Security :: Error In IIS7 With WindowsIdentity In Session
Feb 10, 2010
In our web application we provide a way for users to switch which account/credentials (Windows identity) that should be used when making requests to external services.
This "Switch user" service works like this:
The user provides the new credentials that should be used. The application performs a "login", fetch the toke and creates a new WindowsIdentity based on the token.The created identity is placed in the session. When a page is requested and an Identity is available in session, the HttpContext.Current.User is replaced with this one. Everything works as excepted when the application is hosted in IIS6. We have verified that all request to external services is made using the new identity. When we host the application in IIS7 we run into problems however. Everything works fine until we tries to access the new identity (for example by fetching the name) and we get the following exception:
[Code]....
We have no idea why this suddenly starts to happen in IIS7.
View 7 Replies
Similar Messages:
Mar 14, 2011
In order to find out what identity is running an app, this line is used:
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
But is there another way to find out this name such as through the command prompt?
View 2 Replies
Mar 25, 2010
i have this line of code
WindowsIdentity wi2 = new WindowsIdentity("test1");
test1 is in the ActiveDirectory on the DomainController
when running the code I get an IncorrectFunction error
at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
at Hisco.Intranet.LoginForm.OnInit(EventArgs e) in F:HiscoDCSWebEventsManagerHiscoDCSDCSLoginForm.aspx.cs:line 17
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
I have windows auth for the website and outside users will logon that are not in the network and I need to impersonate them to login on without offering a login form( quietly behind the scenes) with the test account. I guess what I actually need is the UserTaken pointer. Is there a way to get one without ising the LogOnUser unmanaged call? I have a UserPrincipal object also so is there way to get the token from ActiveDirectory somehow?
View 2 Replies
Mar 5, 2010
I'm moving applications from IIS6 to IIS7.5 (win 7 an win server 2008 r2), when 2 applications (with identity impersonate) try to get a file with response.writefile only from a UNC path i'll get "access denied". In IIS6 and Visual Studio Developer Web Server, same code works. I can save file with FilePath.SaveAs and get name and length with FileInfo, but not download. After 2 days of nightmares I have tried to change
Response.WriteFile(filePath)
to
Response.BinaryWrite(File.ReadAllBytes(filePath))
and now work. My question is: can I have a microsoft developer to sacrificate for my avenge?)
View 2 Replies
Dec 10, 2010
We have developed MVC web app. We have used session value only once within the application to save the visibility.
I save the visibility selected in dropdown in session and when the page refreshes next time I set the drop down value based on session.
The code is as follows:
if (visibility == "All Investors")
visibility = "All";
Session["visibility"] = visibility;
if (Session["visibility"] != null )
{
visibility = Session["visibility"].ToString();
}
This works well on my local in all cases. On test server , sometime I get right session value but some time I get session value which was set before the last session value, The only difference in the environment I have on local and test is local has IIS6.0 and test has IIS7.0.
View 3 Replies
Mar 18, 2010
For testing I have 1 isolated page - no masters, controls, .... My sessions are lost after about 30 seconds. I've tried setting timeout on the page itself, in web.config, both, and neither. Tried forms authentication with timeout and windows authentication. Recycle the AppPool after changes.
I can response.write from the Session_Start , but I never get any response.writes from the Session_End.
Some things I've tried:
<sessionState mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;"
cookieless="false"
timeout="20" />
<sessionState mode="InProc" cookieless="false" timeout="20"/>
<sessionState mode="InProc" timeout="20"/>
<sessionState timeout="20"/>
No luck.
My runtime is set to:
<httpRuntime useFullyQualifiedRedirectUrl="true"
maxRequestLength="204800"
requestLengthDiskThreshold="204800"
executionTimeout="600" />
I don't know what this would be relevant, but I can't think of anything else to post!
View 2 Replies
Aug 23, 2010
I've got an ASP.NET MVC app running under IIS7. It's using the default in-proc session management, which, according to all that I read, should lose the users' session after an app pool recycle.It doesn't seem to be losing it though. Even an IIS reset doesn't lose the session.Has something changed in IIS7 that keeps the session alive?
View 1 Replies
Aug 27, 2010
I've set-up a cruisecontrol.net server with IIS7. I want to be able to view the web dashboard. Everything has worked for me before fine in IIS6, but now it seems to be broke in IIS7.
If I browser to: http://192.168.93.133:21234/default.aspx
I get the following error:
XML Parsing Error: not well-formed
Location: http://192.168.93.133:21234/default.aspx
Line Number 1, Column 5:.NET
It looks like ASP.NET isn't being hit when I request the page. But as far as I know the application pool of the site is set to .NET, and I don't know how to check whether ASP.NET is configured correctly with IIS7. if this a problem which can be rectified in IIS7?Has anyone test CruiseControl.NET from installation in IIS7?
