Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Configuring Windows-based Authentication and UrlAuthorization

Reply
Thread Tools

Configuring Windows-based Authentication and UrlAuthorization

 
 
MCM
Guest
Posts: n/a
 
      08-31-2009
I have tried that as well.

"Alexey Smirnov" wrote:

> On Aug 31, 11:29 pm, MCM <(E-Mail Removed)> wrote:
> > I tried disabling Anonymous access, but there was no change.
> >
> >
> >
> > "Thomas Sun [MSFT]" wrote:
> > > Hi MCM,

> >
> > > Thanks for your response.

> >
> > > Please make sure we only enable Integrated Windows Authentication and
> > > disable Anonymous access option on IIS. When anonymous access is enabled,
> > > no authenticated user credentials are required to access the site. For more
> > > information, seehttp://support.microsoft.com/kb/324274

> >
> > > I look forward to receiving your test results.

> >
> > > --
> > > Best Regards,
> > > Thomas Sun

> >
> > > Microsoft Online Partner Support

> >
> > > >Hi Thomas-

> >
> > > >> Firstly, we need to make sure the identity that requests your website is
> > > in
> > > >> the Administrators role that you specify in <allow> section of
> > > <location>
> > > >> settings. For test, we can present the identity name in page by
> > > following
> > > >> code:
> > > >> ===============================
> > > >> Response.Write(User.Identity.Name);
> > > >> ===============================

> >
> > > >No name is displaying at all. This value is blank. Could this be a browser
> > > >setting?

> >
> > > >> Besides, we also can specify a domain user in <location> settings and
> > > then
> > > >> request your website with that identity to see whether it works. For
> > > >> example:
> > > >> ===============================
> > > >> <location path="Admin">
> > > >> <system.web>
> > > >> <authorization>
> > > >> <allow users="YourDomain\OneUserName"/>
> > > >> <deny users="*"/>
> > > >> </authorization>
> > > >> </system.web>
> > > >> </location>
> > > >> ===============================

> >
> > > >This also does not let me have access. But I presume that until we fix the
> > > >blank username problem, we won't get anywhere.

> >
> > > >-Max- Hide quoted text -

> >
> > - Show quoted text -

>
> Well, I would try to setup clean web.config, get rid of
>
> <remove name="FormsAuthentication" />
> <remove name="PassportAuthentication" />
> <remove name="AnonymousIdentification" />
> <remove name="FileAuthorization" />
> <remove name="OutputCache" />
> <remove name="RoleManager" />
> <remove name="Profile" />
> <remove name="ServiceModel" />
> <remove name="ErrorHandlerModule" />
>
> (let's load all by default)
>
> enable trace
>
> and put just
>
> <deny users="?"/>
>
> and see what happens
>

 
Reply With Quote
 
 
 
 
Thomas Sun [MSFT]
Guest
Posts: n/a
 
      09-01-2009
Hi MCM,

Could you please tell me how you configure your website on IIS? Do you
create Virtual Directory for the Admin folder? As I mentioned above, when
we use Anonymous access, user credentials won't be sent. And one
application just can have one authentication mode.

If you want to enable Anonymous access for public part and use Integrated
Windows Authentication for Admin part, I suggest you treat them as separate
website. By doing so, we can configure them separately on IIS.

For example, you can add web.config file with Windows Authentication and
<authorization> section in Admin folder. On IIS, we can add new Application
under your Public section and point its Physical path to the Admin folder.
If we do so, the Admin is the child application of Public application. And
then you can configure Admin application using Integrated Windows
Authentication and configure Public application using Anonymous access on
IIS.

I look forward to receiving your test results.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support



--------------------
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>Is it possible to disable anonymous access just for the Admin folder? I'd
>like to allow it for the public section.
>
>
>"Thomas Sun [MSFT]" wrote:
>
>> Hi MCM,
>>
>> Thanks for your response.
>>
>> Please make sure we only enable Integrated Windows Authentication and
>> disable Anonymous access option on IIS. When anonymous access is

enabled,
>> no authenticated user credentials are required to access the site. For

more
>> information, see http://support.microsoft.com/kb/324274
>>
>>
>> I look forward to receiving your test results.
>>
>>
>> --
>> Best Regards,
>> Thomas Sun
>>
>> Microsoft Online Partner Support
>>
>> >
>> >Hi Thomas-
>> >
>> >> Firstly, we need to make sure the identity that requests your website

is
>> in
>> >> the Administrators role that you specify in <allow> section of

>> <location>
>> >> settings. For test, we can present the identity name in page by

>> following
>> >> code:
>> >> ===============================
>> >> Response.Write(User.Identity.Name);
>> >> ===============================
>> >
>> >No name is displaying at all. This value is blank. Could this be a

browser
>> >setting?
>> >
>> >
>> >> Besides, we also can specify a domain user in <location> settings and

>> then
>> >> request your website with that identity to see whether it works. For
>> >> example:
>> >> ===============================
>> >> <location path="Admin">
>> >> <system.web>
>> >> <authorization>
>> >> <allow users="YourDomain\OneUserName"/>
>> >> <deny users="*"/>
>> >> </authorization>
>> >> </system.web>
>> >> </location>
>> >> ===============================
>> >
>> >This also does not let me have access. But I presume that until we fix

the
>> >blank username problem, we won't get anywhere.
>> >
>> >-Max
>> >

>>
>>

>


 
Reply With Quote
 
 
 
 
MCM
Guest
Posts: n/a
 
      09-02-2009
I'm happy to work with Virtual Directories as needed. But just to get this
working at all, I tried to switch the whole site to Windows Authentication. I
used the following in my web.config:

<authentication mode="Windows"/>
<authorization>
<deny users="?" />
</authorization>

It is STILL giving me 401 access denied errors. Not sure what to try next.


