In my ASP.NET web-application I have created Default.aspx (set as my start page), and a new folder called SmartCard with WebForm1.aspx inside of it. How do I configure Web.Config to prompt user for Certificate upon visiting SmartCard/WebForm1.aspx but NOT when Default.aspx loads?
In the accepted answer of this question:
if your app is hosted in IIS then simply add (in web.config) a section that says client certificate is required for those pages. THe browser will then ask the user for a cert.
From the above answer, I looked some more on StackOverflow and found this. From their accepted answer I put the following section in Web.Config:
<location path="SmartCard">
<system.webServer>
<security>
<access sslFlags="SslRequireCert" />
</security>
</system.webServer>
I then modified applicationHost.config in C:\Windows\System32\inetsrv\config (or appropriate directory for your install) and change the following line:
<section name="access" overrideModeDefault="Deny" />
to:
<section name="access" overrideModeDefault="Allow" />
However, I still get prompted for a Certificate on site load. I first get the following screen:
After clicking "Continue to this website" I then get prompted to selected a Certificate when Default.aspx loads. However, I only want to get prompted to selected a Certificate when SmartCard/WebForm1.aspx loads!
ANY help is greatly appreciated!
Here are my site settings in IIS-7:
SSL settings:
Site Bindings:
*MyDevCert is self-signed
Update:
I created a new Web.Config file inside of SmartCard directory with the following:
<?xml version="1.0"?>
<configuration>
<security>
<access sslFlags="SslRequireCert" />
</security>
<system.web></system.web>
</configuration>
I then removed the 'location' tag from base Web.Config.
Base Web.Config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<identity impersonate="false" />
</system.web>
</configuration>
However, I still get "There is a problem with this website's security certificate" screen and I get prompted for certificate once I click "Continue to this website"
From what I'm seeing, you can only have a single value for sslFlags.
See http://www.iis.net/configreference/system.webserver/security/access
And https://msdn.microsoft.com/en-us/library/ms689458(v=VS.90).aspx
The sslFlags attribute can be one of the following possible values. The default is None.
Related
I have a folder called "Template" in my project and want to make it inaccessible via HTTP. I added a web.config file. It makes the folder inaccessible but users can access any content in the folder.
They cannot access "Template" folder, but they can access "Template\index.html"
here is my web.config.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
how can I make the contents inaccessible?
This can be achieved by IIS Request filters. The same way the bin content is inaccessible for browsing.
Under the system.webserver section add the following. There I have enabled directory browsing just to check that even though the directory browsing is enabled users can't browse files in "Template" folder.
Set <directoryBrowse enabled="false" /> if directory browsing is not required.
<?xml version="1.0"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Template" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webserver>
</configuration>
For more information refer this post.
I have developed a web application using c# and asp.net but when I am trying to publish and put it into the server using ftp then I am getting this following error:
Configuration Error
Description: An error occurred during the processing of a configuration
file required to service this request. Please review the specific error
details below and modify your configuration file appropriately.
Parser Error Message: It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level. This error
can be caused by a virtual directory not being configured as an application
in IIS.
Source File: \\fs8-n02\stor10wc2dfw1\555713\570520\www.gxxxxjjsxx.ssd\web\content\2way\armb
\web.config Line: 9
Here if I check on my Line 9 of the web config file then I get this:
<authentication mode="Forms">
And here is my complete web config file code:
<?xml version="1.0"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="2880"/>
</authentication>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<pages validateRequest="false">
<controls>
<add tagPrefix="ajaxtoolkit" namespace="AjaxControlToolkit" assembly="AjaxControlToolKit" />
</controls>
</pages>
<globalization culture="en-GB"/>
</system.web>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
</configuration>
I have checked whether I have multiple web config files but I could not find something like that. And also I have used this published folder into my IIS and I can browse the site from my localhost using IIS but still when ever I am trying to browse using the link:
I am getting the same error. Please help me on this. Thanks.
Here is my solution to the problem: Actually the path was not configured properly into the IIS as a virtual directory. So, that I had to create a proper virtual directory and then only I am able to access the site.
I am getting a 401.2 error on the default document in VS2013 (and IIS). Here are the steps I'm taking:
In VS2013, right click choose "New Project"
Choose "ASP.NET Web Application", click OK
Choose "Empty" project, Check "Web Forms" at the bottom and click OK
Right click on the project and choose "Add | Web Form" - named
Default.aspx with "Authentication Succeeded" as the page content
Right click on the project and choose "Add | Web Form" - named
Login.aspx
Add a "Login" as the page content
Assign an "Authentication" event handler that sets "e.Authenticated
= true"
Update the web.config as listed below
Press F5
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" />
</authentication>
</system.web>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="default.aspx" />
</files>
</defaultDocument>
<security>
<authorization>
<remove users="*"/>
<add accessType="Deny" users="?" />
<add accessType="Allow" users="*"/>
</authorization>
</security>
</system.webServer>
</configuration>
The behavior that I'm seeing is that http://localhost:12345/Default.aspx behaves correctly (always). In other words, when I first go to Default.aspx, it redirects me to the Login.aspx page. Once I've authenticated, I can see the Default.aspx page. If I logout and try to go to the Default.aspx page again it redirects me to login first.
