I am trying to implement the following code to test forms authentication in the web app.
<location path="Test.aspx">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Test.aspx">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Error:
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.*
I already did clean in release mode then in debug mode then build solution. i also tried IIS express but still getting this error , anyone knows the solution , please ?
Related
I am trying to deploy in Azure WebApp service an ASP.NET Weforms.
The app runs fine locally, without any problem.
After build ends I got the error below error in web browser after i go to myapp.azurewebsites.net i
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
Here is source of Web.config file
<?xml version="1.0"?>
<configuration>
<configSections/>
<connectionStrings>
<add name="constr" providerName="System.Data.SqlClient" connectionString="server=telendar.database.windows.net; database=TrackerDB;uid=telendar;password=*****;"/>
</connectionStrings>
<location path="Admin">
<system.web>
<customErrors mode="On"/>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true" targetFramework="4.5.1"/>
<sessionState timeout="60"/>
<authentication mode="Forms">
<forms defaultUrl="~/Default.aspx" loginUrl="~/AuthUser.aspx" slidingExpiration="true" timeout="60"/>
</authentication>
<authorization/>
<pages controlRenderingCompatibilityVersion="4.0" validateRequest="true">
<controls>
<add tagPrefix="ajaxToolkit" assembly="AjaxControlToolkit" namespace="AjaxControlToolkit"/>
</controls>
</pages>
</system.web>
</configuration>
You misunderstand the error message, it's telling you that your code crashed an unhandled exception and it's not allowed to show it ,it suggest you modifying the web.config to enable the details of the specific error message to be viewable on remote machines.
So what you need to do is recreate the error while you browse it on the server and then solve the problem.
However my suggestion is you could try to change your FrameWork maybe this will work for you.
If you still have other questions, please let me know.
I've got a webapp running that needs users to login.
Webconfig:
<!--Logging in stuff-->
<authentication mode="Forms">
<forms loginUrl="login.aspx" timeout="2880"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
And in the login.aspx page (doubled checked the name) I have the following logic after verifying the user credentials using my own database:
if (checkCredentials.searchCredentials(attemptedName, passwordBox.Text) != null)
{
FormsAuthentication.RedirectFromLoginPage(attemptedName,false);
}
I know the if statement works, as it did with a previous method I used for logging in.
However, when I run the application, the login page opens up immediately with error 401.2. Help would be much appreciated :)
I am posting another answer since this deals with the typical problem of using Visual Studio 2017 with forms authentication, and is an alternate to my previous answer.
Visual Studio 2017 will automatically add a NuGet package called Microsoft.AspNet.FriendlyUrls to your website or web app project. Because of this package, forms authentication will not work and even the login page will not render many times.
The solution explained in my previous answer is to remove this
package or comment the line in Application_Start event in global.asax
that says RouteConfig.RegisterRoutes(RouteTable.Routes);. Your website will lose the benefits of friendlyUrls if you use this approach.
But, there is a third solution that is mentioned in two different CONFIGURATIONS below; you can use either of them.
CONFIGURATION 1 removes the aspx extension from login and defaultUrl
values.
CONFIGURATION 2 keeps the aspx extensions but adds special access
permissions for freindlyurl corresponding to login.aspx.
(? in access permission means all unauthenticated users and * means all users i.e. authenticated + unauthenticated users)
NOTE: I have tried and tested this solution.
CONFIGURATION 1 for Forms authentication config when using Friendly Urls
<authentication mode="Forms">
<forms loginUrl="login" defaultUrl="home"
slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>
CONFIGURATION 2 for Forms authentication config when using Friendly Urls
<system.web>
<!--keep the aspx extensions for login and default pages-->
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="home.aspx"
slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>
</system.web>
<!-- add access permissions for friendly url corresponding to login.aspx-->
<location path="login">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
Since you are using Visual Studio 2017, the first thing you need to check is if Microsoft.AspNet.FriendlyUrls package is included. Go through following steps.
comment the line in Global.asax that says
RouteConfig.RegisterRoutes(RouteTable.Routes); and try your page now. But, make sure to clear the cache in your browser else the old cached version of this URL with 401.2 error will keep showing.
If you still see some issues, then just remove the above package by
selecting Solution node in solution explorer and then going to Tools
=> NuGet Package Manager => Manage Packages for solution; check in Installed list for this package, select it and select the solution
checkboxes on right,then click on uninstall button.
Below are some other things that you need to make sure.
