Re: Forms Authentication and SSL

From: Kipp Hawley (kh@traxonline.com)
Date: 10/02/02


From: "Kipp Hawley" <kh@traxonline.com>
Date: Wed, 2 Oct 2002 14:09:44 -0700


Hi Patrick -
Thanks for the note on the loginUrl attribute.
re: login dialog - we do have Anonymous access set for the site as well as
Windows Authentication (needed so developers can work with the files through
FrontPage Extensions). When I turn off Windows Authentication I still get
the "going to secure channel" message, then I simply get the "access denied"
message.

On closer inspection, it appears that using the full absolute https URL in
web.config short-circuits the authentication process: when I try to browse
the login page itself and receive the access denial, the address bar says
https://myserver/myapp/login.aspx?ReturnUrl=%2fmyapp%2flogin.aspx. So, it
looks like the forms authentication module isn't realizing that the browsed
file is actually the loginUrl in web.config, which should be available
without authentication. Compare this to when the loginUrl is simply the
relative URL "login.aspx" - browsing right to login.aspx is no problem at
all.

Kipp

"Patrick C. Cole (MS)" <patcole@online.microsoft.com> wrote in message
news:oCRKUrjaCHA.1064@cpmsftngxa08...
> Kipp,
>
> You will need to put the full address in the loginUrl attribute. The login
> dialog you mention may be that you do not have Anonymous access set for the
> site. Having NTLM or Basic would prompt the user for authentication.
>
> Hope this helps,
>
> Patrick Cole
> Microsoft Developer Support
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2002 Microsoft Corporation. All rights
> reserved.
>
> --------------------
> | From: "Kipp Hawley" <kh@traxonline.com>
> | Subject: Forms Authentication and SSL
> | Date: Tue, 1 Oct 2002 17:38:45 -0700
> |
> | Greetings -
> | After getting Forms Authentication working I took the next step of using SSL
> | for the login page. The login page is in the same directory as the rest of
> | the web's pages, and is the only one set to use SSL. If I browse directly to
> | it there is no problem, but I can't find a way to get Forms Authentication
> | to use it properly. If I just set login.aspx as the loginURL, the browser
> | puts up the "You need to use https://..." message, and after inserting the
> | 's' in the address bar it goes fine. This won't cut it for real users,
> | though. On the other hand, if I use https: in the loginURL, I can't get it
> | to work without using the entire absolute address, and, worse yet, when I
> | get redirected to login.aspx I get a Windows login screen.
> |
> | Any ideas? How do others implement SSL for Forms Authentication?
> | Here's the web.config code:
> |
> | <authentication mode="Forms" >
> | <forms loginUrl = "https://myserver/testapp/login.aspx" name = "TestAuth" />
> | </authentication>
> | <authorization>
> | <deny users="?" />
> | </authorization>
> |
> | Thanks for your help,
> | Kipp Hawley
> | Trax Softworks, Inc.
> |
> |
>
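
A quick diagnostic for the symptom described in this post, where the login page is requested with itself as its ReturnUrl. This is an added example, not code from the thread; the function names are hypothetical, and every sample URL except the one quoted in the post is constructed.

```python
from posixpath import normpath
from urllib.parse import parse_qsl, urlsplit


def _norm(path):
    # IIS paths are case-insensitive; also collapse "." and ".." segments.
    return normpath(path or "/").lower()


def return_url_target(url):
    """Return the normalized path named by ReturnUrl, or None if absent."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() == "returnurl":  # parse_qsl has already percent-decoded
            return _norm(urlsplit(value).path)
    return None


def is_login_loop(url):
    """True when the page being requested is also its own ReturnUrl."""
    target = return_url_target(url)
    return target is not None and target == _norm(urlsplit(url).path)


def find_login_loops(urls):
    """Filter requested or redirected-to URLs down to the self-referencing ones."""
    return [u for u in urls if is_login_loop(u)]


# The first URL is the one quoted in the post; the rest are constructed samples.
SAMPLE_URLS = [
    "https://myserver/myapp/login.aspx?ReturnUrl=%2fmyapp%2flogin.aspx",
    "https://myserver/myapp/login.aspx?ReturnUrl=%2fmyapp%2fdefault.aspx",
    "https://myserver/MyApp/Login.aspx?returnurl=%2Fmyapp%2Flogin.aspx%3Fx%3D1",
    "https://myserver/myapp/login.aspx",
]

if __name__ == "__main__":
    for hit in find_login_loops(SAMPLE_URLS):
        print("login page is its own ReturnUrl:", hit)
```

Run over request URLs or redirect `Location` values from a test pass, any hit means the login page itself is being treated as a protected resource.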


