Microsoft.Owin.Security.IAuthenticationManager does not redirect to the login page

I am using Microsoft.Owin.Security in my application (ASP.NET MVC v 5.2.0 on .NET 4.5), but only the security part of OWIN, nothing more. When a user wants to access a secured URL, locally the request is redirected to the login page. But when I publish the application on the server, I get this window instead of the redirect:

enter image description here

My login and logout methods:

    public void LogIn(long userId, string username, string email, bool persistent)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, userId.ToString(CultureInfo.InvariantCulture)),
            new Claim(ClaimTypes.Name, username),
            new Claim(ClaimTypes.Email, email),
            new Claim(ClaimTypes.IsPersistent, persistent.ToString())
        };
        var id = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
        var ctx = HttpContext.Current.Request.GetOwinContext();
        var authenticationManager = ctx.Authentication;
        authenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        authenticationManager.SignIn(new AuthenticationProperties { IsPersistent = persistent }, id);
    }

    public void LogOut()
    {
        var ctx = HttpContext.Current.Request.GetOwinContext();
        var authenticationManager = ctx.Authentication;
        authenticationManager.SignOut();
    }

and here is my Startup class:

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/account/log-in/"),
                AuthenticationMode = AuthenticationMode.Active,
                CookieHttpOnly = true,
                CookieName = ".some-cookie-name",
                ExpireTimeSpan = TimeSpan.FromDays(1),
                LogoutPath = new PathString("/account/log-out/"),
                SlidingExpiration = true,
                ReturnUrlParameter = "continue"
            });
        }
    }

I also have this line in the global.asax::Application_Start method:

 AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier; 

and these configurations in web.config:

    <system.web>
      <authentication mode="None" />
      <httpModules>
        <remove name="FormsAuthenticationModule" />
        <remove name="RoleManager" />
      </httpModules>
    </system.web>
    <system.webServer>
      <validation validateIntegratedModeConfiguration="false" />
      <modules runAllManagedModulesForAllRequests="false">
        <remove name="FormsAuthenticationModule" />
        <remove name="RoleManager" />
      </modules>
    </system.webServer>

and finally, I run the application on a Windows 2008 R2 machine with IIS 7.5. Do you know what I should do to make OWIN work correctly on my server, just like on my local machine?

UPDATE: To be clear:

Suppose I have the following actions:

    [AllowAnonymous]
    public ActionResult AnonymousAction()
    {
        return View();
    }

    [Authorize]
    public ActionResult UsersAction()
    {
        return View();
    }

One is for anonymous users and one is for logged-in users (both are decorated with the corresponding attributes). Anonymous users can easily access AnonymousAction without any errors. But when they (I mean anonymous users) want to access UsersAction, instead of being redirected to the login page, they see the window that I mentioned above.

+6
3 answers

Well, that was really easy. According to @trailmax's answer (thanks to him), I realized that I should pay attention to the HTTP response code. That was code 401 - Unauthorized. So I asked myself why? Until I found this answer. Then the only thing I needed was to create the following attribute:

    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
    public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext.Request.IsAuthenticated)
            {
                filterContext.Result = new HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
            }
            else
            {
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }
+1

As Eric says, your IIS has the wrong settings, most likely the authentication is configured incorrectly.

Go to your IIS, select your site and select the "Authentication" section. It should look like this: Anonymous Authentication = Enabled

Make sure anonymous authentication is turned on and everything else is turned off.

+3
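
The check described in the answer above can also be scripted instead of read off the IIS Manager screen. This is an added example, not part of the original answers; it assumes the WebAdministration PowerShell module is available on the server, and the site name is a placeholder.

```powershell
# Added example (not from the original answers): list which IIS authentication
# schemes are enabled for one site and compare them with the setup the answer
# recommends (Anonymous enabled, everything else disabled).
Import-Module WebAdministration

$site    = 'Default Web Site'   # placeholder: replace with your IIS site name
$base    = '/system.webServer/security/authentication'
$schemes = 'anonymousAuthentication', 'basicAuthentication',
           'digestAuthentication', 'windowsAuthentication'

$report = foreach ($scheme in $schemes) {
    # Sections for role services that are not installed may be missing or
    # unreadable; skip those instead of stopping the audit.
    $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
                -Filter "$base/$scheme" -Name enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }

    # The cmdlet normally returns an attribute object; accept a bare bool too.
    $value    = if ($prop -is [bool]) { $prop } else { $prop.Value }
    $enabled  = [bool]$value
    $expected = ($scheme -eq 'anonymousAuthentication')

    # New-Object keeps this compatible with PowerShell 2.0 on Windows 2008 R2.
    New-Object PSObject -Property @{
        Scheme   = $scheme
        Enabled  = $enabled
        Expected = $expected
        Matches  = ($enabled -eq $expected)
    }
}

$report | Select-Object Scheme, Enabled, Expected, Matches | Format-Table -AutoSize

# Summarize any scheme whose state differs from the recommended setup.
$mismatches = @($report | Where-Object { -not $_.Matches })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) scheme(s) differ from the recommended setup for '$site'."
}
```

Run it in an elevated PowerShell session on the IIS server; it only reads configuration and changes nothing.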

How does this relate to the URL of your account in Startup? I notice this line:

 LoginPath = new PathString("/account/log-in/") 

always refers to the root URL of the server. Therefore, if you use, say,

 http://myserver.com/application1 

then the login page will be

 http://myserver.com/account/log-in/ 

but you probably mean

 http://myserver.com/application1/account/log-in/ 

So you can try something like:

 LoginPath = new PathString("~/account/log-in/") 

with the ~ symbol. Same thing for the logout URL.

+2

Source: https://habr.com/ru/post/976431/

