Forms Authentication

[frpascal]

Hi,

For an Intranet, I try to capture the windows logon automaticaly to identify
the user with a little javascript. I put this varaible in an Input object
and use it with a
"FormsAuthentication.RedirectFromLoginPage(LoginUserWindows.Value, False)"
just before the Response.Redirect("\Planning\PagePrincipale.aspx").
After that i recall the value with an "User.Identity.Name".

The trace tells me that Auth-User and Remote-User values are correct but I
can't get those values with the User.Identity.name after the redirection.

It is working fine with W2000 but don't work anymore with Win XP neither Win
2003.

Thanks for any help.
Pascal

 

[[MSFT]]

Hello Pascal,

When we call RedirectFromLoginPage(LoginUserWindows.Value, False), the User
Name(LoginUserWindows.Value) will be stored in Cookies. Since the problem
only occur on parts of your servers, you may check if the cookies default
setting on these server have been changed. And, were the cookies passed to
server side, and were their path are correct.

Hope this help,

Luke

 

[Dominick Baier [DevelopMentor]]

Hello frpascal,

so a use can be whoever he wants to when he manually changes the value (filled
by your javascript) before the POST to the server??

That's not a good solution.

Why don't you provide a separate directory for windows users - with windows
auth - then in AuthenticateRequest - construct a formsAuth ticket manually,
set the cookie and redirect to your main page?

 

[frpascal]

Hi Dominick,

The Input is Hidden and my users are kind office workers who just want to
logon automaticaly, i just use the logon name for their planning and worked
hours reports. No real security matter in fact.

I don't want to implement windows auth because of the pop up window.

Luke, I checked my servers and I don't find the cookies default setting, in
fact i changed nothing since I installed the new server.
Before now I already have the problem because my dev/test machine has
migrated to WinXP, from that time this "capture" didn't work any more on the
dev/test machine but worked properly on the W2000 server.
I checked other Forms Auth messages and I found a message about fiddler. I
tried to use it :
On the first page about Cookies :
- Cookie: ASP.NET_SessionId=a4ly5ymfrnp315555ytsak55
- Set-Cookie:
..ASPXAUTH=F3667128E001B12F31C9C0D130BC4600483EC7F09C2EBB653367A99BEDCDD2DF59
DB46986051F28B7A153E24C4737AFD8EDC95EC49927907EC81225A41684F9DBDE3604E5CC3E1
73; path=/
On the destination page :
- Cookie: ASP.NET_SessionId=a4ly5ymfrnp315555ytsak55;
..ASPXAUTH=F3667128E001B12F31C9C0D130BC4600483EC7F09C2EBB653367A99BEDCDD2DF59
DB46986051F28B7A153E24C4737AFD8EDC95EC49927907EC81225A41684F9DBDE3604E5CC3E1
73

I hope this can help you to help me
Thanks a lot !
Pascal

"Dominick Baier [DevelopMentor]" <[email protected]> a
écrit dans le message de

 

[Dominick Baier [DevelopMentor]]

Hello frpascal,

hidden input provides no security...

why do you get a windows pop up window? are the users not domain users? In
domains you get single sign on AND decent authentication for free

are there two different web apps involved?

if yes be sure to sync the following settings:

cookie name & path
machineKey

 

[[MSFT]]

Hello Pascal,

Is the target web page in a different folder from the login page? This may
cause cookie has different path.

BTW, windows auth won't cause a pop up window except you use Basic
authentication. Therefore, windows auth is still a choice as Dominick
suggested.

Luke

 

[frpascal]

Hi Luke, Dominick,

There is two different applications and folders. It was also the case with
my W2000 server...

I tried to modify the Web.Config to put a path for the cookie in forms. I
tested several option but none is working.
What kind of address I can put there instead of the default "/", I found no
exemple ...

Thanks again !
Pascal

 

[[MSFT]]

Hello Pascal,

Maybe we can do a test on cookies first. For example, add following code in
your login form:

Response.Cookies("Test") = "TestValue"

Can you get this value in target page with:

Request.Cookies("Test")

If this failed, there must be some issues with the cookie.

Anyway, to get windows logon, I sitll suggest you consider windows
authentication, here is an article about how to implement Windows
authentication and authorization in ASP.NET

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q323176

Hope this help,

Luke

 

[frpascal]

Hi Luke,

Your cookie test is successfull.
I also replace the "testvalue" by my user logon so now my application is
working properly.

It looks like the "User.Identity.Name.Trim" doesn't work properly from an
application to another... ???

About the windows authentication, i resist to that solution because the
Domain is manage by another office in UK and with the new SOX procedures it
is a real mess to have an account with some rights correctly configured. My
new server will not be AD...

Thanks a lot for your precious help !
Pascal

 

[[MSFT]]

Thank you for the update. Regarding the question, it is worthy a try to
deny access to the Anonymous user in the Web.config file, use the following
syntax:

<authorization>
<deny users = "?" /> <!-- This denies access to the Anonymous user -->
<allow users ="*" /> <!-- This allows access to all users -->
</authorization>


Luke

 

[frpascal]

I tried that,

It is redirected to a login.apsx page that doesn't exist as I don't need it
normaly :
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its
dependencies) could have been removed, had its name changed, or is
temporarily unavailable. Please review the following URL and make sure that
it is spelled correctly.

Requested Url: /Intranet/login.aspx

Pascal

 

[[MSFT]]

Hello pascal,

Can you post the whole web.config file here? I will study it to see if I
can find something.

Thanks,

Luke