Security :: Forms Authentication - Multiple Companies In One Site?
May 1, 2010
I'm working on a new project and I would like to use forms authentication to protect the necessary pages. The project is going to be focused on companies where a company would create an account and have multiple users. Each company should have its own data and should not be able to see other companies' data. What would be the best way to go about this? I've considered using a subdomain for each company which would tell the application which membership provider to use. I've also considered using an additional credential such as company ID to specify which company the user is logging into.
View 7 Replies
Similar Messages:
Dec 21, 2010
I have 2 website A and B.
B site with windows authentication
I want to open B site as new window from A site, so its ask for windows credential. I have credential in A site. I am opening B site using Javascript.window.open.
how i can set credential for B site from A site.
View 2 Replies
Jun 16, 2010
I work for an agency that has been responsible for maintaining a client's .net 3.5 website for a number of years along with another agency. Work is farmed out by the client to both agencies on a pretty much ad-hoc basis.
The site is quite old and has a structure and deployment process to match. The site is setup that developers have local copies of the sites. There is a staging environment, where client feedback and approval happens, followed by the live environment. There are a number of scenarios where work from one agency will be on the staging environment awaiting approval, and changes from the other agency need to go through staging, approval and deployed to live without the original changes being affected. Most of the time we get away with it but it's far from ideal as not all conflicts can be resolved.
Up until recently we had still been on Sourcesafe but have moved over to Subversion and are running into many more scenarios where work is overwritten. This obviously isn't a fault with subversion, rather that the locking of projects and files in Sourcesafe served as a good indicator to developers from both agencies that someone was working on that project or file. The process previously was that you checked out a file from sourcesafe and kept it checked out until changes went live (acknowledge that this is a rubbish process hence the desire to move away from sourcesafe and such a model)
The trouble is that even though we know that the way we do it now is bad, I'm at a bit of a loss as to how to restructure the overall site and deployment process to make it "better". Some ideas we've pondered are:
Separate dev, test and live branches in subversion so we need to commit and build the appropriate branch before deploying (not really sure how to make that work)Single repository for both agencies but a separate staging environment for each. Staging environment could then reflect the changes assigned to each agencyA separate instance of the staging site for each branch
View 1 Replies
Mar 7, 2011
We're using ASP.NET and IIS 6.0. I realise that the definitions of applications, websites and virtual directories are ill-defined in IIS 6, and changed a lot in IIS 7. However, I'm stuck with IIS 6.0 for now.
We have a single web site defined in IIS, and a number of separate sub-sites in Virtual Directories.
The scheme looks like this:-
[URL]
[URL]
site1, site2, ... are virtual directories in IIS 6.0, under the "Default Web Site".
I need to use ASP.NET sessions and forms authentication in most of these sites, and I don't want them to share authentication data or session information at all.
Both the mechanisms currently depend on cookies. However, the cookies created by default use the same name, and have a path of "/" in the browser, meaning the sites' cookies will clash with each other.
Without changing the default name for each cookie, how can I enforce separation between my sub-sites? Do I need to change the virtual directories for IIS 6 "Applications"? Or is there some way in code to enforce a more limited scope for the cookies?
View 1 Replies
Sep 5, 2010
I am taking an existing ASP.NET site with authentication, membership & roles and updating it. In the process I am pulling the authentication portion off of the site and using an SSO (through Central Authentication Services - CAS). I need to retain the use the membership and roles of .NET. Right now my site allows users to add an account and I approve and add them to groups. Since I will no longer do the account management I still need a way to add them to the proper groups once they have an account.
The question is sort of a chicken/egg question... Since I am the admin I need to add myself first, but since the authentication is no longer local how do I do this? Do I develop a special function just to add my account and then other pages to manage the rest?
View 2 Replies
Mar 7, 2011
I have two applications with a single domain name ([URL] and [URL]). First one has been developed in .NET 2 and the other one with .NET 4. I have configured web.config as these steps:
1- I've set the same machine key for both of them.
2- I've set the coockie name.
3- I've set the domain name to "domain.com".
4- Also, I've set hardcoded coockie domain name to "domain.com" .
Everything was working fine when both of them were running on a single web server. Recently, I've been asked to move test.domain.com to another server. After moving, authentication ticket is not valid on the second server. I tested both of them on a single server again and everything was workinh fine, but in two servers users can't acces to test.domain.com. (Authentication Ticket is invalid)
Edited: The second server is a virtual (VMWare) server. I don't have any problem in physical servers. I checked the server's time to be synchronized. I also used fiddler to see if the server does not get the auth ticket and ther ticket is sent to the 2nd server. Note: Servers are located in different networks and maybe proxy or firewall causes this (I've no idea)
View 3 Replies
Jul 26, 2010
i m trying to set up an Intranet site with Windows Authentication. I have configured the web.config as shown below.
