RE: Getting forms auth challenge

From: Jim Cheshire [MSFT] (jamesche_at_online.microsoft.com)
Date: 07/28/04 

Date: Wed, 28 Jul 2004 21:35:15 GMT

Mark,

You are allowing everyone to the site. Therefore, no one needs to
authenticate. You need to change your <authorization> section as follows:

<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
jamesche@online.microsoft.com

This post is provided "AS-IS" with no warranties and confers no rights.

--------------------
>From: murphy@murphysw.com (MarkMurphy)
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Subject: Getting forms auth challenge
>Date: 28 Jul 2004 12:04:34 -0700
>Organization: http://groups.google.com
>Lines: 32
>Message-ID: <e061eb57.0407281104.7cab54ba@posting.google.com>
>NNTP-Posting-Host: 144.223.23.86
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1091041475 8883 127.0.0.1 (28 Jul 2004
19:04:35 GMT)
>X-Complaints-To: groups-abuse@google.com
>NNTP-Posting-Date: Wed, 28 Jul 2004 19:04:35 +0000 (UTC)
>Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.s
ul.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!p
ostnews2.google.com!not-for-mail
>Xref: cpmsftngxa10.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:10952
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>I'm implementing forms authentication on a site and can't get the
>redirection to the login page to work happen. It is behaving as
>though still doing windows authentication.
>
>In web.config:
>
> <authentication mode="Forms">
> <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH"
>protection="All"/>
> </authentication>
>
> <!-- AUTHORIZATION
> This section sets the authorization policies of the
>application. You can allow or deny access
> to application resources by user or role. Wildcards: "*"
>mean everyone, "?" means anonymous
> (unauthenticated) users.
> -->
>
> <authorization>
> <allow users="*" /> <!-- Allow all users -->
> <!-- <allow users="[comma separated list of users]"
> roles="[comma separated list of roles]"/>
> <deny users="[comma separated list of users]"
> roles="[comma separated list of roles]"/>
> -->
> </authorization>
>
>
>Am I missing something?
>
>Thanks in advance, Mark
>

Relevant Pages

  • asp.net vulnerability
    ... From: Windows NTBugtraq Mailing List ... More details on ASP.NET vulnerability ... There has been some confusion with the ASP.NET forms authentication issue ... authorization issue, not an authentication issue. ...
    (microsoft.public.sharepoint.portalserver)
  • Re: application pool custom identity
    ... Kerberos becomes a possibility when the web server is in a Domain, ... The problem happens when the browser/server selects Kerberos authentication, ... LocalSystem credentials will work for Kerberos; custom AppPool Identity ... Authorization. ...
    (microsoft.public.inetserver.iis)
  • Re: Kerberos OpenLDAP Frontend
    ... Jonathan Javier Cordoba Gonzalez wrote: ... but then you are mixing the authentication with the authorization. ... A KDC with passwords and LDAP ...
    (comp.protocols.kerberos)
  • Re: ASP.NET Authentication exception case
    ... It doesn't seem to like the authorization tag underneath the location tag ... This section sets the authentication policies of the application. ... <!-- SESSION STATE SETTINGS ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: ADAM - SSO and provisioning considerations
    ... ADAM and "custom" security principals and gives you ... for authentication, where you might ship some default providers (ADAM LDAP ... be used to link up to the authorization store. ... > customer's identity store is a non-MS directory, ...
    (microsoft.public.windows.server.active_directory)