Velocity Reviews - Computer Hardware Reviews

How to allow a specific domain to bypass my forms-based security

 
 
Larry Smith
Guest
Posts: n/a
 
      01-06-2009
Hi there,

I'm fairly new to both IIS and ASP.NET but an experienced Windows developer
otherwise (with extensive Windows security experience). I already have a
good entry-level understanding of IIS and ASP.NET security but would like to
know how to allow requests from a specific domain to automatically bypass my
forms-based security (<authentication mode="Forms"> in my "web.config"
file). Is there something I can easily add to my IIS configuration and/or
"web.config" that basically says, "allow domain.com to enter while everyone
else has to log in". If not then can someone get me started on how to pull
this off in code. Thanks.


 
Joe Kaplan
Guest
Posts: n/a
 
      01-06-2009

How would you know that a request came from a specific domain? If you try
to do this via source IP header, you run the risk that the client would
spoof this. It isn't a reliable form of authentication.

Do you need a real security feature here?

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


 
Larry Smith
Guest
Posts: n/a
 
      01-07-2009
> How would you know that a request came from a specific domain? If you try
> to do this via source IP header, you run the risk that the client would
> spoof this. It isn't a reliable form of authentication.


Thanks for the feedback but for my needs it's ok. I'm going to be opening a
hosted site shortly that will normally be open to all (anonymous) users on
the web. I periodically want to conduct some maintenance however so to
facilitate this, I want to restrict all other users except myself. The
easiest way I've been able to find to do this so far is to add the following
to my "web.config" file:

<authorization>
<!-- Deny all unauthenticated users -->
<deny users="?"/>
</authorization>

This will force all users to a login form where I can then control who can
enter my site. That will only be me for now. During maintenance however, I
want to conduct a test where I click a button on one of my pages which takes
me to another site where a particular transaction is conducted. That site
will then post back to a designated page on my site in a secure manner. When
doing so however, I obviously don't want the page blocked by the above entry
in my "web.config" file. This is why I'm trying to figure out how to allow
that particular domain to bypass the login form. As for intruders, it's
extremely unlikely anyone else will try to access the same page which is
only known to the domain I'm dealing with. Even if it did occur, they won't
get very far since I have an RSA-based security mechanism in place that will
prevent them from doing any harm (it's a shared protocol between me and the
specific domain I'm dealing with).

If you know of a better or more "official" way I can do this then I'd be
interested in knowing. Note BTW that I'd rather not rely on the IIS
configuration panel to assist since my site is hosted. I therefore don't
want to rely on my web host's personnel to access the IIS configuration
panel for me whenever I have to do maintenance. Thanks in advance for any
help you can provide.


 
bruce barker
Guest
Posts: n/a
 
      01-07-2009
You should supply a web service page which you exclude from forms
authentication (see docs for controlling login by path), then use an RSA
key as a parameter to the web service.

-- bruce (sqlwork.com)


 
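The "controlling login by path" mechanism Bruce points at is the <location> element in web.config, which can be edited on a hosted site without any access to the IIS configuration panel. The fragment below is an added example for this thread, not configuration posted by anyone in it; the callback path Callback/PartnerPost.aspx is a placeholder. It keeps Larry's maintenance-mode <deny users="?"/> for the whole site and opens exactly one URL to anonymous callers:

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Existing setup from the thread: everyone goes through the login form. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <authorization>
      <!-- Deny all unauthenticated users (Larry's maintenance-mode rule). -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Added carve-out: the one page the partner site posts back to.
       The path is hypothetical and is relative to this web.config's folder. -->
  <location path="Callback/PartnerPost.aspx">
    <system.web>
      <authorization>
        <!-- Anyone may reach this URL; the page itself must check the
             RSA-signed parameter on every post, as Bruce suggests. -->
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

What this does and does not do: the <location> override removes the login redirect for that single URL, it does not authenticate the caller. Anyone who learns the URL can reach the page, so the page behind it has to verify the partner's signed parameter itself rather than trusting that it was reached at all. The same rules are honoured by UrlAuthorizationModule under both the classic and the IIS 7 integrated pipeline, so nothing has to change in the panel.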
Joe Kaplan
Guest
Posts: n/a
 
      01-07-2009
I think what I would probably try to do is have a piece of code that
basically integrates with the existing forms login system and generates a
forms login ticket/cookie directly based on the source IP server variable.

Perhaps something that runs in BeginRequest or Authenticate like an
HttpModule or Global.asax handler that generates a forms auth cookie via
SetAuthCookie and sets a valid IPrincipal in Context.User would be
sufficient. It should effectively provide SSO for clients presenting the
required source IP and will challenge for forms auth as normal for those
that do not.

I also tend to agree with Bruce's parallel comment that providing a
non-forms auth method for accessing a page designed for programmatic access
like a web service is probably a good idea.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


 
Larry Smith
Guest
Posts: n/a
 
      01-07-2009

Thanks for the feedback (to both of you). Do either of you know of a link
with an example I can extrapolate from. I don't need a lot of hand-holding.
Also, how do you get hold of the calling domain in code (or their IP address
at the very least). Thanks.


 
Larry Smith
Guest
Posts: n/a
 
      01-07-2009
> Request.UserHostAddress;

Thanks very much!

> Complete waste of time, as spoofing this is trivial...


Not in my case as mentioned earlier (I have another layer of security in
place that prevents it).


 
Joe Kaplan
Guest
Posts: n/a
 
      01-07-2009
Check out this document for the list of IIS server variables:

http://msdn.microsoft.com/en-us/library/ms524602.aspx

REMOTE_ADDR will give you the remote IP address. You could also try
REMOTE_HOST to get the translated DNS name, but that might not be as
reliable. Try it and see if that works for your needs.

I don't have source code for this, unfortunately. I think the Authenticate event
is likely to be the way to go with this as it will allow forms
authentication to work normally first and then give your code a crack to
handle this condition afterward.

You could either take the approach to generate a fixed authenticated user
context based on a match to your source IP and have this user participate in
authorized access to the site or you could take the approach of allowing
matches to this source IP access the site anonymously from the Context.User
perspective.

To do the former, you should just need to generate a valid IPrincipal object
and set that in Context.User and then potentially generate a forms auth
cookie for that user to handle subsequent requests. So, the first thing to
check in the Authenticate event is whether the forms auth module has already
authenticated a user.

If you want requests that match this source IP to access the site
anonymously, you can just call HttpContext.SkipAuthorization. This will
instruct the UrlAuthorizationModule to skip this request and allow anonymous
access to whatever was requested.

I don't know enough about the details of your system to know which approach
would be preferable.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


 
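Joe's two posts describe one mechanism: a handler on the AuthenticateRequest event, running after FormsAuthenticationModule, that reads REMOTE_ADDR and then either places a fixed IPrincipal in Context.User or sets HttpContext.SkipAuthorization (a settable property, not a method) so that UrlAuthorizationModule lets the request through. The module below is an added example written for this thread, not code from either poster. The partner address 203.0.113.10 (an RFC 5737 documentation address) and the callback path are placeholders; the real values are never given in the thread. It takes the SkipAuthorization route and deliberately does not call FormsAuthentication.SetAuthCookie, so an IP match is good for one request only and never becomes a reusable session:

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;
using System.Web;

// Added example for this thread, not code from any of the posters.
// Lets one partner address reach one callback page while <deny users="?"/>
// keeps everything else behind the forms login.
public class TrustedCallbackModule : IHttpModule
{
    // Hypothetical partner address (RFC 5737 documentation range); the thread
    // never names the real one. Compare the TCP peer address only; do NOT
    // consult X-Forwarded-For or similar headers, which any client can set.
    private static readonly HashSet<IPAddress> TrustedPeers = new HashSet<IPAddress>
    {
        IPAddress.Parse("203.0.113.10")
    };

    // Hypothetical callback page; everything else keeps the normal login gate.
    private const string CallbackPath = "~/Callback/PartnerPost.aspx";

    public void Init(HttpApplication app)
    {
        // Modules added in the application's web.config are appended after the
        // built-in ones, so FormsAuthenticationModule has already populated
        // Context.User when this runs. PostAuthenticateRequest would guarantee
        // that ordering and still fires before AuthorizeRequest.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose()
    {
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Someone already logged in through the form: leave forms auth alone.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
        {
            return;
        }

        if (!IsTrustedCallback(ctx.Request))
        {
            return; // UrlAuthorizationModule redirects to the login page as usual
        }

        // Joe's "anonymous" variant: tell UrlAuthorizationModule to let this one
        // request through. Nothing is persisted, so a spoofed packet cannot turn
        // into a session. Deliberately no FormsAuthentication.SetAuthCookie here.
        ctx.SkipAuthorization = true;

        // Joe's "fixed user" variant would instead be:
        //   ctx.User = new GenericPrincipal(new GenericIdentity("partner-callback"),
        //                                   new[] { "Partner" });
        // which lets <allow roles="Partner"/> rules apply to the callback page.
    }

    // The decision itself, kept apart from the event plumbing.
    public static bool IsTrustedCallback(HttpRequest request)
    {
        // Only the callback page, only over TLS, only for a POST.
        if (!string.Equals(request.AppRelativeCurrentExecutionFilePath, CallbackPath,
                           StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }
        if (!request.IsSecureConnection ||
            !string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        // REMOTE_ADDR is what Request.UserHostAddress returns: the peer as IIS saw it.
        // Behind a load balancer or reverse proxy this is the proxy, not the partner.
        IPAddress peer;
        if (!IPAddress.TryParse(request.ServerVariables["REMOTE_ADDR"], out peer))
        {
            return false;
        }

        return TrustedPeers.Contains(peer);
    }
}
```

Register the module in web.config under <system.web><httpModules> (IIS 6 / classic pipeline) or <system.webServer><modules> (IIS 7 integrated pipeline); no IIS panel access is needed, which fits a hosted site. Two caveats follow from the spoofing warnings earlier in the thread. First, REMOTE_ADDR is the TCP peer IIS saw: if the host places a load balancer or reverse proxy in front of the site it will be the proxy's address, and the temptation is then to read X-Forwarded-For, which any client can set to anything. Second, a source address check is a filter, not authentication: the RSA-signed exchange Larry describes is what actually proves a post came from the partner, and the callback page should verify it on every request regardless of which address delivered it.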
Larry Smith
Guest
Posts: n/a
 
      01-07-2009
Thanks very much for all your advice. I'll research the ideas you presented
and see if I can leverage them for my needs. Your help was greatly
appreciated (same to the others).


 