Bug in Authorization??? IIS 5 Config Problem??

[Mark Olbert]

I am having a devil of a time trying to get Forms authentication to work in a very simple test
webapp (I've gotten it to work many, many times when developing on my WinXP client box, but I've
just switched to doing development/debug on a Win2K server with IIS5, and something is obviously
wrong).

Here's the site:

login.aspx
/ssl/members/members.aspx

(accessing members.aspx is supposed to require authentication)

Web.config file extracts:

<configuration>
<system.web>
<authentication mode="Forms">
<forms name=".ASPAUTHSCEF" protection="None" loginUrl="/login.aspx" timeout="30" />
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
<location path="ssl/members">
<system.web>
<authorization>
<allow users="user1" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>

Right now all login.aspx has is a single button that triggers the following code:

private void doLogin_Click(object sender, System.EventArgs e)
{
FormsAuthentication.RedirectFromLoginPage("user1", false);
}

For debugging purposes I have the following code in global.asax.cs:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
HttpApplication theApp = (HttpApplication) sender;

if( theApp.Request.IsAuthenticated && theApp.User.Identity is FormsIdentity )
{
FormsIdentity theIdentity = (FormsIdentity) theApp.User.Identity;
}
}

So, as you can see, this is a VERY simple testbed.

When I run this app in the debugger and break in Global::Application_AuthenticateRequest() I can see
the initial two requests (for ssl/members/members.aspx, followed by /login.aspx because
authentication is required).

The login page then comes up and I click the button, which causes
FormsAuthentication.RedirectFromLoginPage("user1", false) to get called.

Application_AuthenticateRequest() then breaks again, looking for /ssl/members/members.aspx (as it
should)...but theApp.User is <undefined>! Which means the authentication that
RedirectFromLoginPage() was supposed to do never happened!!!

What the !#!#$^!@#(#^! is going on???

Thanx in advance for any leads and/or help!

- Mark

 

[Hermit Dave]

never used app to get hold of user info...
have you tried using

if(HttpContext.Current.User != null)
{
if(HttpContext.Current.User.Identity.IsAuthenticated)
{
if(HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;

// get data stored in cookie
string userData = ticket.UserData;
string[] roles = userData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);
}
}
}

the above code is for application_authenticaterequest

so something equivalent..... not sure if application and checking the
current request is the right way...

--
Regards,

HD

I am having a devil of a time trying to get Forms authentication to work in a very simple test
webapp (I've gotten it to work many, many times when developing on my WinXP client box, but I've
just switched to doing development/debug on a Win2K server with IIS5, and something is obviously
wrong).

Here's the site:

login.aspx
/ssl/members/members.aspx

(accessing members.aspx is supposed to require authentication)

Web.config file extracts:

<configuration>
<system.web>
<authentication mode="Forms">
<forms name=".ASPAUTHSCEF" protection="None" loginUrl="/login.aspx" timeout="30" />
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
<location path="ssl/members">
<system.web>
<authorization>
<allow users="user1" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>

Right now all login.aspx has is a single button that triggers the following code:

private void doLogin_Click(object sender, System.EventArgs e)
{
FormsAuthentication.RedirectFromLoginPage("user1", false);
}

For debugging purposes I have the following code in global.asax.cs:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
HttpApplication theApp = (HttpApplication) sender;

if( theApp.Request.IsAuthenticated && theApp.User.Identity is FormsIdentity )
{
FormsIdentity theIdentity = (FormsIdentity) theApp.User.Identity;
}
}

So, as you can see, this is a VERY simple testbed.

When I run this app in the debugger and break in

Global::Application_AuthenticateRequest() I can see

the initial two requests (for ssl/members/members.aspx, followed by /login.aspx because
authentication is required).

The login page then comes up and I click the button, which causes
FormsAuthentication.RedirectFromLoginPage("user1", false) to get called.

Application_AuthenticateRequest() then breaks again, looking for

/ssl/members/members.aspx (as it

 

[Mark Olbert]

Sorry, I should've explained that I have another website on the same server (which I >>thought<< was
using the same approach) that works, and I can see the Identity using theApp.User.Identity.

Any ideas on what's causing the failure?

- Mark

 

[Hermit Dave]

Sorry mate.. see what others say..

--
Regards,

HD

Sorry, I should've explained that I have another website on the same

server (which I >>thought<< was

 

[Steven Cheng[MSFT]]

Hi Mark,

Thank you for posting here. Based on this issue, I found it a duplicated
one with another post(id:£²£°£·£¶£¹£°£µ£±). I'll send the reply in that
one. And if you have any questions, please feel free to post there.

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)