Try changing your forms tag in web config to following. Change the value of defaultUrl and timeout according to your requirements.
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="home.aspx"
slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Also, your C# code must be in Login button click event; if it's anywhere else then also you could see issues.
Allow Login.aspx for all unauthenticated users. Add this configuration just before </configuration> at end of web config file. Enter the path for Login.aspx if its not in root like Security/login.aaspx if the page is under Security folder of root.
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
Open the IIS Management console by going to Control Panel > Administrative Tools > Internet Information Services Manager. Then, expand the websites node and select the website you are using. Now double click Authentication in right pane and make sure Anonymous and Forms authentication are enabled and other options are disabled as shown in following screenshot: Security settings in IIS website
You can check to see if you have this kind of entry. If so, you could try remove it.
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
Just in case it will helps someone.
I am doing a web service in .NET containing a server file (.asmx) and a client interface (.aspx). The visitors should be able to visit only the client aspx site ( urlXXX:portYY/Client.aspx)
However, when I remove the "/Client.aspx" part from the URL, I get into the project directory and this should not be possible. (So far, I am running the project just on localhost.)
Is there any way, how restrict getting into other parts of the solution? The only possibility I could think of is creating a separate project for the client aspx site, however, even then the visitor is able to get into the directory containing that site.
You should be able to control explicit access using your web.config. Have a look at this example (exclaimer: I've copied this straight from this MS page):
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
EDIT: Take a look at this question for more info on denying access to explicit folders as well.
So, basically I have managed to find a workaround, by adding the following code into the Web.config:
<system.webServer>
<defaultDocument>
<files>
<add value="Client.aspx" />
</files>
</defaultDocument>
</system.webServer>
...which makes the Client a default web-page, thus preventing to see the directory. However, I will leave this topic open in case someone comes with a more elaborate and sophisticated solution.
I have been working on a website project which restricts access to a certain folder to annonymous users and allows access to the folder to those who are logged in.
This has been working perfectly on my development machine.
However since publishing the website and deploying to a web server (Windows Server 2008, IIS7) the forms authentication appears not to be working. Anonymous users are able to access the "restricted" folder.
I have compared the webconfig on both the development machine and the web server and they are exactly the same.
I set up the access/restriction to the directory on the development machine using the Web Site Administration Tool built into the .NET Framework using this tutorial. However I understand this tool is localhost only?
Please note: I am not using the asp.net login and registration controls. I am using a custom function in the code behind (C#)
Is this problem caused by the change of location?
The development machine directory: C:\Users\Megatron\Documents\Visual Studio 2010\Projects\Osqar - v0.2\OSQARv0.1
The Web server Directory: C:\inetpub\wwwroot\Osqar
I am a little lost here so any advice would be greatly appreciated.
Here is the web config file
<?xml version="1.0" encoding="UTF-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="dbConn" connectionString="data source=mssql.database.com; Initial Catalog=devworks_oscar;User ID=myusername;Password=password" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name="Osqar" loginUrl="/login/login.aspx" protection="All" path="/" timeout="60" />
</authentication>
<compilation debug="true" />
<pages /></system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
The authorization section seems to be missing (?). You should have something like
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Without the information about the required level of authorization (deny anonymous users), the application server will let everyone go everywhere.
Put this under <cofiguraation> main tag like:
<configuration>
<location path="~/RestrictedFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
....
if you're restricting specific files do:
<location path="~/securedpage.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Do these changes to the web.config in the deployed project
Alternatively as Wiktor suggested use to block anonymous access to the website as a whole
put it under <system.web> possibly before or after <authentication> tag
<authorization>
<deny users="?"/>
</authorization>
Or create a folder under the root of your project and put secured pages inside that folder. R-click on the folder add new web.config file and put the following under the <system.web> tag
<authorization>
<deny users="?"/>
</authorization>
I have an asp.net application with a web.config file in the root and uses Windows authentication by default.
I have an Admin folder that should have Forms authentication. for this, I have added a new web.config file in the Admin folder as below:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="~/Admin/Login.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Now when I run a page inside the Admin folder, it gives me the below error:
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
How to Configure Forms Authentication for the pages inside the Admin folder only and leaving other pages for the Windows authentication which is the default?
thanks
I think this you will need to do something like
In your Admin folder web.config
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
In your root web.config
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
</system.web>
Anyway this might help you Control Authorization Permissions in an ASP.NET Application