AllowAnonymous Attribute in ASP.NET MVC5 - c#

I'm working on an older ASP.NET project and debugging in IISExpress and have implemented an API controller method that should require no authentication/anonymous (the project is set to Windows Authentication, I believe).
Within APIController, I have added the following attribute above the method:
[System.Web.Mvc.AllowAnonymous]
Within the web.config file I have added the following with a correct location:
<location path="api/GreenTime">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
However, when visiting the API Controller/Method, the browser prompts for credentials and returns a 401.2 error if domain credentials are supplied.

I found the issue. AnonymousAuthentication was set to false in the VS Project settings. You have to click on the project in the solution explorer and press F4 to find the settings.

Related

Having trouble adding asp.net projects on Visual Studio 2017

I am building two separate webpages, contained within two separate projects on Visual Studio 2017, using asp.net framework. I am trying to add my first project into my current solution, to link with my new project. I have no issues adding the project, but when I try to run the imported project, it is giving me the following message:
HTTP Error 403.14 - Forbidden The Web server is configured to not list
the contents of this directory
Most likely causes:
A default document is not configured for the requested URL, and
directory browsing is not enabled on the server.
It also states in the title bar:
IIS 10.0 Detailed Error - 403.14 - Forbidden
I can run the first project and the new project by themselves and everything works fine, but when they are in the same solution, only the original project seems to work. Can anyone help me?
I think you just need to set some configurations in the web.config
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>

Login Page in ASP.NET application with FormsAuthentication access denied

I've got a webapp running that needs users to login.
Webconfig:
<!--Logging in stuff-->
<authentication mode="Forms">
  <forms loginUrl="login.aspx" timeout="2880"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
And in the login.aspx page (double checked the name) I have the following logic after verifying the user credentials using my own database:
if (checkCredentials.searchCredentials(attemptedName, passwordBox.Text) != null)
{
    FormsAuthentication.RedirectFromLoginPage(attemptedName, false);
}
I know the if statement works, as it did with a previous method I used for logging in.
However, when I run the application, the login page opens up immediately with error 401.2. Help would be much appreciated :)
I am posting another answer since this deals with the typical problem of using Visual Studio 2017 with forms authentication, and is an alternate to my previous answer.
Visual Studio 2017 will automatically add a NuGet package called Microsoft.AspNet.FriendlyUrls to your website or web app project. Because of this package, forms authentication will not work and even the login page will not render many times.
The solution explained in my previous answer is to remove this package or comment the line in Application_Start event in global.asax that says RouteConfig.RegisterRoutes(RouteTable.Routes);. Your website will lose the benefits of friendlyUrls if you use this approach.
But, there is a third solution that is mentioned in two different CONFIGURATIONS below; you can use either of them.
CONFIGURATION 1 removes the aspx extension from login and defaultUrl values.
CONFIGURATION 2 keeps the aspx extensions but adds special access permissions for the friendly URL corresponding to login.aspx.
(? in access permission means all unauthenticated users and * means all users, i.e. authenticated + unauthenticated users)
NOTE: I have tried and tested this solution.
CONFIGURATION 1 for Forms authentication config when using Friendly Urls
<authentication mode="Forms">
  <forms loginUrl="login" defaultUrl="home"
         slidingExpiration="true" timeout="20" name=".Auth" protection="All">
  </forms>
</authentication>
CONFIGURATION 2 for Forms authentication config when using Friendly Urls
<configuration>
  <system.web>
    <!--keep the aspx extensions for login and default pages-->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" defaultUrl="home.aspx"
             slidingExpiration="true" timeout="20" name=".Auth" protection="All">
      </forms>
    </authentication>
  </system.web>
  <!-- add access permissions for friendly url corresponding to login.aspx-->
  <location path="login">
    <system.web>
      <authorization>
        <allow users="?" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
Since you are using Visual Studio 2017, the first thing you need to check is if the Microsoft.AspNet.FriendlyUrls package is included. Go through the following steps.
Comment the line in Global.asax that says RouteConfig.RegisterRoutes(RouteTable.Routes); and try your page now. But make sure to clear the cache in your browser, else the old cached version of this URL with the 401.2 error will keep showing.
If you still see some issues, then just remove the above package by selecting the Solution node in solution explorer and then going to Tools => NuGet Package Manager => Manage Packages for solution; check in the Installed list for this package, select it and select the solution checkboxes on the right, then click on the uninstall button.
Below are some other things that you need to make sure.
Try changing your forms tag in web config to following. Change the value of defaultUrl and timeout according to your requirements.
<authentication mode="Forms">
  <forms loginUrl="login.aspx" defaultUrl="home.aspx"
         slidingExpiration="true" timeout="20" name=".Auth" protection="All">
  </forms>
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
Also, your C# code must be in Login button click event; if it's anywhere else then also you could see issues.
Allow Login.aspx for all unauthenticated users. Add this configuration just before </configuration> at the end of the web config file. Enter the path for Login.aspx if it's not in the root, like Security/login.aspx if the page is under the Security folder of root.
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Open the IIS Management console by going to Control Panel > Administrative Tools > Internet Information Services Manager. Then, expand the websites node and select the website you are using. Now double click Authentication in the right pane and make sure Anonymous and Forms authentication are enabled and other options are disabled, as shown in the following screenshot: [screenshot: Security settings in IIS website]
You can check to see if you have this kind of entry. If so, you could try removing it.
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
  </modules>
</system.webServer>
Just in case it helps someone.
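
The `?` and `*` rules in this thread depend on first-match ordering in ASP.NET URL authorization. The following is an added example, not code from any post on this page: it evaluates the three rule orderings that appear in the web.config snippets on this page and flags rules that can never take effect. The function names and the user "alice" are hypothetical; only the users attribute is modelled (roles and verbs are ignored) and name matching is assumed to be case-insensitive.

```python
import xml.etree.ElementTree as ET

# Constructed samples: rule orderings taken from the web.config snippets on this page.
SAMPLES = {
    "deny_anon_first": '<authorization><deny users="?"/><allow users="*"/></authorization>',
    "allow_all_first": '<authorization><allow users="*"/><deny users="?"/></authorization>',
    "login_location": '<authorization><allow users="?"/><deny users="*"/></authorization>',
}

def parse_rules(xml_text):
    """Return [(action, [user tokens])] in document order; roles and verbs are ignored."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, [u.strip().lower() for u in el.get("users", "").split(",") if u.strip()]))
    return rules

def evaluate(rules, user):
    """user=None is an anonymous request. The first matching rule decides the outcome."""
    for index, (action, tokens) in enumerate(rules):
        if "*" in tokens or (user is None and "?" in tokens) \
                or (user is not None and user.lower() in tokens):  # assumed case-insensitive
            return action, index
    return "allow", None  # nothing matched: the inherited root <allow users="*"/> applies

def dead_rules(rules):
    """Indexes of rules that never decide a request because earlier rules cover them."""
    anon = authed = False  # has every anonymous / every authenticated user been decided?
    named, dead = set(), []
    for index, (_, tokens) in enumerate(rules):
        def covered(t):
            if t == "*":
                return anon and authed
            return anon if t == "?" else (authed or t in named)
        if tokens and all(covered(t) for t in tokens):
            dead.append(index)
        for t in tokens:
            if t == "*":
                anon = authed = True
            elif t == "?":
                anon = True
            else:
                named.add(t)
    return dead

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        rules = parse_rules(xml_text)
        print(name, "anonymous:", evaluate(rules, None),
              "alice:", evaluate(rules, "alice"), "dead rules:", dead_rules(rules))
```

With `<allow users="*"/>` placed before `<deny users="?"/>`, the deny rule is reported as dead and anonymous requests are allowed. The allow-`?`-then-deny-`*` pair used for the login location admits anonymous requests and denies every authenticated user.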

Windows Authentication .Net Core 2.0 Show Username Without Security Prompt

I created a brand new Asp.Net Core 2.0 web mvc application with windows authentication enabled.
If I immediately hit play it prompts me for user credentials which is not what I want. If I hit cancel it then redirects me to a 401.2 unauthorized error screen with the following error:
"You are not authorized to view this page due to invalid authentication headers."
When I then stop the application and enable anonymous authentication on the project and hit play again, it runs the application successfully but will not display my username. @User.Identity.Name returns empty string.
How do I get around the security prompt while still being able to display my username?
In the .NET Framework, I would use this in the web.config file along with anonymous authentication = true and it would work the way I want:
<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
I am using Visual Studio 15.4.1.
I think that the <authentication> tag is related to ASP.NET, and not IIS. In ASP.NET Core, the System.Web pipeline doesn't run.
I've had success in implementing Windows authentication with ASP.NET Core by using the following configuration in the web.config
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
The <system.webServer> section is the one getting modified when you change the authentication settings through IIS Manager.
Edit after Ben's first comment
Sorry, I had misread part of your initial message, and thought that you were trying to deploy your application in IIS.
It looks like Windows Authentication is set up correctly since you get prompted for credentials. What I don't understand is why you get prompted. I'm using IE11, Edge and Chrome, and they all know how to send Windows credentials without prompting me.
What browser are you using when doing your test? Could you try with the ones I listed above?

ASP.NET MVC authentication only works when debugging on Chrome

I have an MVC ASP.NET application set with "Individual user accounts". The log in and register features only work when debugging in Chrome. When I run without debugging on any browser including Chrome, I get redirected to the login page when attempting to register or log in.
In my web.config class I have this
<system.web>
  <authentication mode="None" />
  <compilation debug="true" targetFramework="4.5.2" />
  <httpRuntime targetFramework="4.5.2" />
Any idea as to what's going on?
I had the same problem before, and it's related to cookies and session state. Try to run your solution without the debugger in Google incognito; if it runs successfully, then clear your browser cache from settings (cookies).
For OWIN itself, make sure to update all of your NuGet packages; this should solve the problem.

Validation of viewstate MAC failed, tried generating machine key

Server Error in '/' Application.
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
I've looked through countless previous questions and I haven't managed to get it working.
I've edited my web.config file and included a generated key with no success.
Web.config
<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
  <system.web>
    <machineKey validationKey="E91A16E07A8D628F1F1397962336B0C63B6DC45B8EB3D16BBD5E5761DD8AE462C04C1CC215904FF0353E84EF8194B48682114C72CF8E10F5295E5ADF36DBC520" decryptionKey="EFA118DF00BFB8206F24A1BB4AF7D18FBD6A605B44789E9048D8127FFF950A09" validation="SHA1" decryption="AES" />
    <httpRuntime />
    <pages enableViewStateMac="true" />
    <customErrors mode="Off" />
    <compilation targetFramework="4.0" debug="true" />
    <authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
This happens when I postback to another page!
Instead of using <form action="..."> to perform a cross-page post back, try changing your submit button to read <asp:Button runat="server" postbackurl="...">. Using the PostBackUrl property is the officially supported way to perform a cross-page post back, as it sets a flag in the request telling the destination page to ignore the __VIEWSTATE field.
The main problem lies in the Application Pool of your website. Configure your website to use the proper .NET Framework version (i.e. v4.0) under the General section of the Application Pool related to your website.
Under the Process Model, set the Identity value to Network Service. Close the dialog box and right-click your website and select Advanced Settings... from the Manage Website option of the content menu. In the dialog box, under General section, make sure you have selected the proper name of the Application Pool to be used.
Your website should now run without any problem. Hope this helps you overcome this error.