"Thomas Sun [MSFT]" wrote:

> Hi MCM,
>
> Could you please tell me how you configure your website on IIS? Do you
> create Virtual Directory for the Admin folder? As I mentioned above, when
> we use Anonymous access, user credentials won't be sent. And one
> application just can have one authentication mode.
>
> If you want to enable Anonymous access for public part and use Integrated
> Windows Authentication for Admin part, I suggest you treat them as separate
> website. By doing so, we can configure them separately on IIS.
>
> For example, you can add web.config file with Windows Authentication and
> <authorization> section in Admin folder. On IIS, we can add new Application
> under your Public section and point its Physical path to the Admin folder.
> If we do so, the Admin is the child application of Public application. And
> then you can configure Admin application using Integrated Windows
> Authentication and configure Public application using Anonymous access on
> IIS.
>
> I look forward to receiving your test results.
>
>
> --
> Best Regards,
> Thomas Sun
>
> Microsoft Online Partner Support
>
>
>
> --------------------
> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >
> >Is it possible to disable anonymous access just for the Admin folder? I'd
> >like to allow it for the public section.
> >
> >
> >"Thomas Sun [MSFT]" wrote:
> >
> >> Hi MCM,
> >>
> >> Thanks for your response.
> >>
> >> Please make sure we only enable Integrated Windows Authentication and
> >> disable Anonymous access option on IIS. When anonymous access is

> enabled,
> >> no authenticated user credentials are required to access the site. For

> more
> >> information, see http://support.microsoft.com/kb/324274
> >>
> >>
> >> I look forward to receiving your test results.
> >>
> >>
> >> --
> >> Best Regards,
> >> Thomas Sun
> >>
> >> Microsoft Online Partner Support
> >>
> >> >
> >> >Hi Thomas-
> >> >
> >> >> Firstly, we need to make sure the identity that requests your website

> is
> >> in
> >> >> the Administrators role that you specify in <allow> section of
> >> <location>
> >> >> settings. For test, we can present the identity name in page by
> >> following
> >> >> code:
> >> >> ===============================
> >> >> Response.Write(User.Identity.Name);
> >> >> ===============================
> >> >
> >> >No name is displaying at all. This value is blank. Could this be a

> browser
> >> >setting?
> >> >
> >> >
> >> >> Besides, we also can specify a domain user in <location> settings and
> >> then
> >> >> request your website with that identity to see whether it works. For
> >> >> example:
> >> >> ===============================
> >> >> <location path="Admin">
> >> >> <system.web>
> >> >> <authorization>
> >> >> <allow users="YourDomain\OneUserName"/>
> >> >> <deny users="*"/>
> >> >> </authorization>
> >> >> </system.web>
> >> >> </location>
> >> >> ===============================
> >> >
> >> >This also does not let me have access. But I presume that until we fix

> the
> >> >blank username problem, we won't get anywhere.
> >> >
> >> >-Max
> >> >
> >>
> >>

> >

>
>

 
Reply With Quote
 
MCM
Guest
Posts: n/a
 
      09-02-2009
Here's a weird twist... I tried it in FireFox and it works. Still no change
with IE8 though.


"MCM" wrote:

> I'm happy to work with Virtual Directories as needed. But just to get this
> working at all, I tried to switch the whole site to Windows Authentication. I
> used the following in my web.config:
>
> <authentication mode="Windows"/>
> <authorization>
> <deny users="?" />
> </authorization>
>
> It is STILL giving me 401 access denied errors. Not sure what to try next.
>
>
> "Thomas Sun [MSFT]" wrote:
>
> > Hi MCM,
> >
> > Could you please tell me how you configure your website on IIS? Do you
> > create Virtual Directory for the Admin folder? As I mentioned above, when
> > we use Anonymous access, user credentials won't be sent. And one
> > application just can have one authentication mode.
> >
> > If you want to enable Anonymous access for public part and use Integrated
> > Windows Authentication for Admin part, I suggest you treat them as separate
> > website. By doing so, we can configure them separately on IIS.
> >
> > For example, you can add web.config file with Windows Authentication and
> > <authorization> section in Admin folder. On IIS, we can add new Application
> > under your Public section and point its Physical path to the Admin folder.
> > If we do so, the Admin is the child application of Public application. And
> > then you can configure Admin application using Integrated Windows
> > Authentication and configure Public application using Anonymous access on
> > IIS.
> >
> > I look forward to receiving your test results.
> >
> >
> > --
> > Best Regards,
> > Thomas Sun
> >
> > Microsoft Online Partner Support
> >
> >
> >
> > --------------------
> > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> > >
> > >Is it possible to disable anonymous access just for the Admin folder? I'd
> > >like to allow it for the public section.
> > >
> > >
> > >"Thomas Sun [MSFT]" wrote:
> > >
> > >> Hi MCM,
> > >>
> > >> Thanks for your response.
> > >>
> > >> Please make sure we only enable Integrated Windows Authentication and
> > >> disable Anonymous access option on IIS. When anonymous access is

> > enabled,
> > >> no authenticated user credentials are required to access the site. For

> > more
> > >> information, see http://support.microsoft.com/kb/324274
> > >>
> > >>
> > >> I look forward to receiving your test results.
> > >>
> > >>
> > >> --
> > >> Best Regards,
> > >> Thomas Sun
> > >>
> > >> Microsoft Online Partner Support
> > >>
> > >> >
> > >> >Hi Thomas-
> > >> >
> > >> >> Firstly, we need to make sure the identity that requests your website

> > is
> > >> in
> > >> >> the Administrators role that you specify in <allow> section of
> > >> <location>
> > >> >> settings. For test, we can present the identity name in page by
> > >> following
> > >> >> code:
> > >> >> ===============================
> > >> >> Response.Write(User.Identity.Name);
> > >> >> ===============================
> > >> >
> > >> >No name is displaying at all. This value is blank. Could this be a

