Form Authentication (redirect to https)


D

dgator

We are using forms authentication for security within our web app. Within
the web.config file, we have the logonURL set to "https://www.mysite.com" so
that if the user gets to the login page via http, they will be forced to
https version.

We do this same redirect on other websites without any problems, but for
some reason on this one website, when we redirect to https, a windows login
prompt is presented to the user which is NOT what we want. I have looked
throughout the web.config file and the iis setup and see no differences in
the site that works with the redirect and one that doesn't.


Any ideas?

Thanks in advance.
 
Ad

Advertisements

G

Guest

We are using forms authentication for security within our web app.  Within
the web.config file, we have the logonURL set to "https://www.mysite.com" so
that if the user gets to the login page via http, they will be forced to
https version.

We do this same redirect on other websites without any problems, but for
some reason on this one website, when we redirect to https, a windows login
prompt is presented to the user which is NOT what we want.  I have looked
throughout the web.config file and the iis setup and see no differences in
the site that works with the redirect and one that doesn't.  

Any ideas?

Thanks in advance.

I think it does mean that the IUSR_<server> account has no access to
the root directory of the site. Check directory permissions to see if
the this account is allowed access to the files. Check if Anonymous
authentication is enabled in IIS.
 
D

dgator

If i type https://www.mysite.com it works fine as long as the "logonURL" in
the forms authentication section of the web.config just points to the logon
page like "logon.aspx".

As soon as I change the logonURL to "https://www.mysite.com/logon.aspx", the
windows logon prompt is presented to the user.

The directory permissions for the IUSR seem to be fine.

Any other thoughts?

Thanks

Daivd
 
G

Guest

If i typehttps://www.mysite.comit works fine as long as the "logonURL" in
the forms authentication section of the web.config just points to the logon
page like "logon.aspx".  

As soon as I change the logonURL to "https://www.mysite.com/logon.aspx", the
windows logon prompt is presented to the user.

The directory permissions for the IUSR seem to be fine.

Any other thoughts?

Thanks

Daivd






- Show quoted text -

David, when you do this on other websites, do you use a custom 403
redirect at IIS from http to https?
 
D

dgator

I do the redirect through the form authentication section of the web.config
file.

Here is my current entry in web.config

<authentication mode="Forms">
<forms loginUrl="wtLogon.aspx" name="sqlAuthCookie" timeout="60"
path="/">
</forms>
</authentication>

This works if the user types in https://www.mysite.com. If the user type
http>//www.mysite.com, they are redirected to the login page, but still in
http.

If I change the entry in the web.config to the following

<authentication mode="Forms">
<forms loginUrl="https://www.mysite.com/wtLogon.aspx"
name="sqlAuthCookie" timeout="60" path="/">
</forms>
</authentication>

I get the windows login prompt.

Very strange.
 
Ad

Advertisements

G

Guest

I do the redirect through the form authentication section of the web.config
file.

Here is my current entry in web.config

<authentication mode="Forms">
      <forms loginUrl="wtLogon.aspx" name="sqlAuthCookie" timeout="60"
path="/">
      </forms>
    </authentication>

This works if the user types inhttps://www.mysite.com.  If the user type
http>//www.mysite.com, they are redirected to the login page, but still in
http.

If I change the entry in the web.config to the following

<authentication mode="Forms">
      <forms loginUrl="https://www.mysite.com/wtLogon.aspx"
name="sqlAuthCookie" timeout="60" path="/">
      </forms>
    </authentication>

I get the windows login prompt.

Very strange.






- Show quoted text -

I think the trick here is that you have to add custom 403 (403;4 if I
am not wrong) in IIS where you can redirect from http://....login.aspx
to https://....login.aspx using simple
Response.Redirect("https://....login.aspx");
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top