I have the following structure for my web application:
In my root web config, not in the Areas/Admin/Web.Config I have the following:
<location path="Areas/Admin">
  <system.web>
    <authentication mode="Windows"></authentication>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
I have my own authentication working on the main root of the web site no problems by using the [Authorize] tag.
Now for the Areas/Admin I'd like to use Windows Authentication.
In IIS (Server 2008 R2 Machine), I have the Admin folder configured as an application:
And when I click on Areas/Admin in IIS, under Authentication, I have Anonymous disabled, and Windows Authentication Enabled.
However, when I attempt to access this folder via the web site, it does not prompt me for my domain username/password. It just loads up the page.
If I go to www.website.com/Areas/Admin, it then prompts me for the username/password. But I need it to use the AreaRegistration, and have it prompt when I go to www.website.com/Admin.
I've been able to configure an entire site as Windows Authentication, and that works like a charm.
Any thought to lead me in the right direction? Or, if you need more information, please leave me a comment and I will be more than happy to give you what I can.
From doing research, I found that the only way to make this work, is to create a 2nd "admin" site which runs as an application under the main site. Doing so, allowed me to set up permissions on that site.
I'm upgrading user management pages of my old web forms project to use new Identity 2.0. This means introducing MVC pages within web forms solution but so far it does not seem to be a big issue. Most of the functionality works fine except when I'm trying to add external auth provider (Google, FCBK) to already signed in user. I'm working off Identity 2.0 sample app and my problem happens in equivalent of /manage/linklogin action within Identity 2.0 sample app.
In here, external auth provider (let's say Google) should be challenged by setting HTTP 401 into current response, resulting in a browser redirect:
Location: https://www.google.com/accounts/o8/ud?openid.ns=[edited out...]
However, what happens to me is that I only get redirected to a local login page:
Location: /Account/Login?ReturnUrl=%2fManageAccount%2fLinkLogin
Please note that the very same code is called when I try to register (i.e. user is not logged in, not authenticated) using Google account - so it is not an issue that I'd have app.UseGoogleAuthentication() set wrongly in Startup.Auth.cs.
I suspect "something" in the response pipeline catches StatusCode 401 set by Microsoft.Owin.Security.AuthenticationManager.Challenge() method before Owin.Security.Google auth middleware kicks in and set the proper redirect location, though I cannot find what that "something" is.
Anyone successfully imported Identity 2.0 into web forms project already?
More info on my issue can be found here: Identity2.0 Codeplex discussion
Please refer to this sample for ASP.NET Web Forms which shows the Identity 2.0 features https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/Webforms.Samples/
You should also make sure the order of registering the middlewares is correct. For example, cookies should come before Google.
Yeah this was a challenge. You are correct in your observation of its behavior. The config info below resolved this issue for me.
The very bottom config tag that excludes the callback path caused it to start functioning as expected for me.
<system.webServer>
  <modules>
    <remove name="FormsAuthentication"/>
  </modules>
</system.webServer>
<system.web>
  <authentication mode="None"/>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<!-- the callback path has to be open to anonymous so that owin can do its redirect magic -->
<location path="signin-google">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
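How the rules in the configuration above resolve for individual request paths, as an added example that is not part of the original answer. It is a simplified Python model of ASP.NET URL authorization (users only, first matching rule wins, machine-level default of allow); `rules` and `is_allowed` are names made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorization rules from the answer above, wrapped in
# a <configuration> root so the fragment parses as one document.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="login.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="signin-google">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>
"""

def rules(node):
    """Return [(action, [users])] from node's <authorization>, in file order."""
    authz = node.find("system.web/authorization")
    if authz is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in authz if r.tag in ("allow", "deny")]

def is_allowed(config_xml, url_path, user=None):
    """Simplified model of URL authorization (users only, no roles or verbs):
    rules of the most specific matching <location> are read first, then the
    root rules; the first rule matching the user decides; default is allow.
    user=None means an anonymous request."""
    root = ET.fromstring(config_xml)
    path = url_path.strip("/").lower()
    hits = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if path == prefix or path.startswith(prefix + "/"):
            hits.append((len(prefix), loc))
    ordered = [loc for _, loc in sorted(hits, key=lambda h: -h[0])] + [root]
    for node in ordered:
        for action, users in rules(node):
            if "*" in users or ("?" in users and user is None) or user in users:
                return action == "allow"
    return True

if __name__ == "__main__":
    for p in ("/signin-google", "/login.aspx", "/ManageAccount/LinkLogin"):
        print(p, "anonymous allowed:", is_allowed(WEB_CONFIG, p))
```

Location rules are matched against the request URL, so a rule under `<location path="Areas/Admin">` is not consulted for a routed request to /Admin.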
I have two web sites, domain1.com and domain2.com. A user comes to domain1.com and I authenticate them and create an authentication cookie. Is it possible to share this cookie with domain2.com, for example so that when the user goes to domain2.com they are authenticated because they authenticated on domain1.com?
Is it possible?
I'm looking for a simple way, and these domains are not subdomains; they are two separate sites.
Note that I don't want to use SQL Server, a URL parameter or other ways.
Thanks all
Absolutely. Hopefully both sites share the same username database or it is replicated so that you can secure and access content by using the HttpContext.User.Identity.Name.
Anyways, basically you need to update your web.config <authentication> section to be exactly the same between the two sites. This means your machine key, decryption key, algorithm....everything.
Here is the MSDN article with the full directions on how to proceed to share authentication across several applications
This is possible using <authentication> and <machineKey> in your web config.
Machine Key
Contains a decryption key and validation key. This must be the same in both web configs.
<machineKey
  decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
  validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />
Authentication
This must be in both web configs but the values are specific to the application.
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH"
         path="/"
         loginUrl="~/Membership/login"
         protection="All"
         timeout="1000" />
</authentication>
I am having a problem with getting windows authentication to work on IIS 7.5.
The application is an internal site built in asp.net MVC 3. The application pool is using a specific domain user and the site is using windows authentication. Every time I try to launch the site IE prompts me for a login.
If I cancel enough the site comes up, messed up looking, but it has my name associated with my windows log in displayed at the top. So that tells me that the site is picking up my windows credentials correctly.
I added the Network local user to have read access to the inetpub folder on the server and now it doesn't prompt for login with IE 8. But on chrome I get this error "Error 338 (net::ERR_INVALID_AUTH_CREDENTIALS): Unknown error.".
It is in our intranet sites zone. I should have stated this but I forgot. The site used to work on our old development server but when I upgraded to Win 2008 R2 with IIS 7.5 it stopped working. Used to be on 2003 with IIS 6.0.
I am wondering if any one has any idea what else I can try. I am pretty much spinning my wheels at this point.
I have tried all of the solutions in the links below and none of them have fixed the problem
http://forums.iis.net/t/1177154.aspx
http://forums.iis.net/t/1178188.aspx
Receiving login prompt using integrated windows authentication
http://warnajith.blogspot.com/2011/06/iis-75-401-unauthorized-access-error.html
http://forums.asp.net/t/1639511.aspx/1
https://superuser.com/questions/128746/iis-asks-for-login-pass-when-accessed-using-hostname-but-not-when-localhost-is
http://ask.metafilter.com/183636/Prompted-for-a-username-and-password-when-browsing-to-an-IIS-virtual-directory
IIS 7 and Windows Authentication
Related Note: If you are trying to replicate your site on localhost, and windows authentication is enabled and still fails, the solution is some registry hacking to avoid the loopback check:
Using regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Add a new Multi-String Value to MSV1_0 and name it BackConnectionHostNames
Add the host names you wish to use. Example, "mysite.com".
Restart the IIS.
Source link
The value should be the website name in your windows hosts file.
Also to be able to access a non-authenticated /data folder using PHP's file_get_contents, I had to add this to the applicationHost.config file, to prevent 401 errors.
<location path="mysite.com/data">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
I found the answer to this. It is a config setting that isn't mapped in the GUI. I had to go into the application host config file located at <%SystemDrive%>/Windows/System32/inetsrv/config and change the below settings.
The default settings were:
<windowsAuthentication enabled="true">
  <providers>
    <add value="Negotiate" />
  </providers>
</windowsAuthentication>
Changed to this and it worked.
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
  <providers>
    <add value="NTLM" />
  </providers>
</windowsAuthentication>
In order for integrated credentials to be passed by IE, the site needs to be in your Intranet sites zone. It cannot be in trusted sites or any other sites.
I had a similar problem and it was fixed by adding the users group (MYDOMAIN\Users) to the physical folder of the application with read permissions.
I have a similar problem that is only solved by moving NTLM on top of Kerberos in the providers as explained by Rory, or by modifying DNS.
The problem only occurs in IIS7 when the host header of the website exists as a CNAME (alias) in the DNS.
In IIS6, Integrated Windows Authentication only uses NTLM by default.
In IIS7, IWS uses Kerberos before NTLM by default.
Replacing the CNAME record with an A record solves the problem.
Kerberos has no problems with A records in DNS, but it has problems with aliases.
So apparently DNS CNAMEs are not compatible with Kerberos on Windows 2008.
chris
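A check for the provider changes described in the two answers above, as an added example that is not from the original posts: it reads an applicationHost.config excerpt and reports, per `<location>`, whether anonymous access is on and whether the Windows authentication provider list has dropped or demoted Negotiate (and with it Kerberos). The site name "intranet-app" and the function names are placeholders, and settings inherited from parent levels are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt using the settings quoted above.
APPHOST = """
<configuration>
  <location path="intranet-app">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" useKernelMode="true"
                             useAppPoolCredentials="true">
        <providers><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="mysite.com/data">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

def enabled(elem):
    """True only for an explicit enabled="true" (assumption: no inheritance)."""
    return elem is not None and elem.get("enabled", "").lower() == "true"

def audit_auth(config_xml):
    """Map each <location> path to a list of authentication findings."""
    report = {}
    for loc in ET.fromstring(config_xml).findall("location"):
        auth = loc.find("system.webServer/security/authentication")
        if auth is None:
            continue
        findings = []
        if enabled(auth.find("anonymousAuthentication")):
            findings.append("anonymous access enabled")
        win = auth.find("windowsAuthentication")
        if enabled(win):
            provs = [p.get("value", "") for p in win.findall("providers/add")]
            nego = [i for i, v in enumerate(provs) if v.startswith("Negotiate")]
            if provs and not nego:
                findings.append("NTLM only: Kerberos cannot be negotiated")
            elif "NTLM" in provs and provs.index("NTLM") < nego[0]:
                findings.append("NTLM listed before Negotiate")
        report[loc.get("path")] = findings
    return report

if __name__ == "__main__":
    print(audit_auth(APPHOST))
```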
If the browser prompts you for credentials, I think your app pool credentials don't have access to some of the resources on your page. Have you tried to create a blank HTML page and access that page?
<html>
<body>
hello world!
</body>
</html>
I have a similar problem.
I had an application under Default Web Site that already had Windows authentication enabled but it didn't work. I solved it by disabling anonymous authentication on Default Web Site and also enabling Windows authentication on Default Web Site.
I'm writing a simple web app using ASP.NET MVC3, and I want to restrict access to this app to members of an Active Directory group in our domain.
I've done this using an authorization filter in the controller, as follows:
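using System.Web.Mvc;

namespace MyApp.Controllers
{
    // Only members of the AD group may reach any action on this controller.
    [Authorize(Roles = @"DOMAINNAME\MyApp_AccessControlGroup")]
    public class HomeController : Controller
    {
        public ActionResult index()
        {
            //action code
            return View();
        }
        //More actions here
    }
}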
I have not defined a custom authorization filter, although I did modify web.config to only allow Windows Authentication:
<authentication mode="Windows">
  <!--<forms loginUrl="~/Account/LogOn" timeout="2880" />-->
</authentication>
<!--Added for Windows authentication-->
<authorization>
  <deny users="?"/>
</authorization>
And this works very well when I deploy it to our development webserver (using Visual Studio's Publish feature, if it matters). If I am not in the MyApp_AccessControlGroup group, I am prompted for credentials when I try to bring up the app in a browser. But if I am in the group, then I can see the webpage as expected.
This is not the case when I debug in Visual Studio. When I press F5 and the ASP.NET Development Server starts on my workstation, I can see the site even when I am not in the AD group.
Why does this happen? I would expect the authorization filter to still check for group membership, no matter where the code was running.
Well, the only thing I can think of is that you are running Visual Studio as an Administrator, so the development server is running as an Administrator, thus giving you access to the URL.
I've got a site that's integrated with WIF for security and mostly everything is ok. It's redirecting and dealing with load balancers etc.
I've noticed on a few requests it's bouncing to the STS and back. If it's a GET request it's not a problem, but it's happened a few times with AJAX requests and also with regular POST requests.
I'm thinking that other people must have the same issues and that I must have missed something in the configuration. I really don't fancy writing a custom implementation to deal with this requirement.
Any help?
Thanks
It will only redirect if the resource (page, image, CSS, etc.) is secured and needs the user to authenticate. If you need to make sure that this doesn't happen for certain areas, you can try allowing anonymous access within the web.config:
<location path="UnsecuredResource">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
What's happening with the hop is that the client-side authentication has either expired or does not exist so the browser is redirected to the STS. The STS has a persistent cookie that recognizes the user from their previous login so it simply authenticates and sends the user back to the application, which signs them in automatically.
If the session is expiring on the client side, that could be causing the need to re-authenticate. Make sure there isn't anything that would be causing the session to expire or get lost.
Hopefully this helps. A little more info would help to debug this issue.