I've already tried Use Anonymous authentication in MVC4 on single controller when the whole application uses Windows Authentication and IIS Mixed Anonymous and Windows Authentication, no such luck so far getting what I need to happen.
We have an MVC app on our network. Internally, it should use windows authentication, and we use an [AuthorizeByRole(param[] Role roles)] Attribute on many of our views / controllers.
However, we also need for external users to be able to access the app. We have contractors and physicians that don't have AD credentials, plus the mobile app uses an anonymous backend API.
What I need to happen:
Internal users: auto login using windows authentication, nice and simple
External users: Challenge for windows credentials (which it does) - if they hit cancel, they become an anonymous user, and can still view the app.
What happens now: Hitting cancel causes them to be redirected to the standard asp.net 401 page, rather than seeing the Guest page. Also, the mobile backend just automatically gets a 401, and can't hit the API at all.
Any thoughts?
more information
Here is a sample solution I have
In my web.config, I have:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
In IIS, I have
In my API controller, I put [AllowAnonymous] on both the controller and my GetKey method
On my phone, I go to /api/Auth/GetKey, and I'm challenged for AD credentials. When I hit cancel, I'm redirected to a 401 page.
If the Controller is decorated with an [Authorize] Attribute, you can exclude individual methods, within that Controller, from the Authorization by decorating them with the [AllowAnonymous] Attribute.
Read more about it here.
On the other hand, you could also remove the [Authorize] Attribute from the Controller and only mark methods that need Authorization with it.
You have to decorate controller actions individually instead of the entire controller. Use [Authorize] for actions that only AD users can perform and leave the others undecorated for anonymous users.
Related
I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.
When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).
I use the following string to discriminate anonymous users and domain users:
WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
If WindowsAccountName is empty user is anonymous, otherwise is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.
Do you have any solution for these problem? Keep in mind that domain users are spread among different networks so IP address is not a good choice to discriminate domain users and non-domain users.
It looks like a catch-22 to me.
Thanks.
The term for this is Mixed-Mode Authentication. I have done this multiple times.
This can be accomplished by using a Windows-authenticated site that does no more than pull the user's credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Another way I have done this is with an encrypted URL parameter that contains the user id and a time-stamp.
Internal Site
Create a Redirect URL Site: Set up this site with Windows Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
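The encrypted-and-expiring handoff in step 1a, written out as an added example in C# (not the answerer's code); SharedKey, Issue and TryRedeem are assumed names, and the Forms ticket of step 1b is left to FormsAuthentication.SetAuthCookie on the anonymous site once TryRedeem succeeds:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Handoff token for the mixed-mode scheme above: the Windows-auth redirect site issues it,
// the anonymous site redeems it. SharedKey is a placeholder; both sites must load the same secret.
public static class HandoffToken
{
    static readonly byte[] SharedKey = Encoding.UTF8.GetBytes("REPLACE-WITH-A-LONG-RANDOM-SECRET");
    const int LifetimeSeconds = 5; // same 5-second window the answer uses for its DB ticket

    // Redirect site: userId is the identity IIS already verified (HttpContext.Current.User.Identity.Name).
    public static string Issue(string userId, DateTime utcNow)
    {
        if (userId.Contains("|")) throw new ArgumentException("separator not allowed", "userId");
        string payload = userId + "|" + utcNow.AddSeconds(LifetimeSeconds).Ticks;
        string mac = Convert.ToBase64String(Sign(payload));
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload + "|" + mac));
    }

    // Anonymous site: yields the user id only when signature and expiry both check out.
    public static bool TryRedeem(string token, DateTime utcNow, out string userId)
    {
        userId = null;
        string[] parts;
        byte[] actualMac;
        try
        {
            parts = Encoding.UTF8.GetString(Convert.FromBase64String(token)).Split('|');
            if (parts.Length != 3) return false;
            actualMac = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }          // malformed token, not a crash
        long expiryTicks;
        if (!long.TryParse(parts[1], out expiryTicks)) return false;
        // Verify the MAC before trusting anything in the payload, including the expiry.
        if (!FixedTimeEquals(Sign(parts[0] + "|" + parts[1]), actualMac)) return false;
        if (utcNow.Ticks > expiryTicks) return false;        // presented after its 5-second window
        userId = parts[0];
        return true;
    }

    static byte[] Sign(string data) { using (var h = new HMACSHA256(SharedKey)) return h.ComputeHash(Encoding.UTF8.GetBytes(data)); }

    // Length-independent comparison; .NET Framework has no CryptographicOperations.FixedTimeEquals.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Unlike the database GUID variant, a signed token is not single-use inside its window; if that matters, keep the GUID lookup and delete the row when it is redeemed.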
I don't know if it's too late to post this. I recently worked on enabling anonymous authentication on one page in a .NET 4.8 MVC application.
Let's say the page was accessible via URL: User/MyCustomPage
Application configuration was as follows:
1. In web.config the authentication mode was specified and authorization was set to deny for anonymous users.
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
2. In the controller, authorize tag was there.
3. In IIS, windows authentication was enabled, and anonymous mode was disabled.
I did the below steps:
1. Removed the authorize tag from the specific controller and added the [AllowAnonymous] tag.
2. Enabled anonymous authentication in the IIS server. Go to server -> authentication -> Anonymous -> click Enable in the right pane.
3. I had to add the particular path, to exclude it from regular windows authentication, by writing the below code in the web.config file.
<location path="User/MyCustomPage">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
But still, I was getting a prompt for Windows credentials on accessing the above URL. The reason I found was:
The View that MyCustomPage was returning was consuming another resource.
So I had to add that path too in the web.config.
<location path="Bundle/Content/css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
I have an ASP.NET MVC4 website deployed on IIS with Windows Authentication enabled. My config file has this setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My understanding is that this will allow me to authenticate without having to type in credentials; i.e. an intranet site.
This works as intended, except for the first page load. When I first access the website, I am directed to the following URL:
http://localhost/SandboxWebsite/login.aspx?ReturnUrl=%2fSandboxWebsite
This is obviously a page that asks for credentials. When I then navigate again to http://localhost/SandboxWebsite/, I am automatically authenticated without having to enter any credentials.
Why is this occurring and how can I prevent it?
The problem was that, whilst anonymous access was disabled as a setting, there was no authorisation rule to deny anonymous users. Why this redirected me to Login.aspx I do not know, but I fixed it by adding the following rules.
IIS > MyWebsite > .NET Authorization Rules
John,
this is a long shot but have you tried using an address other than LocalHost to access the site? It may be that your ASP.NET MVC4 website is expecting a specific domain name/computer name or IP address because of the way it was set up.
You could alter your hosts file to test this out.
Hope this helps.
Dorje
I am working on ASP.net MVC 2.0 Web Application in C#.
I am very new to MVC. I wanted to implement Windows Authentication and role-based authentication in my application.
I was successful in implementing Windows authentication. I have configured it properly to make my application work with Windows authentication.
Code:
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
So, from Windows Active Directory I was able to get the logged-in user name.
Then in the Session_Start of my application, I send that username to the database to check whether that particular user is a valid user for that application.
Now, here I only have two roles: normal user and admin.
So, a normal user should be restricted to only some set of pages.
I have a database table structure like this (sample data example):
UserID  IsAdmin
1       false
2       true
3       false
I have read many articles on this. But after reading all those I was pretty much confused about the approach to be followed.
How can I create my custom Authorize attribute to restrict access and hide the contents of a page?
Please give some ideas / sample examples on this.
Note: I am working on an MVC 2.0 application.
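A custom attribute along the lines asked for, added here as an example in C# rather than an answer from the thread; AuthorizeAdminAttribute, LookupIsAdmin and AdminController are assumed names, and the lookup delegate stands in for the asker's own IsAdmin query:

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Restricts an action or controller to users whose row in the asker's table has IsAdmin = true.
// LookupIsAdmin is assumed: point it at the same query Session_Start already runs.
public sealed class AuthorizeAdminAttribute : AuthorizeAttribute
{
    // Maps the Windows account name (DOMAIN\user) to IsAdmin; null means "not in the table".
    public static Func<string, bool?> LookupIsAdmin = name => (bool?)null;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // <deny users="?"/> plus Windows auth means an unauthenticated user never gets here,
        // but check anyway so the attribute fails closed if the config changes.
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated)
            return false;
        bool? isAdmin = LookupIsAdmin(httpContext.User.Identity.Name);
        return isAdmin == true;   // unknown user (null) is denied, not treated as a normal user
    }

    // A logged-in non-admin should see 403, not the 401 that re-triggers the Windows challenge.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            filterContext.HttpContext.Response.StatusCode = 403;
            filterContext.Result = new EmptyResult();   // MVC 2 has no HttpStatusCodeResult
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Usage on an MVC 2 controller (constructed for this example):
public class AdminController : Controller
{
    [AuthorizeAdmin]
    public ActionResult Index() { return View(); }
}
```

For hiding links in views, call the same LookupIsAdmin from a view helper so the page-level and action-level checks cannot drift apart.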
I have two questions concerning authentication of an intranet website and how to go about doing it.
I want the first page the user comes to, to be the login page. I could have sworn there was a tag, something like [Authorize], that you put in your C# code that did this for you but I can't find it anymore. Right now the first page is my default.aspx. I turned on Windows authentication in the web.config file and it automatically logged me in. So that is working, but I want the user to have to login as stated above. What do I have to do?
I only want to allow people that are in a certain group to have access. How do I add this additional check?
In your web.config file you need to add the following
<authentication mode="Forms">
<forms loginUrl="YOUR LOGIN PAGE!!" timeout="2880" />
</authentication>
in the <system.web /> tag.
That will force the user to authenticate for that site.
The [Authorize] attribute is used to require a user be authenticated (like you had put in your question), BUT!! only for MVC applications http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
With MVC you can also do the [RequiresAuthentication(Roles = "admin")] attribute which will give you control over which roles have access to which endpoints.
I would seriously consider MVC
Use forms authentication instead of Windows authentication. Have a look at these links; they provide walkthroughs for using forms authentication:
http://www.asp.net/web-forms/tutorials/security/introduction/an-overview-of-forms-authentication-vb
http://www.dotnetfunda.com/articles/article141.aspx
For using active directory go through these links :
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
http://msdn.microsoft.com/en-us/library/ff650308.aspx
Here's a guide to setting up Forms Authentication on your site: https://web.archive.org/web/20211020150650/http://www.4guysfromrolla.com/webtech/110701-1.shtml
Part 2 has the meat of the stuff.
Thanks for all the great input. They got me going in the right direction and then the customer decided to change direction. They want to have it auto login if they are in the right group, otherwise display an error message. The Forms authentication would have worked as described.
I've got an asp.net app that uses forms authentication that denies anonymous users. It's working fine if I access the server directly, however if I access it via a reverse proxy it does not seem to work so well.
What happens is the reverse proxy sends you to the default page, then gets redirected to the login.aspx page because I'm not logged in, which is all fine and proves that the proxy setup is fine. But it cannot render the login.aspx, giving a 302 (redirect) response.
I'm guessing that somehow asp.net has a way of giving the login.aspx special permissions so that you do not need to be logged in to access it, unlike the rest of a site. I'm further guessing that this logic is failing when accessing it through the reverse proxy, somehow it is thinking 'you're not allowed to see login.aspx because you're not logged in'. However this is just a guess...
Anyway, can someone lend a hand? Thanks a lot in advance.
Use fiddler/wireshark/whatever if possible to see what's actually going on over the wire.
the page that gets 'special treatment' by default is determined by the loginUrl specified in your web.config -> system.web -> authentication -> forms loginUrl - for instance, something like:
you can disable the auth requirement on specific paths via your web.config:
<location path="js">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
A common problem I see happen (and this may be what you're hitting) is that the Login page skips the auth check fine, but things the Login page refers to (images, javascript files, etc) do not, so those requests end up with the 302 back to Login. If that's your case, too, then just add location paths (like the above) sufficient to 'unprotect' whatever your Login page needs access to for displaying properly.