Multiple log-in requests for single aspx page - WHY?

Discussion in 'ASP .Net Security' started by Paul Bryant, Oct 17, 2003.

  1. Paul Bryant

    Paul Bryant Guest

    I have a subweb secured with Windows authentication. IIS has anonymous
    access disabled & basic auth enabled. The sub folder has ACLs set to allow
    access to a single non-admin user as well as administrators. Upon browsing
    to the home of the secured subweb users are prompted to log-in once, and
    assuming correct credentials are entered can access the site. When the
    non-admin user then follows a link to browse to an aspx page within the
    subweb another log-in prompt is displayed.
    WEIRD:
    If the user enters their username/password the log-in dialog re-appears 3
    times then the page is displayed. HOWEVER if they click cancel/press escape
    the page IS STILL DISPLAYED.

    This only happens from a win2k client, accessing the page from XP works as
    expected.

    Also, I found that when setting unique permissions on the subweb using the
    FPSE admin web pages I lost the ASPNET account permissions, breaking the
    application, and had to manually re-add them. This doesn't seem very clever.
    As if security wasn't complicated enough with ASP I now have to check ACLs,
    IIS settings, FPSE settings AND web.configs, any or all of which can break
    the security.

    TIA,

    Paul Bryant
     
    Paul Bryant, Oct 17, 2003
    #1

  2. Paul,

    Are you impersonating in your ASP.NET application? If not, I would think
    that the cause of the problem is that ASPNET (the user account for the
    aspnet_wp.exe process) is being denied access. However, the fact that it
    works from a Windows XP machine is very strange.

    What do the IIS logs show? What do you see if you get a Filemon log of
    this problem? (www.sysinternals.com).

    As to the FPSE, if you try and manage permissions using FPSE, they may
    tighten security which will remove any unknown accounts from browse access
    on the site. This includes the ASPNET account. Therefore, if you do
    tighten security with FPSE, you will need to add the ASPNET account back to
    the wwwroot folder with default permissions.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.


     
    Jim Cheshire [MSFT], Oct 17, 2003
    #2
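Added example, not part of either post: one way to triage the IIS log the reply asks about, separating the expected anonymous challenge from 401s returned to an already-authenticated user. It assumes W3C extended logging with the `cs-username` and `sc-win32-status` fields enabled; the log lines, addresses and account names are constructed. Win32 status 5 is ERROR_ACCESS_DENIED and 1326 is ERROR_LOGON_FAILURE.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2003-10-17 11:20:01 192.0.2.10 - GET /secure/default.htm 401 5
2003-10-17 11:20:05 192.0.2.10 SRV\\webuser GET /secure/default.htm 200 0
2003-10-17 11:21:10 192.0.2.10 SRV\\webuser GET /secure/report.aspx 401 5
2003-10-17 11:21:14 192.0.2.10 SRV\\webuser GET /secure/report.aspx 401 5
2003-10-17 11:21:18 192.0.2.10 SRV\\webuser GET /secure/report.aspx 401 5
2003-10-17 11:21:22 192.0.2.10 SRV\\webuser GET /secure/report.aspx 200 0
2003-10-17 11:30:00 192.0.2.44 SRV\\other GET /secure/default.htm 401 1326
"""

# Win32 error codes as they appear in sc-win32-status.
WIN32 = {"5": "access denied (ACL)", "1326": "logon failure (bad credentials)"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated lines
                rows.append(dict(zip(fields, parts)))
    return rows


def triage_401s(rows):
    """Count 401 responses per (client, URI), labelled by likely cause."""
    out = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r.get("sc-status") != "401":
            continue
        if r.get("cs-username", "-") == "-":
            cause = "anonymous request challenged"  # normal first round trip
        else:
            cause = WIN32.get(r.get("sc-win32-status"), "other")
        out[(r["c-ip"], r["cs-uri-stem"])][cause] += 1
    return {key: dict(causes) for key, causes in out.items()}


if __name__ == "__main__":
    for key, causes in triage_401s(parse_w3c(SAMPLE_LOG)).items():
        print(key, causes)
```

Repeated "access denied (ACL)" entries against a named user on one URI point at file permissions rather than at the password typed into the prompt.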