Currently having issues grabbing the domain user and also allowing anonymous users to access the page. As I have it set up in web.config currently, it makes anonymous users log in. I would just like to allow anyone but grab the domain user if it exists.
Web.config
<system.web>
<authentication mode="Windows" />
<authorization>
<!--<allow users="*" />-->
<deny users="?" />
</authorization>
<identity impersonate="true" />
</system.web>
Above is currently the only setup I can use to grab the domain user, however it asks anonymous users to log in still.
Trying two methods to grab the domain user:
string CurrentUser = System.Web.HttpContext.Current.User.Identity.Name.ToString();
string CurrentUser2 = System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
Am I going about this all wrong?
Edit: Following what #MethodMan said, I'm using the UserPrincipal.
UserPrincipal CurrentUser = UserPrincipal.Current;
ViewBag.CurrentUser = CurrentUser.DisplayName.ToString();
However, I'm getting the following error on IIS but not IIS Express:
Unable to cast object of type 'System.DirectoryServices.AccountManagement.GroupPrincipal' to type 'System.DirectoryServices.AccountManagement.UserPrincipal'.
Not sure what it means because I'm only using UserPrincipal.
Related
We are working with an old designed system that is Role-Based and reads users roles from webconfig as follows:
<authentication mode="Forms">
<forms loginUrl="/UserMgmt/login" timeout="2880" defaultUrl="~/Transaction/Index" enableCrossAppRedirects="true" />
</authentication>
<authorization>
<allow roles="Admin" />
<allow roles="VicePres" />
<deny users="*"/>
</authorization>
I'm looking for a way to remove roles from webconfig and just have them in my database table.
I know it is somehow related to IPrincipal and IsInRole method, but after hours of googling could not wrap my head around that.
Where exactly webconfig roles are bind to security context and how should I change it?
Base on Microsoft article:
When using role-based URL authorization rules the RolePrincipal's
IsInRole method will be called on every request to a page that is
protected by the role-based URL authorization rules
I've implemented IsInRole and its looking for roles in database query object and working fine, but when roles are removed from Web Config, user login is failed.
I have a system in which it is necessary for users to pass through login section to access home page. I am able to do that using asp C# Ado and SQL. But the problem is security. Still users are able to access Home Page without entering credentials by simply changing the URL. When users will open the website the URL will be this:
www.domain.co/Login.aspx
If any user changes it to this:
www.domain.co/Home.aspx
Still they will be able to access it. I do not want it. Can anyone guide me how to achieve this functionality?
Hope that you know the use and advantages of session. You can make use of it.
What you want to do is:
Create a session variable(let it be user_id) set its value as the id of the current user if the user successfully logged into the site. Which means session["user_id"] having the user id if there is any logged user.
You can check for session["user_id"] in the load event of other pages, if it is null means throw him out( redirect to the login page).
Creating session:
session["user_id"] = "Id of the user"; // This will be the unique identifier
This will be added after checking his/her credentials and are valid.
Checking session in the Home page/ or any other page:
if(string.IsNullOrEmpty(session["user_id"]))
Response.Redirect("Login.Aspx");
If your are not using it already, you should see how to add Forms Authentication: https://support.microsoft.com/en-us/kb/301240
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
protection="All" path="/" timeout="30" />
</authentication>
Then you can deny access to anonymous users to all the site doing:
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
Or to specific pages:
<location path="Restricted.aspx">
<system.web>
<authorization>
<deny users ="?" />
</authorization>
</system.web>
</location>
I use Forms Authentication on my project and need to implement the feature for password recovery. Problem is, every time I try to access another controller method I get redirected to the login page. I tried to use
</location>
<location path="~/Account/RecoverPassword">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
on the web.config, but didn't work. How can I achieve this?
* means any existing user.
You want users="?", which means anonymous users.
I have two pages: Members.aspx and Admins.aspx. I want to make unlogged users to see none of them, any logged user to see the first one and only certain users to see both.
User's category ("member" or "admin") is detected at login time from the code and is put in a session variable.
I can easily grant access to any logged user to some page using Forms Authentication (basically as described here), but how should I design my web.config in order to take in account not the username but his category?
Note that users could anytime change their category so i can't hard-code their names, and I need this to be db-independent so I shall stick to Forms Authentication login mode.
You really should look into
Asp.net roles management
And
Filtering Site-Map Nodes Based on Security Roles
It would be smarter than trying to build your own security mechanism based upon Session values.
My suggestion is to use Role-based authentication. A user can have one or more roles. .NET has classes to help you manage users along with their roles.
This is one good tutorial: https://web.archive.org/web/20211029043732/https://www.4guysfromrolla.com/articles/082703-1.aspx
Good luck.
You can place your pages in folders grouped by roles, and create a Web.config for each folder:
For your Admin zone you can use:
<configuration>
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
And for your Member zone you can use:
<configuration>
<system.web>
<authorization>
<allow roles="admin"/>
<allow roles="member"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I have to install a ASP.NET site in a intranet network.
I'm using a authentication mode=Forms".
In a my page i need to get the domain\user of the user connected.
I've followed this article:
http://support.microsoft.com/kb/306359
But it doesn't work.
My web.config has:
<identity impersonate="true"/>
<authentication mode="Forms" >
<forms name="login" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" timeout="30000" />
</authentication>
<authorization>
<deny users = "?" />
<!-- This denies access to the Anonymous user -->
<allow users ="*" />
<!-- This allows access to all users -->
</authorization>
I'm using IIS 6 and .net 4
In Authentication methods settings of iis i've checked
-Enable anonymous access
-Integrated windows authentication
How can i do?
thanks
If you have anonymous access enabled the web-site visitors will all be impersonating the IUSR_MachineName account (or whatever you have configured as the anonymous account).
You need to disable anonymous access so the site will force the user to authenticate with his/her credentials so they will be available in your ASP.NET page. Otherwise the server has no idea who the current user is.