|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
IIS With Basic Authentication Set/FormsAuthentication - HELP PLS!?First off, sorry for the cross-post... I am developing a site (ASP.NET) in which the root will be set with Anonymous AND/OR Basic permissions. Past that I will have an application (directory) in which I will be developing applications, which will have IIS Basic Authentication set (this can't be avoided). In the past, I have been able to use a ISAPI Filter to add the response headers dynamically, and add the authentication to the request, therefore, allowing users into the secure directory, and all of this is form based, there is no browser prompt for their username/password (and it adds it to every request, images, .htm files, .asp files, etc). Now I am trying to do this with ASP.NET (VB), again, trying to avoid the browser prompt, and add the authentication to every request (again, images, .htm files, aspx files, etc). However, I have been unsuccessful using FormsAuthentication with the directory set to IIS Basic Authentication (since IIS sees the request first, I get a browser prompt. I want to replace this with a redirect to a login form). I have been able to get the FormsAuthentication to set the cookie, but when it tries to go into the Basic secured directory, I get a browser prompt. Any help would be greatly appreciated!! (Do I need to write another ISAPI Filter, can I use FormsAuthentication to do this?? Suggestions?) I have looked at hundreds of articles (or at least it seems!), and am not 100% how to write an ISAPI filter in .NET, if that needs to be done. Any pointers to live artices, code, etc. would be very helpful. Overall, basically, I want to use Basic Authentication protocol and FormsAuthentication to access an IIS-set Basic Authentication directory, but I want to use a form instead of the normal windows logon prompt. Our users share computers, so having them being able to "save their password" is a major security concern, which is why I need a login form page. Thanks! Chad When you use Forms authentication you have to set IIS to Anonymous authentication. Check out this article for a discussion on the combinations between ASP.NET authentication and IIS authentication:
nhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp If you think you can customize ASP.NET to use forms with Basis Authentication you'll probably have to write an HTTP Module. Check out this article for a discussion on Modules and Handlers: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/elmah.asp Good luck. -- Show quoteHide quote_______________________________ Sam Santiago ssantiago@n0spam-SoftiTechture.com http://www.SoftiTechture.com _______________________________ "Chad Beckner" <cbeck***@iupui.edu> wrote in message news:uQIFS58rFHA.3352@TK2MSFTNGP14.phx.gbl... > Hi everyone, > > First off, sorry for the cross-post... > > I am developing a site (ASP.NET) in which the root will be set with > Anonymous AND/OR Basic permissions. Past that I will have an application > (directory) in which I will be developing applications, which will have IIS > Basic Authentication set (this can't be avoided). In the past, I have been > able to use a ISAPI Filter to add the response headers dynamically, and add > the authentication to the request, therefore, allowing users into the secure > directory, and all of this is form based, there is no browser prompt for > their username/password (and it adds it to every request, images, .htm > files, .asp files, etc). Now I am trying to do this with ASP.NET (VB), > again, trying to avoid the browser prompt, and add the authentication to > every request (again, images, .htm files, aspx files, etc). However, I have > been unsuccessful using FormsAuthentication with the directory set to IIS > Basic Authentication (since IIS sees the request first, I get a browser > prompt. I want to replace this with a redirect to a login form). I have > been able to get the FormsAuthentication to set the cookie, but when it > tries to go into the Basic secured directory, I get a browser prompt. Any > help would be greatly appreciated!! (Do I need to write another ISAPI > Filter, can I use FormsAuthentication to do this?? Suggestions?) > > I have looked at hundreds of articles (or at least it seems!), and am not > 100% how to write an ISAPI filter in .NET, if that needs to be done. Any > pointers to live artices, code, etc. would be very helpful. > > Overall, basically, I want to use Basic Authentication protocol and > FormsAuthentication to access an IIS-set Basic Authentication directory, but > I want to use a form instead of the normal windows logon prompt. Our users > share computers, so having them being able to "save their password" is a > major security concern, which is why I need a login form page. > > Thanks! > > Chad > > So, in effect, how does that protect files in a directory (.gif, .htm,
