Form authentication ignored in virtual application

I have an admin site configured as a virtual application inside another website.

I would like visitors to the subdirectory (virtual application) to be prompted for credentials using the same forms-based authentication that is set up on the main parent site.

We tried all kinds of things, but could not get it to work, including:

Removing all <authentication mode="Forms">, <authorization>, <membership> and <roles> sections from the virtual application's web.config

Copying the same sections <authentication mode="Forms">, <authorization>, <membership> and <roles> from the parent to the virtual application's web.config

Using a virtual directory instead of a virtual application

But I never tried credentials

Does anyone know how to get this setting?

thanks

UPDATE:

Now it has received permission inheritance from the parent by deleting the application name in IIS (to make it a virtual directory, not a virtual application)

However, this messes up all the paths in the admin site

e.g. I get the following error:

The file '/Site.master' does not exist.

So should I use a virtual directory (which seems to inherit authentication from the parent)?

Or a virtual application (which does not currently inherit auth from the parent, but has the correct relative paths)?

Here is the parent config

    <membership defaultProvider="SqlServerMembershipProvider">
      <providers>
        <add connectionStringName="xxxxxxxx"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             name="SqlServerMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SqlServerRoleProvider">
      <providers>
        <add connectionStringName="xxxxxxx"
             applicationName="/"
             name="SqlServerRoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </roleManager>
    <authentication mode="Forms">
      <forms name=".EPiServerLogin" loginUrl="login.aspx" timeout="120"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
+4
3 answers

I needed to use a single sign-on solution as described here

http://www.codeproject.com/KB/aspnet/SingleSignon.aspx

Most importantly, each site must use the same encryption key for cookie values. Therefore, this machineKey element must be added to each site participating in Single Sign On

+2
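
The answer above requires the parent site and the virtual application to share one machineKey; the forms cookie name and path have to line up as well, or the child never sees a ticket it can validate. The following Python check is an added example, not part of the original answer: the sample configs and key placeholders are constructed, and config inheritance is modelled as an attribute-level merge as an assumption.

```python
import xml.etree.ElementTree as ET

AUTO = "AutoGenerate,IsolateApps"  # ASP.NET default for both machineKey keys
DEFAULTS = {"machineKey": {"validationKey": AUTO, "decryptionKey": AUTO},
            "authentication/forms": {"name": ".ASPXAUTH", "path": "/"}}
IGNORED = {"loginUrl", "timeout"}  # may differ without invalidating a ticket

def declared(xml_text):
    """Attributes one web.config declares for machineKey and forms."""
    web = ET.fromstring(xml_text).find("system.web")
    out = {}
    for path in DEFAULTS:
        el = web.find(path) if web is not None else None
        out[path] = dict(el.attrib) if el is not None else {}
    return out

def check_shared_ticket(parent_xml, child_xml):
    """List settings that can stop the child accepting the parent's cookie."""
    p, c = declared(parent_xml), declared(child_xml)
    problems = []
    for path, defaults in DEFAULTS.items():
        parent = {**defaults, **p[path]}
        # Assumption: inheritance modelled as attribute-level merge, child wins.
        child = {**parent, **c[path]}
        for attr in sorted((set(parent) | set(child)) - IGNORED):
            if parent.get(attr) != child.get(attr):
                problems.append(f"{path} {attr} differs between parent and child")
        if path == "machineKey":
            for attr in ("validationKey", "decryptionKey"):
                if "IsolateApps" in child[attr]:
                    problems.append(f"machineKey {attr} uses IsolateApps (per-application key)")
    return problems

# Constructed sample configs; the key values are placeholders, not real keys.
def config(*parts):
    return "<configuration><system.web>" + "".join(parts) + "</system.web></configuration>"

KEY = '<machineKey validationKey="PLACEHOLDER_A" decryptionKey="PLACEHOLDER_B"/>'
FORMS = '<authentication mode="Forms"><forms name="{}" loginUrl="login.aspx"/></authentication>'
PARENT = config(KEY, FORMS.format(".EPiServerLogin"))
PARENT_NO_KEY = config(FORMS.format(".EPiServerLogin"))
CHILD_OK = config('<authorization><deny users="?"/></authorization>')
CHILD_RENAMED = config(FORMS.format(".AdminLogin"))

if __name__ == "__main__":
    for label, pair in (("shared key", (PARENT, CHILD_OK)),
                        ("renamed cookie", (PARENT, CHILD_RENAMED)),
                        ("no explicit key", (PARENT_NO_KEY, CHILD_OK))):
        print(label, "->", check_shared_ticket(*pair) or "ok")
```
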

How have you configured authorization?

Also, I assume that you have not authenticated with the parent site yet?

In the admin subdirectory, you should have something like the following in your web.config (obviously, you may have additional information):

    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

This will reject all anonymous users, but allow all authenticated users to gain access. You can easily extend this if you use a role provider to allow specific roles:

    <allow roles="Admin" />
    <deny users="*" />

Please note that you need the "Deny all users" rule, because by default all users are allowed. Authorization works from top to bottom: it starts at the top of the list and stops processing as soon as it finds a match, so if the user is in the Admin role, he will not get as far as "Deny all users".

You can also configure this in the root web.config using the <location> element.

Reply to comments

And does your authentication / authorization work on the parent site?

Could you please change your question to include the (misinformed) sections of web.config that you tried so that we can see if there is something obvious, for example, if you use Roles to block the administration area, you enable it (<roleManager enabled="true">, defaults to false).

+1

We do what you try to do quite often here.

We do this as follows: the root level is a virtual application, it contains the web.config and global.ascx wizards. We have a normal admin folder inside. Inside this we have a small web.config, it contains only XML information <authorization>. You will need a login page somewhere, either in the root folder or in the administrator folder.

I am a little confused in your post about whether three applications / directories (application, parent application, application administrator) are involved or only two (application and application administrator). I make a critical assumption that these are two. If you have three, it will be a little more work to run this business.


0

Source: https://habr.com/ru/post/1304143/