We have a MVC4 application running on a windows server 2008 with iis 7.5. everything was running fine until out SSO team installed siteminder for single sign on.
Now the application after the SSO redirect is giving a 403 forbidden error. Any Suggestions?
Here's what is happening.
1. access the site.
2. Site redirects to SSO page
3. after entering the credentials (everything is validated as the siteminder trace and logs is showing no errors)
4. application redirects the original entered url and we see a 403.
we currently have no implementation that uses the SSO user coz we were waiting for the SSO to be setup and our current authentication in web config is set to "None"
application was all good before the siteminder and the url was accessible.
Verified everything but not sure what is the issue.
1. Application pool is set to 4.0
2. TestConnection is ok for authorization and authentication
3. No errors in siteminder logs (the SM cookie is set correctly)
4. We do not have SSL
5. this is the only site running on the server
6. IIS_IUSRS is given access to the sites root folder
Not sure if there is anything we can do in the sites web config. though as i have mentioned before it was all ok before site minder. Now Even if we disable the siteminder the application just return 403 forbidden.
please help!!
well we finally reached out to some people with extensive siteminder experience and they suggested to use the "classic" app pool instead of "Integrated" which solved our issue.
Related
I am working in an Asp.net application with forms authentication. On my web.config I had set the requiressl property=true.
I have been working on development without any problem but when I deploy it on my test environment I got the next error:
The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL."
The error is raised on
at System.Web.Security.FormsAuthentication.SetAuthCookie(String userName, Boolean createPersistentCookie, String strCookiePath)
at System.Web.Security.FormsAuthentication.RedirectFromLoginPage
So my questions are why is FormsAuthentication.SetAuthCookie setting the cookie over http? and how can I set it to be over https??
I think you should configure your IIS in order to accept SSL connections for your site.
https://learn.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis
You should pay attention if you activate SSL for your site and if you don't have a Valid SSL Certificate, users will see a warning when they open your site: Continue with this website (Not recommended). And most of the time people don't choose this option.
And it can be more complicated. For me, you should buy an SSL certificate from a provider. You should install it on your server. In order to ensure that your clients will browse your site under https://, you should redirect any connection to your site to https://.
Here is a link which is very useful :
https://www.namecheap.com/support/knowledgebase/article.aspx/9953/38/iis-redirect-http-to-https
I created a web application with asp webforms, ef 6.0 and authentication over owin. on dev system works everything perfect. I published the webapp on iis on windows server 2012. Login works fine, but suddenly after some time, the users are not able to authenticate. I need to make a recycle of the apppool and then its working again. then same again after some time not able to login. I have no excpetions or erros in the windows or app logs. Also the connection to the database is working because i get some user infos from database (tested it with inactive flag). web.config also looks okay. Formsauthentication is deactivated and modules removed.
I have a second webapp also with an owin authentication on same iis without any problems.
someone has a clue what can cause that problem?
thx
Ronald
I think i found the solution.
After the authentication i made
Context.Redirect(url);
I needed to change to
Context.redirect(url, false);
For unclear reasons its possible that the Cookie is not created and added to the context before the redirect. Then asp has No Cookie and redirect again to Login.
Thx, ronald
I have a curious problem with a legacy ASP.NET web application using Windows Authentication. A particular page is crashing, and an inspection of the page and the site logs indicates the page is crashing because the request is not properly authenticated - no Windows identity is being requested by IIS or supplied by IE 11.
The page has a curious path; it took a few minutes to decode how it was originally assembled. The initial request is not for a specific page, but is merely a folder-only URL that is routed to Default.aspx. The handler checks the query string and redirects to specific pages accordingly.
The initial request to the site is authenticated, as evidenced by the IIS site logs. The page to which the request is redirected (Response.Redirect) does not authenticate. The absence of the Windows authentication challenge leaves the site with no automatic identity to the targeted page, leading to the page crash (code depending on the identity fails). The sequence goes this way:
Original URL: /sitename/folder/?parameter1=value¶meter2=value
IIS issues the authentication challenge, and the authenticated user is shown in the logs - eg, domain\user
The request is then handled by folder/Default.aspx (default page as defined in IIS)
Default.aspx.cs inspects the query string, and routes the request to (eg) OtherPage.aspx via Response.Redirect.
