MVC Centralized Forms Authentication - c#

I am switching from WebForms to MVC.
In the web.config of a WebForm I have the following:
<authentication mode="Forms">
<forms loginUrl="/forms/Login"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
If the user is not already authenticated they are redirected to a separate app on the web server, /forms/Login/?ReturnUrl=%2fforms%2fLoginClient. That app has a standard login screen and connects to Active Directory to verify user credentials, and then on success creates the cookie and redirects the user back to the originally requested page using:
FormsAuthentication.RedirectFromLoginPage(username, false)
This is really convenient as I only have one login page UI to manage and all my code to talk to Active Directory in a single centralized location. Additionally, for new apps all I need to do to provide authentication is add the snippet above into the web.config of the new app.
Is there an equivalent way to do this in an MVC project?
I am familiar with the option to include an Account controller when creating a new MVC application.
However, this has a lot of stuff I don't want and way more Views than I'll ever need.
I don't want to have to create a new login page or duplicate my Active Directory auth code for every new MVC application that I create.
Thanks for any guidance on this.
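The same web.config snippet keeps working in MVC: FormsAuthenticationModule and UrlAuthorizationModule run before routing in the integrated pipeline, so `<forms loginUrl="/forms/Login"/>` plus `<deny users="?"/>` still bounce unauthenticated requests to the shared login app (registering `new AuthorizeAttribute()` as a global filter is the MVC-flavoured alternative). The one condition the WebForms setup also relies on is that every consuming app and the login app share the same `<machineKey>`, forms cookie `name` and `path`; otherwise the ticket written by /forms/Login cannot be decrypted by /forms/LoginClient. What changes is only the login app itself, which can be a single MVC controller. The following is an added example, not code from the question; it assumes MVC 4 or later, the domain name `corp.example`, and a view with username/password fields and an anti-forgery token:

```csharp
// Added example (not from the question): one shared MVC login controller, deployed once as the
// /forms/Login application, doing what FormsAuthentication.RedirectFromLoginPage did in WebForms.
// Assumptions: MVC 4 or later, domain "corp.example", a view with username/password fields.
using System.DirectoryServices.AccountManagement;   // reference System.DirectoryServices.AccountManagement.dll
using System.Web.Mvc;
using System.Web.Security;

namespace SharedLogin.Controllers
{
    public class LoginController : Controller
    {
        private const string Domain = "corp.example";   // assumption

        // GET /forms/Login?ReturnUrl=%2fforms%2fLoginClient
        [HttpGet, AllowAnonymous]
        public ActionResult Index(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
        public ActionResult Index(string username, string password, string returnUrl)
        {
            // An empty password can succeed as an anonymous LDAP bind, so reject it before asking AD.
            bool valid = !string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password);
            if (valid)
            {
                using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
                {
                    valid = ctx.ValidateCredentials(username, password);
                }
            }
            if (!valid)
            {
                ModelState.AddModelError("", "Invalid username or password.");
                ViewBag.ReturnUrl = returnUrl;
                return View();
            }

            // Same .ASPXAUTH ticket RedirectFromLoginPage would have written. Other apps on the server
            // can read it only if they share this app's <machineKey>, forms cookie name and path.
            FormsAuthentication.SetAuthCookie(username, false);

            // Follow ReturnUrl only when it is a path on this site: "//evil.example" and
            // "http://evil.example/" fail IsLocalUrl, so the login page is not an open redirect.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return Redirect(FormsAuthentication.DefaultUrl);
        }
    }
}
```

Each new MVC app then needs nothing beyond the web.config snippet from the question and the shared `<machineKey>`; the Account controller and its views from the project template can be deleted.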

Related

IIS Mixed Anonymous and Windows Authentication

I need to create an ASP.NET web page (hosted on Windows Server 2008 R2 with IIS 7.5) which should be visible to domain users and anonymous users without prompting credential requests for either of them. Domain users should be authorized to see the entire page, while anonymous users can see the public part of the page.
When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).
I use the following string to discriminate anonymous users and domain users:
WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
If WindowsAccountName is empty the user is anonymous, otherwise they are a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.
Do you have any solution for this problem? Keep in mind that domain users are spread among different networks, so IP address is not a good choice to discriminate domain users from non-domain users.
It looks like a catch-22 to me.
Thanks.
The term for this is Mixed-Mode Authentication. I have done this multiple times.
This can be accomplished by using a Windows-authenticated site that does no more than pull the user's credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Another way I have done this is with an encrypted URL parameter that contains the user id and a time-stamp.
Internal Site
Create a Redirect URL Site: set up this site as Windows Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
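The hand-off described in this answer is the whole trust boundary between the two sites: whatever the anonymous site accepts as "this is user X" must be unforgeable, short-lived and single-use, or anyone can mint their own. The following is an added example, not the answerer's code, of the "encrypted URL parameter with user id and time-stamp" variant: the internal (Windows-authenticated) site builds an HMAC-signed token carrying the login name, an expiry and a random nonce; the anonymous site verifies the MAC before looking at anything else, then the expiry, then rejects replays. The 5-second lifetime matches the answer; the shared key and the in-memory replay cache are assumptions (on a web farm the seen-nonce store must be shared, which is what the answerer's database GUID gives you).

```csharp
// Added example, not the answerer's code: a signed, short-lived, single-use hand-off token
// for passing the Windows-authenticated user id from the internal site to the anonymous site.
// Assumptions: both sites hold the same 32-byte key; a single-server in-memory replay cache.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public static class HandoffToken
{
    private const int LifetimeSeconds = 5;
    private static readonly ConcurrentDictionary<string, DateTime> Seen =
        new ConcurrentDictionary<string, DateTime>();

    // Internal (Windows auth) site: payload "userId|expiresTicks|nonce", then token = b64url(payload).b64url(mac)
    public static string Create(string userId, byte[] key, DateTime nowUtc)
    {
        if (userId.Contains("|")) throw new ArgumentException("user id must not contain '|'");
        var nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        long expires = nowUtc.AddSeconds(LifetimeSeconds).Ticks;
        string payload = userId + "|" + expires + "|" + Base64Url(nonce);
        return Base64Url(Encoding.UTF8.GetBytes(payload)) + "." + Base64Url(Mac(payload, key));
    }

    // Anonymous site: returns the user id, or null when the token is forged, expired or replayed.
    public static string Verify(string token, byte[] key, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payloadBytes, mac;
        try { payloadBytes = FromBase64Url(parts[0]); mac = FromBase64Url(parts[1]); }
        catch (FormatException) { return null; }
        string payload = Encoding.UTF8.GetString(payloadBytes);
        if (!FixedTimeEquals(Mac(payload, key), mac)) return null;   // check the MAC before trusting any field
        string[] fields = payload.Split('|');
        if (fields.Length != 3) return null;
        long expires;
        if (!long.TryParse(fields[1], out expires) || nowUtc.Ticks > expires) return null;
        if (!Seen.TryAdd(fields[2], nowUtc)) return null;            // nonce already redeemed: replay
        foreach (var kv in Seen)                                     // forget nonces whose token has expired anyway
        {
            if ((nowUtc - kv.Value).TotalSeconds > LifetimeSeconds) { DateTime dropped; Seen.TryRemove(kv.Key, out dropped); }
        }
        return fields[0];
    }

    private static byte[] Mac(string payload, byte[] key)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string Base64Url(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}

public static class Demo
{
    public static void Main()
    {
        var key = new byte[32];                                    // shared out-of-band between the two sites
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        DateTime now = DateTime.UtcNow;
        string token = HandoffToken.Create("CORP\\jdoe", key, now);   // internal site: Response.Redirect(anonSite + "?t=" + token)
        Console.WriteLine("first redemption: " + HandoffToken.Verify(token, key, now));
        Console.WriteLine("replayed:         " + HandoffToken.Verify(token, key, now));
        Console.WriteLine("after 6 seconds:  " + HandoffToken.Verify(token, key, now.AddSeconds(6)));
    }
}
```

On the anonymous site, a non-null result from Verify is the only thing that should feed `FormsAuthentication.SetAuthCookie`; the token itself should travel over HTTPS, since it is a bearer credential for its five seconds of life.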
I don't know if it's too late to post this. I recently worked on enabling anonymous authentication on one page in a .NET 4.8 MVC application.
Let's say the page was accessible via URL: User/MyCustomPage
Application configuration was as follows:
1. In web.config the authentication mode was specified and authorization was set to deny for anonymous users.
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
2. In the controller, the [Authorize] tag was there.
3. In IIS, windows authentication was enabled, and anonymous mode was disabled.
I did the below steps:
1. Removed the [Authorize] tag from the specific controller and added the [AllowAnonymous] tag.
2. Enabled anonymous authentication in the IIS server: go to server -> Authentication -> Anonymous -> click Enable in the right pane.
3. I had to add the particular path, to exclude it from regular Windows authentication, by writing the below code in the web.config file.
<location path="User/MyCustomPage">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
But still, I was getting prompted for Windows credentials on accessing the above URL. The reason I found was:
The View that MyCustomPage was returning was consuming another resource.
So I had to add that path too in the web.config.
<location path="Bundle/Content/css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

ASP.NET Forms Authentication and Windows Authentication

I have started looking into Forms Authentication with Windows Authentication (I believe it's called Mixed Forms Authentication, but I could be and probably am wrong).
So far I have discovered in my web.config file I need to add the following lines:
<authentication mode="Forms">
<forms loginUrl="~/Login"></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
which I have done. But the next part confuses me. I have been reading about WinLog and WebLog pages and one has to be Windows Authentication and the other a forms Authentication.
I am under the impression this is how the flow should go
Add the lines above to your web.config
Brings user to login page
User gets redirected from another project that has Windows Authentication with the creds they filled in, and the other project sends a response saying yes or no.
The part after the web.config is super confusing, can someone tell me if I am on the right track or far from it?
What I am trying to do is not have an ugly dialog box, but instead have a custom login page.
If someone can point me in the right direction, that would be great.
ASP.NET has 3 different ways of authentication:
- Windows
- Forms
- Passport
Mixed mode authentication has been known as a somewhat problematic way of authenticating users; in order to achieve it, you'll need one application to authenticate the users from a form, and another one to authenticate the users from IIS.
You will find some more info here:
ASP.NET MVC and mixed mode authentication
http://aspalliance.com/553_Mixed_Mode_Authentication.all
https://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx

Windows Integrated Authentication not working on first page load

I have an ASP.NET MVC4 website deployed on IIS with Windows Authentication enabled. My config file has this setting:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My understanding is that this will allow me to authenticate without having to type in credentials; i.e. an intranet site.
This works as intended, except for the first page load. When I first access the website, I am directed to the following URL:
http://localhost/SandboxWebsite/login.aspx?ReturnUrl=%2fSandboxWebsite
This is obviously a page that asks for credentials. When I then navigate again to http://localhost/SandboxWebsite/, I am automatically authenticated without having to enter any credentials.
Why is this occurring and how can I prevent it?
The problem was that, whilst anonymous access was disabled as a setting, there was no authorisation rule to deny anonymous users. Why this redirected me to Login.aspx I do not know, but I fixed it by adding the following rules.
IIS > MyWebsite > .NET Authorization Rules
John,
this is a long shot but have you tried using an address other than LocalHost to access the site ? It may be that your ASP.NET MVC4 website is expecting a specific domain name/computer name or IP address because of the way it was setup.
You could alter your hosts file to test this out.
Hope this helps.
Dorje

How to do Role based Authorization in ASP.net MVC 2.0 Application with Windows Authentication

I am working on ASP.net MVC 2.0 Web Application in C#.
I am very new to MVC. I wanted to implement Windows Authentication and role-based authorization in my application.
I was successful in implementing Windows authentication. I have configured it properly to make my application work with Windows authentication.
Code:
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
So, from Windows Active Directory I was able to get the logged-in user name.
Then in the Session_Start of my application, I am sending that username to the database to check whether that particular user is a valid user for the application.
Now, here I only have two roles: Normal user and Admin.
So, a normal user should be restricted to only some set of pages.
I have database table structure like this: Sample Data Example
UserID IsAdmin
1 false
2 true
3 false
I have read many articles on this. But after reading all those I was pretty confused about the approach to follow.
How can I create my custom Authorize attribute to restrict access and hide the contents of a page?
Please give some ideas / sample examples on this.
Note: I am working on an MVC 2.0 application.
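Rather than writing a custom attribute, the lighter approach on MVC 2 is to turn the Windows login name into application roles once per request, so that the stock `[Authorize(Roles = "...")]` attribute and `User.IsInRole()` in views both work. The following is an added example, not the asker's code: Windows authentication has already set `Context.User` to a WindowsPrincipal when `Application_PostAuthenticateRequest` runs, and the handler wraps that identity in a GenericPrincipal carrying the roles read from the IsAdmin table. The connection string name `AppDb` and a `Users(LoginName, IsAdmin)` table keyed by login name are assumptions (the question's sample keys on UserID).

```csharp
// Added example, not the asker's code: map the Windows login name to application roles in
// Global.asax so the built-in [Authorize(Roles=...)] attribute and User.IsInRole() work.
// Assumptions: connection string "AppDb" and a Users(LoginName, IsAdmin) table.
using System;
using System.Configuration;   // reference System.Configuration.dll
using System.Data.SqlClient;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;

public class MvcApplication : HttpApplication
{
    // Runs after WindowsAuthenticationModule has populated Context.User.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        string[] roles = UserRoles.Lookup(user.Identity.Name);   // e.g. "CORP\\jdoe"
        // Keep the WindowsIdentity (name, Windows groups); replace only the application roles.
        Context.User = new GenericPrincipal(user.Identity, roles);
        Thread.CurrentPrincipal = Context.User;
    }
}

public static class UserRoles
{
    public static string[] Lookup(string loginName)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT IsAdmin FROM Users WHERE LoginName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", loginName);   // parameterised: the login name is user-influenced
            conn.Open();
            object isAdmin = cmd.ExecuteScalar();
            if (isAdmin == null) return new string[0];         // authenticated to Windows, but not a user of this app
            bool admin = isAdmin != DBNull.Value && (bool)isAdmin;
            return admin ? new[] { "User", "Admin" } : new[] { "User" };
        }
    }
}

// Everyone in the Users table is "User"; only rows with IsAdmin = true are also "Admin".
[Authorize(Roles = "User")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize(Roles = "Admin")]
    public ActionResult Delete(int id)
    {
        // delete the report, then:
        return RedirectToAction("Index");
    }
}
```

In an MVC 2 ASPX view the same principal hides admin-only markup: `<% if (User.IsInRole("Admin")) { %> ... <% } %>`. Two caveats: the lookup runs on every request, so cache the result (HttpRuntime.Cache keyed by login name with a short expiry) rather than stashing roles in a cookie the client could edit; and AuthorizeAttribute answers an authenticated-but-unauthorized request with a 401, which under Windows authentication makes the browser re-prompt for credentials, so override HandleUnauthorizedRequest to return a 403 "access denied" view when `filterContext.HttpContext.User.Identity.IsAuthenticated` is already true.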

How to add accounts to a website ASP.NET C#

I created a new ASP.NET, C# empty website and I have my own database in the App_Data folder. I have a master page as well in the solution.
Anyway, I want to create a login page, but my issue is, how would I know whether a user is logged in or not when navigating around the site.
To elaborate more, when the user opens the home page, it'll have a label saying "Login" and linking to /login.aspx
But then when the user logs in, I want the "Login" label at the top to change to Username + a "Logout" label (which of course logs the user out).
My question is, say I go to another page, say /AboutUs.aspx, how would I know if there is anyone logged in and who is logged in?
I've googled this a lot and seen many solutions, including Membership Provider and LoginView, but I don't understand either of them (yes, I've read many articles; even MSDN articles).
I'm not really used to programming with ASP.NET.
Any help please! Thanks!
In ASP.NET, I recommend using Forms authentication. http://msdn.microsoft.com/en-us/library/ff647070.aspx
When the user is logged in, there will be an IIdentity object in the user's session that you can use to determine if the user has been authenticated. But, you won't really need to use it much, because the web.config will be configured to toss all unauthenticated users back to your login page.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />
</authentication>
</system.web>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
If you are, as you say, using your own db, where you store usernames and passwords, you will need to take care of the authentication process yourself. The easiest way to do this is to write your own Membership provider by inheriting from the System.Web.Security.MembershipProvider class and overriding essential methods, like bool ValidateUser(string userName, string password). Then you'll need to plug your provider into your website via web.config.
On the other hand, you can use the built-in Membership provider and its db. To do this, you'll need to copy your user data into this db, which will be created the first time your app uses the Membership feature (for example, when in VS you execute the PROJECT -> ASP.NET Configuration menu command). Its name and location depend on the connection string in your web.config. If you opt for this approach, once your user is authenticated, you'll be able to see it with the following code on the server side:
User.Identity.IsAuthenticated
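With the web.config above in place, the remaining work for a site that keeps its own user table is two pieces of code-behind: the login page must check the password against a stored hash and then hand the user name to Forms authentication, and every other page can read `Page.User.Identity` because FormsAuthenticationModule rebuilds it from the cookie on each request. The following is an added example, not the answerer's code. It stores a per-user random salt and a PBKDF2 hash (Rfc2898DeriveBytes) rather than the password, compares in fixed time, and gives the same error for an unknown user and a wrong password. The connection string name `AppDb`, the `Users(UserName, Salt, Hash)` table and the control names are assumptions.

```csharp
// Added example, not the answerer's code: Login.aspx code-behind that verifies a salted PBKDF2
// password hash from the site's own database and issues the Forms ticket, plus the master-page
// code that toggles Login / "<user> | Logout". Assumptions: connection string "AppDb",
// a Users(UserName, Salt, Hash) table, and the control names declared below.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    private const int Iterations = 100000;   // PBKDF2 rounds; raise as hardware gets faster
    private const int HashBytes = 32;

    // Declared here so the file compiles on its own; in a project they come from Login.aspx.designer.cs.
    protected TextBox UserNameBox, PasswordBox;
    protected CheckBox RememberMe;
    protected Label ErrorLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (VerifyPassword(UserNameBox.Text, PasswordBox.Text))
        {
            // Writes the .ASPXAUTH cookie and redirects to ReturnUrl (or defaultUrl from web.config).
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, RememberMe.Checked);
        }
        else
        {
            ErrorLabel.Text = "Invalid username or password.";   // same text whether the user exists or not
        }
    }

    private static bool VerifyPassword(string userName, string password)
    {
        byte[] salt = null, stored = null;
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Salt, Hash FROM Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", userName);
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read()) { salt = (byte[])r["Salt"]; stored = (byte[])r["Hash"]; }
            }
        }
        if (salt == null || stored == null || stored.Length != HashBytes) return false;
        byte[] computed = Pbkdf2(password, salt);
        int diff = 0;                                            // fixed-time compare over the whole hash
        for (int i = 0; i < HashBytes; i++) diff |= computed[i] ^ stored[i];
        return diff == 0;
    }

    // Call once when an account is created and store both values with the user row.
    public static void CreateHash(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        hash = Pbkdf2(password, salt);
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(HashBytes);
    }
}

// Site.master code-behind: Forms authentication fills Page.User on every request with a valid cookie,
// so any page (AboutUs.aspx included) can ask who is logged in without touching Session.
public partial class SiteMaster : MasterPage
{
    protected HyperLink LoginLink;        // as above, normally declared in Site.master.designer.cs
    protected LinkButton LogoutLink;
    protected Label UserNameLabel;

    protected void Page_Load(object sender, EventArgs e)
    {
        bool signedIn = Page.User.Identity.IsAuthenticated;
        LoginLink.Visible = !signedIn;
        LogoutLink.Visible = signedIn;
        UserNameLabel.Text = signedIn ? Page.User.Identity.Name : string.Empty;
    }

    protected void LogoutLink_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();                     // clears the .ASPXAUTH cookie
        Response.Redirect(FormsAuthentication.LoginUrl);   // back to Login.aspx
    }
}
```

Two settings from the posted web.config are worth revisiting once this is in place: `requireSSL="false"` lets the ticket cookie travel over plain HTTP, and a 30-minute sliding timeout means a "Remember me" ticket is re-issued on every visit; set `requireSSL="true"` once the site is served over HTTPS.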