However, when I got the / URL instead (no Default.aspx) I get a 401.2 error (even if I've authenticated 1st)?
The Default.aspx page is listed as a default document, and if I remove the "Deny" line from the Web.Config - then the default document behaves as expected. But when Deny ? is listed in the web config, suddenly the default document stops working and I have to go to /Default.aspx in order to avoid a 401.2 error.
Any suggests as to why this would behave like this?
I see no errors about any of this in the event log. I see the same behavior when using IISExpress (in VS by pressing F5) or with IIS when going to the public URL directly through a browser.
I hesitate to offer this as an answer as I don't understand exactly why it worked for me. However it is too long for a comment and it might help you.
I found that adding the following to the System.Webserver section solved this problem:
<modules>
<remove name="FormsAuthentication"/>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
The key seems to be to remove the managedHandler Precondition from the FormsAuthentication module. As I understand it this is only supposed to optimize serving of static content. So I do not at this point know why it would have this effect. I stumbled on this trying to establish if FormsAuthentication module needed to be registered in the System.Webserver section.
Server Error in '/' Application.
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
I've looked through countless of previous questions and I haven't managed to get it working.
I've edited my web.config file and included a generated key at no success.
Web.config
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<system.web>
<machineKey validationKey="E91A16E07A8D628F1F1397962336B0C63B6DC45B8EB3D16BBD5E5761DD8AE462C04C1CC215904FF0353E84EF8194B48682114C72CF8E10F5295E5ADF36DBC520" decryptionKey="EFA118DF00BFB8206F24A1BB4AF7D18FBD6A605B44789E9048D8127FFF950A09" validation="SHA1" decryption="AES" />
<httpRuntime />
<pages enableViewStateMac="true" />
<customErrors mode="Off" />
<compilation targetFramework="4.0" debug="true" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
This happens when I postback to another page!
Instead of using <form action="..."> to perform a cross-page post back, try changing your submit button to read <asp:Button runat="server" postbackurl="...">. Using the PostBackUrl property is the officially supported way to perform a cross-page post back, as it sets a flag in the request telling the destination page to ignore the __VIEWSTATE field.
The main problem lies in the Application Pool of your website.Configure your website to use the proper .NET Framework version (i.e. v4.0) under the General section of the Application Pool related to your website.
Under the Process Model, set the Identity value to Network Service.Close the dialog box and right-click your website and select Advanced Settings... from the Manage Website option of the content menu. In the dialog box, under General section, make sure you have selected the proper name of the Application Pool to be used.
Your website should now run without any problem.Hope this helps you overcome this error.
This question already has answers here:
Asp.net Validation of viewstate MAC failed
(17 answers)
Closed 9 years ago.
net 4.0 frame work,
I had made many website in this frame work but never get such error
"Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster."
I think so this error is caused because of use of cookies as only in this website i had made use of cookies.
Another one thing i used to get this error very rarely almost 2twice a week
I had read many solutions for this but very rarer for 4.0
solution readed such as putting
<machineKey validationKey="6628ECBFB40F6F852AB543C23C0B83C1679C5AAE35AD72FACF5B9F4FDB70AA1F648A1D5877CE1F9D69F08BAD919BFBAC0976D9119B8F32CFB80814E4E943F8EE" decryptionKey="42F45B378301126EB4CCBA16995304263754EF116E08A81003A936CC04B7537F" validation="SHA1" decryption="AES" />
in web config
OR Adding
<pages validateRequest="false" enableEventValidation="false" viewStateEncryptionMode ="Never" />
in webconfig
But where should i add in my above web config
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="Conn" connectionString="Data Source=abc; Initial Catalog=alfadesi_trikon;User ID=abc;Password=abc" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<globalization culture="en-AU" uiCulture="en-AU" />
<compilation debug="true" targetFramework="4.0"/>
<authentication mode="Windows"/>
<customErrors mode="Off"></customErrors>
</system.web>
</configuration>
you can add your machine key in system.web element.
for e.g.
<system.web>
<machineKey validationKey="1234567890123456789012345678901234567890AAAAAAAAAA"
decryptionKey="123456789012345678901234567890123456789012345678"
validation="SHA1" decryption="Auto" />
</system.web>
If you don't want to put a machinekey in the web.config for each application, you need to put it in machine level web.config for each .Net Framework version.