Login control and restricted member pages

[NickP]

Hi there,

I have setup a website to use the login control and have been following
this tutorial,

http://msdn2.microsoft.com/en-us/library/879kf95c(VS.80).aspx

All of my member-only pages are stored in a directoy access that has
annonymous access set to deny all. Unfortunately when login occurs and the
default member page is navigated to a Windows Forms dialog appears and asks
for my username and password, to which I have to supply my hosting
credentials in order to see the site correctly. If I leave the entries
blank and press cancel, I see the page but the graphics / styles to not
load.

Any ideas what I am doing wrong here? Many thanks for your time and
help.

Nick.

 

[Steven Cheng[MSFT]]

Hi Nick,

From your description, your ASP.NET application is using Forms
Authentication and you make one of the folder protected from
unauthenticated user. However, you find that after you login, you will
still get a popup window for windows credential when visit pages in a
certain folder, correct?

Regarding on this problem symptom, I think it is likely caused by windows
NTFS permission limitation. By default, even you use Forms Authentication,
ASP.NET runtime will perform file authorization checking on each aspx file
being requested. That means it will ensure the current user(security
account) has the permission to access that certain aspx page's physical
file(through NTFS permission setting). For your scenario, you're using
Forms Authentication(and assume you haven't perform impersonate in your
web.config), the security context is your ASP.NET worker process
identity(in IIS5, the default one is MACHINE\ASPNET, in IIS6, the default
one is "Network Service" account). Therefore, you need to make sure that
account have the permission to access the asp.net page file(will be
requested in your application).

Here are some reference about ASP.NET process identity and
authorization(include url authorization):

#ASP.NET Process Identity
http://msdn2.microsoft.com/en-us/library/aa291339(VS.71).aspx

#Configuring ASP.NET Process Identity
http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx

#ASP.NET Authorization
http://msdn2.microsoft.com/en-us/library/wce3kxhd.aspx


If you have anything unclear, welcome to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

[NickP]

Hi Steven,

I'm not quite sure I understand to be totally honest, let me give you a
scenario,

1. I attempt to navigate to a restricted member page without logging in
2. The HTML of the aspx page loads fine, but I recieve a login dialog
once for each image on the page.

* The images folder within this restricted folder is unaccessible, but
the root members folder isn't.

appname/members << (anonymous set to deny all) accessible
appname/members/images << inaccessible

If I log in, using the login control in the app root,

appname/login.aspx

exactly the same thing happens. So my question is this,

Why does the page load but not the images, regardless of the login
status?

The control panel suggests that both folders have *exactly* the same
permissions set, but I cannot access any of the images. I'm just contacting
the hosting guys to find out if they can check the NTFS permissions.

To be honest the links you sent didn't really help me much, there was no
clear explanation or description of my problem occuring.

Many thanks for your time and help.

Nick.

 

[Steven Cheng[MSFT]]

Thanks for your reply Nick,

As you said the login dialog prompts each time the page loading a image,
have you verified the image files's access permission(NTFS file permission)
on that server machine? It is likely that those images file are stored in a
protected folder. When a page display some images file, the client browser
will send http request to download each of them after the page content is
loaded. Thus, if the image file is protected or not accessible, browser
will also prompt for credentials. Also, you can check the IIS log on the
server machine and look for those access denied entries(401 error) to see
which pages or resources cause the access denied behavior.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

From: "NickP" <[email protected]>
References: <#[email protected]>

 

[NickP]

Hi Steven,

Fortunately the problem has been resolved now by removing the annonymous
/ deny attributes from the members directory, it redirects to the login page
if you aren't logged in anyway. I thought that maybe it would be good to
give that extra level of security but I guess not.

Many thanks for your time and help.

Nick.

 

[Steven Cheng[MSFT]]

Thanks for your reply Nick,

Glad that you have got it resolved.

Have a good day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

From: "NickP" <[email protected]>
References: <#[email protected]>

<[email protected]>