<authentication mode="Windows">
<roleManager enabled="true" />
I wanted to do authorization by roles so
<authorization>
<deny users ="?"/>
<allow roles="D820MySite_Developers, D820MySite_Admins"/>
</authorization>
I'm in the D820MySite_Developers group. When I attempt to login, it wants my password. I thought that with Windows Authentication it should not prompt for the password. If is use <allow user="*"/> it does not.
1. Is this the correct behavior?
2. My aspnetdb does not appear in the App_Data folder. Should it and is this causing the problem. If it should be there, how do I get it there?
3. I was under the impression that by using Windows Authentication, I can prevent users from accessing pages by folder. Is this provided by IIS or is this provided by Windows (using Windows Explorer)?
View 3 Replies
Feb 24, 2011
We would like to use AD authentication with our Intranet site to control what pages different users can access. I'm very new to ASP.net and would be interested in links to a how to description. We are using Visual Studio 2008.
View 1 Replies
Mar 23, 2010
I'm trying to set up Windows authentication on an intranet site. I have this code in the web.config:
<system.web>
<authentication mode="Windows"/>
<authorization>
<allow users="domainuser, domainuser2" />
<deny users="*" />
</authorization>
</system.web>
I can log in with my own credentials, but I have virtually all the rights in AD. User2 can not log in. The website is set to use Windows authentication in IIS manager. And I've tried setting permissions in IIS manager and NTFS permissions for the folde
View 3 Replies
Oct 2, 2010
I am trying to build a web app for an intranet site that for security reasons needs to make the user type in their Windows or Active Directory username pwd manually. I have previously worked with Integrated Windows Auth but in this case, we do want them to use type in their AD credentials.
I have been trying to look up how to do this and frankly I am a bit lost. It should be a fairly straightforward task and am hoping you can point me in the right direction, with some tutorials or examples. We will be using SSL so, dont have to worry about passing pwd in cleartext over the wire.
My environment is visual studio 2008 in C#, .net 3.5 if that matters.
View 1 Replies
Oct 15, 2010
I have an intranet site that i set up to windows authentication. It works fine most of the time but some departments wont be able to access the site and will be asked to enter user name and password.I checked their Active Directory account and the only difference i could see was that the organizational unit parameter was different than the rest of the users.
View 5 Replies
Nov 18, 2010
We have a link in our site that pin points to sharepoint documents and we are retreiving some documents files (*.doc). Our sharepoint uses IWA (integrated windows authentication) which is prompted if we're trying to access that documents, unfortunately we don't want to prompt that window to authenticate the user. We need is to create a username and password and authenticate it. how can we do that.
Note* we have 2 server one for our application and the other one is for sharepoint.
View 3 Replies
Nov 10, 2010
I have three asp.net web applications
,Second and Third applications are accessed throught the first,So Authentication (form authentication) is happening from the first application only , all are deployed on same IIS with seperate virtual directory
Like
1.Localhost/EmpMananger
1. Localhost/Hr
2.Localhost/Payroll
, I used the same Entires in both <machineKey> and
<forms> Elements in webconfig file of all applications,
Applications are working fine and Page.User.Identity are available in all applications but once loginUrl and defaultUrl entry is changed to actual name other than localhost
Eg: localhost/EmpManager/default.aspx To myserver/EmpManger/default.aspx
the authentication ticket is not available in second and third applicaiton
View 4 Replies
Mar 16, 2010
I have a small project I am working on using web developer express, and I am trying to get windows authentication to work with my intranet website project. This website is only to be accessed inside my LAN and not from the internet at all, so I figured windows authentication would be best.What happens when I turn it on (and I've tested this from multiple browsers: IE8, Firefox, Chrome, Safari) is that the website asks the user to log in (via pop up textbox). Not only does it request the user to log in (which I don't think it should, since the login is based on windows authentication and I am on a windows machine already logged into the internal domain) but it requests the user to login multiple times, sometimes I get asked to log in and type in the same username/password combination 12 different times. It seems to me that the asp page is requesting permission to view each individual element and requires authentication to load one object (like an image or text box).
I am severely annoyed. :( I just wanted authentication to work smoothly without any login requests, or at the mostone request.
View 1 Replies
Mar 10, 2011
I have read the many posts of people trying to use two different login pages: one for users and one for admins. My question is very different. I have a Site.master page with a LoginView and LoginControl. I then have three root level pages Default.aspx, About.aspx, and Contact.aspx that derive from the Site.master. All three pages are set in the web.config to be allowed to all users. I then have a MemberPage in a Member folder which is only accessible to authenticated users. What I want to have happen is to be able to login from either the Default, About, or Contact pages and then be directed to the MemberPage.