OtherPage.aspx is requested, and the request is logged - with no authentication, and no challenge
OtherPage.aspx.cs crashes (no user credential)
I am trying to theorize how or why ASP.NET is even permitting the unauthenticated file request. I have tried to reproduce the behavior in a test environment, and have been unable to do so. I have suspected that "Automatic logon in Intranet zone" might have been disabled, or that stored local credentials may be present but somehow causing a conflict, but neither of those scenarios panned out. The former did result in a failed authentication attempt and a proper 401 response from the server (the target page was not fired in a test environment).
Further research into this question has led to a solution if not a 100% dissection of the cause.
The users experiencing the problem were accessing the target site via a link in an email message. The link, for some unknown reason, inhibited the credential exchange between IE and IIS until the site URL was placed in the "Local Intranet" sites list of IE. This allowed the "Automatic logon in Intranet sites only" option to apply which, in turn, allowed the authentication to work.
The reason this is not a "100% dissection" is because these users were accessing the site previously, wherein authentication worked when the site was accessed conventionally. Exactly how the email message link inhibited the authentication exchange is not known. At the moment, I theorize that some security setting inhibits authentication when originating from an email link unless the specific site URL is explicitly qualified as a trusted or Intranet site.
Thanks for your consideration.
I've viewed a few of the other IIS reverse proxy with windows authentication posts on here and they don't seem to be what I'm trying to do. Hopefully someone will be able to help or spot what I'm not doing or doing wrong.
I've got a server which has a website running on port 80 which I need to present a number of other web applications on. I cannot create new hostnames so I created a virtual directory in the site which pointed to my web apps, however the root site is using .net2.0 app pool which must stay as .net2.0 whereas my ASP.NET MVC apps all need 4.0 app pools. As per the web.config inheritance problem this is not working and I cannot change the web.config in the root to ignore propagation to child web.configs - with me so far? ;-)
To cut a long story short I've now got a virtual directory in my port 80 site which is acting as a reverse proxy to another site on port 81 and this is working fine for anonymous connections. I've tested it with a simple HTML page and I can access it and the url re-writing is working on links in the HTML page, all good so far.
Now I need to enable windows authentication on the port 81 site, so I followed the instructions similar to what is in these links on MSDN site to configure SPN's for the domain account I'm using (DOMAIN\testaccount) and other IIS config's:-
link 1
link 2
The problem is that all I get now is the good old error message:-
Access is denied. Description: An error occurred while accessing the
resources required to serve this request. The server may not be
configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
-------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.34280
I've tried creating a test aspx page which just outputs the server variables to the response but even this is not working.
I can't find anything else to try, initially I thought I'd have to get Kerberos sorted to pass the details from virtual directory to site on port 81 but the MSDN posts say this is not needed, just the SPN's.
Anyone any ideas?
This turned out to be something very simple and me being dumb for not checking! :-)
I spent days trying to figure out why this wasn't working, not sure why I didn't try earlier but I changed the application pool it was running under to use .net2.0 and then my test aspx page worked!?!
Turns out in IIS manager if you click on the root server node itself that under 'ISAPI and CGI restrictions' feature settings that the .net4.0 DLL's were set to 'Not Allowed' but the .net2.0 DLL's were 'Allowed'! I just enabled the .net4.0 changed the application pool back and then voila it works.
I'm making a personal management site only for me(using ASP.Net MVC, IIS8.0), so I want to use Windows authorization.
I turned on Windows authorization in IIS, so I can log on my web site on outside of my computer (like smartphone, both 4G network and WIFI LAN)
BUT I can't log on my site in my computer
actually, I can log on(automatically logs on) when I use url : [http://localhost/].
but when I access via my own domain, ex. [http://myowndomain.com], It shows a basic authorization form, When I submit the correct userId and password, it doesn't work and returns a 401 error. (401 - Unauthorized: Access is denied due to invalid credentials.)
What's wrong with my settings?