etc)? That, to me, doesn't seem to provide "true"security of an area, like IIS does... Does anyone know if this has changed in 2.0? For now, I guess I can keep using the ISAPI filter that I built... Unless anyone else has a better solution. However, I am disappointed that I can't set up this kind of security in .NET/FormsAuthentication like I can with IIS Basic. I want to protect ALL files (and not have everything be processed through the isapi_aspnet dll) in a particular area and have them authenticate before accessing it, but without a "windows logon" prompt. Thanks for the help, Chad "Sam Santiago" <ssantiago@n0spam-SoftiTechture.com> wrote in message When you use Forms authentication you have to set IIS to Anonymous news:Oi0PhrNsFHA.2008@TK2MSFTNGP10.phx.gbl... authentication. Check out this article for a discussion on the combinations between ASP.NET authentication and IIS authentication: nhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp If you think you can customize ASP.NET to use forms with Basis Authentication you'll probably have to write an HTTP Module. Check out this article for a discussion on Modules and Handlers: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/elmah.asp Good luck. -- Show quoteHide quote_______________________________ Sam Santiago ssantiago@n0spam-SoftiTechture.com http://www.SoftiTechture.com _______________________________ "Chad Beckner" <cbeck***@iupui.edu> wrote in message news:uQIFS58rFHA.3352@TK2MSFTNGP14.phx.gbl... > Hi everyone, > > First off, sorry for the cross-post... > > I am developing a site (ASP.NET) in which the root will be set with > Anonymous AND/OR Basic permissions. Past that I will have an application > (directory) in which I will be developing applications, which will have > IIS > Basic Authentication set (this can't be avoided). In the past, I have > been > able to use a ISAPI Filter to add the response headers dynamically, and > add > the authentication to the request, therefore, allowing users into the > secure > directory, and all of this is form based, there is no browser prompt for > their username/password (and it adds it to every request, images, .htm > files, .asp files, etc). Now I am trying to do this with ASP.NET (VB), > again, trying to avoid the browser prompt, and add the authentication to > every request (again, images, .htm files, aspx files, etc). However, I > have > been unsuccessful using FormsAuthentication with the directory set to IIS > Basic Authentication (since IIS sees the request first, I get a browser > prompt. I want to replace this with a redirect to a login form). I have > been able to get the FormsAuthentication to set the cookie, but when it > tries to go into the Basic secured directory, I get a browser prompt. Any > help would be greatly appreciated!! (Do I need to write another ISAPI > Filter, can I use FormsAuthentication to do this?? Suggestions?) > > I have looked at hundreds of articles (or at least it seems!), and am not > 100% how to write an ISAPI filter in .NET, if that needs to be done. Any > pointers to live artices, code, etc. would be very helpful. > > Overall, basically, I want to use Basic Authentication protocol and > FormsAuthentication to access an IIS-set Basic Authentication directory, > but > I want to use a form instead of the normal windows logon prompt. Our > users > share computers, so having them being able to "save their password" is a > major security concern, which is why I need a login form page. > > Thanks! > > Chad > > When IIS "protects" things, it is using mechanisms that are built into the
HTTP specification. Since all requests to the server involve HTTP in some way, this is how you get all your resources (images, documents, ASP.NET pages etc) protected. On the other hand, currently, only requests for resources mapped to the ASP.NET ISAPI filter can take advantage of functionality built into the .NET Framework (forms based authentication). So this means that images etc that are handled by the static file handler are not protected. This will change in IIS7, where there will be a single, unified event pipeline, and you can hook into this pipeline using managed code (i.e. the forms authentication HTTP module supplied with .NET). Cheers Ken Show quoteHide quote "Chad Beckner" <cbeck***@iupui.edu> wrote in message nhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.aspnews:e0tUL5NsFHA.3216@TK2MSFTNGP12.phx.gbl... : So, in effect, how does that protect files in a directory (.gif, .htm, : etc)? That, to me, doesn't seem to provide "true"security of an area, like : IIS does... Does anyone know if this has changed in 2.0? : : For now, I guess I can keep using the ISAPI filter that I built... Unless : anyone else has a better solution. However, I am disappointed that I can't : set up this kind of security in .NET/FormsAuthentication like I can with IIS : Basic. I want to protect ALL files (and not have everything be processed : through the isapi_aspnet