> > browser
> > >> >setting?
> > >> >
> > >> >
> > >> >> Besides, we also can specify a domain user in <location> settings and
> > >> then
> > >> >> request your website with that identity to see whether it works. For
> > >> >> example:
> > >> >> ===============================
> > >> >> <location path="Admin">
> > >> >> <system.web>
> > >> >> <authorization>
> > >> >> <allow users="YourDomain\OneUserName"/>
> > >> >> <deny users="*"/>
> > >> >> </authorization>
> > >> >> </system.web>
> > >> >> </location>
> > >> >> ===============================
> > >> >
> > >> >This also does not let me have access. But I presume that until we fix

> > the
> > >> >blank username problem, we won't get anywhere.
> > >> >
> > >> >-Max
> > >> >
> > >>
> > >>
> > >

> >
> >

 
Reply With Quote
 
MCM
Guest
Posts: n/a
 
      09-02-2009
So I have all the security working as planned in FireFox, but still not
functional in IE8. A quick search for "windows authentication ie8" will show
you there are a lot of people out there with this problem. I assume there
must be a fix for it by now. Probably a security setting within IE? Any ideas?


"MCM" wrote:

> Here's a weird twist... I tried it in FireFox and it works. Still no change
> with IE8 though.
>
>
> "MCM" wrote:
>
> > I'm happy to work with Virtual Directories as needed. But just to get this
> > working at all, I tried to switch the whole site to Windows Authentication. I
> > used the following in my web.config:
> >
> > <authentication mode="Windows"/>
> > <authorization>
> > <deny users="?" />
> > </authorization>
> >
> > It is STILL giving me 401 access denied errors. Not sure what to try next.
> >
> >
> > "Thomas Sun [MSFT]" wrote:
> >
> > > Hi MCM,
> > >
> > > Could you please tell me how you configure your website on IIS? Do you
> > > create Virtual Directory for the Admin folder? As I mentioned above, when
> > > we use Anonymous access, user credentials won't be sent. And one
> > > application just can have one authentication mode.
> > >
> > > If you want to enable Anonymous access for public part and use Integrated
> > > Windows Authentication for Admin part, I suggest you treat them as separate
> > > website. By doing so, we can configure them separately on IIS.
> > >
> > > For example, you can add web.config file with Windows Authentication and
> > > <authorization> section in Admin folder. On IIS, we can add new Application
> > > under your Public section and point its Physical path to the Admin folder.
> > > If we do so, the Admin is the child application of Public application. And
> > > then you can configure Admin application using Integrated Windows
> > > Authentication and configure Public application using Anonymous access on
> > > IIS.
> > >
> > > I look forward to receiving your test results.
> > >
> > >
> > > --
> > > Best Regards,
> > > Thomas Sun
> > >
> > > Microsoft Online Partner Support
> > >
> > >
> > >
> > > --------------------
> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> > > >
> > > >Is it possible to disable anonymous access just for the Admin folder? I'd
> > > >like to allow it for the public section.
> > > >
> > > >
> > > >"Thomas Sun [MSFT]" wrote:
> > > >
> > > >> Hi MCM,
> > > >>
> > > >> Thanks for your response.
> > > >>
> > > >> Please make sure we only enable Integrated Windows Authentication and
> > > >> disable Anonymous access option on IIS. When anonymous access is
> > > enabled,
> > > >> no authenticated user credentials are required to access the site. For
> > > more
> > > >> information, see http://support.microsoft.com/kb/324274
> > > >>
> > > >>
> > > >> I look forward to receiving your test results.
> > > >>
> > > >>
> > > >> --
> > > >> Best Regards,
> > > >> Thomas Sun
> > > >>
> > > >> Microsoft Online Partner Support
> > > >>
> > > >> >
> > > >> >Hi Thomas-
> > > >> >
> > > >> >> Firstly, we need to make sure the identity that requests your website
> > > is
> > > >> in
> > > >> >> the Administrators role that you specify in <allow> section of
> > > >> <location>
> > > >> >> settings. For test, we can present the identity name in page by
> > > >> following
> > > >> >> code:
> > > >> >> ===============================
> > > >> >> Response.Write(User.Identity.Name);
> > > >> >> ===============================
> > > >> >
> > > >> >No name is displaying at all. This value is blank. Could this be a
> > > browser
> > > >> >setting?
> > > >> >
> > > >> >
> > > >> >> Besides, we also can specify a domain user in <location> settings and
> > > >> then
> > > >> >> request your website with that identity to see whether it works. For
> > > >> >> example:
> > > >> >> ===============================
> > > >> >> <location path="Admin">
> > > >> >> <system.web>
> > > >> >> <authorization>
> > > >> >> <allow users="YourDomain\OneUserName"/>
> > > >> >> <deny users="*"/>
> > > >> >> </authorization>
> > > >> >> </system.web>
> > > >> >> </location>
> > > >> >> ===============================
> > > >> >
> > > >> >This also does not let me have access. But I presume that until we fix
> > > the
> > > >> >blank username problem, we won't get anywhere.
> > > >> >
> > > >> >-Max
> > > >> >
> > > >>
> > > >>
> > > >
> > >
> > >

 
Reply With Quote
 
Thomas Sun [MSFT]
Guest
Posts: n/a
 
      09-03-2009
Hi MCM,

If we create a simple ASP.NET website with Window Authentication and deploy
it on IIS, does it have the same issue? What URL you were using to request
your website? Please try to add the URL into local Web Site
(IE->Tools->Internet Options->Security tab->Select "Local intranet"-> Click
"Sites"->Click "Advanced" button->Add the URL), and enable "Automatic Logon
with current username and password" (Internet Explorer --> Tools-->Internet
Options --> Security-->Local Intranet Zone-->Custom Level-->User
Authentication-->Logon -->Automatic Logon with current username and
password).

