Configuring IIS7 and Mixed Mode Authentication in ASP.NET

Rich

Oct 12, 2011 02:21

ahh...ok...yea...I replied to the question you asked in the comments for the question I posted.

jcolebrand φ

I saw part of that

I presume these are for a work server?

We can tackle this while you're at work, if you have time for that.

I know sometimes you just want to get it resolved tho.

Rich

yea...that's cool. I'll hit you up tomorrow then.

jcolebrand φ

So, for starters, in the IIS configuration (server manager) did you install the authorization types for anonymous and windows auth?

replied to a message: View original message

@Rich I can do this now, if you can

Rich

ok.

I checked and verified that the windows auth was installed....didnt check anon..let me see...

jcolebrand φ

How many files are you using for auth?

I keep the app on forms auth (in the web.config) and put the individual page that handles the windows auth on windows auth

So I have TWO pages for authentication

Login.aspx (this does forms auth)
WindowsLogin.aspx (this does Windows auth)

Rich

Oct 12, 2011 02:29

right...thats what I'm doing...also...I checked and couldn't tell if anon was installed...dont see that as an option under features in IIS...do I need to look somewhere else?

jcolebrand φ

are you looking at the server roles portion? I don't have a VPN to an IIS server on this laptop

Rich

Yes.

jcolebrand φ

I forget where it is

Rich

I do not have Basic Authentication installed

Looking at documentation...dont think I need it....says to disable anon if you are going to use basic

in your forms authentication node, did you have your loginUrl property pointing to your WindowsLogin.aspx?

I'm referring to the web.config

ooops....wasnt trying to paste the whole thing

jcolebrand φ

Oct 12, 2011 02:49

Sorry, there was a minor crisis going here

You still here?

Rich

np...still here

jcolebrand φ

ok, so web.config first

loading files :p

sorry, working off my kilnhg repo instead of on my local machine

Rich

all good....while we're waiting...we are having Houston Techfest this weekend...you going?

jcolebrand φ

I'm in Shreveport now, so no, probably not. That's about a 5 hour drive

    <authentication mode="Forms">
        <forms cookieless="UseDeviceProfile" defaultUrl="~/Default.aspx" enableCrossAppRedirects="true" loginUrl="~/WindowsLogin.aspx" name=".ASPXAUTH" path="/" protection="All" requireSSL="false" slidingExpiration="true" timeout="10080"/>
    </authentication>

That's step one

also in system.web:

    <authorization>
        <deny users="?"/>
    </authorization>

then I have this chunk:

<location path="Login.aspx">
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true"/>
                <windowsAuthentication enabled="false"/>
            </authentication>
        </security>
    </system.webServer>
</location>
<location path="WindowsLogin.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>

You still with me @Rich?

Rich

yea...Im here...cutting and pasting

jcolebrand φ

Oct 12, 2011 03:03

lol

but do you understand why?

Rich

ok saving and publishing....lets see what happens

yes....the main difference I noticed was that you explicitly set authentication to the login.aspx file

jcolebrand φ

well we didn't even cover the two files

LOGIN does forms, right, so that's just bog standard ASP.NET forms auth

It's WindowsLogin that does the magic

Rich

right....

I also noticed that you explicitly set all the properties of the forms authentication node...I looked at these in IIS and they were set nearly identical except for time out and loginUrl all else was the same...I went ahead and added them explicitly as you did

let me give it a shot...

jcolebrand φ

Did you make sure auth was set to forms and not windows?

I just have a fetish for defining properties so that I know what they are, especially when I'm debugging, so I don't have to trace them back up the path.

Eventually I will inherit them up the tree

Rich

you mean in iis correct?

jcolebrand φ

Oct 12, 2011 03:11

Yes

from the root app in my app tree

Rich

yes...question

jcolebrand φ

Ask away

Rich

there is a virtual directory that is created in the root app I believe its the site as a web application...

I should have this set to Forms also correct?

jcolebrand φ

No, each app should stand on its own

using System;
using System.Web;
using System.Web.Security;
using App_Code.Biz;

public partial class WindowsLogin : System.Web.UI.Page {
    protected string UserIsInRoles = string.Empty;
    private static readonly BAL _mBAL = new BAL();
    protected void Page_Load(object sender, EventArgs e) {
        string redirectUrl = Request["returnurl"] ?? "~/default.aspx";
        string username = Request.ServerVariables["LOGON_USER"];
        try {
            if ( Roles.GetRolesForUser( username ).Length < 1 )

So that is how I handle WindowsAuth

Rich

ok...I have something similar....

jcolebrand φ

Oct 12, 2011 03:17

It doesn't have to match exactly

Request.ServerVariables["LOGON_USER"]

that's the magic

You should literally NEVER get to this line //we shouldn't get here, so if we do, redirect back to a page they can use.

Rich

ok....didnt see the rest of the code...you are doing a lot more than I was...I can see some parts where I may have been getting tripped up.

jcolebrand φ

Yeah, I spent a couple days figuring out all the parts :p

That was like two years ago, so I'm a little rusty at explaining it

Rich

all good...I think I can figure it out....at this point I was happy with just getting the username...my goal was to get the role as well...your getting that from AD?

jcolebrand φ

no, since I use forms I still use aspnetdb

Rich

oh ok...your just matching up using the user name that your pulling from the ServerVariables["LOGON_USER"]

jcolebrand φ

Oct 12, 2011 03:24

go here

2

Q: How to configure IIS7 when using mixed mode authentication with asp.net

The following posts show how to setup the web.config for a site using Mixed Mode Authentication. IIS7 Mixed Mode Authentication and How to allow mixed-mode authentication in IIS 7.0. I've got my site setup and working locally (on my developer machine). However, when I run it locally on the serv...

asp.net

and delete your comment :p

replied to a message: View original message

@Rich yes, because IIS does the auth for you against AD

That's what you're using "Windows Auth" for

Rich

right....ok...I need to look at your code a little more closely...want to understand what's going on and not just cut&paste this one.

jcolebrand φ

I'm gonna put it all together as an answer

The SO Tavern (Free Snacks)

Participants