Re: Forms Authentication and SSL

From: patcole@online.microsoft.com (Patrick C. Cole (MS))
Date: Fri, 04 Oct 2002 19:26:00 GMT


Kipp,

The workaround you have found (from your other post) is a logical solution.
I have been able to duplicate the issue, but have not located a better
solution. I will continue to research and will post more information as
soon as I have some.

Patrick Cole
Microsoft Developer Support

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2002 Microsoft Corporation. All rights
reserved.
--------------------
| From: "Kipp Hawley" <kh@traxonline.com>
| References: <OMSJovaaCHA.1332@tkmsftngp11> <oCRKUrjaCHA.1064@cpmsftngxa08>
| Subject: Re: Forms Authentication and SSL
| Date: Wed, 2 Oct 2002 14:09:44 -0700
|
| Hi Patrick -
| Thanks for the note on the loginUrl attribute.
| re: login dialog - we do have Anonymous access set for the site as well as
| Windows Authentication (needed so developers can work with the files through
| FrontPage Extensions). When I turn off Windows Authentication I still get
| the "going to secure channel" message, then I simply get the "access denied"
| message.
|
| On closer inspection, it appears that using the full absolute https URL in
| web.config short-circuits the authentication process: when I try to browse
| the login page itself and receive the access denial, the address bar says
| https://myserver/myapp/login.aspx?ReturnUrl=%2fmyapp%2flogin.aspx. So, it
| looks like the forms authentication module isn't realizing that the browsed
| file is actually the loginUrl in web.config, which should be available
| without authentication. Compare this to when the loginUrl is simply the
| relative url "login.aspx" - browsing right to login.aspx is no problem at
| all.
|
| Kipp
|
| "Patrick C. Cole (MS)" <patcole@online.microsoft.com> wrote in message
| news:oCRKUrjaCHA.1064@cpmsftngxa08...
| > Kipp,
| >
| > You will need to put the full address in the loginUrl attribute. The login
| > dialog you mention may be that you do not have Anonymous access set for the
| > site. Having NTLM or Basic would prompt the user for authentication.
| >
| > Hope this helps,
| >
| > Patrick Cole
| > Microsoft Developer Support
| >
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| > You assume all risk for your use. © 2002 Microsoft Corporation. All rights
| > reserved.
| >
| > --------------------
| > | From: "Kipp Hawley" <kh@traxonline.com>
| > | Subject: Forms Authentication and SSL
| > | Date: Tue, 1 Oct 2002 17:38:45 -0700
| > |
| > | Greetings -
| > | After getting Forms Authentication working I took the next step of using SSL
| > | for the login page. The login page is in the same directory as the rest of
| > | the web's pages, and is the only one set to use SSL. If I browse directly to
| > | it there is no problem, but I can't find a way to get Forms Authentication
| > | to use it properly. If I just set login.aspx as the loginURL, the browser
| > | puts up the "You need to use https://..." message, and after inserting the
| > | 's' in the address bar it goes fine. This won't cut it for real users,
| > | though. On the other hand, if I use https: in the loginURL, I can't get it
| > | to work without using the entire absolute address, and, worse yet, when I
| > | get redirected to login.aspx I get a Windows login screen.
| > |
| > | Any ideas? How do others implement SSL for Forms Authentication?
| > | Here's the web.config code:
| > |
| > | <authentication mode="Forms" >
| > | <forms loginUrl = "https://myserver/testapp/login.aspx" name = "TestAuth" />
| > | </authentication>
| > | <authorization>
| > | <deny users="?" />
| > | </authorization>
| > |
| > | Thanks for your help,
| > | Kipp Hawley
| > | Trax Softworks, Inc.
| > |
| > |
| >
|
|
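
Added example, not part of the original thread: a Python check that flags the symptom Kipp describes above, a request for the login page whose ReturnUrl points back at the login page itself. The function names and the default.aspx sample URL are constructed here, and comparing paths case-insensitively is an assumption that matches IIS on Windows.

```python
from urllib.parse import urlsplit, parse_qs


def is_login_loop(url, login_path):
    """True when `url` is the login page and its ReturnUrl is the login page too.

    That shape means the authorization check treated the login page as a
    protected resource, so an anonymous user can never reach the form.
    """
    wanted = login_path.lower()
    parts = urlsplit(url)
    if parts.path.lower() != wanted:
        return False
    # parse_qs percent-decodes values: %2fmyapp%2flogin.aspx -> /myapp/login.aspx
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    targets = query.get("returnurl", [])
    # ReturnUrl may be a bare path or a full URL; compare only the path part.
    return any(urlsplit(t).path.lower() == wanted for t in targets)


def find_login_loops(urls, login_path):
    """Filter a list of observed URLs down to the self-referential ones."""
    return [u for u in urls if is_login_loop(u, login_path)]


# Sample input. The first URL is the one quoted in the thread; the other two
# are constructed for contrast.
OBSERVED = [
    "https://myserver/myapp/login.aspx?ReturnUrl=%2fmyapp%2flogin.aspx",
    "https://myserver/myapp/login.aspx?ReturnUrl=%2fmyapp%2fdefault.aspx",
    "https://myserver/myapp/login.aspx",
]

if __name__ == "__main__":
    for hit in find_login_loops(OBSERVED, "/myapp/login.aspx"):
        print("login page redirects to itself:", hit)
```

Run against the address-bar URL or the Location headers captured after a web.config change, a non-empty result means the login page itself is being denied to anonymous users.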