If the issue still exists, could you please post detailed steps here that
can repro the issue? You also can send me a simplified package that can
repro the error on your machine. My email is http://www.velocityreviews.com/forums/(E-Mail Removed).


I look forward to hearing from you.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support



--------------------

>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>So I have all the security working as planned in FireFox, but still not
>functional in IE8. A quick search for "windows authentication ie8" will

show
>you there are a lot of people out there with this problem. I assume there
>must be a fix for it by now. Probably a security setting within IE? Any

ideas?
>
>
>"MCM" wrote:
>
>> Here's a weird twist... I tried it in FireFox and it works. Still no

change
>> with IE8 though.
>>
>>
>> "MCM" wrote:
>>
>> > I'm happy to work with Virtual Directories as needed. But just to get

this
>> > working at all, I tried to switch the whole site to Windows

Authentication. I
>> > used the following in my web.config:
>> >
>> > <authentication mode="Windows"/>
>> > <authorization>
>> > <deny users="?" />
>> > </authorization>
>> >
>> > It is STILL giving me 401 access denied errors. Not sure what to try

next.
>> >
>> >
>> > "Thomas Sun [MSFT]" wrote:
>> >
>> > > Hi MCM,
>> > >
>> > > Could you please tell me how you configure your website on IIS? Do

you
>> > > create Virtual Directory for the Admin folder? As I mentioned above,

when
>> > > we use Anonymous access, user credentials won't be sent. And one
>> > > application just can have one authentication mode.
>> > >
>> > > If you want to enable Anonymous access for public part and use

Integrated
>> > > Windows Authentication for Admin part, I suggest you treat them as

separate
>> > > website. By doing so, we can configure them separately on IIS.
>> > >
>> > > For example, you can add web.config file with Windows Authentication

and
>> > > <authorization> section in Admin folder. On IIS, we can add new

Application
>> > > under your Public section and point its Physical path to the Admin

folder.
>> > > If we do so, the Admin is the child application of Public

application. And
>> > > then you can configure Admin application using Integrated Windows
>> > > Authentication and configure Public application using Anonymous

access on
>> > > IIS.
>> > >
>> > > I look forward to receiving your test results.
>> > >
>> > >
>> > > --
>> > > Best Regards,
>> > > Thomas Sun
>> > >
>> > > Microsoft Online Partner Support
>> > >
>> > >
>> > >
>> > > --------------------
>> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>> > > >
>> > > >Is it possible to disable anonymous access just for the Admin

folder? I'd
>> > > >like to allow it for the public section.
>> > > >
>> > > >
>> > > >"Thomas Sun [MSFT]" wrote:
>> > > >
>> > > >> Hi MCM,
>> > > >>
>> > > >> Thanks for your response.
>> > > >>
>> > > >> Please make sure we only enable Integrated Windows Authentication

and
>> > > >> disable Anonymous access option on IIS. When anonymous access is
>> > > enabled,
>> > > >> no authenticated user credentials are required to access the

site. For
>> > > more
>> > > >> information, see http://support.microsoft.com/kb/324274
>> > > >>
>> > > >>
>> > > >> I look forward to receiving your test results.
>> > > >>
>> > > >>
>> > > >> --
>> > > >> Best Regards,
>> > > >> Thomas Sun
>> > > >>
>> > > >> Microsoft Online Partner Support
>> > > >>
>> > > >> >
>> > > >> >Hi Thomas-
>> > > >> >
>> > > >> >> Firstly, we need to make sure the identity that requests your

website
>> > > is
>> > > >> in
>> > > >> >> the Administrators role that you specify in <allow> section of
>> > > >> <location>
>> > > >> >> settings. For test, we can present the identity name in page

by
>> > > >> following
>> > > >> >> code:
>> > > >> >> ===============================
>> > > >> >> Response.Write(User.Identity.Name);
>> > > >> >> ===============================
>> > > >> >
>> > > >> >No name is displaying at all. This value is blank. Could this be

a
>> > > browser
>> > > >> >setting?
>> > > >> >
>> > > >> >
>> > > >> >> Besides, we also can specify a domain user in <location>

settings and
>> > > >> then
>> > > >> >> request your website with that identity to see whether it

works. For
>> > > >> >> example:
>> > > >> >> ===============================
>> > > >> >> <location path="Admin">
>> > > >> >> <system.web>
>> > > >> >> <authorization>
>> > > >> >> <allow users="YourDomain\OneUserName"/>
>> > > >> >> <deny users="*"/>
>> > > >> >> </authorization>
>> > > >> >> </system.web>
>> > > >> >> </location>
>> > > >> >> ===============================
>> > > >> >
>> > > >> >This also does not let me have access. But I presume that until

we fix
>> > > the
>> > > >> >blank username problem, we won't get anywhere.
>> > > >> >
>> > > >> >-Max
>> > > >> >
>> > > >>
>> > > >>
>> > > >
>> > >
>> > >

>


 
Reply With Quote
 
MCM
Guest
Posts: n/a
 
      09-03-2009
I was in the process of creating a package for you to test when I solved the
problem. In IIS, I had set the bindings for the site to http://SERVER. When I
changed the binding to http://test.domain.local and added that to the IE
Intranet zone, it works.

I still believe this is a pretty annoying bug in IE8 - especially since it
was working fine in FireFox. But in the end, I am able to work around it.

Thank you for your help.