View 1 Replies
Jan 6, 2011
I have an application running ASP.NET. I have different domains and different sub-domains. I want the domains to share session with their sub domains.
For Example, the following domains access this application:
[URL]
If a user goes to www.example1.com and print.example1.com, I want it to use the same session. If the user were to go to www.example2.com and print.example2.com, I would want it to use a different session than the *.example1.com.
The way I used to handle it was a hack in page_load that works perfectly in IIS6:
Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
Response.Cookies["ASP.NET_SessionId"].Domain = SiteUtility.GetCookieDomain();
(SiteUtility.GetCookieDomain would return .example1.com or .example2.com depending on the url of the request) Unfortunately, this no longer seems to work for iis7. Each subdomain/domain a user goes to, the user gets a new session cookie.
I then found the web.config entry: '<httpCookies domain=".example1.com" />. This works great for sharing session cookie between example1.com subdomains. Unfortunately, this completely screws up session state for *.example2.com.
View 3 Replies
Sep 13, 2010
I've just upgraded my development machine from XP SP3 (IIS5.1) to Win7 x64 (IIS7.5)
Since doing this, my app has started to behave differently. Within it I store users' preferences/access levels using an instance of a class that I store within the Session object. This class is shown:
[Code]....
My requirement is that on each page request (other than the login page), the application should check that the Session object exists. The page data is therefore shown based on the values within the session object (e.g. which customer account they are using etc)...Previously on IIS5.1 if I was logged into the app, but made some changes to a file within App_Code, or Web.Config for example, when I then continued to use the app, I would get kicked out to the login page straight away. This is the intended behaviour. Now however, on IIS7.5, the app continues to provide access to the pages, but debugging shows that the session value has had all of its values set to 0 (zero). Therefore, the pages continue to load but the data shown is corrupted because the app no longer displays it accurately. Here is the code I use which (on IIS5.1) caught this occurence. Can anyone offer any advice on just what's now happening
[Code]....
I have tried changing this line:
[Code]....
View 11 Replies
Jan 7, 2010
I'm writing an ASP.net application and I'm working with the WindowsIdentity.GetCurrent() function. I want to know how (or if it's possible) to change what identity the ASP.net application runs as.
I eventually want to run it as an account associated with the end-user. I understand I can do this with Windows Authentication in IIS, but Windows Authentication will not work with my particular application. If I can programmatically log the user in with a AD username and password, that will be fine.
How can I set the WindowsIdentity the ASP.net application runs as without using Windows Authentication in IIS?
Update: This question has been sitting idle for a long time. I think that perhaps the framework does not allow me to do what I'm describing here.
View 1 Replies
Dec 7, 2010
I have an asp.net 2.0 application that is suppose to pick the Identity of the currently logged in user on a client machine and use it to setup working environment for the user. On win xp and windows server 2003 this works fine. but on moving the application to Windows Server 2008 R2 .
View 1 Replies
Mar 24, 2010
I have an application that ran fine on a Win 2003 box using windows authentication. After installing the app on a 32-bit Windows Server 2008 box the users are now prompted for domain credentials every time they call the site. I went into IIS manager for IIS7 and disabled anonymous authentication and enabled windows authentication. What do I need to do here for the user to not be prompted for the credentials?
View 5 Replies
Mar 29, 2011
For my current project I am using form authentication.What occasionally will happen is a user will timeout (unbeknownst to them),they try navigating to a different page (call it Page B) and they get kicked back to the login screen.This is fine and I have no problems with this.
However,after they enter their credentials and are authenticated they are redirected back to "Page B" and an error is produced because a session variable wasn't loaded. This is due to the fact that they were redirected to "Page B" instead of the page they would normally hit after a login (call it Page A).Is there anyway to force the user to go to Page A instead of Page B in these situation to avoid these errors?
View 2 Replies
Jan 20, 2011
I'm having a tough time implementing mixed-mode authentication (windows & forms based) for my application using IIS 7. Doing it in IIS6 is easy, but the process doesn't translate to 7/7.5 - and my research has led to me to conflicting answers, none of which.
I have redirect page called WindowsLogin.aspx, and a forms-based one called Login.aspx. I'm having difficulty enabling Windows authentication for just WindowsLogin.aspx.
