
      </location>
      <system.web>
        <compilation debug="true" targetFramework="4.8"/>
        <httpRuntime targetFramework="4.8"/>
        <authentication mode="Forms">
          <forms loginUrl="login" defaultUrl="SecuredPage" />
        </authentication>
        <authorization>
          <deny users="?"/>
          <allow users="*"/>
        </authorization>
      </system.web>
    </configuration>

    Global.asax

    using System;
    using System.Web;
    using System.Web.Optimization;
    using System.Web.Routing;

    public class Global : HttpApplication
    {
        void Application_Start(object sender, EventArgs e)
        {
            // Code that runs on application startup
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);
        }

        void Application_BeginRequest(object sender, EventArgs e)
        {
            // A request for the bare application root ("/") is checked against the
            // root authorization rules; rewriting it to default.aspx before
            // authorization runs lets the <location path="default.aspx"> rule apply.
            if (Request.AppRelativeCurrentExecutionFilePath == "~/")
                HttpContext.Current.RewritePath("default.aspx");
        }
    }

    Saturday, June 20, 2020 12:33 PM
  • User-943250815 posted

    Here is a good starting point article (older, but it gives you a better view): https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs
    Some examples for allow/deny: https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config

    Try this way. I'm assuming you have all the elements in page Connexion.aspx to collect User & Password and check whether the user is valid or not.

    <configuration>
      <system.web>
        <compilation debug="true" targetFramework="4.8"/>
        <httpRuntime targetFramework="4.8"/>
    
        <authorization>
          <allow users ="?" /> <!-- Allow Anonymous users, or if you want allow everyone replace ? by * -->
        </authorization>
    
        <authentication mode="Forms">
          <forms loginUrl="Connexion.aspx" timeout="20" name=".ASPNETAUTH" protection="All" path="/" defaultUrl="Default.aspx">
            <credentials passwordFormat="Clear">
              <user name="fred" password="pass1"/>
              <user name="bruno" password="pass2"/>
              <user name="napier" password="pass"/>
            </credentials>
          </forms>
        </authentication>
      </system.web>
    
      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow users ="fred, bruno"/> <!-- Only fred and bruno are allowed on this page -->
            <deny users ="?"/>            <!-- Everyone else is denied -->
          </authorization>
        </system.web>
      </location>
    </configuration>

    Saturday, June 20, 2020 4:09 PM
  • User-1961011923 posted

    Hi Jzero ,

    Thank you for the time you have spent on my problem, and GebHard too...

    Unfortunately, no solution emerged despite the quality of your answers.
    I read and followed the documentation you advised me, without success.

    I now believe there is no fault in Web.config as it is written. It seems something goes wrong in its interpretation by IIS.
    I have followed the explanation of Gurusarkar's blog as you told me, point by point, and tested every step:
    With the following code, the anonymous users are correctly excluded, the connexion.aspx page is called but it can never be opened (no right for it). And if I don't use the "LoginURL" tag, it tries to open a "login.aspx" page, but it cannot either (I have created one…)…
    Moreover, rights given with a "Location" tag never work: they seem to be ignored…

    <configuration>
      <system.web>
        <compilation targetFramework="4.6.1" />
        <httpRuntime targetFramework="4.6.1" />
        <authorization>
          <deny users="?" /> <!-- All anonymous users are forbidden -->
        </authorization>
        <authentication mode="Forms">
          <forms loginUrl="~/Connexion.aspx" /> <!-- This page should be open to all without any particular right... but it is not... -->
        </authentication>
      </system.web>

      <location path="~/Default.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
            <allow users="?" />
          </authorization>
        </system.web>
      </location>
      <location path="~/Connexion.aspx"> <!-- should be open so users can connect, but IIS cannot because of rights... -->
        <system.web>
          <authorization>
            <allow users="*" />
            <allow users="?" />
          </authorization>
        </system.web>
      </location>
      <location path="~/Contact.aspx"> <!-- No one should have access to this page, but it is still possible -->
        <system.web>
          <authorization>
            <deny users="*" />
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    If you have other ideas, that would be great, but in any case many thanks for the attention you have already given me.
    (For information: 7 ASP.NET forums asked, 5 in France and 2 outside, only 1 discussion with responses: yours.)

    Best regards,

    Bruno

    Sunday, June 21, 2020 4:51 PM
  • User475983607 posted

    BSharp34, you are not following the recommendations!  The code I posted above was tested and verified.  You MUST update the global.asax if you wish to allow anonymous access to the application root. 

    using System;
    using System.Web;
    using System.Web.Optimization;
    using System.Web.Routing;

    public class Global : HttpApplication
    {
        void Application_Start(object sender, EventArgs e)
        {
            // Code that runs on application startup
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);
        }

        void Application_BeginRequest(object sender, EventArgs e)
        {
            // Rewrite the bare application root to default.aspx before authorization
            // runs, so the <location path="default.aspx"> rule applies to "/" as well.
            if (Request.AppRelativeCurrentExecutionFilePath == "~/")
                HttpContext.Current.RewritePath("default.aspx");
        }
    }

    This syntax is wrong.

    <location path="~/Contact.aspx">

    It should be the following when the web.config is in the root.  Again, see my example above.

    <location path="Contact.aspx">

    This construct denies access to all users (anonymous and authenticated) which makes no logical sense because you can just remove the page.

    <deny users="*" />
    <deny users="?" />

    The common solution is placing the secured pages in a folder and adding a web.config file to the folder.  Same for anonymous pages.  The standard docs cover the details.

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/membership/user-based-authorization-cs

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, June 21, 2020 5:18 PM
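The folder-based layout this answer recommends, written out as an added example (not configuration posted in the thread): the root web.config stays open, pages that need a signed-in user live in a folder with its own web.config, and the `<forms>` element is shown with the ticket protection and cookie settings a hardened site would use. The folder name Secure, the page names and the requireSSL/httpOnlyCookies values are this editor's choices, and the example assumes the site is served over HTTPS.

```xml
<!-- /web.config (site root): stays open, so "/", Default.aspx and the login page never
     deny themselves; the Global.asax rewrite is then not needed for the root. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="None" (seen in one reply) leaves the ticket neither encrypted nor
           signed; "All" does both. requireSSL keeps the cookie off plain HTTP. -->
      <forms loginUrl="Connexion.aspx" defaultUrl="Default.aspx" name=".ASPNETAUTH"
             protection="All" requireSSL="true" slidingExpiration="false"
             timeout="20" path="/" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Root-relative path, no "~/" prefix, as the answer above points out. -->
  <location path="Contact.aspx">
    <system.web>
      <authorization>
        <deny users="?" />   <!-- anonymous visitors are redirected to Connexion.aspx -->
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- /Secure/web.config (editor's folder name): the rules of the more specific config
     are evaluated before the root rules, and the first matching rule wins. -->
<configuration>
  <system.web>
    <authorization>
      <allow users="fred,bruno" />  <!-- only these two accounts -->
      <deny users="*" />            <!-- everyone else, signed in or not -->
    </authorization>
  </system.web>
</configuration>
```

The `<credentials passwordFormat="Clear">` list from the question is left out on purpose: it keeps passwords readable in the config file, and the membership article linked above covers the provider-based alternative.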
  • User-1961011923 posted

    Hi mgebhard,

    You're right!! Sorry! In fact, I had followed your post and updated the global.asax, but I went back to the initial version before testing Jzero's post…

    And you're right down the line, because everything works properly now…

    I read the tutorial you advised me, created folders with adapted web.config files, and the web site works as I wanted it to!

    Now I just have to go to the other forums to explain your solution in case somebody has the same comprehension problem.

    A great thank you to you and Jzero.

    Bruno

    Monday, June 22, 2020 7:07 AM
  • User1686398519 posted

    Hi BSharp34,

    I have another solution, you can refer to it.

    When you use FriendlyUrlSettings, there will be no aspx suffix, so it will not find "Default.aspx" written in web.config.

    Open the RouteConfig.cs file, then comment out the code below.

    var settings = new FriendlyUrlSettings();
    settings.AutoRedirectMode = RedirectMode.Permanent;
    routes.EnableFriendlyUrls(settings);

    Web.config

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="Connexion.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20"/>
        </authentication>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
      <location path="Connexion.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
      <location path="Contact.aspx">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    Here is the result.

    Best Regards,

    YihuiSun

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 22, 2020 8:28 AM
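An alternative to commenting out EnableFriendlyUrls is to keep the extensionless URLs and write the authorization rules for them. This is an added example, not the reply's configuration; it assumes, following the reply's explanation, that URL authorization compares the path the browser requested, so each per-page rule is listed under both the friendly name and the .aspx name, and the root is left open so that "/" and the login page never deny themselves.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- With AutoRedirectMode.Permanent the browser ends up on /Connexion, so the
           login URL is given in its extensionless form too. -->
      <forms loginUrl="Connexion" defaultUrl="Default" name=".ASPNETAUTH"
             protection="All" timeout="20" path="/" />
    </authentication>
    <!-- Root stays open; the per-page rules below decide who must sign in. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Contact requires a signed-in user. The rule is listed under both names: the
       friendly one is what the request carries, the .aspx one covers direct requests
       for the physical file. -->
  <location path="Contact">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Contact.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```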
  • User-1961011923 posted

    hi YiHuiSun,

    Thanks a lot for your post.

    It's a very interesting way which, moreover, explains why I couldn't enable my connexion page...

    Best regards

    Bruno

    Tuesday, June 23, 2020 9:21 AM