"Thomas Sun [MSFT]" wrote:

> Hi MCM,
>
> If we create a simple ASP.NET website with Window Authentication and deploy
> it on IIS, does it have the same issue? What URL you were using to request
> your website? Please try to add the URL into local Web Site
> (IE->Tools->Internet Options->Security tab->Select "Local intranet"-> Click
> "Sites"->Click "Advanced" button->Add the URL), and enable "Automatic Logon
> with current username and password" (Internet Explorer --> Tools-->Internet
> Options --> Security-->Local Intranet Zone-->Custom Level-->User
> Authentication-->Logon -->Automatic Logon with current username and
> password).
>
> If the issue still exists, could you please post detailed steps here that
> can repro the issue? You also can send me a simplified package that can
> repro the error on your machine. My email is (E-Mail Removed).
>
>
> I look forward to hearing from you.
>
>
> --
> Best Regards,
> Thomas Sun
>
> Microsoft Online Partner Support
>
>
>
> --------------------
>
> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >
> >So I have all the security working as planned in FireFox, but still not
> >functional in IE8. A quick search for "windows authentication ie8" will

> show
> >you there are a lot of people out there with this problem. I assume there
> >must be a fix for it by now. Probably a security setting within IE? Any

> ideas?
> >
> >
> >"MCM" wrote:
> >
> >> Here's a weird twist... I tried it in FireFox and it works. Still no

> change
> >> with IE8 though.
> >>
> >>
> >> "MCM" wrote:
> >>
> >> > I'm happy to work with Virtual Directories as needed. But just to get

> this
> >> > working at all, I tried to switch the whole site to Windows

> Authentication. I
> >> > used the following in my web.config:
> >> >
> >> > <authentication mode="Windows"/>
> >> > <authorization>
> >> > <deny users="?" />
> >> > </authorization>
> >> >
> >> > It is STILL giving me 401 access denied errors. Not sure what to try

> next.
> >> >
> >> >
> >> > "Thomas Sun [MSFT]" wrote:
> >> >
> >> > > Hi MCM,
> >> > >
> >> > > Could you please tell me how you configure your website on IIS? Do

> you
> >> > > create Virtual Directory for the Admin folder? As I mentioned above,

> when
> >> > > we use Anonymous access, user credentials won't be sent. And one
> >> > > application just can have one authentication mode.
> >> > >
> >> > > If you want to enable Anonymous access for public part and use

> Integrated
> >> > > Windows Authentication for Admin part, I suggest you treat them as

> separate
> >> > > website. By doing so, we can configure them separately on IIS.
> >> > >
> >> > > For example, you can add web.config file with Windows Authentication

> and
> >> > > <authorization> section in Admin folder. On IIS, we can add new

> Application
> >> > > under your Public section and point its Physical path to the Admin

> folder.
> >> > > If we do so, the Admin is the child application of Public

> application. And
> >> > > then you can configure Admin application using Integrated Windows
> >> > > Authentication and configure Public application using Anonymous

> access on
> >> > > IIS.
> >> > >
> >> > > I look forward to receiving your test results.
> >> > >
> >> > >
> >> > > --
> >> > > Best Regards,
> >> > > Thomas Sun
> >> > >
> >> > > Microsoft Online Partner Support
> >> > >
> >> > >
> >> > >
> >> > > --------------------
> >> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >> > > >
> >> > > >Is it possible to disable anonymous access just for the Admin

> folder? I'd
> >> > > >like to allow it for the public section.
> >> > > >
> >> > > >
> >> > > >"Thomas Sun [MSFT]" wrote:
> >> > > >
> >> > > >> Hi MCM,
> >> > > >>
> >> > > >> Thanks for your response.
> >> > > >>
> >> > > >> Please make sure we only enable Integrated Windows Authentication

> and
> >> > > >> disable Anonymous access option on IIS. When anonymous access is
> >> > > enabled,
> >> > > >> no authenticated user credentials are required to access the

> site. For
> >> > > more
> >> > > >> information, see http://support.microsoft.com/kb/324274
> >> > > >>
> >> > > >>
> >> > > >> I look forward to receiving your test results.
> >> > > >>
> >> > > >>
> >> > > >> --
> >> > > >> Best Regards,
> >> > > >> Thomas Sun
> >> > > >>
> >> > > >> Microsoft Online Partner Support
> >> > > >>
> >> > > >> >
> >> > > >> >Hi Thomas-
> >> > > >> >
> >> > > >> >> Firstly, we need to make sure the identity that requests your

> website
> >> > > is
> >> > > >> in
> >> > > >> >> the Administrators role that you specify in <allow> section of
> >> > > >> <location>
> >> > > >> >> settings. For test, we can present the identity name in page

> by
> >> > > >> following
> >> > > >> >> code:
> >> > > >> >> ===============================
> >> > > >> >> Response.Write(User.Identity.Name);
> >> > > >> >> ===============================
> >> > > >> >
> >> > > >> >No name is displaying at all. This value is blank. Could this be

> a
> >> > > browser
> >> > > >> >setting?
> >> > > >> >
> >> > > >> >
> >> > > >> >> Besides, we also can specify a domain user in <location>

> settings and
> >> > > >> then
> >> > > >> >> request your website with that identity to see whether it

> works. For
> >> > > >> >> example:
> >> > > >> >> ===============================
> >> > > >> >> <location path="Admin">
> >> > > >> >> <system.web>
> >> > > >> >> <authorization>
> >> > > >> >> <allow users="YourDomain\OneUserName"/>
> >> > > >> >> <deny users="*"/>
> >> > > >> >> </authorization>
> >> > > >> >> </system.web>
> >> > > >> >> </location>
> >> > > >> >> ===============================
> >> > > >> >
> >> > > >> >This also does not let me have access. But I presume that until

> we fix
> >> > > the
> >> > > >> >blank username problem, we won't get anywhere.
> >> > > >> >
> >> > > >> >-Max
> >> > > >> >
> >> > > >>
> >> > > >>
> >> > > >
> >> > >
> >> > >

> >

>
>

 
Reply With Quote
 
Thomas Sun [MSFT]
Guest
Posts: n/a
 
      09-04-2009
Hi MCM,

Thanks for your update and I am glad that you resolved it.