dll) in a particular area and have them : authenticate before accessing it, but without a "windows logon" prompt. : : Thanks for the help, : : Chad : : "Sam Santiago" <ssantiago@n0spam-SoftiTechture.com> wrote in message : news:Oi0PhrNsFHA.2008@TK2MSFTNGP10.phx.gbl... : When you use Forms authentication you have to set IIS to Anonymous : authentication. Check out this article for a discussion on the combinations : between ASP.NET authentication and IIS authentication: : : : http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/elmah.asp: If you think you can customize ASP.NET to use forms with Basis : Authentication you'll probably have to write an HTTP Module. Check out this : article for a discussion on Modules and Handlers: : : Show quoteHide quote : : Good luck. : : -- : _______________________________ : Sam Santiago : ssantiago@n0spam-SoftiTechture.com : http://www.SoftiTechture.com : _______________________________ : "Chad Beckner" <cbeck***@iupui.edu> wrote in message : news:uQIFS58rFHA.3352@TK2MSFTNGP14.phx.gbl... : > Hi everyone, : > : > First off, sorry for the cross-post... : > : > I am developing a site (ASP.NET) in which the root will be set with : > Anonymous AND/OR Basic permissions. Past that I will have an application : > (directory) in which I will be developing applications, which will have : > IIS : > Basic Authentication set (this can't be avoided). In the past, I have : > been : > able to use a ISAPI Filter to add the response headers dynamically, and : > add : > the authentication to the request, therefore, allowing users into the : > secure : > directory, and all of this is form based, there is no browser prompt for : > their username/password (and it adds it to every request, images, .htm : > files, .asp files, etc). Now I am trying to do this with ASP.NET (VB), : > again, trying to avoid the browser prompt, and add the authentication to : > every request (again, images, .htm files, aspx files, etc). However, I : > have : > been unsuccessful using FormsAuthentication with the directory set to IIS : > Basic Authentication (since IIS sees the request first, I get a browser : > prompt. I want to replace this with a redirect to a login form). I have : > been able to get the FormsAuthentication to set the cookie, but when it : > tries to go into the Basic secured directory, I get a browser prompt. Any : > help would be greatly appreciated!! (Do I need to write another ISAPI : > Filter, can I use FormsAuthentication to do this?? Suggestions?) : > : > I have looked at hundreds of articles (or at least it seems!), and am not : > 100% how to write an ISAPI filter in .NET, if that needs to be done. Any : > pointers to live artices, code, etc. would be very helpful. : > : > Overall, basically, I want to use Basic Authentication protocol and : > FormsAuthentication to access an IIS-set Basic Authentication directory, : > but : > I want to use a form instead of the normal windows logon prompt. Our : > users : > share computers, so having them being able to "save their password" is a : > major security concern, which is why I need a login form page. : > : > Thanks! : > : > Chad : > : > : : Ken is basically right on. The sort of integrated functionality you are
talking about, between ASP.Net and IIS, will first appear in IIS7. IIS7 will allow both native and managed code to participate in HTTP request processing with high fidelity. But of course, as soon as you add managed code to the mix, performance-wise it will be as if you *-scriptmapped aspnet_isapi.dll to handle the resource. You can think of it this way -- if you extend IIS with native code, just that DLL gets loaded; if you extend with managed code, then most of .Net Framework + ASP.Net intrinsics DLLs must be loaded to support your managed code module to and manipulate the IIS pipeline. Based on how you are using it (all you want is basic authentication, except using an HTML form to input data instead of the standard browser login popup dialog), I do not think FormsAuthentication gets you anything. All you are doing is trading one custom authentication scheme (Basic+Filter+HTML Form) for another (Anonymous+ScriptMapping+HTML Form) . If you are interested in another custom authentication scheme that works similarly to yours, try CustomAuth from the IIS Platform SDK (Anonymous+Filter+ScriptMapping+HTML Form). It gives you a customizable login page, no need to map aspnet_isapi.dll (i.e. managed code) to handle things... but you DO need to map another ISAPI DLL (CustomAuth.dll) to do exactly the same thing. http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm -- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message When IIS "protects" things, it is using mechanisms that are built into thenews:ew6ml7UsFHA.1032@TK2MSFTNGP12.phx.gbl... HTTP specification. Since all requests to the server involve HTTP in some way, this is how you get all your resources (images, documents, ASP.NET pages etc) protected. On the other hand, currently, only requests for resources mapped to the ASP.NET ISAPI filter can take advantage of functionality built into the .NET Framework (forms based authentication). So this means that images etc that are handled by the static file handler are not protected. This will change in IIS7, where there will be a single, unified event pipeline, and you can hook into this pipeline using managed code (i.e. the forms authentication HTTP module supplied with .NET). Cheers Ken Show quoteHide quote "Chad Beckner" <cbeck***@iupui.edu> wrote in message nhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/htmlnews:e0tUL5NsFHA.3216@TK2MSFTNGP12.phx.gbl... : So, in effect, how does that protect files in a directory (.gif, .htm, : etc)? That, to me, doesn't seem to provide "true"security of an area, like : IIS does... Does anyone know if this has changed in 2.0? : : For now, I guess I can keep using the ISAPI filter that I built... Unless : anyone else has a better solution. However, I am disappointed that I can't : set up this kind of security in .NET/FormsAuthentication like I can with IIS : Basic. I want to protect ALL files (and not have everything be processed : through the isapi_aspnet dll) in a particular area and have them : authenticate before accessing it, but without a "windows logon" prompt. : : Thanks for the help, : : Chad : : "Sam Santiago" <ssantiago@n0spam-SoftiTechture.com> wrote in message : news:Oi0PhrNsFHA.2008@TK2MSFTNGP10.phx.gbl... : When you use Forms authentication you have to set IIS to Anonymous : authentication. Check out this article for a discussion on the combinations : between ASP.NET authentication and IIS authentication: : : /authaspdotnet.asp : http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/elmah.asp: If you think you can customize ASP.NET to use forms with Basis : Authentication you'll probably have to write an HTTP Module. Check out this : article for a discussion on Modules and Handlers: : : Show quoteHide quote : : Good luck. : : -- : _______________________________ : Sam Santiago : ssantiago@n0spam-SoftiTechture.com : http://www.SoftiTechture.com : _______________________________ : "Chad Beckner" <cbeck***@iupui.edu> wrote in message : news:uQIFS58rFHA.3352@TK2MSFTNGP14.phx.gbl... : > Hi everyone, : > : > First off, sorry for the cross-post... : > : > I am developing a site (ASP.NET) in which the root will be set with : > Anonymous AND/OR Basic permissions. Past that I will have an application : > (directory) in which I will be developing applications, which will have : > IIS : > Basic Authentication set (this can't be avoided). In the past, I have : > been : > able to use a ISAPI Filter to add the response headers dynamically, and : > add : > the authentication to the request, therefore, allowing users into the : > secure : > directory, and all of this is form based, there is no browser prompt for : > their username/password (and it adds it to every request, images, .htm : > files, .asp files, etc). Now I am trying to do this with ASP.NET (VB), : > again, trying to avoid the browser prompt, and add the authentication to : > every request (again, images, .htm files, aspx files, etc). However, I : > have : > been unsuccessful using FormsAuthentication with the directory set to IIS : > Basic Authentication (since IIS sees the request first, I get a browser : > prompt. I want to replace this with a redirect to a login form). I have : > been able to get the FormsAuthentication to set the cookie, but when it : > tries to go into the Basic secured directory, I get a browser prompt. Any : > help would be greatly appreciated!! (Do I need to write another ISAPI : > Filter, can I use FormsAuthentication to do this?? Suggestions?) : > : > I have looked at hundreds of articles (or at least it seems!), and am not : > 100% how to write an ISAPI filter in .NET, if that needs to be done. Any : > pointers to live artices, code, etc. would be very helpful. : > : > Overall, basically, I want to use Basic Authentication protocol and : > FormsAuthentication to access an IIS-set Basic Authentication directory, : > but : > I want to use a form instead of the normal windows logon prompt. Our : > users : > share computers, so having them being able to "save their password" is a : > major security concern, which is why I need a login form page. : > : > Thanks! : > : > Chad : > : > : : 
Other interesting topics
Single sign on in asp.net
Questions and observations about CAS and the StrongNameIdentityPermssionAttribute. Signed XML Private Key X509 Certificate WSE 2.0 Issue\Errors C#.NET app to run on Win 2003 from another Win2003 on the local net? LsaStorePrivateData and VB .Net Certificate Valid Date Range Providing persistent storage in a locked down environment Sign with Smartcard security warning with https CredentialCache.DefaultCredentials is empty |
|||||||||||||||||||||||
