Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
DotNet
acad.assignment.mngr
academic
adonet
aspnet
aspnet.announcements
aspnet.build.controls
aspnet.caching
aspnet.datagridcontrol
aspnet.mobile
aspnet.security
aspnet.webcontrols
aspnet.webservices
clr
compactframework
component_services
datatools
distributed_apps
drawing
faqs
framework
framework.wmi
general
internationalization
interop
languages.csharp
languages.jscript
languages.vb
languages.vb.controls
languages.vb.data
languages.vb.upgrade
languages.vc
languages.vc.libraries
myservices
odbcnet
performance
remoting
scripting
sdk
security
setup
vjsharp
vsa
webservi.enhancements
webservices
windowsforms
windowsforms.controls
winforms.databinding
winforms.designtime
xml
  
 
date: Mon, 30 Jun 2008 16:16:55 -0700,    group: microsoft.public.dotnet.framework.aspnet.security        back       


Form Authentication (redirect to https)    
We are using forms authentication for security within our web app.  Within 
the web.config file, we have the logonURL set to "https://www.mysite.com" so 
that if the user gets to the login page via http, they will be forced to 
https version.

We do this same redirect on other websites without any problems, but for 
some reason on this one website, when we redirect to https, a windows login 
prompt is presented to the user which is NOT what we want.  I have looked 
throughout the web.config file and the iis setup and see no differences in 
the site that works with the redirect and one that doesn't.  


Any ideas?

Thanks in advance.
date: Mon, 30 Jun 2008 16:16:55 -0700   author:   dgator

Re: Form Authentication (redirect to https)    
On Jul 1, 1:16 am, dgator  wrote:
> We are using forms authentication for security within our web app.  Within
> the web.config file, we have the logonURL set to "https://www.mysite.com" so
> that if the user gets to the login page via http, they will be forced to
> https version.
>
> We do this same redirect on other websites without any problems, but for
> some reason on this one website, when we redirect to https, a windows login
> prompt is presented to the user which is NOT what we want.  I have looked
> throughout the web.config file and the iis setup and see no differences in> the site that works with the redirect and one that doesn't.  
>
> Any ideas?
>
> Thanks in advance.

I think it does mean that the IUSR_<server> account has no access to
the root directory of the site. Check directory permissions to see if
the this account is allowed access to the files. Check if Anonymous
authentication is enabled in IIS.
date: Tue, 1 Jul 2008 02:22:59 -0700 (PDT)   author:   Alexey Smirnov

Re: Form Authentication (redirect to https)    
If i type https://www.mysite.com it works fine as long as the "logonURL" in 
the forms authentication section of the web.config just points to the logon 
page like "logon.aspx".  

As soon as I change the logonURL to "https://www.mysite.com/logon.aspx", the 
windows logon prompt is presented to the user.

The directory permissions for the IUSR seem to be fine.

Any other thoughts?

Thanks

Daivd

"Alexey Smirnov" wrote:

> On Jul 1, 1:16 am, dgator  wrote:
> > We are using forms authentication for security within our web app.  Within
> > the web.config file, we have the logonURL set to "https://www.mysite.com" so
> > that if the user gets to the login page via http, they will be forced to
> > https version.
> >
> > We do this same redirect on other websites without any problems, but for
> > some reason on this one website, when we redirect to https, a windows login
> > prompt is presented to the user which is NOT what we want.  I have looked
> > throughout the web.config file and the iis setup and see no differences in
> > the site that works with the redirect and one that doesn't.  
> >
> > Any ideas?
> >
> > Thanks in advance.
> 
> I think it does mean that the IUSR_<server> account has no access to
> the root directory of the site. Check directory permissions to see if
> the this account is allowed access to the files. Check if Anonymous
> authentication is enabled in IIS.
>
date: Tue, 1 Jul 2008 04:01:01 -0700   author:   dgator

Re: Form Authentication (redirect to https)    
On Jul 1, 1:01 pm, dgator  wrote:
> If i typehttps://www.mysite.comit works fine as long as the "logonURL" in
> the forms authentication section of the web.config just points to the logon
> page like "logon.aspx".  
>
> As soon as I change the logonURL to "https://www.mysite.com/logon.aspx", the
> windows logon prompt is presented to the user.
>
> The directory permissions for the IUSR seem to be fine.
>
> Any other thoughts?
>
> Thanks
>
> Daivd
>
>
>
> "Alexey Smirnov" wrote:
> > On Jul 1, 1:16 am, dgator  wrote:
> > > We are using forms authentication for security within our web app.  Within
> > > the web.config file, we have the logonURL set to "https://www.mysite.com" so
> > > that if the user gets to the login page via http, they will be forced to
> > > https version.
>
> > > We do this same redirect on other websites without any problems, but for
> > > some reason on this one website, when we redirect to https, a windows login
> > > prompt is presented to the user which is NOT what we want.  I have looked
> > > throughout the web.config file and the iis setup and see no differences in
> > > the site that works with the redirect and one that doesn't.  
>
> > > Any ideas?
>
> > > Thanks in advance.
>
> > I think it does mean that the IUSR_<server> account has no access to
> > the root directory of the site. Check directory permissions to see if
> > the this account is allowed access to the files. Check if Anonymous
> > authentication is enabled in IIS.- Hide quoted text -
>
> - Show quoted text -

David, when you do this on other websites, do you use a custom 403
redirect at IIS from http to https?
date: Tue, 1 Jul 2008 12:54:35 -0700 (PDT)   author:   Alexey Smirnov

Re: Form Authentication (redirect to https)    
I do the redirect through the form authentication section of the web.config 
file.