For security, IE doesn't send sensitive information to website that is not
in Local intranet list automatically by default.

You also can post the feedback on the Connect Website
(https://connect.microsoft.com/IE/Feedback). Our developer will evaluate
them seriously and take them into consideration when designing future
release of the product.


--
Best Regards,
Thomas Sun

Microsoft Online Partner Support


--------------------
>Xref: TK2MSFTNGHUB02.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 3125
>NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>I was in the process of creating a package for you to test when I solved

the
>problem. In IIS, I had set the bindings for the site to http://SERVER.

When I
>changed the binding to http://test.domain.local and added that to the IE
>Intranet zone, it works.
>
>I still believe this is a pretty annoying bug in IE8 - especially since it
>was working fine in FireFox. But in the end, I am able to work around it.
>
>Thank you for your help.
>
>"Thomas Sun [MSFT]" wrote:
>
>> Hi MCM,
>>
>> If we create a simple ASP.NET website with Window Authentication and

deploy
>> it on IIS, does it have the same issue? What URL you were using to

request
>> your website? Please try to add the URL into local Web Site
>> (IE->Tools->Internet Options->Security tab->Select "Local intranet"->

Click
>> "Sites"->Click "Advanced" button->Add the URL), and enable "Automatic

Logon
>> with current username and password" (Internet Explorer -->

Tools-->Internet
>> Options --> Security-->Local Intranet Zone-->Custom Level-->User
>> Authentication-->Logon -->Automatic Logon with current username and
>> password).
>>
>> If the issue still exists, could you please post detailed steps here

that
>> can repro the issue? You also can send me a simplified package that

can
>> repro the error on your machine. My email is (E-Mail Removed).
>>
>>
>> I look forward to hearing from you.
>>
>>
>> --
>> Best Regards,
>> Thomas Sun
>>
>> Microsoft Online Partner Support
>>
>>
>>
>> --------------------
>>
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>> >
>> >So I have all the security working as planned in FireFox, but still not
>> >functional in IE8. A quick search for "windows authentication ie8" will

>> show
>> >you there are a lot of people out there with this problem. I assume

there
>> >must be a fix for it by now. Probably a security setting within IE? Any

>> ideas?
>> >
>> >
>> >"MCM" wrote:
>> >
>> >> Here's a weird twist... I tried it in FireFox and it works. Still no

>> change
>> >> with IE8 though.
>> >>
>> >>
>> >> "MCM" wrote:
>> >>
>> >> > I'm happy to work with Virtual Directories as needed. But just to

get
>> this
>> >> > working at all, I tried to switch the whole site to Windows

>> Authentication. I
>> >> > used the following in my web.config:
>> >> >
>> >> > <authentication mode="Windows"/>
>> >> > <authorization>
>> >> > <deny users="?" />
>> >> > </authorization>
>> >> >
>> >> > It is STILL giving me 401 access denied errors. Not sure what to

try
>> next.
>> >> >
>> >> >
>> >> > "Thomas Sun [MSFT]" wrote:
>> >> >
>> >> > > Hi MCM,
>> >> > >
>> >> > > Could you please tell me how you configure your website on IIS?

Do
>> you
>> >> > > create Virtual Directory for the Admin folder? As I mentioned

above,
>> when
>> >> > > we use Anonymous access, user credentials won't be sent. And one
>> >> > > application just can have one authentication mode.
>> >> > >
>> >> > > If you want to enable Anonymous access for public part and use

>> Integrated
>> >> > > Windows Authentication for Admin part, I suggest you treat them

as
>> separate
>> >> > > website. By doing so, we can configure them separately on IIS.
>> >> > >
>> >> > > For example, you can add web.config file with Windows

Authentication
>> and
>> >> > > <authorization> section in Admin folder. On IIS, we can add new

>> Application
>> >> > > under your Public section and point its Physical path to the

Admin
>> folder.
>> >> > > If we do so, the Admin is the child application of Public

>> application. And
>> >> > > then you can configure Admin application using Integrated Windows
>> >> > > Authentication and configure Public application using Anonymous

>> access on
>> >> > > IIS.
>> >> > >
>> >> > > I look forward to receiving your test results.
>> >> > >
>> >> > >
>> >> > > --
>> >> > > Best Regards,
>> >> > > Thomas Sun
>> >> > >
>> >> > > Microsoft Online Partner Support
>> >> > >
>> >> > >
>> >> > >
>> >> > > --------------------
>> >> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>> >> > > >
>> >> > > >Is it possible to disable anonymous access just for the Admin

>> folder? I'd
>> >> > > >like to allow it for the public section.
>> >> > > >
>> >> > > >
>> >> > > >"Thomas Sun [MSFT]" wrote:
>> >> > > >
>> >> > > >> Hi MCM,
>> >> > > >>
>> >> > > >> Thanks for your response.
>> >> > > >>
>> >> > > >> Please make sure we only enable Integrated Windows

Authentication
>> and
>> >> > > >> disable Anonymous access option on IIS. When anonymous access

is
>> >> > > enabled,
>> >> > > >> no authenticated user credentials are required to access the

>> site. For
>> >> > > more
>> >> > > >> information, see http://support.microsoft.com/kb/324274
>> >> > > >>
>> >> > > >>
>> >> > > >> I look forward to receiving your test results.
>> >> > > >>
>> >> > > >>
>> >> > > >> --
>> >> > > >> Best Regards,
>> >> > > >> Thomas Sun
>> >> > > >>
>> >> > > >> Microsoft Online Partner Support
>> >> > > >>
>> >> > > >> >
>> >> > > >> >Hi Thomas-
>> >> > > >> >
>> >> > > >> >> Firstly, we need to make sure the identity that requests

your
>> website
>> >> > > is
>> >> > > >> in
>> >> > > >> >> the Administrators role that you specify in <allow> section

of
>> >> > > >> <location>
>> >> > > >> >> settings. For test, we can present the identity name in

page
>> by
>> >> > > >> following
>> >> > > >> >> code:
>> >> > > >> >> ===============================
>> >> > > >> >> Response.Write(User.Identity.Name);
>> >> > > >> >> ===============================
>> >> > > >> >
>> >> > > >> >No name is displaying at all. This value is blank. Could this

be
>> a
>> >> > > browser
>> >> > > >> >setting?
>> >> > > >> >
>> >> > > >> >
>> >> > > >> >> Besides, we also can specify a domain user in <location>

