Search results matching tag 'authentication'

IIS virtual directory not inheriting forms auth - something I am doing wrong?

Maxer_Ars — Tue, 01 Dec 2009 16:28:44 GMT

We have our IIS 6 server on Win Server 2003.

Our setup is: IIS -> Web Sites -> Default Web Site-> Our Portal -> MySite

The "MySite" is a separate project in VS 08 that was added as a virtual directory.

The problem we are having is that our portal site uses forms authentication, but the "MySite" does not seem to inherit this properly.

We don't have anything in MySite's web.config about authentication, leaving that all commented out hoping it would inherit.

Are there some common things to check to resolve this?

WebDAV Security

jock_sbfc — Thu, 26 Nov 2009 08:28:15 GMT

Hi All,

Forgive me - I'm by no means an IIS expert all, so hopefully I'll provide all the details - if not please ask.

I'm attempting to setting up a WebDAV to a share, and all is working fine. My user account has permissions to get to that share, and provided I specify my account in the Basic Settings->Connect As->Specific User then all appears to work fine.

However, what I'd like is to be able to use the account of the user currently logged in (either via Windows Authentication, or via a challenge - either would do). Whenever I change the Connect As settings to 'Application User (pass-through authentication') I get a pop-up dialog box from IE8 saying 'Windows cannot find '\\server\directory'. Please check and try again'.

Am I missing something simple - I seem to have gone through as many of the authentication and authorisation settings as I can see...

Appreciated any help,

Greg

Windows Integrated Authentication Through ARR

deshazer — Mon, 16 Nov 2009 20:59:26 GMT

I have a basic load balancing scenario using ARR with two server farms defined. The ARR host, its default virtual web site and the server farm members (separate hardware) are all setup with Windows Integrated Authentication enabled and anonymous disabled. Each element works independently but when a route a request through ARR to the server farm, it appears I lose my identity and receive a 401 from the downstream hosts. The ARR host computer object has been set to allow trusted delegation and the HTTP service class SPN set on it as well.

Anyone sucessfully setup ARR with Windows Integrated Authentication ?

Need help with IIS7/SQL2008 std connector

Kevin510 — Mon, 16 Nov 2009 19:31:10 GMT

I've got a windows 2008 standard server with SQL 2008 standard and IIS7 installed. The web app we have made reads from the database fine but it won't write to the database. For example when I click the join button and fill out the new user page, the data doesn't get written to the 'user' table. However I can write to the database by using a script we wrote to generate a user within the sql server manager so i know the database can be written to logged in as the same credentials used for the database connection specified in the web.config file.

I should also add that SQL is NOT running in mixed mode, we'd prefer not to have to run it in mixed mode for the production environment. Also sql is setup to do windows authentication. The app works fine in a dev environment using iis7 and sql 2008 express so I know it's not an app design issue, it's got to be a configuration problem.

I am using impersonate in the web.config file and have logged in as that user and confirmed i can directly write to the database in the database manager. The account also has db reader/writer access, so i double checked that.

I'm looking for some other ideas because i'm stumped at the moment. I'm also new to iis7/sql2008 web deployments so I don't have a lot of back history to draw on for a solution. Hopefully someone here can help?

Authentication breaks

jakb — Mon, 16 Nov 2009 10:09:40 GMT

My framework 4 asp.net app using forms authentication runs fine in Cassini and in IIS7.5 on the local box but on a public facing box with IIS7.5 in the DMZ (running cookieless session state) the authentication breaks without returning any error - the forms authentication simply does not work.

I have modified the register.aspx.cs entry to accept the cookieless state thus without effect:

FormsAuthentication.SetAuthCookie(RegisterUser.UserName, true);

Can anyone advise why the login is failing?

Directory Enumeration possible on Web Server

sunitha4ever — Tue, 10 Nov 2009 06:22:54 GMT

Hi,

My web application runs on Windows Server 2008 and IIS 7. During penetration testing, we found that it was possible to determine the existence of directories within the web root on the system through messages returned by the access control code. This could enable an attacker to target particluar areas of functionality that they otherwise may not be aware of.

Eg: 1. Directory : /includes/ - Return Code: 403 ; Conclusion:- Forbidden. This directory exists but access has not been granted.

2. Directory : /Views/ - Return Code: 403 ; Conclusion:- Forbidden. This directory exists but access has not been granted although access is granted to subdirectoires for example /Views/xyz/abc.aspx

3. Directory : /mwr/ - Return Code: 404 ; Conclusion:- Not Found. This directory does not exist in the web root

Could you please help me to prevent this enumeration of directories such that a resource that the current user does not have access to should yield an identical message to the one displayed if that resource does not exist.

ApplicationPoolIdentity + SQL

foxontherock — Mon, 09 Nov 2009 15:01:47 GMT

This is just to tell everyone that if you want to connect to SQL Server with the ApplicationPoolIdentity login, you can, but you can't use the user interface of SQL Management Studio.

You can do this only from script (like when you want to give access to this user to NTFS you can't do it from the explorer security tab).

CREATE LOGIN [IIS APPPOOL\mypool] FROM WINDOWS WITH DEFAULT_DATABASE=[master] USE [mydatabase] CREATE USER [IIS APPPOOL\mypool] FOR LOGIN [IIS APPPOOL\mypool]

So you can give the access right directly to this "virtual" user, withoug the need to use the impersonate=true setting in web.config.

We used it with SQL 2005 in Win2008 sp2 (not R2), with IIS 7.0

Hope it may help someone, because I took me a lot of time to find it !

Double authentication: forms + htpasswd?

Francisco Lozano — Sat, 07 Nov 2009 15:42:17 GMT

Hi,

I have an ASP.NET MVC Website which is currently under development, deployed on a W2008r2 IIS7.5 server.

My website uses "forms" authentication and it works perfect.

As the website is under development and not open to the public, I would like to add an additional layer of protection, so that non-authorized users can't even see the login form.

Is there any way to add something like an htpasswd to my website without messing with the currently-configured forms-based auth stuff?

Authentication Issue

ujjj008 — Tue, 03 Nov 2009 21:51:14 GMT

Is it possible through IIS?

Person A who's computer is in Domain A logs into a website that is in Domain B. They are prompted to enter in their crendentials to Domain B, which they do and then they are authenticated and able to get in. Then in that the website, there is a link to another website that is in Domain B but on another server. When they click on that link, they are then prompted to put in their credentials for Domain B again. Is there anyway around it so they don't have to put in their credentials twice?

Protecting static content on IIS7 in Classic Mode

aures_arrigo — Thu, 29 Oct 2009 15:07:18 GMT

Hi,

I know how to protect my static (HTML) pages in IIS6, and how to do it using the IIS7 Integrated Pipeline, but how can I protect my HTML pages from unauthorised access in IIS7 when running in Classic Mode?

It's an ASP.NET site using forms authentication.

Thanks!