Here is my current entry in web.config

<authentication mode="Forms">
      <forms loginUrl="wtLogon.aspx" name="sqlAuthCookie" timeout="60" 
path="/">
      </forms>
    </authentication>

This works if the user types in https://www.mysite.com.  If the user type 
http>//www.mysite.com, they are redirected to the login page, but still in 
http.

If I change the entry in the web.config to the following

<authentication mode="Forms">
      <forms loginUrl="https://www.mysite.com/wtLogon.aspx" 
name="sqlAuthCookie" timeout="60" path="/">
      </forms>
    </authentication>

I get the windows login prompt.

Very strange.


"Alexey Smirnov" wrote:

> On Jul 1, 1:01 pm, dgator  wrote:
> > If i typehttps://www.mysite.comit works fine as long as the "logonURL" in
> > the forms authentication section of the web.config just points to the logon
> > page like "logon.aspx".  
> >
> > As soon as I change the logonURL to "https://www.mysite.com/logon.aspx", the
> > windows logon prompt is presented to the user.
> >
> > The directory permissions for the IUSR seem to be fine.
> >
> > Any other thoughts?
> >
> > Thanks
> >
> > Daivd
> >
> >
> >
> > "Alexey Smirnov" wrote:
> > > On Jul 1, 1:16 am, dgator  wrote:
> > > > We are using forms authentication for security within our web app.  Within
> > > > the web.config file, we have the logonURL set to "https://www.mysite.com" so
> > > > that if the user gets to the login page via http, they will be forced to
> > > > https version.
> >
> > > > We do this same redirect on other websites without any problems, but for
> > > > some reason on this one website, when we redirect to https, a windows login
> > > > prompt is presented to the user which is NOT what we want.  I have looked
> > > > throughout the web.config file and the iis setup and see no differences in
> > > > the site that works with the redirect and one that doesn't.  
> >
> > > > Any ideas?
> >
> > > > Thanks in advance.
> >
> > > I think it does mean that the IUSR_<server> account has no access to
> > > the root directory of the site. Check directory permissions to see if
> > > the this account is allowed access to the files. Check if Anonymous
> > > authentication is enabled in IIS.- Hide quoted text -
> >
> > - Show quoted text -
> 
> David, when you do this on other websites, do you use a custom 403
> redirect at IIS from http to https?
>
date: Tue, 1 Jul 2008 13:30:02 -0700   author:   dgator

Re: Form Authentication (redirect to https)    
On Jul 1, 10:30 pm, dgator  wrote:
> I do the redirect through the form authentication section of the web.config
> file.
>
> Here is my current entry in web.config
>
> <authentication mode="Forms">
>       <forms loginUrl="wtLogon.aspx" name="sqlAuthCookie" timeout="60"
> path="/">
>       </forms>
>     </authentication>
>
> This works if the user types inhttps://www.mysite.com.  If the user type> http>//www.mysite.com, they are redirected to the login page, but still in> http.
>
> If I change the entry in the web.config to the following
>
> <authentication mode="Forms">
>       <forms loginUrl="https://www.mysite.com/wtLogon.aspx"
> name="sqlAuthCookie" timeout="60" path="/">
>       </forms>
>     </authentication>
>
> I get the windows login prompt.
>
> Very strange.
>
>
>
> "Alexey Smirnov" wrote:
> > On Jul 1, 1:01 pm, dgator  wrote:
> > > If i typehttps://www.mysite.comitworks fine as long as the "logonURL" in
> > > the forms authentication section of the web.config just points to the logon
> > > page like "logon.aspx".  
>
> > > As soon as I change the logonURL to "https://www.mysite.com/logon.aspx", the
> > > windows logon prompt is presented to the user.
>
> > > The directory permissions for the IUSR seem to be fine.
>
> > > Any other thoughts?
>
> > > Thanks
>
> > > Daivd
>
> > > "Alexey Smirnov" wrote:
> > > > On Jul 1, 1:16 am, dgator  wrote:
> > > > > We are using forms authentication for security within our web app.  Within
> > > > > the web.config file, we have the logonURL set to "https://www.mysite.com" so
> > > > > that if the user gets to the login page via http, they will be forced to
> > > > > https version.
>
> > > > > We do this same redirect on other websites without any problems, but for
> > > > > some reason on this one website, when we redirect to https, a windows login
> > > > > prompt is presented to the user which is NOT what we want.  I have looked
> > > > > throughout the web.config file and the iis setup and see no differences in
> > > > > the site that works with the redirect and one that doesn't.  
>
> > > > > Any ideas?
>
> > > > > Thanks in advance.
>
> > > > I think it does mean that the IUSR_<server> account has no access to> > > > the root directory of the site. Check directory permissions to see if
> > > > the this account is allowed access to the files. Check if Anonymous
> > > > authentication is enabled in IIS.- Hide quoted text -
>
> > > - Show quoted text -
>
> > David, when you do this on other websites, do you use a custom 403
> > redirect at IIS from http to https?- Hide quoted text -
>
> - Show quoted text -

I think the trick here is that you have to add custom 403 (403;4 if I
am not wrong) in IIS where you can redirect from http://....login.aspx
to https://....login.aspx using simple
Response.Redirect("https://....login.aspx");
date: Tue, 1 Jul 2008 23:37:19 -0700 (PDT)   author:   Alexey Smirnov

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us