>> settings and
>> >> > > >> then
>> >> > > >> >> request your website with that identity to see whether it

>> works. For
>> >> > > >> >> example:
>> >> > > >> >> ===============================
>> >> > > >> >> <location path="Admin">
>> >> > > >> >> <system.web>
>> >> > > >> >> <authorization>
>> >> > > >> >> <allow users="YourDomain\OneUserName"/>
>> >> > > >> >> <deny users="*"/>
>> >> > > >> >> </authorization>
>> >> > > >> >> </system.web>
>> >> > > >> >> </location>
>> >> > > >> >> ===============================
>> >> > > >> >
>> >> > > >> >This also does not let me have access. But I presume that

until
>> we fix
>> >> > > the
>> >> > > >> >blank username problem, we won't get anywhere.
>> >> > > >> >
>> >> > > >> >-Max
>> >> > > >> >
>> >> > > >>
>> >> > > >>
>> >> > > >
>> >> > >
>> >> > >
>> >

>>
>>

>


 
Reply With Quote
 
MCM
Guest
Posts: n/a
 
      09-04-2009
Yes. I understand that the site had to be in the Intranet Zone - and it was.
I was just using the abbreviated server name instead of a FQDN. So even
though it was listed in Intranet and even though it worked in FireFox, it
didn't work in IE. I'll write a note to the IE Feedback site like you
suggested. Thanks.


"Thomas Sun [MSFT]" wrote:

> Hi MCM,
>
> Thanks for your update and I am glad that you resolved it.
>
> For security, IE doesn't send sensitive information to website that is not
> in Local intranet list automatically by default.
>
> You also can post the feedback on the Connect Website
> (https://connect.microsoft.com/IE/Feedback). Our developer will evaluate
> them seriously and take them into consideration when designing future
> release of the product.
>
>
> --
> Best Regards,
> Thomas Sun
>
> Microsoft Online Partner Support
>
>
> --------------------
> >Xref: TK2MSFTNGHUB02.phx.gbl

> microsoft.public.dotnet.framework.aspnet.security: 3125
> >NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >
> >I was in the process of creating a package for you to test when I solved

> the
> >problem. In IIS, I had set the bindings for the site to http://SERVER.

> When I
> >changed the binding to http://test.domain.local and added that to the IE
> >Intranet zone, it works.
> >
> >I still believe this is a pretty annoying bug in IE8 - especially since it
> >was working fine in FireFox. But in the end, I am able to work around it.
> >
> >Thank you for your help.
> >
> >"Thomas Sun [MSFT]" wrote:
> >
> >> Hi MCM,
> >>
> >> If we create a simple ASP.NET website with Window Authentication and

> deploy
> >> it on IIS, does it have the same issue? What URL you were using to

> request
> >> your website? Please try to add the URL into local Web Site
> >> (IE->Tools->Internet Options->Security tab->Select "Local intranet"->

> Click
> >> "Sites"->Click "Advanced" button->Add the URL), and enable "Automatic

> Logon
> >> with current username and password" (Internet Explorer -->

> Tools-->Internet
> >> Options --> Security-->Local Intranet Zone-->Custom Level-->User
> >> Authentication-->Logon -->Automatic Logon with current username and
> >> password).
> >>
> >> If the issue still exists, could you please post detailed steps here

> that
> >> can repro the issue? You also can send me a simplified package that

> can
> >> repro the error on your machine. My email is (E-Mail Removed).
> >>
> >>
> >> I look forward to hearing from you.
> >>
> >>
> >> --
> >> Best Regards,
> >> Thomas Sun
> >>
> >> Microsoft Online Partner Support
> >>
> >>
> >>
> >> --------------------
> >>
> >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >> >
> >> >So I have all the security working as planned in FireFox, but still not
> >> >functional in IE8. A quick search for "windows authentication ie8" will
> >> show
> >> >you there are a lot of people out there with this problem. I assume

> there
> >> >must be a fix for it by now. Probably a security setting within IE? Any
> >> ideas?
> >> >
> >> >
> >> >"MCM" wrote:
> >> >
> >> >> Here's a weird twist... I tried it in FireFox and it works. Still no
> >> change
> >> >> with IE8 though.
> >> >>
> >> >>
> >> >> "MCM" wrote:
> >> >>
> >> >> > I'm happy to work with Virtual Directories as needed. But just to

> get
> >> this
> >> >> > working at all, I tried to switch the whole site to Windows
> >> Authentication. I
> >> >> > used the following in my web.config:
> >> >> >
> >> >> > <authentication mode="Windows"/>
> >> >> > <authorization>
> >> >> > <deny users="?" />
> >> >> > </authorization>
> >> >> >
> >> >> > It is STILL giving me 401 access denied errors. Not sure what to

> try
> >> next.
> >> >> >
> >> >> >
> >> >> > "Thomas Sun [MSFT]" wrote:
> >> >> >
> >> >> > > Hi MCM,
> >> >> > >
> >> >> > > Could you please tell me how you configure your website on IIS?

