Form Authentication (redirect to https)

dgator

We are using forms authentication for security within our web app. Within
the web.config file, we have the logonURL set to "https://www.mysite.com" so
that if the user gets to the login page via http, they will be forced to
https version.

We do this same redirect on other websites without any problems, but for
some reason on this one website, when we redirect to https, a windows login
prompt is presented to the user which is NOT what we want. I have looked
throughout the web.config file and the iis setup and see no differences in
the site that works with the redirect and one that doesn't.


Any ideas?

Thanks in advance.
 
Guest

I think it does mean that the IUSR_<server> account has no access to
the root directory of the site. Check directory permissions to see if
this account is allowed access to the files. Check if Anonymous
authentication is enabled in IIS.
 
dgator

If I type https://www.mysite.com it works fine as long as the "logonURL" in
the forms authentication section of the web.config just points to the logon
page like "logon.aspx".

As soon as I change the logonURL to "https://www.mysite.com/logon.aspx", the
windows logon prompt is presented to the user.

The directory permissions for the IUSR seem to be fine.

Any other thoughts?

Thanks

David
 
Guest

David, when you do this on other websites, do you use a custom 403
redirect at IIS from http to https?
 
dgator

I do the redirect through the form authentication section of the web.config
file.

Here is my current entry in web.config

<authentication mode="Forms">
  <forms loginUrl="wtLogon.aspx" name="sqlAuthCookie" timeout="60" path="/">
  </forms>
</authentication>

This works if the user types in https://www.mysite.com. If the user types
http://www.mysite.com, they are redirected to the login page, but still in
http.

If I change the entry in the web.config to the following

<authentication mode="Forms">
  <forms loginUrl="https://www.mysite.com/wtLogon.aspx" name="sqlAuthCookie" timeout="60" path="/">
  </forms>
</authentication>

I get the windows login prompt.

Very strange.
 
Guest

I think the trick here is that you have to add a custom 403 (403;4 if I
am not wrong) in IIS where you can redirect from http://....login.aspx
to https://....login.aspx using a simple
Response.Redirect("https://....login.aspx");
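
The 403;4 approach suggested in the last reply, as an added example that is not part of the original thread: a C# code-behind for the custom error page that rebuilds the HTTPS URL from the query string IIS hands to it and redirects only to hosts on an allowlist. The class name SslRedirect, the AllowedHosts list and the assumed query-string form "403;http://host:80/path" are assumptions, not taken from the posters' site.

```csharp
using System;
using System.Web.UI;

// Hypothetical code-behind for a page (e.g. SslRedirect.aspx) configured as the
// IIS custom error URL for 403;4 ("SSL required"). All names are illustrative.
public class SslRedirect : Page
{
    // Hosts this site may redirect to (constructed sample value).
    private static readonly string[] AllowedHosts = { "www.mysite.com" };

    // Assumption: IIS passes the failed request to a URL-type custom error
    // page in the raw query string as "403;http://host:80/path?query".
    public static string BuildHttpsUrl(string rawQuery)
    {
        if (string.IsNullOrEmpty(rawQuery)) return null;
        int sep = rawQuery.IndexOf(';');
        if (sep < 0) return null;

        Uri original;
        if (!Uri.TryCreate(rawQuery.Substring(sep + 1), UriKind.Absolute, out original))
            return null;

        // Refuse hosts we do not serve, so the page cannot act as an open redirect.
        if (Array.IndexOf(AllowedHosts, original.Host.ToLowerInvariant()) < 0)
            return null;

        // Keep path and query (including ReturnUrl), change only scheme and port.
        UriBuilder https = new UriBuilder(original);
        https.Scheme = Uri.UriSchemeHttps;
        https.Port = -1;   // drop ":80" so the default HTTPS port is used
        return https.Uri.AbsoluteUri;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string target = BuildHttpsUrl(Request.ServerVariables["QUERY_STRING"]);
        if (target == null)
        {
            Response.StatusCode = 403;   // unrecognised origin: keep the error
            Response.End();
        }
        Response.Redirect(target, true);
    }
}
```

With the login page served over HTTPS, setting requireSSL="true" on the <forms> element keeps the authentication cookie from being sent over plain HTTP.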
 
