I am building a MVC3 Intranet application using the default MembershipProvider, ProfileProvider, and RoleProvider connected to a SQL Server dB. If I use Forms authentication, the roles provider populates properly. When I switch to Windows authentication, the roles provider no longer populates. This is tested by putting a breakpoint in the code and looking at "Roles.GetRolesForUser()". What I suspect is happening is that the userid that is being passed to the database is 'DOMAIN\USERID' (this is what is in User.Identity.Name), whereas what is in the database is just the userid.
Since everything is default, there is not much code to post.
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers>
<clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<profile>
<providers>
<clear />
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>
<properties></properties>
</profile>
<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider" cacheRolesInCookie="true">
<providers>
<clear />
<add connectionStringName="ApplicationServices" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
My first thought, is can we just remove the domain before the identity is passed to the membership provider, but User.Identity.Name is get only.
What would be the best route at correcting this, without having to change my entire database to have domain\userid instead of just userid? Can this be done without having to write a custom membership/profile/role provider?
If you just want to use Windows Authentication, then you don't want to be use the SqlRoleProvider, but instead want to use the WindowsTokenRoleProvider, which will return their AD roles. (There is no reason to use a membership provider because when using Windows Authentication you can't get to the site without being authenticated already)
If you want to use Windows Authentication, but use SqlRoles then you probably want to do something like this:
http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx
Related
I have a web site in asp.net (web forms not MVC) with .NET framework 4.6.1 with standard Microsoft authentication on SQL Server:
<membership defaultProvider="SecuritySqlMembershipProvider">
<providers>
<add name="SecuritySqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="ManageUsers"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
applicationName="SecurityTutorials"
requiresUniqueEmail="false" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
</providers>
</membership>
<roleManager enabled="true"
defaultProvider="SecuritySqlRoleProvider">
<providers>
<add name="SecuritySqlRoleProvider"
type="System.Web.Security.SqlRoleProvider"
applicationName="SecurityTutorials"
connectionStringName="ManageUsers" />
</providers>
</roleManager>
Now we've changed from Microsoft to Oracle and I need to adapt provider to manage membership.
I am unable to find anything good to make this work.
I found this article but it is incomplete.
Any suggestions? Thanks in advance.
Solved on my own way.
View at
GitHub
I am working on a legacy MVC3 application which uses Forms authentication and SQLMembership Provider for authorizing user access. It has the folowing configuration:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<membership>
<providers>
<clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="3" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/TimeSheets" passwordFormat="Clear" />
</providers>
</membership>
<profile inherits="Timesheets.Services.UserProfile">
<providers>
<clear />
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/TimeSheets" />
</providers>
</profile>
<roleManager enabled="true">
<providers>
<clear />
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/TimeSheets" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/TimeSheets" />
</providers>
</roleManager>
If I create a new MVC application using Windows Authentication this configuration seems to be replaced with configuration like this:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
I have tried just changing the configuration of the legacy MVC site to use this new authentication mode, but this fails to authenticate (I get an Error message "401.2.: Unauthorized: Logon failed due to server configuration.")
However the new web project runs and authenticates correctly (so it's not an AD or local permissions issue)
I had thought to try just putting all the legacy code into the new project but it is rather large and complex and getting everything lined up again in the new site could be very time consuming.
I'm hoping that changing the Auth model should be simpler and less intrusive - But what additional steps would I need to perform to configure the legacy site for Windows Authentication?
The missing part of my configuration change was in the .proj file. This is due to using the IIS Express within Visual Studio.
In order to get the Windows Auth to work in the IIS Express for debugging you need to configure it in the project settings:
The lines:
<IISExpressAnonymousAuthentication />
<IISExpressWindowsAuthentication />
Need to be replaced with:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="ApplicationServices"
connectionString="data source="Localhost\SQLEXPRESS";
Initial Catalog=Saqib;Integrated Security=SSPI;
AttachDBFilename=|D:\SAQIB|\aspnetdb.mdf;
User Instance=true; User ID=sa;Password=angel"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="false" strict="false" explicit="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
</providers>
</profile>
<roleManager enabled="false">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
I create a connectionstring to access localhost database. My code is below please suggest me that is it correct or not? Because when I run my login page on the browser it give this error:
Server Error in '/SAQIB1' Application.