> Do
> >> you
> >> >> > > create Virtual Directory for the Admin folder? As I mentioned

> above,
> >> when
> >> >> > > we use Anonymous access, user credentials won't be sent. And one
> >> >> > > application just can have one authentication mode.
> >> >> > >
> >> >> > > If you want to enable Anonymous access for public part and use
> >> Integrated
> >> >> > > Windows Authentication for Admin part, I suggest you treat them

> as
> >> separate
> >> >> > > website. By doing so, we can configure them separately on IIS.
> >> >> > >
> >> >> > > For example, you can add web.config file with Windows

> Authentication
> >> and
> >> >> > > <authorization> section in Admin folder. On IIS, we can add new
> >> Application
> >> >> > > under your Public section and point its Physical path to the

> Admin
> >> folder.
> >> >> > > If we do so, the Admin is the child application of Public
> >> application. And
> >> >> > > then you can configure Admin application using Integrated Windows
> >> >> > > Authentication and configure Public application using Anonymous
> >> access on
> >> >> > > IIS.
> >> >> > >
> >> >> > > I look forward to receiving your test results.
> >> >> > >
> >> >> > >
> >> >> > > --
> >> >> > > Best Regards,
> >> >> > > Thomas Sun
> >> >> > >
> >> >> > > Microsoft Online Partner Support
> >> >> > >
> >> >> > >
> >> >> > >
> >> >> > > --------------------
> >> >> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >> >> > > >
> >> >> > > >Is it possible to disable anonymous access just for the Admin
> >> folder? I'd
> >> >> > > >like to allow it for the public section.
> >> >> > > >
> >> >> > > >
> >> >> > > >"Thomas Sun [MSFT]" wrote:
> >> >> > > >
> >> >> > > >> Hi MCM,
> >> >> > > >>
> >> >> > > >> Thanks for your response.
> >> >> > > >>
> >> >> > > >> Please make sure we only enable Integrated Windows

> Authentication
> >> and
> >> >> > > >> disable Anonymous access option on IIS. When anonymous access

> is
> >> >> > > enabled,
> >> >> > > >> no authenticated user credentials are required to access the
> >> site. For
> >> >> > > more
> >> >> > > >> information, see http://support.microsoft.com/kb/324274
> >> >> > > >>
> >> >> > > >>
> >> >> > > >> I look forward to receiving your test results.
> >> >> > > >>
> >> >> > > >>
> >> >> > > >> --
> >> >> > > >> Best Regards,
> >> >> > > >> Thomas Sun
> >> >> > > >>
> >> >> > > >> Microsoft Online Partner Support
> >> >> > > >>
> >> >> > > >> >
> >> >> > > >> >Hi Thomas-
> >> >> > > >> >
> >> >> > > >> >> Firstly, we need to make sure the identity that requests

> your
> >> website
> >> >> > > is
> >> >> > > >> in
> >> >> > > >> >> the Administrators role that you specify in <allow> section

> of
> >> >> > > >> <location>
> >> >> > > >> >> settings. For test, we can present the identity name in

> page
> >> by
> >> >> > > >> following
> >> >> > > >> >> code:
> >> >> > > >> >> ===============================
> >> >> > > >> >> Response.Write(User.Identity.Name);
> >> >> > > >> >> ===============================
> >> >> > > >> >
> >> >> > > >> >No name is displaying at all. This value is blank. Could this

> be
> >> a
> >> >> > > browser
> >> >> > > >> >setting?
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> >> Besides, we also can specify a domain user in <location>
> >> settings and
> >> >> > > >> then
> >> >> > > >> >> request your website with that identity to see whether it
> >> works. For
> >> >> > > >> >> example:
> >> >> > > >> >> ===============================
> >> >> > > >> >> <location path="Admin">
> >> >> > > >> >> <system.web>
> >> >> > > >> >> <authorization>
> >> >> > > >> >> <allow users="YourDomain\OneUserName"/>
> >> >> > > >> >> <deny users="*"/>
> >> >> > > >> >> </authorization>
> >> >> > > >> >> </system.web>
> >> >> > > >> >> </location>
> >> >> > > >> >> ===============================
> >> >> > > >> >
> >> >> > > >> >This also does not let me have access. But I presume that

> until
> >> we fix
> >> >> > > the
> >> >> > > >> >blank username problem, we won't get anywhere.
> >> >> > > >> >
> >> >> > > >> >-Max
> >> >> > > >> >
> >> >> > > >>
> >> >> > > >>
> >> >> > > >
> >> >> > >
> >> >> > >
> >> >
> >>
> >>

> >

>
>

 
Reply With Quote
 
Alexey Smirnov
Guest
Posts: n/a
 
      09-04-2009
On Sep 4, 6:30*am, MCM <(E-Mail Removed)> wrote:
> Yes. I understand that the site had to be in the Intranet Zone - and it was.
> I was just using the abbreviated server name instead of a FQDN. So even
> though it was listed in Intranet and even though it worked in FireFox, it
> didn't work in IE. I'll write a note to the IE Feedback site like you
> suggested. Thanks.
>


Ensure that the Include all network paths (UNC) check box has been
checked. (Internet Options - Security - Sites). If it was checked, it
could be interesting to see the difference in Fiddler between IE with
the abbreviated server name and with FQDN

Fiddler can be found here www.fiddlertool.com

You might also try to add *.domain.local or 10.*.*.* to sites list to
see if it works or not
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Configuring ACS 4.2 to delegate authentication request 2 radiusserver Arnnei Cisco 0 12-10-2009 06:40 PM
re configuring dlink524 and wireless laptop and wii gaming system vid Computer Support 0 01-13-2008 09:35 PM
a urlauthorization question =?Utf-8?B?UG9ueSBUc3Vp?= ASP .Net 9 04-07-2006 02:03 AM
Windows authentication breaks after configuring application pool identity Igor Dombrovan ASP .Net Security 2 03-01-2005 05:35 PM
Forms Authentication question: How to have some pages open and some requiring forms authentication Eric ASP .Net 2 02-13-2004 02:14 PM



Advertisments