View 2 Replies
Nov 8, 2010
We are upgrading the asp.net 2.0 web application to asp.net 4.0. The application contain three main modules (sub application) like End User, Franchise and Admin with separate web.config, asp.net form Authentication, login page and running with single domain. the URL like,mydomain.com/login.aspxmydomain.com/franchise/login.aspxmydomain.com/admin/login.aspx In asp.net 2.0, working fine with 3 sub applications with separate form authentication under a single domain name and also we can working with all threes in same time. After the up gradation process (ASP.NET 2.0 to 4.0),We didn't run all three applications in same times and also form authentication crossed.
View 2 Replies
Apr 8, 2010
Requirment is to stop more than one user to login at a time using same user id.I am storeing user id in session. I searched the internet and found some ways but somehow they do not work in these situations:If javascript in brower is turned off. If user do not click logout and directly close brower.
View 3 Replies
Jan 26, 2010
I created a mixed mode authentication mechanism based on a few of the articles that I have read on this topic. It's similar to something like this: [URL]
Basically, there are two web applications. One accepts the Windows Auth and one accepts Forms Auth. The Windows Auth then creates a forms auth ticket and passes control to the Forms auth application. This solution works fine when both applications are housed within the same IIS web site.
Now, order to control the security of this solution we set up multiple IIS web sites on the same machine. Web Site 1 serves external traffic (forms auth) and Web Site 2 serves internal traffic (windows auth).
So the design is that an internal user can hit the site using Windows auth via a internal name (myserver) while the external users use Forms Auth hitting [URL].
All that said, the solution works when the two applications are in the same site. Doesn't work when they are in different sites.
View 4 Replies
May 29, 2010
I have created a web application which has two section user and admin. Admin files are within
~/admin folder and user files are in ~/User folder. Admin and user has two different login page within respective directory.
Now I want two apply form authentication for admin and user section. Is it possible to apply form authentication for two different section in a web application?
View 4 Replies
Feb 3, 2010
I'm trying to connect to a site using digest authentication but it continuously gives "401 - Unauthorized" even the password is correct. Here's the sample code I'm using:
[Code]....
This is the server header I got:
Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.14 OpenSSL/0.9.8e DAV/2 mod_wsgi/2.8 Python/2.5.4 PHP/5.2.12 with Suhosin-Patch
View 1 Replies
Sep 3, 2010
What do I need to do in order to change an application from Forms Authentication to windows authentication?
View 2 Replies
Jun 3, 2010
I have developed the authenticated rss feed using the basic http authentication for my site.I also have the admin module for the site which uses the Asp.net Forms Authentication .Both are in the same project.When i turn on the forms authentication module to None in my web.config.My rss feed authentication works fine(the browser pop up the dialog box for the username and password) and upon entering the username and password the rss feed gets displayed.But with forms authentication turn on when i click the rss feed link i am getting redirected to the administrator login page.
If i set my authentication mode to none than the feed works like dream but the admin module do not work as it uses forms authentication.
How can i resolve the conflict for that one.I am using the asp.net mvc filter on my feed contoller to pop up the dialog box for the username and password.
[Code]....
View 1 Replies
Feb 16, 2011
I'm developing an internal booking sytem. Users log in to the sytem and can view existing bookings and search for bookings. They can also create new or edit existing bookings. When completing such actions I need a confirmation prior to completing the booking or updating the recorded. The confirmation is based on a reauthentication of the user.... in otherwords he needs to enter his passord again.
How can I achieve this? The system is internam and I'm using Forms Authentication. I an also using roles as som of the admin forms can only be viewed by administrators.
View 1 Replies
Sep 28, 2010
I have "published" my web application to our server which is running Windows Server 2008 and IIS 7. The app has a web.config file in it's root directory but, since I used the ASP.NET Configuration tool to set access permissions to subdirectories in my site, there are also web.config files in those subdirectories. They were created by the ASP.NET Configuration tool, and their contents are simple:
[Code]....
Now, when I try to view my app/site, I recieve the following error: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS. In the Source Error: section, the following line of my ROOT web.config file (not on of the little ones located in the subdirectories) is highlighted in red. "<authentication mode="Forms">"
Everything I have been able to find regarding this error says that one cause might be that web.config files are located in the subdirectories of my application but, the error is pointing to the web.config file in my root directory. IIS7 functions differently from previos versions, regarding web application creation. But, I think I have managed to get that set up correctly. (there is an application listed with the name of my site, and it has been assigned to the app pool that I created so, I think that is all correct). So, I think my web site IS set up as an application.
View 2 Replies
Jul 14, 2010
This could be very straight forward for some of you, but I got caught up. I am doing very simple test - browsing from IIS Manager to see the default page or "under Construction", however I am being challenged to provide my login credential . When I provide my login credential, I am able to see the default page. I wanted to see the default page without providing my credential since Enable anoymous access + basic authentication I am simply wanted to see the default page asit is working on other servers except this one. I have included screen print to make sure may question is clear.
View 3 Replies