View 1 Replies
Dec 13, 2010
I'm running IIS7 ( in integrated mode ) and Net. 4.0 framework on Windows 7.
a) If web application runs within Asp.Net v4.0 pool, then both Net Users and Net Roles features are not available.
b) I assume Asp.Net 4.0 apps can only run within Asp.Net v4.0 pools?
View 1 Replies
Dec 14, 2010
We are migrating an existing asp.net application from Windows Server 2003 with IIS6 to windows server 2008 with IIS7.
we use System.Net.CredentialCache.DefaultCredentials to pass the user credential to a web service. It is working fine with the old environment but with the new one we got "The request failed with HTTP status 401: Unauthorized." error.
How can I fix this problem with IIS7?
View 1 Replies
Jun 10, 2010
I am deploying a public ASP.NET website on an IIS7 web farm.
The application runs on 3 web servers and is behind a firewall.
We want to create a single page on the website that is accessible only to internal users. It is primarily used for diagnostics, trigger cache expiry, etc.
/admin/somepage.aspx
What is the best way to control access to this page? We need to:
Prevent all external (public) users from accessing the URL. Permit specific internal users to access the page, only from certain IPs or networks.
Should this access control be done at the (a) network level, (b) application level, etc.?
View 3 Replies
Sep 21, 2010
Here are the structure of my web site:Login.aspx in the root pathUserInfor.aspx and 1.txt in the sub-directory folder named 'Restricted' Authenticate this website with form authentication configured in IIS, and does not allow anonymous to get into the Restricted folder with the web.config file.I think it should work this way, if I manually access the 1.txt in the browser, I should be able to view the content, and if I go to the modules configuration for this applicaiton in IIS7, find the 'UrlAuthorization' module, and cancle the listbox for 'invoke for requests to asp.net ...', I should be directed to the loginurl setting in the root web.config file when I access the 1.txt file without logging, however, I still can see the content of 1.txt.
View 1 Replies
Feb 4, 2011
I was hosting published site in IIS 7 on Windows 7 installed machine.I had done setting for .NET framework version, Security Options but got Error as shown below
HTTP Error 500.19 - Internal Server
Error
The requested page cannot be accessed because the related configuration data for the page is invalid. Detailed Error Information Module IIS Web Core Notification BeginRequest Handler Not yet determined
Error Code 0x800700b7
Config Error There is a duplicate
'system.web.extensions/scripting/scriptResourceHandler'
section defined
View 1 Replies
Nov 17, 2010
want my pages to handle their own 404 errors because they can suggest better alternatives for the user. Eg, a category page which produces a 404 error can suggest alternative categories etc.In iis6 this was trivial as I was able to declare statuscode 404 and everything worked out well, but in iis7 I was getting the IIs' 404 error page.Adding this:
[Code]....
I get a different 404 error page but still produced by iis7 itself ("The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.").
View 1 Replies
Dec 9, 2010
so I have a fully functioning DynamicData website, and all works fine when debugging in VS2010But when I moved the site to a webserver (server 2008, IIS7) the default paeg comes up, but any links or pages after that are all sending 404 errors http://{IP address}/{table}/{action}.aspxdoes not work when on the server, but works fine in VS.What configuration am i missing from IIS7 to make this url work?
View 1 Replies
Mar 15, 2010
I have published my site using Visual Stuido's 2008 publish feature. I have then copied these files to a windows 2008 web server with IIS7 installed, it also has .net 3.5 sp1 and MVC installed In IIS I added the site using the 'Add a new site' right click option and then pointed this at the directory my site files are located in, I used the default application pool and it is set to integrated. Then when I attempt to browse I got the error message The Web server is configured to not list the contents of this directory. So I added Default.aspx to the default document list and I then get the following error message
HTTP Error 404.3 - Not Found The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map. Has anyone got any ideas on what I do next ? I have read lots of articles on this online but most are confusing and dont explain the solution in simple terms Surely it should be pretty straightforard to just deploy an MVC website to IIS7
View 4 Replies
Oct 14, 2010
In my .net app, I redirect to an error page if an error occurs.
It works fine on my local IIS.
When I deploy to a web server, IIS7, it redirects to the error page, all fine, but these is text added to the error page
"The page cannot be displayed because an internal server error has occurred. "
Could this be added via IIS7? It doesnt happen locally - also IIS7.
View 2 Replies
Nov 9, 2010
I'm using .net 4.0 and iis 7 and windows server 2008
my web application use form athentication and wok properly in vs 2010
but when i try to config the web site in iis 7 the form athenticate redirection doesn't work without any kinds of error.
here is my web.config code
<authentication mode="Forms">
<forms loginUrl="Pages/login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
I enabled the authentication form in iis.
View 3 Replies