Invalid value for key 'attachdbfilename'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentException: Invalid value for key 'attachdbfilename'.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Usually when you specify the db filename, you would use the |DataDirectory| placeholder. Its a substitution string used to denote the location of your db file like so:
"AttachDBFilename=|DataDirectory|database.mdf;"
In your case, you are specifying your own value and not using DataDirectory, so exclude the | characters and your setting would be:
AttachDBFilename=D:\SAQIB\aspnetdb.mdf;
Following the article shanselman i'm trying to use "System.Web.Providers" so you can use memberships, rules and profiles with Sql Server Compact.
I installed via Nuget, created a Users.sdf database and copied to the App_Data folder.
My Web.config was as follows:
<profile defaultProvider="DefaultProfileProvider">
<providers>
<clear />
<add
name="DefaultProfileProvider"
type="System.Web.Providers.DefaultProfileProvider"
connectionStringName="DefaultConnection"
applicationName="/" />
</providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<clear />
<add connectionStringName="DefaultConnection" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider" />
</providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
<providers>
<clear />
<add connectionStringName="DefaultConnection" applicationName="/"
name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider" />
</providers>
</roleManager>
<sessionState mode="Custom" customProvider="DefaultSessionProvider">
<providers>
<add
name="DefaultSessionProvider"
type="System.Web.Providers.DefaultSessionStateProvider"
connectionStringName="DefaultConnection"
applicationName="/" />
</providers>
</sessionState>
<connectionStrings>
<add name="Sql_CE" connectionString="Data Source=|DataDirectory|\Users.sdf;"
providerName="System.Data.SqlServerCe.4.0"/>
</connectionStrings>
I can not use "aspnet_regsql" because it generates the tables to a SQL Server based
The following error occurs when trying to access the "Web Site Administration Tool" on page security
There is a problem with your selected
data store. This can be caused by an
invalid server name or credentials, or
by insufficient permission. It can
also be caused by the role manager
feature not being enabled. Click the
button below to be redirected to a
page where you can choose a new data
store.
The following message may help in
diagnosing the problem: The
pre-application start initialization
method Start on type
WebMatrix.WebData.PreApplicationStartCode
threw an exception with the following
error message: This method cannot be
called during the application's
pre-start initialization stage.
First rename your connection string to DefaultConnection and remove the \ in front of Users.sdf like so:
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=|DataDirectory|Users.sdf;"
providerName="System.Data.SqlServerCe.4.0"/>
</connectionStrings>
You say that you
created a Users.sdf database
how? The Providers framework and SqlCe should do this for you. Try deleting the Users.sdf from the App_Data folder and try accessing the "Web Site Administration Tool" again. The provider engine should recreate it for you.
I have an ASP.NET 2010 web app that uses the default membership controls. When I log in, the Login control on the Master reveals a Log out control. When I click that, it does redirect me to Default page, but I notice that if I naviagte back to an authenticated page, it lets me in. So I added the following code when the log out link is clicked to ensure the cookie is killed,
FormsAuthentication.SignOut()
Session.Abandon()
But I can still navigate to the authenticated page. It only stops me if I actually close the browser and reopen it.
Here is my web.config....
<authentication mode="Forms">
<forms
name=".ASPXAUTH"
loginUrl="~/Account/Login.aspx"
protection="All"
timeout="2880"
slidingExpiration="true"
defaultUrl="~/Authenticated/User/UserHome.aspx"
/>
</authentication>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
passwordFormat="Hashed"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="ApplicationServices"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
applicationName="/"/>
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
</providers>
</profile>
<roleManager enabled="true">
<providers>
<clear />
<add connectionStringName="ApplicationServices" applicationName="/"
name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
Try this:
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-1)
FormsAuthentication.SignOut()
Session.Abandon()
// Now, forward to a safe unauthenticated page if SignOut() doesn't already do this.
Response.Redirect("/default.aspx")
This attempts to set the ASP.NET_SessionID cookie to expire immediately. The browser should remove it from its collection. I've not run this up in VS2010, so please take my typing with a grain of salt.
Let me know if this works for you.